Auralization of Intrusion Detection System using JListen
DISSERTATION
Submitted in partial fulfillment of the requirements of
BITS G629T
Dissertation
By
Gopinath M C
1998HS12176
Under the Supervision of
Prof. K.Venkatasubramainan
Assistant Dean, Distance Learning Programme Division
Birla Institute of Technology and Science
Pilani, India
Under the Guidance of
Prof Aditya P Mathur
Department of Computer Science
Purdue University
West Lafayette, IN, USA
BIRLA INSTITUTE OF TECHNOLOGY AND SCIENCE
PILANI (RAJASTHAN), INDIA.
March, 2004
Table of Contents
1. Introduction
Intrusion detection is one of the key components of the network management function. An intrusion detection system (IDS) examines a host or a network to identify possible intrusions or attacks. It can be either network based or host based; network-based systems are the more common. Network-based intrusion detection systems examine all the packets flowing through the network for signs of attacks, while host-based systems look at user and process activity on the local machine for signs of intrusions.
Signature-based analysis is used in most intrusion detection systems. These systems detect attacks by pattern matching, so detecting all attacks requires prior knowledge of all possible intrusion patterns. In practice, legitimate requests also tend to match the signatures available to the intrusion detection system, which leads existing systems to generate false positives. These false positives tend to deny operations requested by legitimate users or processes. To minimize such occurrences, early detection of false positives is needed; the network administrator can achieve it through frequent manual review of the logs generated by the intrusion detection system. Early warning or detection of intrusions also helps avert damage to the network, and manual intrusion detection [2] can effectively support such early warning.
Frequent review of logs minimizes the false positives of the IDS. Early warnings also help the administrator update the IDS signatures to prevent false negatives. Though log review is an offline activity, we believe that it can be performed in real time, at appropriate intervals, with the help of sounds. Whenever (likely) intrusions occur, appropriate aural signaling of the malicious activity would prompt the network administrator to review the logs. This can be done by auralizing the intrusion detection system.
The goal of this work is to investigate how useful auralization is in improving the accuracy of intrusion detection systems. This report gives a brief summary of JListen and the list of auralization points considered in Snort, the intrusion detection system we have selected for experimentation using JListen.
2. Background
Auralization, or Sonification, is defined as the use of non-speech audio to convey information. Auralization of programs maps various events or points during program execution to sound signals.
Auralization is intended to allow program monitoring from a different perspective with the help of sounds. Listen/C [1] is a tool that auralizes programs written in C in order to understand their run-time behavior. Each programming construct is mapped to a particular set of sound patterns, and the mapping between events and sound patterns is specified in the Listen Specification Language (LSL). When executed, the auralized programs generate sound calls that enable the programmer or user to monitor the program's behavior.
JListen is an open source tool to auralize Java programs, based on Listen/C. It is a distributed, versatile (easily configurable) and portable system. The architecture of JListen consists of three components: the Instrumentor, the Configuration Server and the Listener.
The user specifies the Java programs that need to be auralized along with a set of event-sound mappings. The program is then instrumented with the aid of the Instrumentor. The instrumented program is registered with a central server component called the Configuration Server, which maintains the details of the registered auralized programs, that is, their lists of event-sound mappings. Users interested in listening to auralized programs must also register with the Configuration Server; these registered users, or nodes, are known as Listeners. When an instrumented program is executed, it sends sound signals to the Configuration Server, which in turn multicasts them to the Listeners registered for that particular program.
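The pipeline described above, modelled in miniature as an added example (this is illustrative Python written for this page, not JListen's own code): a decorator plays the role of the Instrumentor and turns method entry and exit into auralization points, a ConfigurationServer holds each program's event-sound mapping and multicasts sound events only to the Listeners registered for that program, and a Listener collects what it receives. The program name "factorial", the MIDI note numbers, the instrument names and the rule that recursion depth raises the pitch are assumptions made for the example; a real Listener would drive a MIDI synthesizer rather than append to a list.

```python
"""Miniature model of the JListen pipeline (added example, not JListen code)."""
from dataclasses import dataclass
from functools import wraps


@dataclass(frozen=True)
class SoundEvent:
    program: str
    event: str        # auralization point, e.g. "method_begin"
    note: int         # MIDI note number 0..127
    instrument: str   # assumed General MIDI instrument name


class ConfigurationServer:
    """Registry of instrumented programs and of the listeners subscribed to them."""

    def __init__(self):
        self._mappings = {}    # program -> {event: (note, instrument)}
        self._listeners = {}   # program -> [callable(SoundEvent)]

    def register_program(self, program, mappings):
        self._mappings[program] = dict(mappings)
        self._listeners.setdefault(program, [])

    def register_listener(self, program, listener):
        if program not in self._mappings:
            raise KeyError(f"unknown program {program!r}")
        self._listeners[program].append(listener)

    def emit(self, program, event, depth=0):
        """Resolve an event to its sound and multicast it to the program's listeners.

        Assumed rule for the example: each level of recursion depth raises the
        pitch by one semitone so nested calls are audible.
        """
        note, instrument = self._mappings[program][event]
        sound = SoundEvent(program, event, min(127, note + depth), instrument)
        for listener in self._listeners[program]:
            listener(sound)
        return sound


class Listener:
    """Collects sound events; a real listener would play them on a synthesizer."""

    def __init__(self):
        self.received = []

    def __call__(self, sound):
        self.received.append(sound)


def instrument(server, program):
    """Instrumentor: wrap a function so its entry and exit become auralization points."""
    def decorate(func):
        depth = [0]  # current call depth of this decorated function

        @wraps(func)
        def wrapper(*args, **kwargs):
            server.emit(program, "method_begin", depth[0])
            depth[0] += 1
            try:
                return func(*args, **kwargs)
            finally:
                depth[0] -= 1
                server.emit(program, "method_end", depth[0])
        return wrapper
    return decorate


def demo():
    """Auralize a recursive factorial; returns its result and the sounds heard."""
    server = ConfigurationServer()
    # Constructed event-sound mapping for a program named "factorial".
    server.register_program("factorial", {
        "method_begin": (60, "Acoustic Grand Piano"),
        "method_end": (48, "Acoustic Grand Piano"),
    })
    listener = Listener()
    server.register_listener("factorial", listener)

    @instrument(server, "factorial")
    def factorial(n):
        return 1 if n <= 1 else n * factorial(n - 1)

    return factorial(4), listener.received


if __name__ == "__main__":
    result, sounds = demo()
    print(result, [(s.event, s.note) for s in sounds])
```

Running the block plays four rising "method_begin" notes followed by four falling "method_end" notes, which is the audible shape of a recursive call stack unwinding.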
The features of the JListen components are briefly summarized below.
2.1 Instrumentor
This component is used to instrument the Java program. It has the following features:
2.2 Configuration Server
This component acts as a central server for the instrumented program and the Listener. Its features include:
2.3 Listener
This component aids in the generation of musical output based on the set of events sent by the Configuration Server. The Listener has the following features:
In JListen, the following constructs in a Java program can be decorated with the aid of the Instrumentor. The auralization points could be:
3. Experimental Design for the auralization of Snort
Network intrusion detection systems (NIDS) are an important part of any network security architecture. They provide a layer of defense that monitors network traffic for predefined suspicious activity or patterns and alerts system administrators when potentially hostile traffic is detected. Snort [3] is a libpcap-based [4] packet sniffer and logger that can be used as a NIDS. It features rule-based logging to perform content pattern matching and detects a variety of attacks and probes, such as buffer overflows and stealth port scans. It also has real-time alerting capability, with alerts being sent to syslog.
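Because Snort's alerts reach syslog as text, the aural signaling proposed in the Introduction can be prototyped on the alert stream itself. The following Python program is an added example (not Snort's or JListen's code): it parses alert bodies laid out in the way Snort writes them to syslog (rule id, message, classification, priority, protocol and endpoints), picks a pitch from the priority and an instrument from the protocol, and accents the note when one source address produces a burst of alerts within a short window, which is the moment the administrator should open the logs. The event-sound table, the burst threshold and all sample lines are constructed for the example.

```python
"""Mapping Snort-style syslog alerts to sound events (added example; not Snort/JListen code)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Alert body layout assumed for this example (syslog prefix already stripped):
# [gid:sid:rev] message [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"\[Classification:\s*(?P<cls>[^\]]+)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Constructed event-sound mapping in the spirit of an LSL table.
PRIORITY_NOTE = {1: 84, 2: 72, 3: 60, 4: 48}   # higher priority -> higher pitch
PROTO_INSTRUMENT = {"TCP": "Trumpet", "UDP": "Clarinet", "ICMP": "Timpani"}
DEFAULT_INSTRUMENT = "Acoustic Grand Piano"
BURST_WINDOW = 5.0  # seconds
BURST_COUNT = 3     # alerts from one source inside the window -> accented note


@dataclass(frozen=True)
class Alert:
    ts: float
    sid: int
    msg: str
    classification: str
    priority: int
    proto: str
    src: str
    dst: str


@dataclass(frozen=True)
class Note:
    ts: float
    pitch: int
    instrument: str
    velocity: int   # 100 normally, 127 when the burst accent applies
    sid: int


def parse_alert(ts, line):
    """Parse one alert body; returns None for non-alert lines such as startup messages."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return Alert(ts, int(m["sid"]), m["msg"], m["cls"].strip(), int(m["prio"]),
                 m["proto"].upper(), m["src"], m["dst"])


class Auralizer:
    """Turns alerts into notes and accents bursts from a single source address."""

    def __init__(self):
        self._recent = defaultdict(list)  # src -> alert timestamps inside the window

    def sonify(self, alert):
        window = self._recent[alert.src]
        window.append(alert.ts)
        window[:] = [t for t in window if alert.ts - t <= BURST_WINDOW]
        accent = len(window) >= BURST_COUNT
        return Note(alert.ts,
                    PRIORITY_NOTE.get(alert.priority, 36),
                    PROTO_INSTRUMENT.get(alert.proto, DEFAULT_INSTRUMENT),
                    127 if accent else 100,
                    alert.sid)


def auralize_log(records):
    """records: iterable of (timestamp_seconds, alert_body). Returns the notes to play."""
    aur = Auralizer()
    notes = []
    for ts, line in records:
        alert = parse_alert(ts, line)
        if alert is not None:
            notes.append(aur.sonify(alert))
    return notes


# Constructed sample records; addresses are from documentation ranges.
SAMPLE_LOG = [
    (0.0, "[1:1000001:1] (portscan) TCP Portscan [Classification: Attempted Information Leak] "
          "[Priority: 2] {TCP} 192.0.2.10:40000 -> 198.51.100.5:22"),
    (1.0, "Initializing rule chains..."),
    (1.5, "[1:1000002:1] ICMP PING [Classification: Misc activity] [Priority: 3] "
          "{ICMP} 192.0.2.10 -> 198.51.100.5"),
    (2.0, "[1:1000003:2] WEB-ATTACKS /bin/sh access [Classification: Web Application Attack] "
          "[Priority: 1] {TCP} 192.0.2.10:40001 -> 198.51.100.7:80"),
    (30.0, "[1:1000002:1] ICMP PING [Classification: Misc activity] [Priority: 3] "
           "{ICMP} 192.0.2.20 -> 198.51.100.5"),
]

if __name__ == "__main__":
    for n in auralize_log(SAMPLE_LOG):
        print(f"t={n.ts:5.1f}s sid={n.sid} {n.instrument:<20} pitch={n.pitch} vel={n.velocity}")
```

The third alert in the sample is the one that gets the accent: it is the third event from 192.0.2.10 inside five seconds, so the listener hears the high trumpet note louder and knows which log region to review. The lone ICMP ping at t=30 from a different host stays quiet, which is the behaviour wanted for an isolated, probably benign, event.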
3.1 Hypothesis
3.2 Experimental Procedure
The hypothesis can be tested by comparing the user's ability to identify false positives and false negatives with the normal and with the auralized system. The subjects considered for experimentation would include students with knowledge of network security. A questionnaire will be given to the students to evaluate the timeliness with which false positives and false negatives are identified on the normal and on the auralized system.
We propose to study the effectiveness of auralization in network intrusion detection systems with the help of Snort. For this purpose we plan to use JListen to auralize the following events in Snort:
The experiment shall be conducted with the aforementioned auralization points. The first phase of the experiment includes the development of modules to simulate attacks in the network. The second phase shall include the auralization of Snort and the determination of the effectiveness of auralization in Snort from the feedback given by the subjects.
3.3 Data Analysis
The scores given by the students through the questionnaire will be used as experimental data. The difference in scores will help to measure the effectiveness of auralization in the intrusion detection system.
4. Tasks Completed
Serial Number | Tasks |
1 | Preparation of Snort for Experimentation |
2 | Proper implementation of atrack in JListen |
3 | Recursive function call auralization |
4 | Auralization of methods with support for polymorphism |
5 | Identification of Auralization Events in Snort |
6 | Creation of MIDI files for the recorded programs |
5. Plan of Work
Serial Number | Tasks | Deadline |
1 | Updating JListen with all the following features required for experimentation: (1) loop body auralization (For_body_begin, For_body_end, while_body_begin, while_body_end, if_body_begin, if_body_end); (2) parameterized auralization; (3) exceptions; (4) static blocks | 22/3/2004 |
2 | Development of modules to simulate attacks in the network or in a system | 7/4/2004 |
3 | Auralization of Snort and experimental determination of auralization usability in Snort | 20/4/2004 |
4 | Submission of the proposed work | 30/4/2004 |
6. References
[1] D. Boardman, G. Greene, V. Khandelwal, and A. P. Mathur, “LISTEN: A Tool to Investigate the Use of Sound for the Analysis of Program Behavior”, in Proceedings of the 19th Annual International Computer Software and Applications Conference (COMPSAC '95), Dallas, TX, pages 184-193, August 1995. IEEE Press.
[2] Julia Allen et al., “State of the Practice of Intrusion Detection Technologies”, Carnegie Mellon Software Engineering Institute, Pittsburgh, Jan. 2000.
[3] Martin Roesch et al., “Snort, A Lightweight Intrusion Detection System”, http://www.snort.org
[4] Steve McCanne et al., “Packet capturing library”, Lawrence Berkeley National Laboratory, ftp://www.ee.lbl.gov/libpcap.tar.Z