Journal of Emerging Technologies in Web Intelligence Contents

More documents

Recommendations

Info

112 JOURNAL OF EMERGING TECHNOLOGIES IN WEB INTELLIGENCE, VOL. 2, NO. 2, MAY 2010IV. IMPLEMENTATIONThe proposed architecture has been implemented inRed Hat Linux environment. Our architecture does notemphasis on underlying technology used by host basedintrusion detection system to detect intrusion. Rather thanconstruct a HIDS from scratch, we decided to leverage anHIDS within current implementation of our architecture.The two hypotheses that underlie this dissertation arepractical in nature. First, they intend to show that it isfeasible to protect HIDS using proposed architecture.Second, proposed architecture does not affect systemperformance adversely. Therefore, an implementationwas a center point for the development of this dissertationand was used both for practical verification of theintended features of the architecture and for aiding inreasoning about and experimenting with itscharacteristics.V. NEW PROCESSES PROPOSED INARCHITECTUREPractically MonitorIDS process (introduced in ourproposed architecture) has implemented with two subprocesses :1. MonitorProcesses2. MonitorFilesTo ensure that MoitorIDS processes live forever werun these processes as system processes. When theadversary tries to kill this process kernel automaticallyrestarts it. A respawn labeled entry related to theseprocesses has been written in system file ‘\etc\inittab’ torun these processes as system processes.MonitorProcesses process ensures that all processesrelated to OSSEC are always running. If it found anyprocess dead it restarts the process corresponding HIDSprocess. MonitorProcesses also prevents modificationrelated to these entries in ‘\etc\inittab’ file. In case ofdeletion or modification of these entries from‘\etc\inittab’ file, this process writes new entries. Thepurpose of MonitorFiles sub-process is to protect HIDSfiles from unauthorized modification. If it detects anymodification or deletion, it restores the victim file withgenuine file from backup directory.VI. AFFECTS ON PERFORMANCE OF THESYSTEMTo evaluate the affects on the performance on systemfollowing steps are carried out :1. To evaluate the affects on execution time of basicLinux commands, some time measurementswere carried out.2. System Monitoring Utility was used to check thechanges in utilization of processor due toprocesses related to our proposed architecture.A. Affects on execution of Linux commandsFor this purpose, most of the time measurements werecarried out regarding basic Linux commands (ps, find,who). Each Command was executed 100 times and allcorresponding 100 execution times were recorded. Theaverage of these timings has been considered as theAverage Execution Time(ATE). Average Execution Time(AET) was calculated twice. In first run, we calculateexecution time (ATE1) without running processes (suchas MonitorIDS process) related to our architecture. Andin second run we calculate execution time (ATE2) whileprocesses related to our architecture were running.Table-1 Average Execution Time in millisecondsCommand ps –ef find / >/dev/nullNumber of systemcalls 536 10055(a) Average Execution Time(AET 1) 25.9 63.1(time required to executeon machine while not runningprocesses related to proposedarchitecture )(b)Average Execution Time(AET 2) 30.1 65.5(time required to executeon machine while processesrelated to proposed architectureare running )Overhead relative to (a) 0.16% 0.03%Table 1 represents average execution time (inmilliseconds) and corresponding overhead. Very smallfraction of time was observed as overhead due to theMonitorIDS process.B. Changes in processor utilization due MonitorIDSProcessMonitorIDS process is a very lightweight processthat works in iterative manner. In each iteration checksthe state (process terminated or running) of HIDSprocesses and integrity of HIDS related files. Oneiteration requires approximately .001 Second time forexecution.Figure 3 represents the CPU utilization graph whenMonitorIDS process was not running. Because theprocessor in use is Dual Core two lines representsutilizations of processor. As shown in the graph CPUutilization is between 0% to 20%. Most of the time theCPU utilization is below 10%.Figure 3: Graph showing CPU utilization while MonitorIDS not running© 2010 ACADEMY PUBLISHER
