Auralization of Intrusion Detection System using JListen

I

Auralization of Intrusion Detection System using JListen 

DISSERTATION

Submitted in the partial fulfillment of the requirements of

BITS G629T Dissertation 

By

Gopinath M C

1998HS12176 

Under the Supervision of 

Prof. K.Venkatasubramainan

Assistant Dean, Distance Learning Programme Division

Birla Institute of Technology and Science

Pilani, India 

Under the Guidance of 

Prof Aditya P Mathur

Department of Computer Science

Purdue University

West Lafayette, IN, USA

 
 
 
 
 
 

BIRLA INSTITUTE OF TECHNOLOGY AND SCIENCE

PILANI (RAJASTHAN), INDIA.

March, 2004 

 

Table of Contents 

 

 

 

 

1. Introduction

      Intrusion detection is one of the key components of network management function. Intrusion detection system (IDS) examines a host or network to identify the possible intrusions or attacks. It can be either network based or host based, while network based intrusion detection systems are common. Network-based intrusion detection systems examine all the packets flowing through the network for signs of attacks. While host-based systems look at user and process activity on the local machine for the signs of intrusions.

            Signature-based analysis is used in most of the intrusion detection systems. These systems detect attacks based on pattern matching. Detection of all attacks requires prior knowledge about all possible patterns of intrusions. Currently, the legitimate requests tend to map with the signature available with intrusion detection systems. This leads to the generation of false positives by the existing systems. The false positives tend to deny the operations requested by the legitimate users or processes. To minimize the occurrences of such, early detection of false positives is needed. The network administrator can do it through frequent manual review of the logs generated by the intrusion detection system. The early warning or detection of intrusions will help to avert damages to the network. The implementation of manual intrusion detection [2] can be effective to support early warning of intrusions.

      The frequent review of logs minimizes the false positives of IDS. Also, early warnings help the administrator update the signature of IDS to prevent false negatives. Though log reviews are an offline activity, we believe that they can be performed in real time at appropriate intervals with the help of sounds. Whenever (likely) intrusions occur, appropriate aural signaling of malicious activity would prompt the network administrator to review logs. This can be done with the help of auralization of intrusion detection system.

      The goal of this work is to investigate how useful is auralization in improving the accuracy of intrusion detection systems. This report gives a brief summary of JListen and the list of auralization points considered in Snort, an intrusion detection system that we have selected for the purpose of experimentation using JListen. 
 
 
 

 

2. Background

      Auralization, or Sonification, is defined as the use of non-speech audio to convey information. Auralization of programs maps various events or points during program execution to sound signals.

      Auralization is intended to allow program monitoring in a different perspective with the help of sounds. Listen/C [1] is a tool to auralize programs written in C in order to understand their run-time behavior. The different programming constructs are mapped with a particular set of sound patterns. The mapping between events and sound patterns is specified in Listen Specification Language (LSL). The auralized programs when executed generate sound calls which enable the programmer or a user to monitor the program behavior.

      JListen is an open source tool to auralize Java programs. It is based on Listen/C. JListen is a distributed, versatile (easily configurable) and portable system that allows auralization of Java programs. The architecture of JListen consists of three components:

• Instrumentor
• Configuration Server
• Listener

 

      The user specifies the Java programs that need to be auralized along with a set of event-sound mappings. Then the program is instrumented with the aid of  the instrumentor. The instrumented program is registered with a central server component called Configuration Server. The Configuration Server maintains the details of registered auralized programs i.e., a list of event-sound mappings. Users interested in listening to auralized programs must register with the Configuration Server. These registered users, or nodes, are known as Listeners. When an instrumented program is executed, it sends sound signals to the Configuration Server which in turn multicasts the sound signals to the registered Listeners for that particular program.

      The features of JListen components are briefly summarized below. 

2.1 Instrumentor

      This component is used to instrument the Java program. It has the following features:

• Provides an interface to map events with sound patterns
• Provides an interface to register with Configuration Server
• The instrumented program will contain necessary Sound call libraries to communicate with Configuration Server. Thus, the instrumented program can be executed from a machine (environment) different as that of instrumentor

 

2.2 Configuration Server

   This component acts as a central server for the instrumented program and Listener. The features include,

• An interface to view the registered listeners for a particular program and their status whether they are logged on or logged out
• It multicasts the events sent by the executing auralized program to a set of registered Listeners
• The Configuration Server holds the event and sound mapping information for a set of registered instrumented programs

 

2.3 Listener 

   This component aids in generation of musical output based on a set of events sent by the configuration server. Listener has the following features:

