DPI Based Forensic Analysis of Network Traffic Using Grid Infrastructure
Abstract
Security threats have evolved from simple attacks such as virus infections to more sophisticated ones like the application-layer buffer overflow, DDoS, phishing and many zero-day variants. Such threats have significantly altered the requirements for modern network security architecture. To detect and prevent these threats, a completely new kind of security system is required which is highly proactive as well as reactive. To protect a network from complex, sophisticated attacks, the security system should have the ability to learn from the behaviour of past attacks and be prepared to thwart similar attacks, or attacks from similar sources, in the future. A quick response time for such a detection, analysis and learning system is the key to a strong and reliable security system.
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) monitor network and/or host activities for anomalous behaviour and react in real time to block or prevent them. Traditional IDS/IPS use signature matching or anomaly detection techniques which work well for known attacks but fail to detect new attacks. Another drawback is the generation of too many false positive alerts, in which the IDS mistakes legitimate traffic for an attack. An Intrusion Detection System based on Deep Packet Inspection (DPI) technology, where the appliance has the mechanism to look within the application payload of the traffic by inspecting every byte of every packet, has the ability to detect intrusions which are more difficult to detect than simple attacks.
Real-time monitoring of the payload at any level requires significant human and hardware resources, and does not scale to networks larger than a single workgroup. It is more practical to archive all traffic and analyze subsets as necessary. This process, also known as reconstructive traffic analysis or network forensics, can enhance the security of the network and is also useful for the investigation of attacks. Forensic analysis can analyze network traffic and lead to the source of attacks. The attribution of an attack to a host or a network helps in predicting and preventing future attacks. Attack patterns can be created from existing knowledge. The identification of attacks and their subsequent categorization, followed by attack reconstruction, can help to prevent a similar attack in the future. The traceback to the source of the attack also aids in criminal investigation and legal prosecution of the attackers.
In this work a DPI based network forensics analysis framework is proposed for performing reconstructive traffic analysis: the traffic is analyzed according to the user's needs to discover useful and interesting insights into it and to protect against future attacks. The network traffic is captured and DPI based intrusion detection is performed to identify attacks and create evidence. This network based evidence, along with host based evidence (logs, file checksums), is used to create forensic profiles using data mining tools. Bayesian algorithms and decision trees are used as the machine learning methods for creating the forensic profiles. The essence of a pattern-recognition DPI model is a multiple pattern-matching algorithm, where the payload is inspected to detect malicious patterns. Fast string matching is the key element of DPI based IDSs and is a vital component for early attack detection. The popular algorithms are studied so that the best possible pattern-matching algorithm for the work can be selected. The quest for further improvement in the performance of the algorithm led to exploring the possibility of mapping the algorithm to a GPU, and after a careful review of the related literature the Rabin-Karp multiple pattern matching algorithm is found most suitable for this work. The implementation on the GPU is done in CUDA.
The storage and processing requirements for analysis of the huge volume of network traffic are high. Large storage capacities are needed to store the captured traffic and high processing power is needed to process this huge volume of data. Adding special hardware translates to high costs, as the data requirements for even medium-sized networks soon run into terabytes. Grid architectures are analyzed in the research, which leads to attempts to leverage Grid Service technology as an answer to the high storage and computational requirements of the framework. The convergence of web services and grid computing simplifies the design, development and deployment of grid services in virtual organizations with diverse compute and resource characteristics. The thesis work focuses on the realization of flexible and scalable service offers in a Grid environment; therefore many technology frameworks are considered to find the best choice of web service architecture for the proposed model. An established and well supported Service Oriented Architecture based on the Web Services Resource Framework (WSRF) is presented, which can ensure long term scalability and extensibility of the application. The thesis gives an overview of the many currently available Grid service standards, supports the selection of WSRF, and describes the implementation of WSRF compliant Java web services on the Grid for the machine learning functions of the framework, such as classification and clustering.
The forensic analysis framework is designed around behaviour-based machine learning, also known as statistical modeling. Supervised machine learning is performed by training the classifier with the datasets created after intrusion detection. Cross-validation techniques build a model which can be used to predict intrusions on newly captured datasets. The classifier is trained with a labelled dataset and several machine learning algorithms are tested before selecting the one with the lowest error rate and moderate model building time. The model is validated with the standard measures F-Measure, Accuracy, Precision and Recall on a Grid prototype set up using Globus Toolkit 4.0 at the Thapar University Grid lab.
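The two technical pieces of the abstract, the Rabin-Karp multiple pattern matching at the heart of the DPI stage and the Accuracy/Precision/Recall/F-Measure validation of the resulting detector, are illustrated together in the following added example. It is not code from the thesis (which targets a GPU in CUDA and Java grid services); it is a plain CPU Python version written for this page. The signature list and the labelled sample packets are constructed here for demonstration and are not the thesis's dataset or any real IDS rule set. Patterns are grouped by length so that one rolling hash per length covers a whole group, and every hash hit is verified byte-for-byte to rule out collisions, the detail a correct Rabin-Karp implementation must not skip.

```python
"""Added example (not the thesis's code): a CPU Rabin-Karp multi-pattern
matcher used as a minimal DPI signature scanner, then scored with the
Accuracy / Precision / Recall / F-Measure figures the abstract names.
Signatures and packets below are constructed sample data."""

from collections import defaultdict

BASE = 256            # one rolling-hash "digit" per byte
MOD = 1_000_000_007   # large prime modulus keeps hash values bounded


def _hash(b: bytes) -> int:
    """Polynomial hash of a byte string (the value the rolling hash maintains)."""
    h = 0
    for c in b:
        h = (h * BASE + c) % MOD
    return h


def rabin_karp_multi(payload: bytes, patterns):
    """Return a sorted list of (offset, pattern) for every occurrence of any
    pattern in payload.  Patterns are grouped by length; for each length the
    payload is scanned once with a rolling hash, and hash hits are confirmed
    with a direct comparison so hash collisions never produce false matches."""
    by_len = defaultdict(dict)            # length -> {hash: [patterns]}
    for p in set(patterns):
        if p:
            by_len[len(p)].setdefault(_hash(p), []).append(p)

    hits = []
    n = len(payload)
    for m, table in by_len.items():
        if m > n:
            continue
        high = pow(BASE, m - 1, MOD)      # weight of the byte leaving the window
        h = _hash(payload[:m])
        for i in range(n - m + 1):
            if h in table:                # candidate: verify to reject collisions
                window = payload[i:i + m]
                hits.extend((i, p) for p in table[h] if window == p)
            if i + m < n:                 # slide: drop payload[i], add payload[i+m]
                h = (h - payload[i] * high) % MOD
                h = (h * BASE + payload[i + m]) % MOD
    return sorted(hits)


# Constructed sample signatures (not real IDS rules).
SIGNATURES = [b"/etc/passwd", b"cmd.exe", b"' OR 1=1", b"<script>"]

# Constructed labelled packets: (payload, is_attack).  The last one is an
# "unknown" attack with no matching signature, to show the false-negative
# case the abstract attributes to signature-only IDS.
SAMPLE_PACKETS = [
    (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n", False),
    (b"GET /../../etc/passwd HTTP/1.1\r\n", True),
    (b"POST /login HTTP/1.1\r\n\r\nuser=admin' OR 1=1--&pw=x", True),
    (b"GET /search?q=<script>alert(1)</script> HTTP/1.1\r\n", True),
    (b"GET /docs/cmd.exe.html HTTP/1.1\r\n", False),   # benign: false positive
    (b"GET /images/logo.png HTTP/1.1\r\n", False),
    (b"GET /../../etc/shadow HTTP/1.1\r\n", True),     # unseen: false negative
]


def classify(payload: bytes, patterns=SIGNATURES) -> bool:
    """DPI verdict: the packet is flagged if any signature occurs in it."""
    return bool(rabin_karp_multi(payload, patterns))


def evaluate(packets, patterns=SIGNATURES):
    """Confusion counts plus the four validation measures used in the abstract."""
    tp = fp = tn = fn = 0
    for payload, is_attack in packets:
        flagged = classify(payload, patterns)
        if flagged and is_attack:
            tp += 1
        elif flagged:
            fp += 1
        elif is_attack:
            fn += 1
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f_measure = (2 * precision * recall / (precision + recall)
                 if precision + recall else 0.0)
    accuracy = (tp + tn) / len(packets) if packets else 0.0
    return {"tp": tp, "fp": fp, "tn": tn, "fn": fn, "precision": precision,
            "recall": recall, "f_measure": f_measure, "accuracy": accuracy}


if __name__ == "__main__":
    for offset, sig in rabin_karp_multi(SAMPLE_PACKETS[2][0], SIGNATURES):
        print(f"offset {offset}: {sig!r}")
    print(evaluate(SAMPLE_PACKETS))
```

On the constructed packets the scanner scores three true positives, one false positive (the benign page named `cmd.exe.html`) and one false negative (the `/etc/shadow` request, for which no signature exists), so precision, recall and F-Measure all come to 0.75 and accuracy to 5/7. The false negative is exactly the "fails to detect new attacks" limitation the abstract raises, which is why the framework adds behaviour-based classifiers on top of the DPI evidence.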
Description
Doctor of Philosophy-CSE
