
Archive for August, 2007

Network Security: Using Wavelets to Extract Meaningful Information

August 24th, 2007 jesse No comments

Lately I’ve been working on information security and intrusion detection systems (IDS), and on reliable methods for extracting meaningful information from the torrent of reporting data. The two most interesting techniques I’ve found are wavelets and artificial neural networks (ANNs). Here we’ll discuss wavelets.

wavelet-figure

I’ll discuss ANNs at a later date.

There are a good number of rather sophisticated tools available to the educated user for all kinds of activity detection, collection, collation, and analysis. Unfortunately, most of these tools are number crunchers or simple regular expression pattern matchers and are very poor at presenting their results in visually meaningful ways.

For example, standard RRD flow charts do a nice job of plotting time-sequenced data but require a well-trained eye to recognize anomalous events or non-obvious structure.

flux

One interesting approach for extracting hidden meaning from time-sequenced data employs signal analysis of network traffic statistics with wavelet filters, which are effective at exposing and separating ambient and anomalous traffic patterns.

Wavelet analysis organizes data into strata, or a hierarchy of component signals, analogous to a Fourier decomposition but more sophisticated.

The following picture shows four panes. At the top is the original data, followed by the high, middle and low band wavelets. Grey boxes indicate some anomalous behavior, which is visible in the original data and could be recognized by a trained eye. However, the anomalies become obvious to the casual observer when looking at the high and middle band wavelets.

Screenshot-paper

One nice feature of wavelets is their relative insensitivity to the data source. They can often achieve the same result (with varying levels of error) from directly filtered packet captures or from SNMP statistics. Additionally, because wavelets are sensitive throughout the “frequency” spectrum, they can detect both obvious, frontal network attacks and long-term, subtle but unusual changes in behavior.

A principal advantage of wavelets is that they are portable (they can be installed into any network system without training) and automated (they do not require operator input to function).

Wavelets provide the signal decomposition and context, but must be combined with a viable triggering or thresholding algorithm to produce meaning. There are several popular thresholding methods; one I especially like uses a deviation score. The deviation score is determined by calculating the variability of the “high”, “medium” and “low” frequency signals within a moving window of sample data. Each frequency band has its own moving window size, which can be adjusted to tune the sensitivity of the algorithm.
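The band decomposition and the moving-window deviation score described above, as an added example that is not part of the original post: a three-level Haar decomposition (the simplest wavelet) splits a series into high, middle and low detail bands, and each band's coefficients are then scored against the window of coefficients that precedes them. The per-band window sizes, the threshold of 4 window standard deviations and the traffic series itself are all constructed here for illustration; the post gives none of them.

```python
# Added example (not from the original post): three-band Haar wavelet decomposition
# of a constructed traffic series, followed by the moving-window deviation score.
# Pure Python; window sizes, threshold and the series are assumed for illustration.
import math
from statistics import mean, pstdev

BANDS = ("high", "middle", "low")               # finest to coarsest detail level
WINDOWS = {"high": 16, "middle": 8, "low": 4}   # assumed per-band window (in coefficients)
THRESHOLD = 4.0                                 # assumed: score in window standard deviations


def haar_step(x):
    """One Haar analysis step: pairwise sums (approximation) and differences (detail)."""
    approx, detail = [], []
    for i in range(0, len(x) - 1, 2):
        a, b = x[i], x[i + 1]
        approx.append((a + b) / math.sqrt(2))
        detail.append((a - b) / math.sqrt(2))
    return approx, detail


def haar_bands(x):
    """Decompose x into detail bands {'high','middle','low'} plus the remaining 'trend'.
    Coefficient k of the band at level L summarises samples k*2**L .. (k+1)*2**L - 1."""
    approx = list(x)
    bands = {}
    for name in BANDS:
        approx, detail = haar_step(approx)
        bands[name] = detail
    bands["trend"] = approx
    return bands


def deviation_scores(coeffs, window):
    """Score each coefficient against the `window` coefficients before it:
    |c - mean(ref)| / stddev(ref). Returns (index, score) pairs; flat windows are skipped."""
    out = []
    for i in range(window, len(coeffs)):
        ref = coeffs[i - window:i]
        sd = pstdev(ref)
        if sd == 0:
            continue
        out.append((i, abs(coeffs[i] - mean(ref)) / sd))
    return out


def flag_anomalies(x, windows=WINDOWS, threshold=THRESHOLD):
    """(band, first_sample, last_sample) for every coefficient whose score exceeds
    the threshold, mapped back to the span of original samples it covers."""
    bands = haar_bands(x)
    flags = []
    for level, name in enumerate(BANDS, start=1):
        span = 2 ** level
        for i, score in deviation_scores(bands[name], windows[name]):
            if score > threshold:
                flags.append((name, i * span, (i + 1) * span - 1))
    return sorted(flags)


def constructed_traffic(n=256):
    """Constructed sample: a periodic baseline (period 32) with a one-sample burst at
    t=160 and a sustained +30 shift from t=204 on. Not measured data."""
    series = []
    for t in range(n):
        v = 100.0 + 5.0 * math.sin(2 * math.pi * t / 32)
        if t == 160:
            v += 200.0   # short burst: visible in every band
        if t >= 204:
            v += 30.0    # level shift: the high and middle bands are blind to it
        series.append(v)
    return series


if __name__ == "__main__":
    for band, start, end in flag_anomalies(constructed_traffic()):
        print(f"{band:6s} band: anomalous samples {start}-{end}")
```

On this input the burst is reported by all three bands (samples 160-161, 160-163 and 160-167), while the level shift is reported only by the low band (samples 200-207, the coarse coefficient that straddles the step), which is the point made above about different bands exposing different kinds of anomaly. The reference window sits entirely before the scored coefficient, so an anomaly inflates the window's standard deviation only after it has already been flagged.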

Categories: Security Tags:

Intrusion Detection – Installing Snort-Mysql on Debian Linux

August 22nd, 2007 jesse No comments

Intrusion detection software packages can be divided into two large groups: host based and network based.

In the open source community, the most popular host-based solution is Tripwire, while the most popular network-based solution is Snort.

logo_snort.jpg

Typically Snort keeps all of its data in flat files, which is OK but suboptimal if you wish to process and analyze the data with a separate application. Fortunately there are Debian package variants which log all data to MySQL or PostgreSQL. Here is how to install snort-mysql on a Debian system.

Install mysql-server and mysql-client packages

% apt-get install mysql-server mysql-client

For convenience, also install the GUI tools Mysql Query Browser and Mysql Admin.

% apt-get install mysql-admin mysql-query-browser

Create the snort database and configure mysql users

% mysql -u root

mysql> create database snort;

mysql> grant all privileges on snort.* to snort@localhost identified by "*********";

mysql> show databases;
+--------------------+
| Database |
+--------------------+
| mysql |
| snort |
+--------------------+

mysql> show grants for 'snort'@'localhost';
+--------------------------------------------------------------------------------------------------------------+
| Grants for snort@localhost |
+--------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'snort'@'localhost' IDENTIFIED BY PASSWORD '***********************************' |
| GRANT ALL PRIVILEGES ON `snort`.* TO 'snort'@'localhost' |
+--------------------------------------------------------------------------------------------------------------+

Note: Use your own password!

Install snort-mysql

% apt-get install snort-mysql

Note: This will also install the snort-rules-default and snort-common packages, plus a few other dependencies.

Configure the snort-mysql package

% dpkg-reconfigure snort-mysql

Note: Run through the GUI to properly configure the snort software. The information needed is the system Ethernet interface (eth0, eth1, eth2, etc.) and the MySQL host (localhost), database (snort) and user/password (snort/snort) information we created above.

Configure the mysql database for snort

The snort-mysql package includes a MySQL script that creates all the necessary tables within your snort database. Here is how to use it (from the README file):

% cd /usr/share/doc/snort-mysql/
% zcat create_mysql.gz | mysql -u snort -h localhost -p snort

When prompted for a password enter the password you chose previously.

Run Snort

% /etc/init.d/snort start

You must start snort manually the first time. If you chose the right option when reconfiguring the package earlier, snort will start automatically on future system boots.

Use the MySQL Administrator tool to confirm that all is working.

In this screenshot we see that user snort is connected and sleeping – there is no activity, but we know that the snort program has successfully connected to the database and thus everything is configured properly.

screenshot-mysql-administrator-jesselocalhost-via-socket-1.png
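The same final check, done from the command line instead of MySQL Administrator, as an added example that is not part of the original post. It parses the tab-separated batch output of the mysql client for SHOW PROCESSLIST and SHOW GRANTS, reports whether the snort user holds a session, and warns if that user's grants reach beyond the snort database (the grant listing above shows USAGE on *.* plus ALL PRIVILEGES on snort.*, which is the expected shape). The column names and sample output are constructed from what the post shows; running it with --live assumes the mysql client and root socket access as used above.

```python
# Added example (not from the original post): verify the end state of the
# procedure from the shell instead of MySQL Administrator. Parses `mysql -e`
# batch output (tab-separated, header first) for SHOW PROCESSLIST and SHOW
# GRANTS. Live use assumes the mysql client and root socket access as in the post.
import re
import subprocess
import sys

DB_USER = "snort"
DB_NAME = "snort"
GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s", re.IGNORECASE)

# Constructed sample output, shaped like the post's screenshot and grant listing.
SAMPLE_PROCESSLIST = (
    "Id\tUser\tHost\tdb\tCommand\tTime\tState\tInfo\n"
    "12\tsnort\tlocalhost\tsnort\tSleep\t5\t\tNULL\n"
    "3\troot\tlocalhost\tNULL\tQuery\t0\tNULL\tshow processlist\n"
)
SAMPLE_GRANTS = (
    "Grants for snort@localhost\n"
    "GRANT USAGE ON *.* TO 'snort'@'localhost' IDENTIFIED BY PASSWORD '*HASH*'\n"
    "GRANT ALL PRIVILEGES ON `snort`.* TO 'snort'@'localhost'\n"
)


def parse_mysql_table(text):
    """Turn batch output into a list of dicts keyed by the header row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def run_mysql(sql):
    """Run one statement as root over the local socket (as the post does)."""
    res = subprocess.run(["mysql", "-u", "root", "-e", sql],
                         capture_output=True, text=True, check=True)
    return res.stdout


def snort_sessions(rows, user=DB_USER):
    """PROCESSLIST rows owned by the Snort user; a sleeping one means Snort
    reached the database, which is the post's success criterion."""
    return [r for r in rows if r.get("User") == user]


def grant_problems(rows, db=DB_NAME):
    """Grants wider than the post sets up: privileges other than USAGE on *.*,
    or any privilege on a database other than `db`."""
    problems = []
    for row in rows:
        stmt = next(iter(row.values()))        # single column "Grants for ..."
        m = GRANT_RE.match(stmt)
        if not m:
            continue
        privs, obj = m.group("privs").upper(), m.group("obj")
        if obj == "*.*":
            if privs != "USAGE":
                problems.append(f"global privileges ({privs}): {stmt}")
        elif obj.split(".", 1)[0].strip("`") != db:
            problems.append(f"privileges outside `{db}`: {stmt}")
    return problems


def verify(processlist_text, grants_text):
    """Pure function over captured output so it can be checked offline."""
    sessions = snort_sessions(parse_mysql_table(processlist_text))
    return {
        "connected": bool(sessions),
        "sessions": [(s.get("Id"), s.get("db"), s.get("Command")) for s in sessions],
        "grant_problems": grant_problems(parse_mysql_table(grants_text)),
    }


if __name__ == "__main__":
    if "--live" in sys.argv:     # query the real server; otherwise use the sample
        report = verify(run_mysql("SHOW PROCESSLIST"),
                        run_mysql(f"SHOW GRANTS FOR '{DB_USER}'@'localhost'"))
    else:
        report = verify(SAMPLE_PROCESSLIST, SAMPLE_GRANTS)
    print("snort connected:", report["connected"], report["sessions"])
    for problem in report["grant_problems"]:
        print("grant warning:", problem)
```

A session owned by snort in the Sleep state is exactly what the screenshot shows; the grant check is there because the GRANT step is the one place in the procedure where a typo (for instance *.* instead of snort.*) silently hands the sensor account rights over every database on the host.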

Later I’ll discuss GUI tools for analyzing the collected data.

Categories: Information Security Tags:

Windows XP on a MacBook Pro

August 21st, 2007 jesse No comments

When I first got it I installed Boot Camp and occasionally run Windows on my MacBook Pro. Lately it’s been more often than not, since a recent OS X security update killed my installation (and re-installation) of MS Office.

17-macbook-pro

The principal annoyance with this setup (Windows on an Apple PC) has been the Apple specific key locations. They make it difficult and non-intuitive to type quickly.

Earlier I wrote about how to disable the Windows key using scan mapping. It was a detailed, tedious process and not one to be done lightly.

Luckily there is a great piece of software that can manage this for you. It’s called Input Remapper, is written by Erik Olofsson, and is available here:

The software maps a number of useful keys, including correcting the Delete/Backspace reversal. Now the fn+F keys work as they would under OSX – adjusting volume and screen backlight, etc.

It’s great software. I highly recommend a PayPal donation.

Categories: Nonsense Tags:

Interview with Mike Milinkovich – Eclipse Foundation Executive Director

August 20th, 2007 jesse No comments

Mike Milinkovich, executive director of the Eclipse Foundation, gives a very interesting interview for Java Developer’s Journal. Rather than rattling off the usual questions about the name, about why Swing wasn’t used, or how much influence IBM still has, Mike fielded questions on more topical subjects, as well as discussing his insights into the future.

http://eclipse.sys-con.com/read/393353_p.htm

Most interesting is the discussion of JSR 291 and Equinox-based OSGi runtimes – such as Oracle’s EclipseLink persistence project.

Over the next 12-18 months we are going to see a lot of new stuff being built with Equinox.

Categories: Java Development Tags:

Automounting USB Drives in Debian Linux

August 16th, 2007 jesse 1 comment

Prior to kernel version 2.6 automounting USB devices in Linux was cumbersome at best.

sandisk_2gb_titanium_usb_flash_drive1.gif

The situation was greatly simplified with the 2.6 Linux kernel and the inclusion of the udev device manager. udev manages device nodes in user space, meaning that ordinary users (and not system administrators) can modify the system hardware (like adding USB drives).

New installations of Debian Linux Etch start with the 2.4 series kernel and require upgrading. However, adding udev plus support for USB flash drives is a relatively straightforward procedure.

Upgrade to the 2.6 kernel and reboot.

Then install the udev and usbmount packages. You’re almost there.

Most USB flash drives are formatted with a Windows file system, either FAT16 [typical] or FAT32. Because FAT filesystems are less robust to unprepared removal than the Linux ext2 and ext3 filesystems, the usbmount package does not automount FAT by default. A simple configuration edit corrects this.

% vi /etc/usbmount/usbmount.conf
// replace
FILESYSTEMS="ext2 ext3"
// with
FILESYSTEMS="ext2 ext3 vfat"

By default, USB disks will be mounted at /media/usb0 through /media/usb7. If you want to change that, replace:

MOUNTPOINTS="/media/usb0 /media/usb1 /media/usb2 /media/usb3
/media/usb4 /media/usb5 /media/usb6 /media/usb7"

with what you want (do not forget to create the directories)

Note: FAT filesystems require synchronization prior to removal. Either use the “Unmount Drive” option in Nautilus or “sync and unmount” at the command prompt before removing FAT-formatted USB disks from a Linux system.
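The configuration edits above (adding vfat to FILESYSTEMS, changing MOUNTPOINTS and creating the directories) done by script rather than in vi, as an added example that is not part of the original post. It assumes the file shape shown above, KEY="value" lines where the MOUNTPOINTS value may wrap onto a second line. The MOUNTOPTIONS check goes beyond the post: usbmount.conf also carries a MOUNTOPTIONS variable, and removable media should keep noexec, nodev and nosuid. The sample configuration is constructed from the defaults quoted above.

```python
# Added example (not from the original post): make the usbmount.conf edits the
# post describes programmatically and check the result. Assumes the file shape the
# post shows: KEY="value" lines, where MOUNTPOINTS may wrap onto a second line.
# The MOUNTOPTIONS check goes beyond the post: usbmount.conf also carries that
# variable, and removable media should keep noexec, nodev and nosuid.
import os
import re

CONF = "/etc/usbmount/usbmount.conf"
# A double-quoted shell assignment at line start; the value may span lines.
ASSIGN = re.compile(r'^(?P<key>[A-Z_]+)="(?P<val>[^"]*)"', re.MULTILINE)

# Constructed sample matching the defaults quoted in the post (not a real file).
CONSTRUCTED_CONF = (
    'ENABLED=1\n'
    'MOUNTPOINTS="/media/usb0 /media/usb1 /media/usb2 /media/usb3\n'
    '/media/usb4 /media/usb5 /media/usb6 /media/usb7"\n'
    'FILESYSTEMS="ext2 ext3"\n'
    'MOUNTOPTIONS="sync,noexec,nodev,noatime"\n'
)


def get_var(text, key):
    """Whitespace-normalised value of KEY="...", or None if absent."""
    for m in ASSIGN.finditer(text):
        if m.group("key") == key:
            return " ".join(m.group("val").split())
    return None


def set_var(text, key, value):
    """Rewrite KEY="..." as one line (collapsing a wrapped value); append if missing."""
    found = False

    def repl(m):
        nonlocal found
        if m.group("key") != key:
            return m.group(0)
        found = True
        return f'{key}="{value}"'

    new = ASSIGN.sub(repl, text)
    if not found:
        new = new.rstrip("\n") + f'\n{key}="{value}"\n'
    return new


def add_filesystem(text, fs):
    """Add a filesystem type to FILESYSTEMS unless already listed (idempotent)."""
    current = (get_var(text, "FILESYSTEMS") or "").split()
    if fs in current:
        return text
    return set_var(text, "FILESYSTEMS", " ".join(current + [fs]))


def missing_mount_options(text, required=("noexec", "nodev", "nosuid")):
    """Hardening options absent from the comma-separated MOUNTOPTIONS."""
    present = set((get_var(text, "MOUNTOPTIONS") or "").split(","))
    return [o for o in required if o not in present]


def ensure_mountpoints(text, root=""):
    """Create every directory named in MOUNTPOINTS (optionally under `root`),
    the post's 'do not forget to create the directories'. Returns the paths."""
    made = []
    for d in (get_var(text, "MOUNTPOINTS") or "").split():
        path = root + d
        os.makedirs(path, exist_ok=True)
        made.append(path)
    return made


def apply_edits(path=CONF):
    """The post's procedure end to end: add vfat, create mount points, report gaps."""
    with open(path) as f:
        text = f.read()
    new = add_filesystem(text, "vfat")
    if new != text:
        with open(path, "w") as f:
            f.write(new)
    ensure_mountpoints(new)
    return missing_mount_options(new)


if __name__ == "__main__":
    for opt in apply_edits():
        print(f"warning: MOUNTOPTIONS lacks {opt}")
```

Running apply_edits() as root performs the edit from the post once and is safe to re-run; the warning about missing mount options is informational, since the post's default MOUNTOPTIONS carries noexec and nodev but not nosuid.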

References

udev – Device manager for the Linux 2.6 kernel. Its primary function is managing device nodes in /dev. It is the successor of devfs and hotplug, and handles the /dev directory and all user space actions when adding/removing devices, including firmware load.

Categories: Linux Kernel Tags: