• Tidak ada hasil yang ditemukan

Welcome to ePrints Sriwijaya University - UNSRI Online Institutional Repository

N/A
N/A
Protected

Academic year: 2017

Membagikan "Welcome to ePrints Sriwijaya University - UNSRI Online Institutional Repository"

Copied!
5
0
0

Teks penuh

(1)

2010 2nd International Coference on Education Technoloy and Computer (ICET)

The Trends of Intrusion Prevention System Network

Deris Stiawan

Faculty of Computer Science, Sriwjaya University, Indonesia.

Faculty of Computer Science

&

Information System, Universiti

Abdul Hanan Abdullah

Faculty of Computer Science

&

Information System, Universiti Teknologi Malaysia.

[email protected]

Mohd. Yazid Idris

Faculty of Computer Science

&

Information System, Universiti Teknologi Malaysia.

[email protected] Teknologi Malaysia.

[email protected]

Abstract-In recent years, Intrusion Prevention System (IPS) have been widely implemented to prevent from suspicious threat. Unlike traditional Intrusion Detection System, IPS has additional features to secure computer network system. The additional features identifying and recognizing suspicious threat trigger alarm, event notiication, through responsible response. However, IPS has issues problem, which afect the utilized overall system.

In this paper we present the main challenging problem and steps to avoid that, such as (i) accuracy signature, (ii) the traic volume, (iii) topology design, (iv) quota usage logging, (v) protecting intrusion prevention system, (vii) monitoring sensor, and (viii) collaboration of UTM. Finally, as part of our enhancements, we explored the possibility of making framework to collaborate and integrated various technologies of defense system, we called Uniied Threat Management (UTM).

Kywords - Issued challenge of Intrusion revention, Colaboration efense syste, Unied Threat Management (UTM).

I. INTRODUCTION

Over the past few years, computer security has become a main issues, the increment number of trend and attack. he security issue can afect factor of the reliability (including perfomnce and availability) in intenetwork [14]. here is several vulnerabiliy system to attempted attacks rom the network, application or operating system. According to CSIIFBI survey [11], he compny business has dollar amount of loss by ype of attack. Meanwhile, to secure he system, the enteprise uses several technology securiy systems, and almost 69% of them use intrusion prevention to defense rom threat nd attack.

Inrusion prevention is a new approach system to defense networking systems, which combine he technique Irewall with the Inusion detection properly, which is proactive technique. Prevent the attacks rom entering he network by examining various data record and prevention demeanor of patten recognition sensor. When n attack is identiIed, inrusion prevention block and log the offending data. The primy IPS uses signature to identiy activiy in network raic and host perform detection on inbound - outbound packets nd would be to block hat activiy before he damage and access network resources.

Basically, to erly prediction and prevention suspicious hreat, there re two approaches, Host-based approach and Network-based approach [4],[7],[8],[10].

First,

Host-based approach : Host-based is curently popular technology, it is check for suspicious activity rom the host or operating system level, the monitoring location use the agent component, prevention earlier under level operating system, which is useul before the host reaching he target of attack. Provide intrusive his activity, unfortunately, which could produce numbers of alert and increase consumed of bandwidh, will afect performance computer utilize. Unfortunately, cnnot examine rafIc that doesn't allow.

Secon,

Network-based approach: focus on network, sniffmg nd identiying packet all inbound-outbound in out of he network. he combining Network-based wih other security component, provides an active comprehensive netwok securiy. Furhermore, the system does not require he system to be installed in evey node.

he rest of this paper is structured as follow. In section 2, we describe nalysis and identiy main issues of challenge in IPS. In section 3, we describe the literature fmding to shown our anticipation, and section 4 conclude the paper with of our results nd a discussion of uture work.

II. ANLYSIS

&

IDENTIFY

In this section, we proposed to describes a circumstnce issues in IPS, as following :

Figure

l. n

example of topology to describe issues challenge of intrusion prevention, with number (A) accuracy signature,

(8)

the traic volume, (C) topology design, (D) quota usage logging, (E) protected intrusion prevention, (F) monitoring sensor, (G) collaboration ofUTM.

A.

