Data security in e-business using intrusion signature analysis.

Data security in e-business using intrusion signature analysis.
ABSTRACT - Data security is becoming one of the most serious problem threaten e-business
activity. Most people still worry about their personal information, especially their financial data
can be exposed to those computer criminal. Signature analysis system is the system that can help
detecting known attacking signature by detecting IP packet travel into the system. If any of the
packet match the database of the known attacking signature, the system should then alert the
administrator by e-mail or short message service (SMS) directly into administrator’s mobile
phone, to help them tackle security problem as soon as it happen. The detail of suspected IP
packet also written to relational database system for later analyze. This study conduct by using
all free open source software on Linux system machine.
KEY WORDS - Signature analysis, Security, Hack, Crack, Intrusion Detection.
บทคัดย่อ – ความปลอดภัยของข้อมูลสิ่งซึ่งมีความสำ คัญและเป็นปัจจัยสำ คัญที่ส่งผล
กระทบโดยตรงต่อกิจกรรมธุรกิจทางอิเลคทรอนิคส์ ผู้คนส่วนใหญ่ยังคงมีความกังวล
เกี่ยวกับข้อมูลส่วนตัวของตนเอง โดยเฉพาะอย่างยิ่งข้อมูลทางด้านการเงินอาจรั่วไหล
ไปสูเ่ หล่าอาชญากรทางอิเลคทรอนิคส์ได้ ระบบการวิเคราะห์รูปลักษณะการบุกรุก เป็น
ระบบที่จะสามารถช่วยในการตรวจจับการบุกรุกทางเครือข่ายโดยเทคนิคการตรวจสอบ
ชุดข้อมูล IP ที่เดินทางผ่านเข้ามายังระบบ ซึ่งหากตรวจพบแล้วก็จะทำ การแจ้งเตือนไป
ยังผูบ้ ริหารระบบโดยทางจดหมายอิเลคทรอนิคส์หรือทางบริการข้อความสั้น (SMS) ไป
ยังเครื่องโทรศัพท์เคลื่อนที่ของผู้บริหารระบบให้สามารถเข้ามาแก้ไขปัญหาที่เกิดขึ้นได้
ทันท่วงที รายละเอียดของชุดข้อมูล IP ที่ต้องสงสัยนั้น ก็จะถูกบันทึกลงในฐานข้อมูล
เชิงสัมพันธ์ เพื่อให้สามารถทำ การวิเคราะห์รายละเอียดเพิ่มเติมในภายหลังได้ต่อไป ใน
งานวิจัยครั้งนี้ทำ การศึกษาโดยใช้ซอฟต์แวร์แบบเปิดเผยรหัสชนิดให้เปล่าบนระบบ
ปฏิบัติการลินุกซ์
คำ สำ คัญ – การบุกรุกทางเครือข่าย, การตรวจจับการบุกรุก, ชุดข้อมูล IP
1. Introduction
Nowadays computer network security becoming more and more important issues. As all of the
computer become connected through local or wide area network or even the Internet. Business
organization use the network as part of the business strategy to become the advantage over their
competitors. And the network itself can become threaten to their computer system. Their valuable IT
resources can be threaten by various type of security. This study will be conduct by using Linux
machine act as Intranet server , installing necessary software to work in the manner design by
researcher. The Signature Analysis System can be used efficiently with other security tools especially
the well known firewall system.
2. Scope of this study
Scope of this study will be on the TCP/IP protocol suite. As TCP/IP is becoming world’s
standard protocol used in both small and large network. TCP/IP is also base system for many
important services available on the Internet such as www, ftp, e-mail etc. The system developed in
this study will capture all IP datagram comparing to the known pattern of attacking. If the pattern is
matched, the alert subsystem will work by sending e-mail to the administrator and short message
service (SMS). The detail of the IP suspected datagram will also keep into the relational database
system, namely Postgresql for later query the detail of the attacking.
3. Objective of the study.
Objective of this study is to
• Study the problem of computer network security
• Study the system currently available security system from various research system and
commercial security system.
• Analysis and design security system that can alert the network administrator through the e-mail
and SMS.
• Presenting an appropriate practice to maintain security of the system which can be easily
followed and can be really used.
4. Computer Network Security.
Computer Network Security can be classified into 4 categories [1]
• Secrecy is the practice to keep the data secret and will only be accessible by authorized person.
• Authentication concerning process to prove that the person or process being communicate with is
the real person or process they told.
• Nonrepudiation is the protection against denial of any responsibility , concerning signature which
will prove that the person or client is the one that is desirable. Also this will prove to make sure
that the received message is not from the malicious intention.
• Integrity control is the control the correctiveness of message to be as it was supposed to be
such as sending registered mail or the encryption of data using password.
5. Person who can be dangerous.
Person threaten to computer network security can be classify into [2].
