Enhanced network intrusion detection in a smart enterprise
Ricci Ieong, James Pang
The Hong Kong University of Science & Technology,
Clear Water Bay, Kowloon, Hong Kong
Email: ricci, firstname.lastname@example.org
2nd October 1998
In this electronic commerce era, more and more companies are using their Intranet and Extranet as the media for confidential transactions. In the old days, computer systems were standalone machines and resources were confined within a single system. Later, when people understood the benefit of resource sharing, computer systems were connected together. These networked systems grew rapidly and evolved into large networked environments.
Worldwide enterprises certainly need a networked environment; for instance, reports and databases are made available for sharing all over the world. This makes it difficult to maintain a coordinated user account database. Moreover, it also complicates protecting the network from intruders, especially when implementing an anomaly intrusion detection system.
Within an enterprise network, usability is as important as security, and there is always a trade-off between the two. At one extreme, we may have a highly secured, well-protected environment, but such a system is usually inflexible, difficult to implement and difficult to use. As a hypothetical example, every user might be required to use three different passwords for logon, which is extremely inconvenient for a normal user. At the other extreme, we may have a system that is very flexible and easy to implement and use but has low security; in that case any user could easily obtain confidential network information from a networked machine. Therefore both security and usability are important.
Various types of distributed authentication systems have already been developed and are available on the market, for instance password-based logon authentication, one-time passwords, access token-based authentication devices and smart card-based authentication systems. Among all these mechanisms, the smart card is the most promising technology. Not only does it act as a secure device for storing the user's password, it can even be programmed to generate responses when a random challenge is presented. As smart card development on the PC platform is being standardized, the use of smart cards in PCs for authentication will be the future direction.
As a smart card can accommodate multiple applications, extra functions can be added to the same card in addition to the authentication mechanism. To increase the security level of an enterprise system, we propose incorporating some elements of an intrusion detection system into a smart card.
In general, a total security system is composed of two protection modules: the prevention module and the detection module. The prevention module includes a firewall that filters out packets and requests. It also includes the system security policy, such as resource allocation, system security settings and the authentication process. The detection module requires either an experienced system administrator or an automatic intrusion detection system (IDS). The security level of the system also depends on how well these components are designed, tuned and integrated.
Hence, we propose a new approach to intrusion detection: the Smart KIDS system. It is an integrated solution of prevention and detection modules. Within the prevention module, the system security policy is stored inside a smart card. A user performs logon authentication simply by inserting his or her smart card into the smart card reader. Resource allocation information is stored in the smart card, and network access and resource allocation are restored automatically only when the user has successfully authenticated to the logon system. With this solution, illegal access can be prevented. Within the detection module, the smart card user profile recorder module is combined with the intrusion detection engine: the anomaly detection user profile is embedded in the authentication smart card.
1.1 Intrusion Detection System Basis
Traditional IDSs basically include statistical anomaly detection systems and rule-based detection systems. They are usually further categorized into two groups, misuse detection systems and anomaly detection systems.
The statistical approach involves collecting data related to the behavior of legitimate users over a period of time. Statistical analysis is then applied to the observed behavior to determine whether that behavior belongs to that user or not. If a discrepancy is identified, the network administrator is notified.
In the rule-based approach, an attempt is made to define a set of rules that can be used to decide whether a given behavior is that of an intruder.
In a misuse detection system, intruders' actions are identified by the illegal commands performed within the system. The statistical threshold detection approach involves defining thresholds for the legal and illegal activities a user can perform. It depends mainly on the frequency of occurrence of various events rather than on the behavior of the individual user.
Misuse rule-based penetration identification, in contrast, uses an expert system approach to search for suspicious behavior. All known suspected intruder actions are recorded and summarized as intrusion signatures, so whenever one of them is observed the appropriate action is determined.
In the anomaly detection stream of IDS, statistical anomaly detection is usually based on user profiles of user activity. The profile is built from the standard average activities of the individual account, derived from observed user behavior. It is assumed that users behave in a standard way when performing the same activity; whenever a user performs activities that differ from the normal actions summarized in the user profile, an alert or warning is issued.
In the rule-based anomaly detection approach, user behavior is also captured to develop the user profile. However, an expert system is used to provide the rules of the detection system rather than statistics, so intruders' actions are detected based on deviation from rules obtained from previous patterns.
Usually these anomaly detection types of IDS are localized to a specific network. For instance, in the statistical system, user profiles and statistical information are kept within the system, so its security rests on the common system database. In our new system, we concentrate on moving the user-related information into the smart card; for this reason the statistical anomaly detection and misuse threshold detection algorithms have been selected.
1.2 Smart card basis
In our system, the smart card is the core component of our approach. It is used for logon authentication to the computer network and for keeping the user environment profile and security profile. This credit card sized device is chosen for several reasons. First, it is portable: the user can carry it in a wallet and use it for authentication anywhere. Second, it is secure: because it has an onboard microprocessor, any data can be read only after proper authentication, and unauthorized access to the card causes the card to be deactivated [3, 4, 5, 14].
The card can carry not only a set of stored values and the encryption and authentication keys for one application, but can also hold multiple sets of data for multiple purposes in a secure way. With the adoption of Java Card [6, 8, 15] and MULTOS cards, programs can also be stored and executed on the card after the manufacturing stage. With the logic circuit and microprocessor embedded on the card, secure computation can be performed on the card.
As each card is personalized for its user, it becomes a personal identification device for that user. Unlike an authentication token device, users cannot authenticate using someone else's device. Though more cards have to be issued than authentication tokens, the cost is still less than that of other authentication mechanisms.
Although the smart card has many advantages, it is still not widely used on the market for several reasons. First of all, it still lacks standards. Even though smart cards are standardized by the ISO 7816 specifications, vendors are allowed to use their own sets of card-to-reader communication codes. As a result, smart card host-side application programs have to be tailor-made for individual card vendors.
Second, it lacks interesting software. Because the current uses of smart cards are mainly for storage, software and hardware vendors are not actively providing new software for disciplines other than authentication.
Third, the current initiative of the smart card industry, secure bank transactions, is not as widely accepted as expected. Initially, electronic commerce was thought to be one of the main uses of smart cards. However, because electronic commerce, especially the Secure Electronic Transaction (SET) protocol, is not widely accepted by the commercial world, smart card growth has been greatly reduced.
2 Design of Smart KIDS
The new approach we developed is based on a modified statistical anomaly detection system, and it also incorporates a threshold misuse detection system. Because current smart card development is mainly focused on the PC market, our prototype Smart KIDS system is based on the Microsoft Windows NT platform. An ISO 7816 standard contact CPU smart card is chosen, and the PC/SC smart card architecture, a standard jointly worked out by Schlumberger, Gemplus, Microsoft and other companies, is used.
Our prototype system involves the five standard modules of traditional intrusion detection systems. The audit log generator, which generates the audit event logs, is a standard unit in both Windows NT and Unix environments. The feature extractor filters the audit logs and obtains the required user and system activities.
The extracted user activity information is transferred to the user profile generator for user profile generation and storage. The extracted features are also passed to the intrusion detectors, where each feature is evaluated and its statistics are compared separately.
In a traditional IDS, user and system activities are usually kept within user profiles that are stored in a centralized system database. In the Smart KIDS system, these profiles are instead kept separately on individual user smart cards.
In the Smart KIDS system, the Smart KIDS control module is the unit between the user profile generator and the intrusion detector modules. By adding this unit to a traditional intrusion detection system, a statistical anomaly detection system can be made distributed. In other words, the Smart KIDS control module can be considered a plug-in module that converts a traditional statistical anomaly detection system into a Smart KIDS system.
2.2 Audit log generator and feature extraction modules
In our proposed system, the performance monitor and the event log generator, which are the audit event log generators in the Windows NT platform, collect the user and system activities. Features are selected based on their usefulness and availability: 20 user and system related features are selected from the audit logs. Five of these features concern system resource usage, five concern the time and daily usage of the registered user, and the remaining 10 concern the login and access data of users. These features were chosen because of their popularity [7, 8, 17].
These features are selected as an illustration; basically, any user or system activity that represents user behavior could be used.
2.3 Smart KIDS control module
The Smart KIDS control module is developed to handle several inter-related actions, which can be sub-divided into three main actions:
1) Generalizing clusters from statistics
2) Storing/retrieving cluster information to/from user's smart card
3) Regenerating cluster information
Within the cluster data calculation procedure, statistics of the cluster data, including the mean, variance and standard deviation, are calculated and kept in the smart card.
The card is used for holding static and dynamic user data as well as for logon authentication. Static data includes user personal information and company data. Network information can also be kept; it is used for network connection and establishing the routing table. In addition, some statistical threshold inputs are also held.
The dynamic user profile holds the summary of the statistical information of the selected features. After the user features, that is the user and system activity statistics, are collected from the audit log generators, they are calculated and kept in the dynamic user profile section of the card.
This profile data is modified and recalculated for each user session. After each feature is calculated, its mean and variance are recalculated and stored on the card again whenever the newly collected feature value is accepted.
2.4 Generalization and clustering mechanism
The clustering generalization procedure is used to summarize the user features from the selected audit features. Because of the limited storage size of the smart card, audit event logs cannot be kept on the card; only the analyzed and statistically compared audit features are kept there.
Similar to other IDSs, normal user behavior can be assumed to have patterns, so we analyze user behavior using statistical pattern recognition methods. In our prototype system, the K-means method is used. Later models will be developed based on the ISODATA method, a modified K-means algorithm. We will also investigate using the Kohonen map algorithm.
In the generalization procedure, all selected user and system activities are grouped and clustered. Each feature is clustered individually. The clustered feature is compared with the newly collected audit event information in order to generate new cluster data.
2.5 Detection mechanism
Based on the clustered mean and variance, the newly collected user and system activity feature is compared with the overall feature statistics.
The closest cluster is picked from the cluster list of that feature and the deviation from the mean value is calculated. If the user behavior lies between 2 and 3 standard deviations, which corresponds to less than 15% of the usual behavior, it is considered rare-case behavior and a warning message is issued.
When the difference between the newly detected event value and the standard cluster value is greater than three standard deviations, it is considered an abnormal action and a system alert is generated.
However, to cope with behavior changes or discrepancies in the training stage, manual modifications as well as a training acceptance policy have been added. Network administrators can use this mechanism to over-rule the original results.
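The control, clustering and detection steps of Sections 2.3 to 2.5, as an added Python example that is not code from the original paper or its prototype: one feature is summarized by K-means into per-cluster (count, mean, M2) records small enough to store on a card, a new observation is scored against its closest cluster with the 2 and 3 standard deviation thresholds, and only accepted observations (normal ones, or ones an administrator over-rules) are folded back into the stored mean and variance. The incremental (Welford) update, the 20-byte record layout and the sample values are assumptions of this example, not details from the paper.

```python
"""Per-feature user profile in the Smart KIDS style: each cluster is kept as
(n, mean, M2) so only a few numbers per cluster need to live on the card."""
from dataclasses import dataclass
import math
import struct

@dataclass
class Cluster:
    n: int        # observations folded into this cluster
    mean: float
    m2: float     # running sum of squared deviations (Welford); variance = m2 / n

    @property
    def stddev(self) -> float:
        return math.sqrt(self.m2 / self.n) if self.n > 0 else 0.0

    def accept(self, x: float) -> None:
        """Fold one accepted observation into the stored mean/variance."""
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

def kmeans_1d(values, k, rounds=20):
    """Plain K-means on one scalar feature (the prototype's method); initial
    centres are evenly spaced quantiles of the sorted training values."""
    vals = sorted(values)
    centres = [vals[(i * len(vals)) // k] for i in range(k)]
    for _ in range(rounds):
        groups = [[] for _ in range(k)]
        for x in vals:
            groups[min(range(k), key=lambda i: abs(x - centres[i]))].append(x)
        updated = [sum(g) / len(g) if g else centres[i] for i, g in enumerate(groups)]
        if updated == centres:
            break
        centres = updated
    clusters = []
    for g in groups:
        if g:                      # an empty group yields no cluster record
            c = Cluster(0, 0.0, 0.0)
            for x in g:
                c.accept(x)
            clusters.append(c)
    return clusters

NORMAL, RARE, ABNORMAL = "normal", "rare", "abnormal"

def classify(clusters, x, floor=1e-9):
    """Closest cluster, then the 2-sigma (warning) / 3-sigma (alert) rule.
    A cluster with zero spread uses `floor`, so any deviation from it is flagged."""
    c = min(clusters, key=lambda c: abs(x - c.mean))
    z = abs(x - c.mean) / max(c.stddev, floor)
    if z > 3:
        return ABNORMAL, c
    if z >= 2:
        return RARE, c
    return NORMAL, c

def process_event(clusters, x, admin_accept=False):
    """Training-acceptance policy: only normal events, or events an administrator
    explicitly accepts (over-ruling the verdict), update the card-side statistics."""
    verdict, c = classify(clusters, x)
    if verdict == NORMAL or admin_accept:
        c.accept(x)
    return verdict

RECORD = "<Idd"   # (n, mean, m2): a 20-byte on-card record per cluster (assumed layout)
def pack_profile(clusters) -> bytes:
    return b"".join(struct.pack(RECORD, c.n, c.mean, c.m2) for c in clusters)

def unpack_profile(blob: bytes):
    size = struct.calcsize(RECORD)
    return [Cluster(*struct.unpack(RECORD, blob[i:i + size])) for i in range(0, len(blob), size)]

# Constructed sample for one feature (say, CPU seconds per session) from a training
# period in which the user has two habitual modes, one near 10 and one near 60.
SAMPLE = [8, 9, 10, 11, 12, 10, 9, 11, 58, 60, 62, 59, 61, 60, 60, 62]
```

Calling `kmeans_1d(SAMPLE, k=2)` yields clusters with means 10 and 60.25; against them a value of 13 is reported as rare (about 2.45 standard deviations from the low cluster) and 15 as abnormal, and neither is folded into the profile unless the administrator accepts it.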
3 Pros and Cons of this approach
3.1 Advantages of Smart KIDS
From a general viewpoint, the mechanisms used in Smart KIDS are similar to those of other intrusion detection systems, but prevention actions, such as the system policy used and the security level permitted, are integrated into the intrusion detection system and are all controlled by the user's smart card. As the smart card logon authentication system is integrated into the operating system, the same smart card can be involved in both the authentication and the detection procedure.
With Smart KIDS, a user of the networked enterprise machines can only be a valid, registered smart card holder. External users without valid registered smart cards are not granted any resources on the network. Besides, summarized user actions are recorded on the card, so intrusion actions of the user are audited and marked on the card as well as in the Smart KIDS system. All appropriate and inappropriate actions are kept on the card as part of the user's identity. No matter which machine the user logs on to, the Smart KIDS system is immediately notified of the user's "black listed" actions.
In addition, the statistical information of the clusters within each feature is stored in the smart card. As a result, a centralized database is not required to hold the summarized, analyzed cluster information. As the smart card is kept by the cardholder, the summarized personal behavioral information cannot be viewed even if the centralized database is hacked. Generally speaking, user private information kept in the smart card cannot be viewed offline even by the system administrator unless the user presents the card to the system administrator. Therefore user privacy can be ensured by the use of the smart card.
In addition, some basic intrusion actions, such as multiple logons and false password attempts, can be prevented by the use of the smart card. As each user is issued one smart card, the same user cannot log on to more than one machine on the network unless special permission is given by the local system administrator. Even if this special permission is given to the user, it is restricted to the local network, so he or she would not be able to log on as the same person over two different LANs.
Since false password attempts are prevented by the logon policy enforced on the smart card, intruders cannot use the same smart card for continuous false password attempts. Therefore some basic intrusion detection issues are solved automatically by using smart card technology.
Within the enterprise network environment, a distributed intrusion detection system is built by implementing the Smart KIDS system locally on individual computers. Because most of the user security information is captured in the user's smart card, which is isolated from the computer, any user can access any computer system in the distributed environment that has Smart KIDS installed. This ensures the effective use of the IDS across the distributed environment, even if the network is installed across an unreliable network connection.
When a traditional enterprise-level IDS is used, all computers are required to connect to a common centralized "user-profile" database in order to have unique descriptions of all users. With the use of smart cards, user information does not need to be synchronized immediately over the network. Each user's personal information is stored and carried in his or her own card. Therefore, whenever user logon authentication is performed, the personal information is transferred directly from the card to the local smart card reader. This greatly reduces the amount of user-related content transferred over the network, and hence the network bandwidth requirement.
3.2 Limitations of Smart KIDS
The Smart KIDS system is basically a modified version of a statistical anomaly detection system, so it shares the same advantages and limitations as traditional statistical anomaly detection systems. On one hand, the huge amount of resources required by a rule-based expert system and its database can be saved, as no rule-based mechanism is used. On the other hand, the rapid detection offered by a rule-based expert system cannot be employed in this system.
Besides, as all user information summaries must be kept in the smart card, the system is limited by the memory size of the card. Extra memory space cannot be added unless the card is redesigned and manufactured. Therefore some of the related data has to be generalized or even discarded, and data is lost through clustering. As a result, some of the user behavioral information may deviate from the original data.
4 Future directions and conclusion
In the near future, several implementations will be carried out. These include using the smart card in the logon system. Currently, Windows NT 5.0 already includes the smart card as a standard unit. The smart card can be used in logon authentication as the "logon key" of the computer. A user only needs to carry one smart card and remember one password to log in to any computer within the enterprise network, whether at home or in the office. Their resource configurations and user preferences can also be preserved.
Because the smart card can be used for both the logon authentication and intrusion detection mechanisms on the console or at a remote location, a user can connect through the network to the office from any location. As Smart KIDS is installed on the remote machines, the logon procedure can be carried out there. On-card challenge-response authentication and encryption mechanisms will be implemented as well. If this mechanism is performed on the card, a secure logon and communication channel will be ensured.
Furthermore, a digital certificate could be kept on the card as an authentication key for both logon and electronic commerce uses. In our current implementation we did not include digital certificates, as the size of a digital certificate is too large to be placed in our prototype smart card. However, as the use of digital certificates in Internet commerce and the memory size of smart cards increase, they should be adopted in the smart card system. Ultimately, the user behavior calculation procedure should be performed on the card as well, which would protect it from illegal modification or hacking on the machine.
Biometric authentication methods will be involved in the second stage. Though they are not widely accepted by the public as an authentication mechanism, many vendors have already developed fingerprint logon authentication modules.
In conclusion, the Smart KIDS system is a separate module within statistical anomaly detection; therefore this module could be integrated into other intrusion detection systems.
When the smart card enabled environment becomes a mature network structure, the use of smart cards in logon authentication and detection will become an integrated solution. By that time, the networked home and office will be both easy to use and easy to protect.
[1] Donald L. Pipkin, "Halting the Hacker: A Practical Guide to Computer Security", Prentice Hall PTR, Upper Saddle River, New Jersey, 1997
[2] Gemplus S.C.A., "Gemplus Previews Windows NT 5.0 Secure-Logon With Smart Cards At CardTech/SecurTech'98", http://www.gemplus.com/presse/1998/windows_nt5.htm, April 1998
[3] Gemplus S.C.A., "Smart Cards and the Internet"
[4] Gemplus S.C.A., "Smart Card Applications", http://www.gemplus.com/application.htm
[5] Gemplus S.C.A., "What is a Smart Card?", http://www.gemplus.com/welcome/what_is.htm
[6] Gemplus S.C.A., "Frequently Asked Questions: Java Card and GemXpresso RAD", https://store.gemplus.com/WebObjects/Gemplus.woa/Resources/Cache/GemXpresso_Whitepaper.htm, March 1998
[7] Internet Security Systems Inc., "Understanding the Risk", http://www.iss.net/prod/utr.html
[8] Internet Security Systems Inc., "Adaptive Security Model: A Model Solution - A Solution Model", http://www.iss.net/prod/asm-2_wp/asm-2_wp3002.html, June 1998
[9] Java Card, http://java.sun.com:80/products/javacard/index.html
[10] M. Crosbie and K. Price, "Intrusion Detection Systems", http://www.cs.purdue.edu/coast/intrusion-detection/ids.html
[11] Maosco Limited, "Multos Frequently Asked Questions", http://www.multos.com/500.html
[12] PC/SC Workgroup, "PC/SC Workgroup: Integrating PC's and Smart Cards", http://www.smartcardsys.com/
[13] B. Russ, "Microsoft Windows NT Resource Kit", Microsoft Press, Redmond, Washington, 1995
[14] Schlumberger Limited, "Smart Card Technology", http://www.slb.com/et/technology.html
[15] Schlumberger Limited, "Cyberflex 2.0 Multi 8K"
[16] SET Secure Electronic Transaction LLC, "SET Secure Electronic Transaction LLC", http://www.setco.org/
[17] W. Stallings, "Network and Internetwork Security: Principles and Practice", Prentice Hall, Englewood Cliffs, New Jersey 07632, 1994
[18] Charles W. Therrien, "Decision Estimation and Classification: An Introduction to Pattern Recognition and Related Topics", John Wiley and Sons, 1989