Signatures

(2)

20i 0 2nd international Coerence on Education Technoloy and Computer (ICET)

To detect suspicious threat, there re two approaches, Host­ based nd Network-based approach.

Signature is primy factor in intrusion prevention, identiy to fmd something and stop it must be distinct characteristics. Signature triggers, using trigger action which cn be applied atomic and stateul signature. here re three trigger mechanism, such as (i) patten prevention, (ii) nomaly-based prevention, (iii) behavior-based prevention [1],[4],[5]. he past research on using technique method with wavelet [1], and [2] present he technique a Hidden Mrkov Model (HM) to model sensor, [8] proposal the incremental-lening algorihm, [9] Present Patten-matching algorihm, and [10] proposed the atiicial immune algorithm.

Figure

2.

The sensor will trigger alert if identiy and recognized suspicious threat, which is alert waning true or false alarm. Meanwhile, event response can do logging, block, allow, deny.

IPS has a snif able to identiy all inbound-outbound packet data. he placements of Host-based nd Network­ based devices affect the accurately of sensor. he sensor produce alert, which is to identiy suspicious data and trigger alert if ofending data, a signature needs he trigger to recognize:

1. Patten-based Prevention : to identiy a speciic patten, to represent a textual or biny string. Patten prevention provide following mechanism, such as [4], [5] : (i) Patten Detection (Regex) : a Regex is a patten-matching language that enables to defmes a lexible custom search string nd patten, (ii) Deobuscation techniques [15] : focuses on obuscating the concrete syntax of the program. The idea is to prevent n attacker rom understanding the inner workings of a program by making the obuscated program, An example of this is chnging vriable names or renaming different variables in diferent scopes to the same identiier

2. Anomaly-based Prevention : is also sometimes as proile-based prevention, we must build proiles that obviously defmes what activity is considered normal activity, in igure 2, is a considered nomal, then

anything that deviates rom this normal proile generates trigger alert [2],[12]

3. Behavior-based Prevention, is similar to patten prevention, but tying to defme speciic pattens, the behavior defme classes of activity that are know to be suspicious [1],[6].

he Alert Generated by he sensor, which in the situation rigger of alam (valid and invalid but feasible) rom sensor, there re four alert generating, such as (i) he true negative, which in nomal user traic and no alarm generated, (ii) ue positive generate alm ater the attack traic, (iii) false negative will be silent no alm generated in attack traic, meanwhile, (iv) the false positive produce alert to identiy nomal activity raic , to reduce false positives alert is the main focus.

B.

Traic Volume

he second issues of IPS is traic volume, which is affect in sensor using of, where, the increasing of the bandwidh traic monitor will afect the overall utilizing perfomnce. We need to veriy actual amount of inbound­ outbound raic usage. n the igure 3, amount of raic affect because of network segments (enteprise or service provider) nd he number of the sensors placements, he mount of data which two interfaces fast Ethenet, will differ with four interfaces Gigabit Ethenet. his is due to real-time inbound-outbound traic data.

S""'e< Fa""

VLAN1

TGb'

_

(a)

_

---

--LAN ,

lAN2

Figure

3.

Example topology afect of traic volume, (a) service provider, (b) enterprise.

The conjunction with main issue, he perfomnce network will afect overall network utilization. his is importnt because any network node cn sufer a variey of problems, including hrdware faults. Report of error operating system, network devices produce broadcast nd consumed bndwidh. herefore, collisions will occur.

(3)

20i 0 2nd international Coference on Education Technoloy and Computer (ICET)

.

Design Topoloy

In his issue, we will identiy the access anywhere to conduct, thenore, we provide penission to connecting business ptner and remote telecommutes. he pupose defme location, as following,

First,

Inside: the usted side network monitoring,

Second,

Outside: the unrusted side network monitoring, however, the monitoring in outside will do inside nd DMZ, nd

Third,

DMZ : Demilitarization side, to identiy and monitoring detect server fan area.

here re two factor that will be affect,

First,

he sensor placement, and

Second,

the number of sensor. The sensor, recognize nd identiy suspicious data and trigger alert if identiy suspicious threat. Furthenore, the situation trigger of alan (valid or invalid but feasible) rom sensor to event response. Previous work introduced [7], the attempt to develop intrusion based on SNP, unforunately, SNMP based have problem that vulnerability MIB nd agent.

W�lel

0I0055fE54ooC9Df62 680 50 _d l E

0010 0 lC 14 5AC 14.0 P nY BCOEF 00 47 8 49 4A 46 4C 40 4E 4F 0 5152 3 4 5 6 GH,,INOORW

O05 IV� :FGHI

(i)

Oulside Inside

(ii)

(iii)

Figure

4.

The penetration suspicious threat, such as (i) Attack rom two sides, inside and outside (zombie, agent, scanning, shell inject, etc), (ii) attack which in attempt rom inside to DZ, and (iii) several user access to DZ, to penetration and interrogation system, while zombie to looding DZ.

D. Logging

The past researcher [15], proposed all system logs that stored in secured environment. Modules redundancy allows high reliability. Databases coniguration depends on signatures mount nd average update time.

In this issue, we evaluate challenges quota usage, there are mny log ile produce rom logging system, which conduce the lrge storages, logging data transaction, logging attacker traic, logging victim traic, logging incident record, logging incident notiication, logging summay report, logging failure report, etc.

From Figure 5, the problem is the capacity of media storages to accommodate it. Nevertheless, replication, backup nd elimination scheduling re a mechanism to eficiency and effective logging storages, which it the part of policy.

/

... . ·

·

·

·

·

·

·

· ·

. Wireless

.. .

... ... .

.

Internet

ISPB 20C-3

Figure

5.

Topology observation, which in Area A, we have produce logging ile

150

MB/s. The Intrusion Prevention system made produces large ile/sensor, with increasing the number of sensors and traic network. In Figure

5,

represent the observation our network, which bandwidth real­ time traic

135

Mbps with ISP A (three backbone with load balance). The network area A, will produce

150

MB/s log ile. Furthermore, we will capture the packet data transaction (lP, AC, source and destination) without capturing raw dataset.

.

Defense IPS Device

(4)

20i 0 2nd international Coorence on Education Technoloy and Computer (ICET)

Outside Inside

/ ... ..

: & :

...

\

traic analysis J

.. :�;

..

..

..

/

•••••••••

:

Vulnerable attack

Figure

6,

the method distribution Intrusion prevention system. The attacker can do scanning, which in interrogation a topology overall network.

From the attacker sides [16], hackers initiate attacks on trget machines through multiple attack actions and mechnisms. hese multiple single attack actions belong to an attack pln indeed, which the general steps to attack such as probe, scan, intrusion, nd goal.

There are several ways for n attacker to fmd hole. he step of scnning is tried to fmd infomation vulnerable our system, it is cn produce infomation, such as IP Adress devices, scheme of topology, application systems of running, etc.

Countermeasure against hat is : (i) Connected device uses SSL / HTIPS and access with XML to provide a stndrdized interface between it, (ii) Block ICMP reply nd Enable NAT with limited access IP devices, (iii) uses Trnsport Layer Security (TLS), (iv) VPN mechnisms, to tunneling between IPS.

.

Sensor Management

he sensor is one of the pats critical to IPS. Unfortunately, capacity and perfomance of sensor is limited by amount of network traic, placement of installation, nd system uses (hrdware or module based). Accordingly, port monitoring with SPAN (Switched Port Analyzer) can be uses to identiying and recognize packet.

-IX;6fE511COCl0E19:S) d

o � i.ElOMi:ll'IIUl5e � Y IJ lljl!G'I!()Ef)!l<3t65�

1m5jUl�i \H

Figure

8,

network monitoring collect data management rom sensor.

Therefore, monitoring network is easy to chnge control, alert incident response, create notiy administrator, or block traic immediately. Unfortunately, the main issue is that, there are several stndard of proprietay vendor between SNP version. The past researcher [17], propose integration nd encompassing a security inrastructure where multiple securiy device rom a global security layer, which is defmed

with respect to the others and interact dynamically nd automatically with the diferent security devices.

G.