5.1 Hackers
The generic term applies to computer enthusiasts who take pleasure in gaining access to other
people’s computer or networks. Many hackers are content with simply breaking in and leaving their
“footprints”, which are joke applications or messages on computer desktops. Other hackers, often
referred to as “crackers” are more malicious, crashing entire computer system, stealing or damaging
confidential data, defacing Web pages, and ultimately disrupting business. Some amateur hackers
merely locate hacking tools online and deploy them without much understanding of how they work or
their effects.
5.2 Unaware Staff
As employees focus on their specific job duties, they often overlook standard network security
rules. For example, they might choose passwords that are very simple to remember so that they can
log on to their network easily. However, such passwords might be easy to guess or crack by hackers
using simple common sense or widely available password cracking software utility. Employees can
unconsciously cause other security breaches including the accidental contraction and spreading of
computer viruses. One of the most common ways to pick up a virusis from a floppy disk or by
downloading files from the Internet. Employees who transport data via floppy disks can unwittingly
infect their corporate networks with viruses they picked up from computers in copy centers or
libraries. They might not even know if viruses are resident on their PCs. Corporations also face the risk
of infection when employees download files, such as PowerPoint presentations, from the Internet.
Surprisingly, companies must also be wary of human error Employees, whether they are computer
novices or computer savvy, can make such mistakes as erroneously installing virus protection software
or accidentally overlooking warnings regarding security threats.
5.3 Disgruntled Staff
Far more unsettling than the prospect of employee error causing harm to a network is the
potential for an angry or vengeful staff member to inflict damage. Angry employees, often those who
have been reprimanded, fired, or laid off, might vindictively infect their corporate networks with
viruses or intentionally delete crucial files. This group is especially dangerous because it is usually far
more aware of the network, the value of the information within it, where high-priority information is
located, and the safeguards protecting it.
5.4 Snoops
Whether content or disgruntled, some employees might also be curious or mischievous.
Employees known as "snoops" partake in corporate espionage, gaining unauthorized access to
confidential data in order to provide competitors with otherwise inaccessible information. Others are
simply satisfying their personal curiosities by accessing private information, such as financial data, a
romantic e-mail correspondence between coworkers, or the salary of a colleague. Some of these
activities might be relatively harmless, but others, such as previewing private financial, patient, or
human resources data, are far more serious, can be damaging to reputations, and can cause financial
liability for a company.
6. Proposed Signature Analysis System Design.
The Signature Analysis System required by this study is the system that can monitor any
suspected intrusion attempted by capturing all IP packet running within the monitored system. if any
of the IP packet in the system have been founded containing the known signature, this should be
assumed to be an intrusion attempt has occured. The system will alert system administrator by e-mail
and/or short message service (SMS). The detail of the intrusion activities such as activity type, IP
address, date and time of occurrence will also keep into relational database system for later detail
investigation. Design of this system fall into 8 subsystem. (figure 1)
Intrusion
Detection
Subsystem
(Snort)
Linux’s System
logger
(syslogd)
Relational Database
System
(Postgresql)
Incident
Analysis Tools
(ACID)
www Services
(Apache + PHP)
Log file checking
subsystem.
(Logcheck)
SMS
Sending
Subsystem
(smsd)
E-mail Sending
Subsystem
(sendmail)
Any changed in alert file
Figure 1- Illustrate all major subsystem of the Network Intrusion Detection System
6.1 Intrusion Detection Subsystem.
Main part of the system which function is to capture all IP datagram running within the
monitored system (packet originated both from inside or outside the enterprise network should be
captured) and analyze content of the datagram. Comparing datagram with database of intrusion
signature, if found it will put all the detail of the datagram to database subsystem (Postgresql).
Moreover the brief detail of the intrusion activity will also send to system logger daemon
(syslogd).
This subsystem is implemented using lightweight network intrusion detection system called
Snort. Snort has been created by Martin Roesch which based on the libpcap packet capture
library, commonly used in may TCP/IP traffic sniffers and analyzers. It can perform protocol
analysis, content searching/matching, and can be used to detect a variety of attacks and probes,
such as buffer overflow, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts,
and much more.
Snort use database of known attacking pattern, also known as signature which came from
various source to create rules. Information about Intrusion signature came from web site that
specialize in security. User can create their own rule based on the known attacking signature.
6.2 Relational Database Subsystem.
The database subsystem will function as main storage area of the system where the
Intrusion Detection Subsystem send all detail captured to. The system administrator can use the
database as the main source where they can trace back to the activities that had happen to their
system and may used as source where they can trace back to the origin of the intruder.
6.3 Incident Analysis Tools
Data collected in the database may be large and hard to analyze. To make analysis of the
data not a tedious job a subsystem is needed. Analysis Console for Incident Databases (ACIS) was
chose. The subsystem is PHP-based analysis tool that can help analysis of the data much more
efficient.
6.4 WWW services subsystem.
This subsystem is function as a main interface for system administrator so that they can use
their web browser to query for further detailed. This subsystem work in accordance with prior
subsystem.
6.5 System Logger.
System logger is common process that exist in major operating system. In this study the
system logger of Linux (syslogd) was used as starting point of alerting subsystem by create log
file and write any alert data received from Intrusion Detection Subsystem to this file.