JOURNAL OF EMERGING TECHNOLOGIES IN WEB INTELLIGENCE, VOL. 2, NO. 2, MAY 2010 113But as shown in graph given in figure 4, whileMonitorIDS process has been running the CPU use isincreased to some extent. Most of the time one of theCPU utilization lies between 15 to 20 % and other CPUutilization lies between 5 to 15%.even more time for execution as in comparison to time itrequires to execute on a normal machine.Table-2 Virtual Machine Overhead on execution timeCommand ps –ef find / >/dev/nullNumber of system calls 536 10055(a) Host Time 25 125(time required to executeOn real machine )(b) Guest Time 68 484(time required to executeOn real machine )Overhead relative to (a) 172% 287%Figure 4 Graph showing CPU utilization while MonitorIDS running.As in comparison to graph in figure3 the CPU use isincreased about approximately 8 to 10% of total CPUutilization while MonitorIDS process has been running.VII. RELATED WORKTo protect the HIDS many researchers have given theproposals. In [2], Laureano and Jamhour define the use ofvirtual machine to protect the HIDS. Virtual machine isused because of its inherent properties like separation ofexecution space. Other benefits [3] of virtual machine,that are useful in system security are isolation (a processrunning outside the VM cannot be accessed internalprocess of VM), inspection (VM state can be accessed byVM Monitor), and interposition (any operation issued byVM can be modified by VM Monitor). The idea behindthe architecture is to encapsulate the system activities(both user and guest activities) in virtual machine andplace the Intrusion Detection System outside the scope ofvirtual machine. Now any process has not been able toaccess the IDS. IDS monitors the activities performed inthe virtual machine and identify the intrusive activities.Their approach use type II virtual machine. Thearchitecture protects the IDS from attacks by placing itout from the scope of other processes. However, thisapproach has one basic problem regarding withtheperformance issue. The overhead due to virtualmachine degrades the system performance to very worsestatus. As results given by them if we compare theexecution timings of basic routines under an actualmachine and virtual environment, there is a largevariation. The time taken by routines under virtualmachine is much more than time taken on an actualmachine.Table 2 represents a subset of results given byLaureano and Jamhour in [2]. The virtual machineoverhead is so high that each routine requires double orThe architecture also affects the networkperformance. The performance of applications such asFTP and HTML etc. is also turned down.The work in [4] represents the use of virtual machinetype-I. The basic idea is same as to run the HIDS inexecution space that cannot be accessible by otherprocesses. However, virtual machine overheads alsoaffect this architecture.The use of virtual machines for the security ofsystems has defined by G. Dunlap & et. al.[6]. Theproposal defines an intermediate layer between themonitor and the host system, called Revirt. This layercaptures the data sent through the syslog process (thestandard UNIX logging daemon) of the virtual machineand sends it to the host system for storing and lateranalysis. However, if the virtual system is compromised,the guest syslog process can be terminated and/or the logmessages can be manipulated. by the intruder, andconsequently they are no longer reliable.VIII. FUTURE WORKStill there are many issues to be addressed about howthe proposed architecture can be best implemented andused. MonitorIDS process checks HIDS continuouslyin iterative way. To check HIDS in an iterationMonitorIDS process requires .001 seconds.On an average, the adversary has .0005 (.0001/2)seconds to disable our architecture and HIDS byexecuting following steps :1. Terminate the MonitorIDS process2. Remove the entry related to MonitorIDS processfrom /etc/inittab file to stop the Operating systemto restart MonitorIDS process.3. Terminate HIDS processes or change files relatedto HIDS.A DFA (Deterministic Finite Automata) shown inFigure 4, represent such sequences of steps. State q1 isthe initial healthy state and q4 is the final state. Afterreaching at q4 state attacker can tamper the HIDS. Toavoid this case, there should be some mechanism that© 2010 ACADEMY PUBLISHER
Page 1 and 2: Journal of Emerging Technologies in
Page 3 and 4: JOURNAL OF EMERGING TECHNOLOGIES IN
Page 6 and 7: 82 JOURNAL OF EMERGING TECHNOLOGIES
Page 24 and 25: 100 JOURNAL OF EMERGING TECHNOLOGIE
Page 81 and 82: Aims and ScopeCall for Papers and S

Journal of Emerging Technologies in Web Intelligence Contents

Create successful ePaper yourself

Delete template?

Save as template?