• An interface to register with a particular configuration server
• An interface to login or logout from the configuration server
• Provides a facility to register with a particular set of auralized programs
• Allows customization of event and sound mappings i.e., a different sound variable can be associated with an event, the listening status of an event can be switched on or off
• Provides a facility to record events of a program in a Musical Instrument Digital Interface (MIDI) file
• An interface to play the recorded events of a program

 

In JListen, the following constructs in a Java Program can be decorated with the aid of instrumentor. The auralization points could be

• Activity track for a method
• Data track for a variable
• Method call Entry and Exit
• Method body begin and end with support for polymorphism
• Loop statements Entry and Exit
• Recursive method call

 

3. Experimental Design for the auralization of Snort

      Network intrusion detection systems (NIDS) are an important part of any network security architecture.  They provide a layer of defense, which monitors network traffic for predefined suspicious activity or patterns, and alerts system administrators when potential hostile traffic is detected. Snort [3] is a libpcap-based [4] packet sniffer and logger that can be used as a network intrusion detection system (NIDS).  It features rule-based logging to perform content pattern matching. It detects a variety of attacks and probes such as buffer overflows and stealth port scans. It also has real-time alerting capability, with alerts being sent to syslog.  

3.1 Hypothesis

1. Auralization would help in early detection of false positives
2. Early detection of false positives would help in fine tuning the Intrusion Detection System to avert false positives in the future
3. Auralization would assist in frequent manual review of logs, which will help in identifying false negatives of Intrusion Detection System.

 

3.2 Experimental Procedure

      The hypothesis can be tested by comparing the capability of the user in identifying the false positives and false negatives with normal and auralized system. The subjects considered for experimentation would include students with knowledge of network security. The questionnaire will be given to students to evaluate the timeliness in identifying false positives and false negatives between the normal and auralized system. 

      We propose to study the effectiveness of auralization in network intrusion detection systems with the help of Snort. For this purpose we plan to use JListen to auralize the following events in Snort for the purpose of investigating the usage of auralization in these systems. 

1. Requests from a suspicious host or network
2. Requests for a non existing service
3. Packet holding suspicious payload data
4. Detection of trace route attempts
5. Number of Connection Requests exceeding Threshold value
6. ICMP Echo request
7. ICMP Timestamp request
8. TCP packet with zero flags set called NULL packet
9. TCP packet with all flags set called XMAS packet
10. TCP packet with SYN&FIN flag set
11. Detection of denial of Service attacks
12. Detection of a non-standard protocol or event
13. Attempted Administrator Privilege Gain
14. Attempted User Privilege Gain
15. Successful Administrator Privilege Gain
16. Successful User Privilege Gain

 

      The experiment shall be conducted with the aforementioned auralization points. The first phase of experiment includes the development of modules to simulate attacks in the network. The second phase shall include the auralization of Snort and the determination of effectiveness of auralization in Snort with the feedback given by the subjects. 

3.3 Data Analysis

      The scores given by the students through questionnaire will be used as experimental data. The difference in scores will help to measure the effectiveness of auralization in Intrusion Detection System.

 

4. Tasks Completed

Serial Number	Tasks
1	Preparation of Snort for Experimentation
2	Proper implementation of atrack in JListen
3	Recursive function call auralization
4	Auralization of methods with support for polymorphism
5	Identification of Auralization Events in Snort
6	Creation of MIDI files for the recorded programs

 

5. Plan of Work

Serial Number	Tasks	Deadline
1	Updating JListen with all the following features required for experimentation 1.Loop body auralization       For_body_begin, For_body_end, while_body_begin,         while_body_end, if_body_begin, if_body_end 2. Parameterized auralization 3. Exceptions 4.  Static Blocks	22/3/2004
2	Development of modules to simulate attacks in the network or in a system	7/4/2004
3	Auralization of Snort and Experimental determination of auralization usability in Snort	20/4/2004
4	Submission of the proposed work	30/4/2004

 

 

6. References

 

[1] D. Boardman, G. Greene, V. Khandelwal, and A. P. Mathur, “LISTEN: A Tool to Investigate the Use of Sound for the Analysis of Program Behavior”, In Proceedings of the 19th Annual International Computer Software and Applications Conference (COMPSAC '95), Dallas, TX, pages 184-193 , August 1995. IEEE Press 

[2] Julia Allen et al, “State of the Practice of Intrusion Detection Technologies”, Carnegie Mellon Software Engineering Institute, Pittsburg, Jan. 2000. 

[3] Martin Roesch et al, “Snort, A lightweight Intrusion Detection System”, http://www.snort.org  

[4] Steve McCanne et al,"Packet capturing library,” Lawrence Berkeley National Laboratory, ftp://www.ee.lbl.gov/libpcap.tar.Z