PARA'04 State-of-the-Art
in Scientific Computing
June 20-23, 2004

Updated: 6 February 2004

Real Time Intrusion Detection System for Malformed Packet Detection

Eun-Yeung Choi, Kee-Young Yoo
Department of Computer Engineering
Kyungpook National University, Korea
and
Hyun-Sung Kim
Department of Computer Engineering
Kyungil University, Korea
email: kim@kiu.ac.kr

Bypassing attacks that use malformed packets are increasing in number, and hacking techniques are becoming more intelligent and skillful. In particular, most previous IDSs could not detect attacks using IP fragmentation because they do not support packet reassembly.

To cope with these problems, this paper proposes a network-based IDS for a distributed environment that can efficiently detect attacks using malformed packets. Our system works over an intranet and has two main parts, a local part (local agent) and a central part (central agent). The local agent stores features extracted from packets and analyzes them to detect simple attacks. If packets are suspicious, the local agent sends all of its data to the central agent for further analysis. The system is composed of four components: Feature Selector (FS), Simple Analyzer (SA), Fragment Analyzer (FA), and Decision Engine (DE). The local agent holds FS, SA, and FA; the central agent holds DE. The main functions of these components are as follows.

FS extracts the important features (parameters) from network packets. The feature set is an 8-tuple of parameters (total length of the IP datagram, header length, destination IP address, source IP address, destination port number, identification, flag, and offset), which are the main characteristics required to detect attacks with malformed packets. FS stores the features related to packet fragmentation in a data structure so that FA can detect fragmentation attacks.

SA analyzes simple attacks using packet header information. SA first checks whether a packet has an invalid packet size, and second whether the packet has the same source and destination IP address; it detects attacks by analyzing these events against a set of detection rules.

Fragmentation attacks are difficult to detect in real time because the engine requires system resources such as memory to process them. FA is able to detect attacks using IP fragmentation: it finds the second fragment by comparing it with the stored minimum offset, and can thereby detect fragmentation attacks without reassembling the datagram.

The central agent is activated when a local agent calls it. DE makes the overall decision in cooperation with the system manager.
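The following is an added illustration of the FS, SA and FA stages described above; it is not the authors' implementation. It assumes raw IPv4 packets without a link-layer frame, reads the paper's "stored minimum offset" as the lowest fragment offset seen per (source, destination, identification) flow, and uses constructed packets built by the helper make_ipv4.

```python
import socket
import struct
IP_HDR = struct.Struct("!BBHHHBBH4s4s")  # fixed 20-byte IPv4 header, no options
MF = 0x1  # More Fragments flag (lowest bit of the 3-bit flags field)

def make_ipv4(src, dst, ident, flags, offset8, payload, proto=17):
    # Constructed IPv4 packet for the examples below (checksum left as zero).
    hdr = IP_HDR.pack(0x45, 0, 20 + len(payload), ident, (flags << 13) | offset8,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def feature_selector(pkt):
    """FS: extract the paper's 8-tuple from a raw IPv4 packet (no link-layer frame)."""
    vihl, _tos, total_len, ident, frag, _ttl, _proto, _csum, src, dst = IP_HDR.unpack_from(pkt)
    hlen = (vihl & 0x0F) * 4
    flags, offset = frag >> 13, (frag & 0x1FFF) * 8  # offset field is in 8-byte units
    # The destination port is only present in the fragment carrying the transport header.
    dport = struct.unpack_from("!H", pkt, hlen + 2)[0] if offset == 0 and len(pkt) >= hlen + 4 else None
    return {"total_len": total_len, "hlen": hlen, "dst": socket.inet_ntoa(dst), "src": socket.inet_ntoa(src),
            "dport": dport, "ident": ident, "flags": flags, "offset": offset}

def simple_analyzer(f, wire_len):
    """SA: stateless header checks (size range, identical source/destination)."""
    alerts = []
    if f["hlen"] < 20 or f["total_len"] < f["hlen"] or f["total_len"] > wire_len:
        alerts.append("invalid packet size")
    if f["src"] == f["dst"]:
        alerts.append("same source and destination address")
    return alerts

def fragment_analyzer(f, state):
    """FA: track the minimum offset per (src, dst, id) and flag overlap without reassembly."""
    alerts = []
    if not (f["flags"] & MF) and f["offset"] == 0:
        return alerts  # unfragmented datagram: nothing for FA to track
    data_len = f["total_len"] - f["hlen"]
    if (f["flags"] & MF) and (data_len < 8 or data_len % 8):
        alerts.append("non-final fragment too small or not 8-byte aligned")
    key = (f["src"], f["dst"], f["ident"])
    lo, hi = f["offset"], f["offset"] + data_len
    min_off, min_end = state.get(key, (lo, hi))  # stored minimum offset and its end
    if lo < min_off < hi or min_off < lo < min_end:
        alerts.append("fragment overlaps the fragment at stored minimum offset")
    if key not in state or lo < min_off:
        state[key] = (lo, hi)
    return alerts

def inspect(pkt, state):
    f = feature_selector(pkt)
    return simple_analyzer(f, len(pkt)) + fragment_analyzer(f, state)
```

Each call to inspect returns the alerts for one packet; passing the same state dict across calls gives FA the per-flow memory it needs.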