Colaboration

In his section, we discuss to collaboration security system, the Uniied

Threat Management

(UTM) respond. UTM cn answer the solution. Furthemore, there are several variously technology uses in defense system. Unfortunately, Propriety vendor is different rom each other.

According to CSIIFBI survey [11], the enteprise uses several technology security system, such as (i) anti-virus sotwre 97%, (ii) anti-spyware 80%, (iii) irewall 97%, (iv) IPS 54%, nd (v) VPN 85%.

There are three components in he defense system, (i) Web Security, (ii) Network Protection, and (iii) Mail iltering. In the recent years Firewall is one of most technology preventive suspicious threat, such as : VPN, URL Filter, IDS, Email Anti Virus, Signing/encyption, NAC, Encyption, Wireless security, P2P ilter, 1M ilter, and Anti Spyware.

There are several standrds default to detemine mework requirement security policy, such as ISO 17799, which is to declre, indentiy, analyze and describes requirement that must be met to accommodate IPS. The previous resercher declared [17], Infomation Security Management System (ISMS), it requires regulation standard, which in ISO security standards nd govement compliance regulations guide and enforce organizations about certain requirements and nom.

Figure

7.

The Uniied Threat Management (UTM), which in collaborate heterogeneous defense system (Firewall, IPS) between policy and network monitoring

According to Common Vulnerability Exposure (cve.mitre.org) is a list of inrusion product, there are several IPS devices with proprietry standard. he mechnism need to integrate heterogeneous network. We proposed Uniied hreat Management (UTM) to collaborate and integrate between it.

(5)

2010 2nd International Conorence on Education Technoloy and Computer (ICETC)

III. RESULT

In this section, we identiy steps anticipated for user and network rchitecture, as following:

1. Accuracy Signature, in his issue, our suggestion is appropriate selection of signature types, which recognize model that can be use. Embedded in layer 2 and layer 3 devices, which is increase recognized suspicious threat solution.

2. Maximum traic volume, this is important because any network node can sufer a variety of problems. We suggest observing user and network architecture, such as (i) large enterprise, (ii) branch oice, (iii) medium fmncial enteprise, (iii) medium educational enteprise, or (iv) the small oice home oice.

3. Topology design, in this issue there re two factors to be afected,

irst

is a sensor placement, and

second

is number of sensor, we must identiying as topology needed.

4. Quota usage logging, replication, backup and elimination scheduling is a mechanism to eiciency and efective logging storages. We must Describes how long sensor event logs should be kept, when they should be rchived, nd where he archive is stored. 5. Protections of IPS device rom attack, Countermeasure

against unauthorized access rom attacker that method distribution IPS.

6. Monitoring of management sensor, installed of sensor directly connected with embedded in the gateway is one of solution, which is the sensor hat provides the ability to inspect, identiied, recognized and monitoring capability of inbound-outbound of real-time traic. Furhemore, monitoring sensor uses Network Monitoring Center (NMC) for early prevention status. Which is, the system of use : (i) Ease of Management (ii) Reduces Complexity, and (iii) Simpliies Operation 7. Collaboration of UTM, to collaborate nd integrate

between heterogeneous defense systems, we proposed UTM mechanism, which in Firewall, IPS between policy and network monitoring to one system management conrol.

IV. CONCLUSION

&

FUTURE WORK

IPS, which proactively combines he irewall technique with hat of the Intrusion Detection System,. In his paper, we have presented, nalyze and identiy challenging issue to develop he intrusion prevention, the evaluation of our solution have shown how to avoid anticipation. Future work will focus on accuracy of signature with behavior-based prevention, which is an experiment wih our data set of real­ traic network.

REFERENCES

[I]

C.M. Akujuobi, et al "Application of Wavelets and Self-similarity to Enterprise Network Intrusion Prevention and Prevention Systems", Consumer Electronics,

2007.

[2]

E. Guillen, et al " Weakness and Strength Analysis over Network-Based Intrusion Prevention and Prevention Systems" Communications,

2009.

[3]

C. Pattinson, et aI, "Trojan Prevention using MIB-based IDSIIPS system", Information, Communication and Automation Technologies,

2009.