6.6 Logfile Cheking Subsystem.
This subsystem’s function is to checking for any changed in the alert log file, any changed
in the log file will activate another two subsystem to alert system administrator.
6.7 Mail Sending Subsystem.
Sending alert through e-mail is one major alerting mechanism in this study. Alerting through
e-mail can give moderate detail of the event. Sendmail is activated whenever the logfile
checking mechanism found any change in the alert log file.
6.8 SMS Sending Subsystem.
This subsystem responsible in communication with GSM digital mobile phone system using
AT command. The system also activate by log file checking mechanism. Major advantage of this
subsystem is that it can send alert message as soon as the intrusion occurred. However the major
drawback of this subsystem is the limited amount of data that can be send at a time.
7. System Implementation and Testing Result.
Signature Analysis System developed in this study has been tested on Linux based Internet
/Intranet Server of 50 clients. The server connect to Internet through two interfaces one is
Ethernet which link to Bangkok headoffice through Satellite communication. The other interface is
dial-up modem connected to Internet Service Provider as a backup channel. The system normally
served as proxy-cache server, DNS server, FTP server, Intranet Web Server. After installing all
required subsystem and making necessary configuration, It can detect many intrusion attempted
both by technical staff who want to test the system and by the real intrusion attempted by staff
from other department. Testing of the system has been done by using tools and some technique
of the well known intrusion attempts and try to break into the Linux Server. The system can send
alert to system administrator both by e-mail and SMS. However some limitation of the system is
7.1 The system developed in this study use all separated free open-source software set up to work
together so the configuration of the whole system is quite tedious and need the understanding all
that component’s configuration.
7.2 The alerting mechanism, if not properly configure can send lots of message to administration
and become a e-mail bomb or sms bomb itself.
7.3 System administrator should always keep the database of signature up-to-date so that it can
detected the most recent technique of intrusion.
8. Conclusion
Signature Analysis System is one major that tool that should be implemented by all
organization interest in e-business activities. As security is the most important issue that can cause
customers or trade partners to be uncertain of their electronics activities. The common used
security tools is firewall which act like security guard that checking any data coming in and out of the
system, if the data coming in or out pass the rules specified by firewall administrator it can go in and
out of the system regardless of what activity that data should effect the system. The Signature
Analysis System on the other hand, is like surveillance system that keep an eye on all activity within a
system regardless of the origin of the activity, if found any suspected activity it will log and alert the
system administrator or even stop related process. Working together of both tools can help improve
the system security.
References
[1] Prasong Praneetpolgrang, Management Information System, Thanathach Press, Bangkok, 2000,pp
447-448
[2] Graham,Robert. , FAQ : Network Intrusion Detection Systems , ,[Online] Available
http://www.robertgraham.com/ pubs/network-intrusion-detection.html [ September 2, 2001]
[3] Frederick, Karen. (2001, March 28 – last update) Network Monitoring for Intrusion Detection
[Online] Available http://www.securityfocus.com/focus/ids/ articles/networmon.html [ September
2, 2001]
[4] Frederick, Karen. (2000, October 13 - last update) Abnormal IP Packets [Online] Available
http://www.securityfocus.com/focus/ids/articles/abnormal1.html [September 2, 2001]
[5] Elson, David. (2000, March 27 - last update) Intrusion Detection, Theory and Practice [Online]
Available http://www.securityfocus.com/focus/ids/articles/ davidelson.html [ September 2, 2001]
[6]. Elson, David (2000, May 22 -last update) Intrusion Detection on Linux [Online] Available
http://www.securityfocus.com/focus/ids/articles/linux-ids.html [September 2, 2001]
[7] MacBride, Robert. (2000, April 6 -last update) Intrusion Detection : Filling in the Gaps [Online]
Available http://www.securityfocus.com/focus/ids/articles/ robmacbride.html [ September 2, 2001]
[8] Cisco Systems ( 2001 ) A Beginner’s guide to Network Security[Online] Available
http://www.cisco.com/warp/public/cc/so/neso/sqso/beggu_pl.pdf [ September 9, 2001]
[9]. Enterprise Management Associates . ( 2000, May ) An Introduction to Network Security ,[Online]
http://www.solsoft.com/library/ema_whitepapers.pdf [ September 9, 2001]
[10]. Jai Sundar Balasubramaniyan, et al. ( 1998, June 11 ) An Architecture for intrusion Detection
using Autonomous Agents. Center for Education and Research in Information Assurance and
Security, Purdue University. [Online] Available
http://www.cerias.purdue.edu/homes/aafid/docs/tr9805.pdf [ September 9, 2001]
[11] Lee, Wenke ,et al. A Data Mining Framework for building Intrusion Detection Model. Computer
Science Department, Columbia University. [Online] Available
http://www.snort.org/docs/ieee_sp99_lee.ps [ September 9, 2001]
[12] Brandenburg University of Technology at Cottbus. The Intrusion Detection System AID. [Online]
Available http://www-rnks.informatik.tu-cottbus.de/~sobirey/aid.e.html [September 9, 2001]