2011 24th IEEE Canadian Conference on Electrical and Computer Engineering (CCECE), Niagara Falls, ON, Canada, 8-11 May 2011

Emerging Threats, Risks and Mitigation Strategies in Network Forensics

Joshua Ojo Nehinbe, University of Essex, Colchester, UK

Abstract: Sophisticated intrusions are evolving every day. Hence, requirements are shifting towards computer systems that provide more robust defences. However, new issues, bugs, threats and vulnerabilities are unavoidably introduced each time a new product is designed to meet users' specifications. For these reasons, vendors, the research community, network forensics professionals and other users of Network Intrusion Detection Systems (NIDS) write large numbers of detection rules in an effort to detect as many attacks as possible. Despite this, numerous attacks still evade intrusion detectors, and there is insufficient evidence exposing the emerging threats and risks in the use of intrusion detection technology. This paper therefore presents a critical review of these problems. The review provides guidelines that can be used to enhance the efficacy of intrusion detection systems and to achieve a high return on investment.

Keywords: network intrusion detection system, redundant attacks, failed attacks, pattern matching, information system auditor, network forensics.

1. Monitoring Network Traffic

Investigating network intrusions is challenging because of the volume and speed of the traffic migrating across computer networks [18, 1, 8]. A solid understanding of the structure of the data travelling in computer networks is required to decode network packets. A Network Intrusion Detection System (NIDS) is therefore installed to analyze each packet promptly, separate normal from abnormal activity, and capture, alert on and preserve evidence of abnormal activity on disk [12]. However, the properties of a datagram are not stable: they change from second to second and each time a router on the path processes the packet (the TTL, for instance, is decremented at every hop).

Thereafter, preserving, analyzing and interpreting the evidence of network intrusions is required, because that evidence is the only proof available for discovering the hidden meaning and essential features of attacks [13, 16]. Nevertheless, the discrepancies between the patterns of intrusions seen in different segments of a network often render most clustering algorithms, such as K-means and hierarchical clustering, ineffective for processing intrusion logs [4].

2. Pattern Matching Algorithms

A NIDS such as Snort that uses pattern matching to detect network intrusions only searches for intrusive patterns as each packet migrates across the network. In Snort, each packet is checked against all rules; when a packet matches several rules, the rule with the highest priority determines the alert that is raised [17, 9]. However, the detector does not examine other attributes of the suspicious packet, such as whether it will ever reach a live target, before it alerts users to the presence of imminent danger on the network.

Intrusion reporting and logging are emerging threats to the investigation of network intrusions [6]. A NIDS can be configured to capture and log as much as possible of the traffic that passes through a network gateway, or it can be configured to capture and store only selected traffic for later analysis. Both approaches carry overheads. The former requires large amounts of storage space. The latter requires less storage, but faster processors and more processing time are consumed in filtering the traffic. The evidence provided by the former method is broad, whereas the latter under-reports network intrusions.

Detecting different attacks that trigger the same rules is a major challenge for a NIDS that uses pattern matching, because it is difficult to design attack signatures precisely. For instance, some flooding and deceptive attacks, such as IP spoofing, can simultaneously trigger the bad-traffic rules [7]. Hence, alerts are misdiagnosed by human operators.

3. Intrusion Detection Logs

Recent incidents have shown that a single attack can compromise computers across many countries [8]. Similar attacks can compromise computers on several continents before the final target is reached, so the attack will have travelled through many different networks. How to establish such chains of attack is therefore a major problem in network forensics, and it militates against gathering evidence for litigation against Internet crimes committed by attackers in another country.

IEEE CCECE 2011 - 001228

Furthermore, a NIDS needs to log many attributes of each alert for the intrusion logs to be broadly useful for investigating a variety of attacks. These attributes include the timestamp of the event, the message description, the protocol that carried the packet, its source address (source IP, source port and ethsrc) and its destination address (destination IP, destination port and ethdst). The timestamp is the time at which the detector flagged the event as suspicious. Other attributes of a datagram that a NIDS can log to support further investigation of a suspicious event are ethlen, the TCP flags, TCP sequence number, TCP acknowledgement number (TCPack), TCP length, TCP window, Time to Live (TTL), Type of Service (TOS), IP datagram length (iplen), ICMP type (icmptype), ICMP code, ICMP identification number, ICMP sequence number and so on. The TTL is the lifetime, or hop count, of a packet on the network before it is discarded (the router that discards it reports the expiry to the sender with an ICMP message) [17, 18]: each router that processes the packet decrements the TTL as it migrates towards its destination, and the packet is discarded when the TTL reaches zero. The TOS field sets the precedence with which network devices should treat the packet [17, 18]. The IP flags classify a packet as fragmented or non-fragmented. IPLen denotes the length of the packet, while the protocol is the message standard agreed between the source and the destination machines [17, 18].

In addition, in Snort each alert is also identified by the rule that triggered it: the signature generator identification number (GID), the rule number (SID), the signature revision number, the classification, the priority, the event number, etc. [17]. The generator identification number indicates which subsystem raised the alert, such as the rule engine, a pre-processor or the packet decoder. The classification identifies the group to which the alert belongs, the priority indicates the relative importance of the alert, and the event identification number is the serial number of each event [17].

Essentially, a central issue here is how to determine which of the attributes listed above best discriminate between attacks.
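To make the attribute list above concrete, the following Python example, added here and not part of the original paper, parses alerts written in Snort's single-line "fast" output format into the attributes discussed (generator id, rule id and revision, classification, priority, protocol and the source and destination endpoints), maps the generator id to the subsystem that raised the event, and counts how many distinct values each attribute takes over the alert set, which is the simplest test of whether an attribute can discriminate between attacks at all. The sample alert lines are constructed for this example; the rule ids and hosts in them are not real.

```python
import re
from collections import Counter

# One line of Snort "fast" alert output. The layout is the one Snort writes with
# "output alert_fast"; the classification bracket is optional because decoder and
# preprocessor events do not always carry one.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?"
    r"\s+\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (not real traffic): an ICMP rule, two hits of the same
# web rule from the same host on different source ports, and a packet-decoder event.
SAMPLE_ALERTS = """\
05/08-10:21:03.114562  [**] [1:1000001:2] ICMP flood suspected [**] [Classification: Attempted Denial of Service] [Priority: 2] {ICMP} 10.0.0.5 -> 10.0.0.9
05/08-10:21:03.118900  [**] [1:1000002:1] WEB directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:4444 -> 10.0.0.9:80
05/08-10:21:04.002311  [**] [1:1000002:1] WEB directory traversal attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:4445 -> 10.0.0.9:80
05/08-10:21:05.773000  [**] [116:46:1] (snort_decoder) WARNING: TCP header length exceeds packet length [**] [Priority: 3] {TCP} 10.0.0.7:51000 -> 10.0.0.9:443
"""


def generator_subsystem(gid):
    """Map a Snort generator id to the subsystem that raised the event.
    GID 1 is the rules engine and GID 116 the packet decoder; other GIDs belong to preprocessors."""
    if gid == 1:
        return "rules engine"
    if gid == 116:
        return "packet decoder"
    return "preprocessor"


def parse_fast_alerts(text):
    """Parse fast-format alert lines into dicts; lines that do not match the format are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        for k in ("gid", "sid", "rev", "prio"):
            d[k] = int(d[k])
        for k in ("sport", "dport"):
            d[k] = int(d[k]) if d[k] is not None else None   # ICMP alerts carry no ports
        d["subsystem"] = generator_subsystem(d["gid"])
        alerts.append(d)
    return alerts


def distinct_values(alerts, fields):
    """Number of distinct values each attribute takes over the alert set. An attribute that
    is constant across every alert (here the destination) cannot discriminate between them."""
    return {f: len({a[f] for a in alerts}) for f in fields}


def attacks_per_signature(alerts):
    """How many alerts each (gid, sid) produced: the first step in spotting redundancy."""
    return Counter((a["gid"], a["sid"]) for a in alerts)
```

Run over a real `alert` file, `distinct_values` is a quick way to see which logged fields are constant (and so useless for discrimination) and which vary; the decoder event (GID 116) shows why the generator id must be kept, since its SID 46 means nothing in the rules engine's numbering.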

4. Intrusion Redundancies

Handling alert swamping is another challenge in network forensics. Attackers can launch attacks that cause a NIDS to trigger more alerts than analysts are able to analyze accurately [7]. We describe this problem as alert swamping.

Several factors can cause alert swamping and intrusion redundancy. Design flaws in computer systems, such as limitations of the NIDS and of the TCP implementation, can cause a great number of intrusion redundancies in many ways. Intrusion redundancies are indirectly built into TCP itself. TCP sends a stream of data, divided into segments of bytes, from the source machine (S) to the destination (T), as shown in Figure 1.

Figure 1: Migration of an intrusive datagram from the source S, through the NIDS, to the destination T

Unfortunately, every byte of the stream is assigned its own sequence number. Another difficulty is that, by default, any segment that is not acknowledged in time is retransmitted to the TCP of the destination machine [18]. The receiving TCP also has to send acknowledgements back to the TCP of the source machine, and duplicate acknowledgements can be retransmitted as well. Every one of these retransmissions carries the same intrusive content past the detector, and all of them cause intrusion redundancies.

Furthermore, the ability of a network intrusion detector to reorder duplicate and segmented packets before triggering alerts also influences intrusion redundancy. Redundancies can also be generated if the order in which the detector reassembles duplicate segments that arrive out of order differs from that of the TCP of the receiving machine. Although the reordering timeout can be configured, choosing a suitable threshold is a problem. Too short a reordering timeout causes unnecessary timeouts and excessive retransmission of duplicate intrusive packets. Conversely, too long a reordering timeout lets more attack traffic accumulate, and also slows down the rebuilding of segmented intrusive packets at the reassembly point.
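As an added illustration of the redundancy described above (not code from the paper), the Python example below collapses alerts that a detector raised repeatedly for the same TCP segment. The records are constructed for the example; in practice they would come from the detector's log, which must include the TCP sequence number for this to work. An alert is treated as a retransmission of an earlier one when it carries the same rule, 5-tuple and sequence number and arrives within a configurable window; the collapsed record keeps a count so that the volume of retransmission is preserved as evidence rather than discarded.

```python
# Constructed alert records (not real traffic). "ts" is seconds relative to the first alert;
# "seq" is the TCP sequence number the detector logged for the offending segment.
SAMPLE_RECORDS = [
    {"ts": 0.0,   "sid": 1000002, "src": "10.0.0.5", "sport": 4444, "dst": "10.0.0.9", "dport": 80, "seq": 1000},
    {"ts": 1.2,   "sid": 1000002, "src": "10.0.0.5", "sport": 4444, "dst": "10.0.0.9", "dport": 80, "seq": 1000},   # retransmission
    {"ts": 2.0,   "sid": 1000002, "src": "10.0.0.5", "sport": 4444, "dst": "10.0.0.9", "dport": 80, "seq": 2460},   # next segment of the same stream
    {"ts": 3.5,   "sid": 1000002, "src": "10.0.0.5", "sport": 4444, "dst": "10.0.0.9", "dport": 80, "seq": 1000},   # retransmitted again
    {"ts": 200.0, "sid": 1000002, "src": "10.0.0.5", "sport": 4444, "dst": "10.0.0.9", "dport": 80, "seq": 1000},   # beyond the window: a new event
]


def redundancy_key(alert):
    """Alerts with the same signature, 5-tuple and TCP sequence number describe the same
    segment seen again, i.e. a retransmission rather than a new attack."""
    return (alert["sid"], alert["src"], alert["sport"], alert["dst"], alert["dport"], alert["seq"])


def collapse_retransmissions(alerts, window=60.0):
    """Collapse alerts caused by TCP retransmission into one record per distinct segment.

    Alerts are processed in timestamp order so that out-of-order arrival in the log does not
    split a group. A repeat of a known key within `window` seconds of the previous sighting
    increments the count; a repeat beyond the window is treated as a fresh event. The count
    is kept because the number of retransmissions is itself evidence (of congestion, or of a
    target that never answered)."""
    collapsed = []
    index = {}   # redundancy key -> position in `collapsed`
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = redundancy_key(a)
        pos = index.get(key)
        if pos is not None and a["ts"] - collapsed[pos]["last_ts"] <= window:
            collapsed[pos]["count"] += 1
            collapsed[pos]["last_ts"] = a["ts"]
        else:
            index[key] = len(collapsed)
            collapsed.append(dict(a, first_ts=a["ts"], last_ts=a["ts"], count=1))
    return collapsed


def redundancy_ratio(alerts, window=60.0):
    """Fraction of the raw alert volume that was redundant under the given window."""
    if not alerts:
        return 0.0
    return 1.0 - len(collapse_retransmissions(alerts, window)) / len(alerts)
```

Two caveats follow from the text. The detector only sees the segments it reassembles, so its view can differ from the receiving host's; and an attacker who knows this can vary the sequence numbers (overlapping segments at different offsets) so that the same content is never keyed as a duplicate. Collapsing therefore reduces the analyst's workload but does not, by itself, establish which copy the host acted on.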

5. Data for Evaluating NIDS Research

Most network forensics experts face difficulty in obtaining suitable datasets for evaluating intrusion detection models and for carrying out in-depth investigations of intrusion logs. Attack scenarios vary across different computer networks [2, 3]. Hence, intrusive datasets that reflect all possible scenarios of normal and abnormal activity are very scarce.

Most publicly available datasets rapidly become obsolete. For instance, the DARPA 2000 datasets contain only Distributed Denial of Service (DDoS) attacks, and even those reflect a simplified form of DDoS in which many sources attack a single destination machine [3]. In other words, the datasets are not suitable for investigating DDoS attacks that originate from many sources against many targets.


Data privacy issues, such as security policies, risks and trust, are critical factors that militate against sharing realistic datasets between operators and the research community.

Essentially, an intrusive dataset collected from a single source is not rich enough to investigate incidents of computer attack, because of the diversity of patterns and the complexity of computer attacks.

6. Detection of Failed Attacks (FA) and False Positives (FP)

Identifying failed attacks and their causes is a critical problem in network surveillance [6]. Failed attacks are another form of alert workload in intrusion detection. A failed attack is a potential computer attack that is never received by the destination host but that nevertheless has serious negative consequences for resources on the network. Failed attacks consume processing time and efficiency on hosts and routers that should have been spent on legitimate traffic. They can also saturate the network, increasing competition for resources such as bandwidth, protocol state and services, and they can eventually lead to denial of service. In addition, human experts need substantial resources to analyze failed attacks accurately, even though failed attacks are less critical than successful ones [6]. Attackers can therefore launch failed attacks to divert the attention of human experts from the attacks that actually matter.

Besides, the definition of a false positive is contested in the IDS community [1, 15, 17]. Hence, the extent to which some attacks are false, and the point at which an alert should be classified as a false attack, have remained subjective over the years. This problem often undermines attempts to design effective countermeasures that thwart attacks in progress, and attackers often exploit it to evade early detection.

There are several causes of failed attacks in network forensics. Some failed attacks occur because of fragmentation errors while suspicious packets are in transit to the target systems. Every link has a Maximum Transmission Unit (MTU), the largest datagram that can be carried in one piece from a source machine to a destination machine across that link. So a router (R1) divides a migrating datagram that is bigger than the MTU into smaller fragments (Figure 2). Each fragment carries enough information about the original packet, such as its identification number and its source and destination addresses, for every fragment to be forwarded to the destination machine independently [18]. Each fragment also carries a flag, and different network architectures allow different MTUs. Hence, fragments that migrate through several networks can be fragmented again if the MTU of the next network is also exceeded. Fragments may also travel by different routes to the same destination, or reassembly host. The host must be able to distinguish fragmented packets from packets that must not be fragmented, recognise the fragments of the same packet using the packet identification number, the IP flags and the fragment offset, and establish the number of fragments to be reassembled and their order.

A fragment carries a More Fragments flag of 1 to indicate that further fragments follow, and 0 to mark the last fragment of the datagram. Some intrusive packets that would have to be fragmented carry the Don't Fragment bit instead; in that case an intermediate machine is not allowed to fragment the datagram [18], so the router drops it and sends an error message back to the source machine. Importantly, each fragment carries the same identification number, source address and destination address, and the receiving machine assigns a reassembly timer, usually 60 seconds, to each datagram so that packets under reassembly do not occupy the host indefinitely [18]. The reassembly timer is started on receipt of the first fragment of each datagram. All fragments of an intrusive datagram must arrive at the receiving host, and they must be completely and correctly processed within the reassembly time before the datagram can be considered successfully received. Fragmented intrusive packets that are erroneously reassembled are reported as fragmentation errors and are therefore blocked from reaching the target machines [18]. A network detector that notices an intrusive source, however, will already have raised an alarm, irrespective of whether the packet will eventually be processed or dropped by the destination machine [10].

Intrusion detectors flag alerts on intrusive packets that expire before they reach the destination machine [17]. There are many reasons why a packet may be dropped. For instance, the propagation of a fragment may be delayed by congestion on the network, some fragments may arrive at the reassembling machine out of order [18], and some may be lost entirely in transit. If any fragment is lost or still missing when the reassembly timer expires, the receiving machine stops waiting for the rest of the packet, and all the fragments of that packet that have already been received are discarded.


It then sends an error message to the source, an ICMP time exceeded message reporting that the fragment reassembly time has been exceeded, to notify the source that the timer ran out. This reassembly time limit is not the same thing as the time to live (TTL) of the original packet.

Figure 2: Migration of fragmented attacks

The topology of a realistic network can contain both forbidden and allowed operations as packets migrate across it. Hence, an attack whose attributes match a forbidden operation will fail to succeed on the network.

Figure 3: Blocked packets by a defensive device behind the IDS

Besides, intrusive packets may be blocked from migrating through a network if the topology of the network does not support the protocol carrying them (Figure 3). Similarly, defensive mechanisms on the network can block malformed packets, such as intrusive packets with unknown destinations or unreachable networks, and crafted packets that embed addresses that do not exist on the network. Routers and firewalls can be configured to filter out such illegitimate packets, whereas a NIDS positioned in front of these devices will still generate alerts for packets that are then administratively blocked from reaching their destination addresses.

Some intrusive packets (from source S1) that have been reported by the detector can be accepted by one of the firewalls or routers, as in Figure 4, while a subsequent device rejects them completely [17].

In addition, a detector may have triggered alerts on intrusive packets that are not correctly received or acknowledged by the receiver during the session handshake. It is also possible that crafted packets that have to be reassembled by the detector and by the target machine are not successfully reassembled by the receiving host [1, 18]. Some stealthy attackers are aware of the limited capacity of networks and receivers to process traffic [5, 11]. Consequently, failed attacks can also occur when a router is overwhelmed with congested packets to the point that it no longer functions correctly.

Besides, some intrusive packets that have already been reported by a detector may be lost in transit before they arrive at their destinations, for unknown reasons (Figure 4). Similarly, some intrusive packets that were fragmented into smaller segments might encounter obstructions as the fragments individually migrate by different routes towards their destination [18].

Figure 4: Lost packets in transit

For example, suppose router R1 in Figure 4 splits an incoming intrusive packet into three fragments, and two of the fragments take the same direction once they leave the IDS. If routers R2 and R3 each block one of the fragments, only one fragment will eventually reach the destination machine, and the datagram can never be reassembled. Intrusive packets will also fail to be delivered if the default gateway fails while the attack is in transit.
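The fragmentation, reassembly-timer and dropped-fragment behaviour described in the section above and in the Figure 4 scenario just given can be run as a small simulation. The Python example below is added here and is not the paper's code: it fragments a constructed 72-byte HTTP request at an assumed MTU of 32 bytes, lets a signature detector inspect each fragment as it passes, and then delivers the fragments to a host-side reassembler that applies the 60-second reassembly timer. Fragment offsets are in bytes rather than the 8-byte units IP actually uses, and the payload, addresses, identification value and signature pattern are all assumptions for the example. Blocking one fragment after the detector (routers R2 and R3 in Figure 4) produces the failed attack the text describes: the detector alerts, the host never completes reassembly, and the timer expires.

```python
from dataclasses import dataclass

REASSEMBLY_TIMEOUT = 60.0   # seconds; the usual reassembly timer cited in the text


@dataclass
class Fragment:
    ident: int            # IP identification, shared by all fragments of one datagram
    src: str
    dst: str
    offset: int           # byte offset into the original payload (IP encodes this in 8-byte units)
    payload: bytes
    more_fragments: bool  # MF flag: 1 while further fragments follow, 0 on the last one
    ts: float = 0.0       # arrival time at the reassembling host


def fragment(ident, src, dst, payload, mtu, dont_fragment=False, ts=0.0):
    """What router R1 does to a datagram larger than the link MTU. With DF set the router
    may not fragment: it drops the datagram and reports the error to the source instead."""
    if len(payload) <= mtu:
        return [Fragment(ident, src, dst, 0, payload, False, ts)]
    if dont_fragment:
        raise ValueError("DF set: dropped, ICMP 'fragmentation needed' returned to source")
    frags = []
    for off in range(0, len(payload), mtu):
        chunk = payload[off:off + mtu]
        frags.append(Fragment(ident, src, dst, off, chunk, off + mtu < len(payload), ts))
    return frags


class Reassembler:
    """Per-datagram reassembly buffer with the reassembly timer the receiving host applies."""

    def __init__(self, timeout=REASSEMBLY_TIMEOUT):
        self.timeout = timeout
        self.pending = {}   # (src, dst, ident) -> {"first_ts", "frags", "total"}
        self.expired = []   # keys whose timer ran out before every fragment arrived

    def receive(self, frag):
        """Store a fragment; return the complete payload once every byte is present, else None."""
        key = (frag.src, frag.dst, frag.ident)
        buf = self.pending.setdefault(key, {"first_ts": frag.ts, "frags": {}, "total": None})
        buf["frags"][frag.offset] = frag
        if not frag.more_fragments:              # the last fragment fixes the datagram length
            buf["total"] = frag.offset + len(frag.payload)
        data = self._assemble(buf)
        if data is not None:
            del self.pending[key]
        return data

    def _assemble(self, buf):
        if buf["total"] is None:
            return None
        out, pos = bytearray(), 0
        while pos < buf["total"]:
            f = buf["frags"].get(pos)
            if f is None:                        # hole: still waiting for this fragment
                return None
            out += f.payload
            pos += len(f.payload)
        return bytes(out)

    def tick(self, now):
        """Expire incomplete datagrams; the host discards their fragments and sends
        ICMP time exceeded (fragment reassembly time exceeded) to the source."""
        for key, buf in list(self.pending.items()):
            if now - buf["first_ts"] > self.timeout:
                self.expired.append(key)
                del self.pending[key]
        return list(self.expired)


def simulate(drop_offsets=(), order=None):
    """Run one fragmented attack past a detector that inspects fragments individually and a
    host that reassembles them. Fragments whose offsets are in `drop_offsets` are blocked
    downstream of the detector (routers R2/R3 in Figure 4); `order` optionally permutes
    the delivery order to the host."""
    payload = b"GET /../../etc/passwd HTTP/1.0\r\n" + b"A" * 40   # constructed, 72 bytes
    frags = fragment(0x1234, "10.0.0.5", "10.0.0.9", payload, mtu=32)
    ids_alerted = any(b"/../../" in f.payload for f in frags)      # the detector sees every fragment
    delivery = [frags[i] for i in order] if order else frags
    host = Reassembler()
    result = None
    for f in delivery:
        if f.offset in drop_offsets:
            continue
        got = host.receive(f)
        result = got if got is not None else result
    host.tick(now=REASSEMBLY_TIMEOUT + 1)
    return {"fragments": len(frags), "ids_alerted": ids_alerted,
            "host_reassembled": result == payload, "host_expired": len(host.expired)}
```

`simulate()` with no arguments is the successful delivery; `simulate(drop_offsets=(32,))` is the Figure 4 case, where the alert is raised but the attack never lands; `simulate(order=[2, 0, 1])` shows that out-of-order arrival alone is not a failure as long as every fragment arrives before the timer expires. A detector that logs only the alert, and not which fragments later completed, cannot tell these three outcomes apart, which is the point the text makes about failed attacks.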

Finally, network forensics analysis is becoming more challenging because of the issues above and other challenges not covered in this paper [13]. The premise is that computer resources have inherent limitations, so stealthy attacks often exhaust the capacity of networking resources. The buffer capacity of each network device to process traffic is worth revisiting, to ascertain the extent to which each device misses intrusive packets.

7. Mitigation Strategies

This paper has reviewed some recent challenges in network forensics analysis. We therefore suggest that data for evaluating IDS research should be drawn from as many sources as possible, to create more realistic datasets.

The ability of alert attributes to discriminate between attacks has to be established with suitable mixed methods. The ability of a NIDS to detect failed attacks is recommended as an additional metric for evaluating its efficacy. Keeping a separate log for intrusion redundancies and another for failed attacks will improve decision making and countermeasures. Similarly, further research is needed to discover the patterns of failed attacks and how failed attacks can be used to quantify Business Impact Analysis (BIA). We also suggest that combining pattern matching with attribute matching algorithms will help to reduce intrusion redundancies.

Intrusive datasets extracted from diverse sources, such as Local Area Networks (LANs) built specifically to simulate computer attacks, production networks, and the Internet trace files available in recognised public repositories, can be combined to create a broad category of evaluation datasets. Expert systems need to be debugged continually to reduce noise, and effective rules need to be designed in place of equivalent rules as a means of reducing the alert workload due to intrusion redundancies [10].

Finally, this paper is a guideline that vendors of IDS and information system auditors can use to enhance the efficacy of intrusion detection systems and to achieve a high return on investment. We agree that accurate monitoring, preservation and analysis of network traffic are needed to safeguard computer resources and to secure useful information for litigation. Nevertheless, there is insufficient research in this area despite the prevalence of computer crime across the globe. We therefore suggest further research in this direction.

Acknowledgment

Special thanks to my supervisor Dr. Paul Scott for the feedback he gives on my research.

References

[1] A. Lazarevic, J. Srivastava and V. Kumar, “Intrusion detection: A survey”, Computer Science Department, University of Minnesota (2005).

[2] CTFC (Capture the Flag Contest) DEFCON datasets, http://cctf.shmoo.com/data/, 2011. Accessed 09 January 2011.

[3] DARPA Intrusion Detection Scenario Specific Datasets, http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/2000data.html, 2009. Accessed 09 January 2011.

[4] J. Han and M. Kamber, “Data Mining: Concepts and Techniques”, 2nd edition, Morgan Kaufmann, US, 2006.

[5] H. Debar and A. Wespi, “Aggregation and Correlation of Intrusion-Detection Alerts”, Recent Advances in Intrusion Detection 2001, pp. 85-103.

[6] J.O. Nehinbe, International Workshop on Cloud Privacy, Security, Risk & Trust (CPSRT 2010), in conjunction with CloudCom 2010, Indiana University, USA.

[7] J.O. Nehinbe, “Critical Analyses of Alerts swamping and Intrusion Redundancy”, 4th International Conference for Internet and Secured Transactions (ICITST-2009), proceedings of IEEE, London, UK

[8] J.O. Nehinbe, “A method for investigating Distributed Denial of Service (DDoS) attacks", PhD Computer Science and Electronic Engineering Conference (PhD CEEC 2009), 3rd July, University of Essex, Colchester, UK.

[9] J.O. Nehinbe, “Automated Method for Reducing False Positives”, 1st International Conference on Intelligent Systems, Modelling and Simulations (ISMS2010), proceedings of IEEE Computer Society's Conference Publishing Services (CPS), London.

[10] J.O. Nehinbe, “Automated Technique for Debugging Intrusion Detection Systems”, 1st International Conference on Intelligent Systems, Modelling and Simulations (ISMS2010), proceedings of IEEE Computer Society's Conference Publishing Services (CPS), London.

[11] K. Julisch and M. Dacier, “Mining Intrusion Detection Alarms for Actionable Knowledge”, Proceedings of the eighth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, ACM Press, July 2002.

[12] K. Scarfone and P. Mell, “Guide to Intrusion Detection and Prevention Systems (IDPS)”, Recommendations of the National Institute of Standards and Technology, Special Publication 800-94, Technology Administration, Department of Commerce, USA, 2007.

[13] K. Nance, B. Hay and M. Bishop, “Digital Forensics: Defining a Research Agenda”, 42nd Hawaii International Conference on System Sciences (HICSS 2009), pp. 1-6.

[14] M. Gluck and J. Corter, “Information, uncertainty and the utility of categories”, in Proceedings of the 7th Annual Conference of the Cognitive Science Society, CA, 1985, pp. 283-287.

[15] M.S. Shin and K.H. Ryu, “Data Mining Methods for Alert Correlation Analysis”, Chungbuk National University, Korea; International Journal of Computer & Information Science, Volume 4, No. 4, December 2003.

[16] P. Pajek and E. Pimenidis, “Computer Anti-forensics Methods and their impact on Computer Forensic Investigation”, 5th International Conference (IGS3 2009), pp. 145-155.

[17] R. Alder, A.R. Baker, E.F. Carter, J. Esler, J.C. Foster, M. Jonkman, C. Keefer, R. Marty and E.S. Seagren, “Snort: IDS and IPS Toolkit”, Syngress Publishing, Burlington, MA, USA, 2007.

[18] Shay, W. A, Understanding communications and networks, 3rd Edition, Brooks/Cole, Belmont, CA, 2004