[4]

E. Carter, et aI, "Intrusion Prevention Fundamentals : an introduction to network attack mitigation with IPS", Cisco press,

2006.

[5]

Kjetil Haslum, et aI," Real-time Intrusion Prevention and Security of Network using HMMs", Local Computer Networks,

2008.

[6]

Frias-Martinez.V, et aI, "Behavior-Proile Clustering for False Alert Reduction in Anomaly Prevention Sensors " Computer Security Applications Conference,

2008.

[7]

Xinyau Zhang, et aI, "Intrusion Prevention System Design", Computer and Information Technology,

2004

[8]

Martuza Ahmed, et aI," NIDS : A Network based approach to intrusion prevention and prevention", International Association of Computer Science and Information Technology - Spring Conference,

2009.

[9]

Yaping Jiang, et al ,"A Model of Intrusion Prevention Base on Immune", Fith Intenational Conference on Information Assurance and Security,

2009.

[10]

Rainer Bye, et al, "Design and Modeling of Collaboration Architecture for Security", Intenational Symposium Collaborative Technologies and Systems,

2009.

[Il]

Robert Richardson, "CSI Computer Crime & Security Survey

2008",

2008.

[12]

h Le, et aI," On Optimizing Load Balancing of Intrusion Prevention and Prevention Systems", IEEE, INFOCOM Workshops,

2008

[l3]

Kamei, S, et al," Practicable network design for handling growth in the volume of peer-to-peer traic", Communications, Computers and signal Processing,

2003.

[14]

D. Stiawan, AH. Abdullah, M.Y. Idris, "The Measurement Intenet Services", Intenational Conferences, ICGC-RCICT,

2010.

[15]

Taras Dutkevych, et aI, " Real-Time Intrusion Prevention and Anomaly Analyze System for Corporate Networks, IEEE International Workshop on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications,

2007.

[16]

Zhijie Liu, et al, " Correlating Multi-Step Attack and Constructing

Attack Scenarios Based on Attack Patten Modeling", Intenational Conference on Information Security and Assurance,

2008.

Gambar

Figure example of topology to describe issues challenge of intrusion A. prevention, (F) monitoring sensor, (G) collaboration ofUTM
Figure 2. threat, which is alert waning true or false alarm. Meanwhile, event The sensor will trigger alert if identiy and recognized suspicious response can do logging, block, allow, deny
Figure .capture the packet data transaction (lP, AC, source and destination) logging ile large ile/sensor, with increasing the number of sensors and traic network
Figure 6, the method distribution Intrusion prevention system. The attacker can do scanning, which in interrogation a topology overall network

Referensi

Dokumen terkait

Bentuk tanggung jawab hukum profesi penunjang pasar modal yang telah memberikan informasi yang tidak benar dan menyesatkan dalam pembuatan prospektus menurut

Berdasarkan hasil yang telah dibahas, secara umum dapat disimpulkan bahwa: 1) hasil belajar peserta didik baik di kelas XI.IPA-1 meningkatkan dengan baik saat

Usulan Teknis dinyatakan memenuhi syarat (lulus) apabila mendapat nilai minimal 70 (tujuh puluh), peserta yang dinyatakan lulus akan dilanjutkan pada proses

Bahwa salah satu untuk mendapatkan mahasiswa yang berkualitas maka perlu diadakan penyaringan penerimaan mahasiswa baru dengan cara ujian masuk (testing) berupa

- Pelatihan Ketrampilan dan Bantuan Sarana Usaha bagi Keluarga Miskin :. Manik-manik

Pejabat Pengadaan pada Badan Pelaksana Penyuluhan Pertanian, Perikanan dan Kehutanan Kabupaten Musi Banyuasin Tahun Anggaran 2014, telah melaksanakan Proses Evaluasi Kualifikasi

1. Yang dimaksud dengan budaya organisasi adalah suatu nilai, anggapan, asumsi, sikap, dan norma perilaku yang telah melembaga kemudian mewujud dalam penampilan, sikap,

Pada tahap ini kalimat yang sudah memiliki bobot berdasarkan model graph di rangking menggunakan algoritma pagerank dengan tujuan untuk menemukan kalimat mana yang