Embedded Intelligent Intrusion Detection: A Behavior-Based Approach

Adrian P. Lauf, Richard A. Peters, and William H. Robinson
Department of Electrical Engineering and Computer Science, Vanderbilt University School of Engineering
2301 Vanderbilt Place, VU Station B #351826, Nashville, TN 37235

Published in: 21st International Conference on Advanced Information Networking and Applications Workshops (AINAW'07), 0-7695-2847-3/07 $20.00 © 2007 IEEE

Abstract - This paper describes the development of an intelligent intrusion detection system for use within an embedded device network consisting of interconnected agents. Integral behavior types are categorized by focusing primarily on inter-device requests and actions rather than at a packet or link level. Machine learning techniques use these observed behavioral actions to track devices which deviate from normal protocol. Deviant behavior can be analyzed and flagged, enabling interconnected agents to identify an intruder based upon the historical distribution of behavioral data that is accumulated about the possible deviant agent. Simulation results from the prototype system correlate detection accuracy with a tunable input tolerance factor.

I. INTRODUCTION

In the practices of traditional information security, methods of authentication and integrity protection continue to dominate as the principal means of protecting sensitive and dynamic information from non-relevant parties. Such methods are proven in reliability and practical security for the vast majority of information transactions taking place at all times in most data-driven environments. Yet these methods are somewhat limited in their scope and flexibility, and especially limited in their ability to provide dynamic security support to interconnected parties – not because of issues in theory or implementation, but rather in the way that security is defined within the contexts of such theory and implementation. Commonly used key exchange protocols (e.g. RSA), encryption standards (e.g. 3DES, AES), and digital signature methods (e.g. GnuPG) all provide a static framework that establishes security and then relies on a continuous point of trust that said security will remain unaffected in all aspects of subsequent data exchange [1-4]. In reality, encryption and authentication can be breached through their points of trust and through the further assumption that once a source has been authenticated, it is secure. This leads to the need for intrusion detection capable of determining whether authenticity or integrity has been compromised in such a way that the static security methods are unable to compensate or identify.

One solution to this dilemma is intelligent intrusion detection, which promises methods to protect and secure networks from dynamic threats. Current work on intelligent intrusion detection systems (IDSs) involves a number of approaches. These include fuzzy intrusion classifiers [5], which apply heuristic learning to create “fuzzy” rules for data being transmitted; “hybrid” approaches utilizing a fuzzy intrusion classifier along with neural networks [6]; and further methods involving rules derived from AI data mining [7].

This paper attempts to shift the discussion away from general-purpose intrusion detection within the realm of standard TCP/IP-based networks and their associated switching and routing equipment to the paradigm of embedded devices. Such device networks can range in type and complexity while encompassing a wide variety of applications, from portable music players sharing media in a social setting to autonomous aircraft networks relaying information on relative position, speed and attitude to nearby aircraft [8-9]. The goal of this research is to create an intelligent intrusion detection system that can be applied to embedded applications to provide intelligent IDS functionality that is independent in design from the target application, yet capable of adapting to the target application environment. Ideally, the proposed mechanism would provide a “system-on-a-chip” solution which could be implemented in new or existing systems, dynamically adjusting to the data traffic that each unique system combination provides.

Section two of this document will explain the concept of behaviors and how they represent abstractions of device actions and requests. Section three will detail the concepts behind the I-IDS (footnote 1) and describe the simulation aspects of the proposed system, while section four discusses the results obtained from simulation trials. Section five will explain the conclusions and ramifications of the data, while section six will explain future work to be done on the system.

Footnote 1: This paper shall use the abbreviation I-IDS for further references to “Intelligent Intrusion Detection System.” The hyphen exists to avoid confusion with the abbreviation IDS, referring to “Intrusion Detection System.”

II. BEHAVIORS

In order to provide a globally-implementable I-IDS solution, a platform must be found that can effectively capture the dynamics of the system being analyzed. Many methods exist to characterize information for such purposes across networks, such as packet-level analysis, source/destination verification, message authentication codes (MAC) and hash functions. Most of these methods are protocol and/or data dependent: packet-level analysis optimized for IPv4 cannot be used without significant modification in an IDS intended for IPv6, or for a network protocol differing from the 802.x standard entirely. Therefore, for the purposes of this project a very high-level approach is taken to represent the various system interactions as behaviors instead of using a data packet model. The behavior-based model permits instructions between networked devices (i.e. agents) to be classified numerically for purposes of statistical analysis and machine learning. Thus a behavior-based model separates data from instruction entirely, focusing principally on common or – in the case of intrusion detection – uncharacteristic actions and methods being observed within the scope of the agent network. Of course, such a method has implicit drawbacks, such as in cases where analysis of the data itself might provide more information about an intrusion than the common actions of an agent-based network. However, large-scale data analysis may not be appropriate for use within the embedded device community, where processing power and/or energy requirements are likely to constrain the ability to perform the necessary large-scale data analysis. To meet these requirements, and to simplify a behavior-based model for purposes of creating an experimental I-IDS, behaviors were categorized statistically and represented by integral data values, one per integer, creating an enumerated list of actions and methods.

For instance, in the scenario of a series of networked autonomous aircraft, a request for position data might be assigned logically to integer value ‘1’, a request for attitude data might map to a value of ‘2’, and so on. Each of the behaviors is generated according to a probability density function attributed to the frequency of that behavior’s occurrence in an actual embedded, real-time system. All probabilities add to 1 to completely represent the possible behavior space of the system. Fig. 1 demonstrates this concept within the scope of a system containing nine separate behaviors. This capability allows the I-IDS to move beyond the scope of a system-specific implementation, abstracting operations at one of the highest possible levels (level 1 is used in this paper), as seen in Fig. 2.

Fig. 1: Behavioral Probabilities over Discrete Types

For the purposes of simulation and experimentation, test behaviors were generated by applying semi-randomized chi-squared PDFs (footnote 2) to a random number generator, thereby creating “system behaviors” for individual agents representing the embedded device network. More on this behavior generation and its context will be discussed in section three of this paper.

III. EMBEDDED I-IDS

The goal of this research is to develop a solution allowing organized device networks comprised of homogeneous (footnote 3) agents to detect single or possibly multiple intrusions based on each device’s individual observations. This can collectively lead to the identification of such a breach. Each agent maintains a “learning” component allowing it to profile other communicating agents over time, developing a standard behavioral model which represents the average interactions within the agent network.

Fig. 2: System Abstraction Levels

Footnote 2: PDF shall refer in this document to a Probability Density Function.

Footnote 3: This work is not designed to span across device types, but rather to stay with one particular device format per instance such that behavioral patterns are not adversely affected.

A. Implementation

The I-IDS is ultimately designed to be a “system-on-a-chip” solution to the security/intrusion problem within embedded systems. To properly construct a development and testing platform, the author has chosen to first implement the system completely in software using networked general-purpose computers. This allows for fast, flexible design, and minimizes constraints in the initial development of the system. The software environment used is Mathworks’ MATLAB version 7. In addition to the functionality provided by MATLAB, a TCP/UDP/IP toolkit (footnote 4) is used, available from a public-domain site.

B. System Decomposition

The current implementation of the I-IDS involves a simplified model of virtualized networked agents. At the time of writing, the networked, real-time version of the application was not fully ready, thus agents were virtualized and represented by datasets. The simulation of the I-IDS can be subdivided into the following nine components, seen in Fig. 3:

a. Agent Controller – This is the main program in which learning functions, behavior generation and behavioral analysis are called.
b. PDF Generator – Generates PDFs for each simulated agent, which are used to create behaviors that statistically represent a particular agent’s “typical” behavior set. Each PDF is varied randomly so that no two PDFs have the same distribution within a certain tolerance.
c. Behavior Generator – Issues simulated system behaviors based on the statistical probability provided by an agent’s PDF. Behaviors are generated using a pseudo-random generator (footnote 5) that accepts PDFs as input to generate representative data according to the distribution.
d. Data Generator – Calls the behavior generator to create a set of simulated data. Can create both “normal” and deviant agent data sets, differentiated by their PDFs.
e. Pseudo Random Number Generator – Called by the data generator to construct behaviors based on the PDFs associated with each simulated agent.
f. Behavior Stack Manager – Accepts pushed behaviors from the agent controller. Used to hold behavior profiles until they are ready to be learned.
g. Learning Function – Processes the historical behavioral data to build a profile of each agent. Data is kept in a history matrix consisting of histograms with each bin representing a behavior. Each agent is represented by a row of behaviors in this matrix.
h. Analysis Function – Performs maxima detection (currently implemented; other methods to be added later) to find possible deviant behaviors. A behavior with a maximum lower than the global maximum is considered likely deviant, as the errant behaviors may be centering on said local maximum (Fig. 4).
i. Maxima Detection (footnote 6) – Performs analysis of global and local maxima and returns their positions.

Fig. 3: Functional Specification of I-IDS Simulation (function calls)

Footnote 4: Developed by Peter Rydesäter.

Footnote 5: Written by Eran O. Ofek.

Footnote 6: Written by Vassili Pastushenko.

C. Simulation

For the purposes of simulating a device network with an intruder, a scheme representing eight devices, one intruder and ten shared behaviors was devised. Each agent possessed the ten available behaviors (numerically enumerated from type one to type ten) and was assigned a PDF that more or less conformed to a “normal” range of device behavior distributions, with the exception of the deviant agent, whose PDF differed significantly from those of the other agents. Such a scheme might represent the following situations:

a. Networked autonomous aircraft: Each agent requests position, attitude, pitch, speed and other information from the others, and supplies such data as requested. The intruder in this case might be a ground-based listening party, whose behaviors model listening only, or perhaps the sending of malicious requests to cause other aircraft to collide.

b. Networked media devices: Portable wireless-enabled media devices may occasionally perform shared operations between devices. A normally occurring transaction might involve sharing data as well as redistributing playback history information. An intruding device might be one not sharing content, possibly only listening in on playback patterns, or only receiving audio data without sharing content likewise. Whether the intruder is acting on malicious intent, or whether it is a legitimate business, such as the RIAA attempting to surreptitiously gather user data without their knowledge, such behavior would be seen as an intrusion and the offending source can be flagged and excluded.

Once each agent has been represented with a PDF, as seen in Fig. 5, a static set of behaviors is generated by drawing a set of random numbers for each agent as described by its PDF. In the simulations performed for this research project, the datasets themselves consisted of 200 elements of generated data for each agent. This allows for a period of training on the data, as well as evolution over time of the sensitivity with which the learning function is open to change.

The classification of an agent as deviant is a twofold process. The first step involves the individual, or local-scope, determination of deviant behavior by each individual agent. This is computed by calculating the mean probability of a behavior for the entire set of agents. Let γ be the number of agents in the system and let β represent the number of behaviors present in the system. Let η represent a matrix of dimensions γ × β containing the historically and temporally-updated probabilities of each behavior ξ. The local-scope mean probability vector φ is computed in (1).

$$\varphi_{\xi} = \frac{1}{\gamma}\sum_{i=1}^{\gamma}\eta_{i,\xi} \qquad (1)$$

Fig. 4: Mean distribution of learned behaviors

The vector φ is then analyzed for global and local maxima. Since most of the behaviors will likely be statistically represented by a larger maximum peak (footnote 7), deviation in the system behavior will likely manifest itself over time as a smaller, local maximum, as seen earlier in Fig. 4. This smaller local maximum can be correlated to a particular behavior ξ, as the maxima-finding algorithm is set to return the discrete location at which the maximum occurs. The agent corresponding to the maximally-defined deviant behavior ξd is then found by analyzing the column of the probability matrix η corresponding to ξd and then finding the row within that column containing the maximum value for the given ξd, within a certain tolerance value τ representing a probability value.

IV. EXPERIMENTAL RESULTS

The I-IDS was configured and run as a time-independent finite-state simulation in which data was present to all agents at all iterations. Execution cycles are assumed to be instantaneous in the discussion of the results. Though a “discontinuous mode” of operation can be executed within the simulation, providing instances in which data is not present at certain cycles for certain agents in a randomized distribution, the homogeneous interconnected agent network was assumed in this case to follow a synchronous data model. More importantly, all of the functions and algorithms described are deterministic in nature – all iterations and computations complete in a finite, predictable amount of time – yielding a stable configuration for implementation in a real-time system.

The dataset in the case of the simulation consisted of 200 behaviors for each agent. Eight standard, non-deviant agents were pre-determined by PDFs corresponding to non-deviant behavior. One deviant agent was defined by a PDF differing randomly, but significantly, from the behavioral PDFs specified for the non-deviant agents. The initial tolerance value τ was statically defined to be 0.5. This value should ideally be automatically updated as the simulation progresses; this is work that will be performed in future revision cycles of the code and simulation environment.

Table 1 indicates correlations between the number of PDF-generated sets and the tolerance value τ in terms of successful detection. In this simulation, the deviation in generated PDFs for non-deviant agents was less than four integral data values clustered around behavior type two. Deviant agent PDFs clustered around behavior type 9 with a maximum deviation of two behavior type units. Five trials were performed for each tolerance value. The results are plotted in Fig. 6. The results shown in the associated table and figure clearly demonstrate that lowering the tolerance factor does, as expected, yield a higher rate of detection. One result not shown in either the table or the figure is one preliminary occurrence (which did not recur) of a false positive at a lower tolerance value. This demonstrates the significance of the tolerance factor in: a) determining if an intruder exists at all and b) preventing the wrong agent from being identified as said intruder. Should this tolerance value eventually be modifiable during program execution, both of those concerns could be validly addressed.

Fig. 5: Differences in Normal and Deviant PDFs

Footnote 7: The reader is asked to recall that the agents in this system are relatively homogeneous – behavioral spread is considered to be limited, and deviation from said behaviors is considered to be significant in nature.

TABLE 1: SIMULATION DETECTION PERFORMANCE VS. TOLERANCE (five trials per tolerance value)

Tolerance τ            0.515   0.51   0.50   0.45   0.4
Correct Detections       2       2      3      4     5
False Positives          0       0      0      0     0
Correct Percentage (%)  40      40     60     80   100
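The learning and analysis steps of Section III (history matrix η, the mean vector φ of equation (1), local-maxima search, column lookup against τ) and the eight-normal-plus-one-deviant scenario of the simulation, as an added Python example that is not the paper's MATLAB code. The triangular PDFs, the seeded sample streams and the rule that the dominating agent is flagged only when its own probability for ξd reaches τ are assumptions of this example; the paper does not state exactly how τ is compared.

```python
"""Added example (not the paper's MATLAB code): one round of the behavior-based
I-IDS.  Rows of the history matrix eta are agents, columns are the enumerated
behaviors 1..BETA.  Equation (1) averages the rows into phi; a local maximum of
phi away from the global peak names the deviant behavior xi_d, and the agent
dominating that column is flagged.  Assumption: the agent is flagged only if its
own probability for xi_d is at least tau (so a lower tau gives more detections)."""
import random
from collections import Counter

BETA = 10        # enumerated behavior types (paper: ten)
SAMPLES = 200    # behaviors generated per agent (paper: 200)


def make_pdf(centre, spread):
    """Constructed stand-in for the paper's chi-squared PDFs: triangular mass
    clustered on `centre`, falling to zero within `spread` behavior units."""
    weights = [max(0, spread + 1 - abs(b - centre)) for b in range(1, BETA + 1)]
    total = sum(weights)
    return [w / total for w in weights]          # sums to 1, as in Section II


def generate_behaviors(pdf, rng, n=SAMPLES):
    """Behavior generator: draw behavior ids 1..BETA according to the PDF."""
    return rng.choices(range(1, BETA + 1), weights=pdf, k=n)


def learn_history(streams):
    """Learning function: one normalised histogram row per agent (matrix eta)."""
    eta = []
    for stream in streams:
        counts = Counter(stream)
        eta.append([counts[b] / len(stream) for b in range(1, BETA + 1)])
    return eta


def mean_profile(eta):
    """Equation (1): phi[xi] = (1/gamma) * sum over agents i of eta[i][xi]."""
    gamma = len(eta)
    return [sum(row[j] for row in eta) / gamma for j in range(BETA)]


def local_maxima(phi):
    """0-based indices above the left neighbour and not below the right one."""
    ext = [-1.0] + list(phi) + [-1.0]
    return [j for j in range(BETA) if ext[j] < ext[j + 1] >= ext[j + 2]]


def detect(eta, tau):
    """Analysis function: returns (deviant behavior 1..BETA, agent index) or
    (None, None) when no secondary peak exists or no agent reaches tau."""
    phi = mean_profile(eta)
    global_peak = max(range(BETA), key=phi.__getitem__)
    candidates = [p for p in local_maxima(phi) if p != global_peak]
    if not candidates:
        return None, None
    xi_d = max(candidates, key=phi.__getitem__)   # strongest secondary peak
    column = [row[xi_d] for row in eta]           # eta[:, xi_d]
    agent = max(range(len(eta)), key=column.__getitem__)
    if column[agent] < tau:                       # assumed use of tau
        return None, None
    return xi_d + 1, agent


def simulate(tau, seed=1):
    """Simulation scenario: eight normal agents clustered on behavior 2 (spread
    under four units), one deviant agent (last row) clustered on behavior 9
    (spread two), 200 constructed samples per agent."""
    rng = random.Random(seed)
    pdfs = [make_pdf(2, rng.randint(1, 3)) for _ in range(8)]
    pdfs.append(make_pdf(9, 2))
    eta = learn_history([generate_behaviors(pdf, rng) for pdf in pdfs])
    return detect(eta, tau)
```

Calling `simulate(tau)` for a descending series of τ values reproduces the qualitative result of Table 1: the deviant agent (index 8) is missed at a strict τ and flagged once τ drops below its probability for behavior 9.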

Fig. 6: Accuracy vs. Tolerance Factor

V. CONCLUSIONS

This paper proposes a scheme to create an embedded intelligent intrusion detection system to aid in the detection of deviant devices within a homogeneous connected device network. In particular, the creation of high-level behavior classifications abstracts the interactions and requests seen in the agent network. This can provide a feasible solution to map the patterns of events present in the network, and allows for a significant degree of platform independence for the purposes of implementation into a wide variety of devices in the form of a “system-on-a-chip.” By obtaining a mean device behavioral profile from the collection of data over time, the probabilistic tendencies of an agent can be summarized and, when measured against a tolerance value, can associate deviant behaviors through local maxima detection with a possibly offending agent. All the algorithms and procedures are deterministic and therefore applicable to the reactive, real-time embedded device scenario – whether representing a collection of networked media devices, a series of networked aircraft, linked geological monitoring equipment, or ground-based networked autonomous vehicles. The results from simulation trials indicate a correlation between detection accuracy and the “strength” of the tolerance value applied to the analysis portion of the I-IDS. Under ideal circumstances, the tolerance strength would be dynamically updated by the analysis routine in conditions where the general system behavior appears to change (reducing the flagging of all connected agents as intruders) and in cases where the suspicious activity likewise appears to be taking new forms. The targeted adjustment of the tolerance values would therefore complete the adaptive design of the I-IDS as a viable method within the field of intrusion detection.

VI. FUTURE WORK

As mentioned in several locations throughout the paper, work is required in the development of a flexible tolerance value that adjusts for gradual changes in the system and/or recalibrates for overall dramatic changes in system behavior. Further work includes the addition of multiple-maxima detection and self-correcting methods to allow for the detection of more than one deviant agent. In addition to implementation details, work will be performed to determine the computational overhead required to integrate the I-IDS into a hardware platform, as well as the platform-specific power requirements for the integration of the I-IDS into a functional embedded system. Finally, a hardware-based implementation and a functioning network protocol layer will be built using an embedded development platform featuring a field-programmable gate array (FPGA).

ACKNOWLEDGMENTS

This work was supported in part by TRUST (The Team for Research in Ubiquitous Secure Technology), which receives support from the National Science Foundation (NSF award number CCF-0424422) and the following organizations: Cisco, British Telecom, ESCHER, HP, IBM, Intel, Microsoft, ORNL, Pirelli, Qualcomm, Sun, Symantec, Telecom Italia and United Technologies.

REFERENCES

[1] W. Diffie, “The first ten years of public-key cryptography”, Proceedings of the IEEE, Volume 76, Issue 5, May 1988, Pages 560-577.
[2] Seung-Jo Han, Heang-Soo Oh, Jongan Park, “The improved data encryption standard (DES) algorithm”, IEEE 4th International Symposium on Spread Spectrum Techniques and Applications Proceedings, 1996, Volume 3, 22-25 Sept. 1996, Pages 1310-1314.
[3] Shuenn-Shyang Wang, Wan-Sheng Ni, “An efficient FPGA implementation of advanced encryption standard algorithm”, Circuits and Systems, 2004. ISCAS ’04. Proceedings of the 2005 International Symposium on, Volume 2, 23-26 May 2004, Pages II-597-600.
[4] “The GNU Privacy Handbook”, The Free Software Foundation, 1999.
[5] Keum-Chang Lee and Ludmil Mikhailov, “Intelligent Intrusion Detection System”, IEEE 2nd International Conference on Intelligent Systems, pp. 497-502, 2004.
[6] Dwen-Ren Tsai, Wen-Pin Tai and Chi-Fang Chang, “A hybrid intelligent intrusion detection system to recognize novel attacks”, Security Technology, 2003. Proceedings. IEEE 37th Annual 2003 International Carnahan Conference on, 14-16 Oct. 2003, Pages 428-434.
[7] N.B. Idris, B. Shanmugam, “Artificial Intelligence Techniques Applied to Intrusion Detection”, INDICON, 2005 Annual IEEE, 11-13 Dec. 2005, Pages 52-55.
[8] Yan Xia, Ren-Fa Li, Ken-Li Li, “Intrusion detection using mobile agent in ad-hoc networks”, Machine Learning and Cybernetics, 2004. Proceedings of 2004 International Conference on, Volume 6, 26-29 Aug. 2004, Pages 3383-3388.
[9] M.A. Vilaplana, C. Goodchild, “Application of distributed artificial intelligence in autonomous aircraft operations”, Digital Avionics Systems, 2001. DASC. The 20th Conference, Volume 2, 14-18 Oct. 2001, Pages 7B3/1-7B3/14.