A Wavelet Approach to Network Intrusion Detection
W. Oblitey & S. Ezekiel
IUP Computer Science Dept.
Secure IT - 2005


Slide 2: Intrusion Detection
- Provides monitoring of system resources to help detect intrusions and/or identify attacks.
- Complementary to blocking devices:
  - Insider attacks.
  - Attacks that use traffic permitted by the firewall.
  - Can monitor the attack after it crosses through the firewall.
- Helps gather useful information for:
  - Detecting attackers,
  - Identifying attackers,
  - Revealing new attack strategies.

Slide 3: Classification
- Intrusion Detection Systems are classified according to how they detect malicious activity:
  - Signature detection systems (also called misuse detection systems)
  - Anomaly detection systems
- Also classified as:
  - Network-based intrusion detection systems: monitor network traffic
  - Host-based intrusion detection systems: monitor activity on host machines

Slide 4: Signature Detection
- Achieved by creating signatures: models of attacks.
- Monitored events are compared to the models to determine whether they qualify as attacks.
- Excellent at detecting known attacks.
- Requires the signatures to be created and entered into the sensor's database before operation.
- May generate false alarms (false positives).
- Problem: needs a large number of signatures for effective detection.
  - The database can grow very massive.

Slide 5: Anomaly Detection
- Creates a model of normal use and looks for activity that does not conform to the model.
- Problems with this method:
  - Difficulty in creating the model of normal activity.
    - If the network already had malicious activity on it, is that 'normal activity'?
  - Some patterns classified as anomalies may not be malicious.

Slide 6: Network-Based IDS
- By far the most commonly employed form of Intrusion Detection System.
- To many people, "IDS" is synonymous with "NIDS".
- Matured more quickly than the host-based equivalents.
- Large number of NIDS products available on the market.

Slide 7: Deploying NIDS
- Points to consider:
  - Where do sensors belong in the network?
  - What is to be protected the most?
  - Which devices hold critical information assets?
- Cost effectiveness:
  - We cannot deploy sensors on all network segments; that would not even be manageable.
  - We need to carefully consider where sensors are to be deployed.

Slide 8: Locations for IDS Sensors
- Just inside the firewall.
  - The firewall is a bottleneck for all traffic: all inbound/outbound traffic passes here.
  - The sensor can inspect all incoming and outgoing traffic.
- On the DMZ.
  - The publicly reachable hosts located here often get attacked.
  - The DMZ is usually the attacker's first point of entry into the network.
- On the server farm segment.
  - We can monitor mission-critical application servers (example: financial, logistical, human resources functions).
  - Also monitors insider attacks.
- On the network segments connecting the mainframe or midrange hosts.
  - Monitor mission-critical devices.

Slide 9: The Network Monitoring Problem
- Network-based IDS sensors employ sniffing to monitor the network traffic.
- Networks using hubs: can monitor all packets.
  - Hubs transmit every packet out of every connected interface.
- Switched networks: the sensor must be able to sniff the passing traffic.
  - Switches forward packets only to the ports connected to the destination hosts.

Slide 10: Monitoring Switched Networks
- Use of Switch Port Analyzer (SPAN) configurations.
  - Causes the switch to copy all packets destined to a given interface.
  - Transmits the packets to the modified (monitoring) port.
- Use of hubs in conjunction with the switches.
  - The hub must be a fault-tolerant one.
- Use of taps in conjunction with the switches.
  - Fault-tolerant hub-like devices.
  - Permit only one-way transmission of data out of the monitoring port.

Slide 11: NIDS Signature Types
- Signatures that look for patterns in packet payloads that indicate possible attacks.
- Port signatures: watch for connection attempts to known or frequently attacked ports.
- Header signatures: watch for dangerous or illogical combinations in packet headers.

Slide 12: Network IDS Reaction Types
- Typical reactions of a network-based IDS with active monitoring upon detection of an attack in progress:
  - TCP resets
  - IP session logging
  - Shunning or blocking
- Capabilities are configurable on a per-signature basis: the sensor responds based on its configuration.

Slide 13: TCP Reset Reaction
- Operates by sending a TCP reset packet to the victim host; this terminates the TCP session.
- Spoofs the IP address of the attacker.
- Resets are sent from the sensor's monitoring/sniffing interface.
- It can terminate an attack in progress but cannot stop the initial attack packet from reaching the victim.

Slide 14: IP Session Logging
- The sensor records traffic passing between the attacker and the victim.
  - Can be very useful in analyzing the attack.
  - Can be used to prevent future attacks.
- Limitation: only the trigger packet and the subsequent packets are logged; preceding packets are lost.
- Can impact sensor performance.
- Quickly consumes large amounts of disk space.

Slide 15: Shunning/Blocking
- The sensor connects to the firewall or a packet-filtering router.
  - Configures filtering rules that block packets from the attacker.
- Needs proper authentication arrangements: ensures that the sensor can securely log into the firewall or router.
- A temporary measure that buys time for the administrator.
- The problem with spoofed source addresses.

Slide 16: Host-based IDS
- Started in the early 1980s when networks were not so prevalent.
- Primarily used to protect only critical servers.
- A software agent resides on the protected system.
- Signature based: detects intrusions by analyzing logs of operating systems and applications, resource utilization, and other system activity.
- Use of resources can have an impact on system performance.

Slide 17: HIDS Methods of Operation
- Auditing logs: system logs, event logs, security logs, syslog.
- Monitoring file checksums to identify changes.
- Elementary network-based signature techniques, including port activity.
- Intercepting and evaluating requests by applications for system resources before they are processed.
- Monitoring of system processes for suspicious activity.

Slide 18: Log File Auditing
- Detects past activity: cannot stop the action that set off the alarm from taking place.
- Log files:
  - Monitor changes in the log files.
  - New entries in the changed logs are compared with HIDS attack signature patterns for a match.
  - If a match is detected, the administrator is alerted.

Slide 19: File Checksum Examination
- Detects past activity: cannot stop the action that set off the alarm from taking place.
- Hashes are created only for system files that should not change, or change infrequently.
- Inclusion of frequently changing files is a huge disturbance.
- File checksum systems, like Tripwire, may also be employed.
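As an added example (not code from the slides or from Tripwire), the baseline-and-compare routine this slide describes, in Python: SHA-256 of every file that should not change, volatile paths excluded by pattern so they do not disturb the report, and a later comparison that lists modified, missing and added files. The directory tree, file names and exclusion patterns are constructed for the demonstration.

```python
"""Added example, not from the slides or from Tripwire: baseline the
SHA-256 of files that should not change, exclude volatile paths by
pattern, and later report what was modified, removed or added.
The directory tree below is constructed in a temporary folder."""
import fnmatch
import hashlib
import os
import tempfile

# Paths matching these patterns change routinely; hashing them would
# flood the report, so they are left out of the baseline (assumed list).
VOLATILE_PATTERNS = ("*.log", "var/spool/*", "*.tmp")


def sha256_file(path):
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_volatile(relpath):
    """True when the relative path matches any volatile pattern."""
    return any(fnmatch.fnmatch(relpath, pat) for pat in VOLATILE_PATTERNS)


def build_baseline(root):
    """Map relative path -> SHA-256 for every non-volatile file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not is_volatile(rel):
                baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline, root):
    """Re-hash the tree and classify differences against the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def write_file(root, relpath, data):
    """Create a file (and its parent directories) inside root."""
    full = os.path.join(root, *relpath.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed tree, baseline it, make changes, and compare."""
    root = tempfile.mkdtemp()
    write_file(root, "bin/httpd", b"release build 1.0")
    write_file(root, "etc/app.conf", b"listen=8080\n")
    write_file(root, "var/log/auth.log", b"login ok\n")        # volatile
    write_file(root, "var/spool/mail/alice", b"hello\n")       # volatile
    baseline = build_baseline(root)

    # Later: a static binary is altered, a config file disappears, a new
    # file shows up, and the log keeps growing as logs do.
    write_file(root, "bin/httpd", b"release build 1.0 + patch")
    os.remove(os.path.join(root, "etc", "app.conf"))
    write_file(root, "bin/helper", b"new tool")
    write_file(root, "var/log/auth.log", b"login ok\nlogin ok\n")
    return baseline, compare(baseline, root)
```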

Slide 20: Network-Based Techniques
- The IDS product monitors packets entering and leaving the host's NIC for signs of malicious activity.
- Designed to protect only the host in question.
- The attack signatures used are not as sophisticated as those used in NIDS.
- Provides rudimentary network-based protection.

Slide 21: Intercepting Requests
- Intercepts calls to the operating system before they are processed.
- Is able to validate software calls made to the operating system and kernel.
- Validation is accomplished by:
  - Generic rules about what processes may have access to resources.
  - Matching calls to system resources with predefined models which identify malicious activity.

Slide 22: System Monitoring
- Can preempt attacks before they are executed.
- This type of monitoring can:
  - Prevent files from being modified.
  - Allow access to data files only to a predefined set of processes.
  - Protect system registry settings from modification.
  - Prevent critical system services from being stopped.
  - Protect settings for users from being modified.
  - Stop exploitation of application vulnerabilities.

Slide 23: HIDS Software
- Deployed by installing agent software on the system.
- Effective for detecting insider attacks.
- Host wrappers:
  - Inexpensive and deployable on all machines.
  - Do not provide the in-depth, active monitoring measures of agent-based HIDS products.
  - Sometimes referred to as personal firewalls.
- Agent-based software: more suited for single-purpose servers.

Slide 24: HIDS Active Monitoring Capabilities
- Options commonly used:
  - Log the event: very good for post-mortem analysis.
  - Alert the administrator: through email or SNMP traps.
  - Terminate the user login, perhaps with a warning message.
  - Disable the user account.
  - Prevent access to memory, processor time, or disk space.

Slide 25: Advantages of Host-based IDS
- Can verify the success or failure of an attack by reviewing log entries.
- Monitors user and system activities: useful in forensic analysis of the attack.
- Can protect against non-network-based attacks.
- Reacts very quickly to intrusions:
  - By preventing access to system resources.
  - By immediately identifying a breach when it occurs.
- Does not rely on a particular network infrastructure: not limited by switched infrastructures.
- Installed on the protected server itself: does not require additional hardware to deploy and needs no changes to the network infrastructure.

Slide 26: Active/Passive Detection
- The ability of an IDS to take action when it detects suspicious activity.
- Passive systems: take no action to stop or prevent the activity.
  - They log events.
  - They alert administrators.
  - They record the traffic for analysis.
- Active systems: they do all the recording that passive systems do, and in addition
  - They interoperate with firewalls and routers, which can cause blocking or shunning.
  - They can send TCP resets.

Slide 27: Our Approach
- We present a variant but novel approach to the anomaly detection scheme.
- We show how to detect attacks without the use of data banks.
- We show how to correlate multiple inputs to define the basis of a new-generation analysis engine.

Slide 28: Signals and Signal Processing
- Signal definition: a function of independent variables like time, distance, position, temperature, and pressure.
- Signals play an important part in our daily lives. Examples: speech, music, pictures, and video.
- Signal classification:
  - Analog: the independent variable on which the signal depends is continuous.
  - Digital: the independent variable is discrete. Digital signals are represented as a sequence of numbers (samples).
- Signals carry information; the objective of signal processing is to extract this useful information.

Slide 29: Energy of a Signal
- We can also define a signal as a function of varying amplitude through time.
- The measure of a signal's strength is the area under the absolute value of the curve.
- This measure is referred to as the energy of the signal and is defined as:
  - Energy of a continuous signal: $E_a = \int x(t)^2 \, dt$
  - Energy of a discrete signal: $E_d = \sum_t x(t)^2$

Slide 30: What is a Wavelet? (Wavelet Analysis)
- Wavelets are functions that satisfy certain mathematical requirements and are used to represent data or other functions.
- The idea is not new: Joseph Fourier, 1800s.
- Wavelet: the scale we use to see data plays an important role.
- The FT is non-local: it does a very poor job on sharp spikes.
- (Figures: a sine wave; a wavelet, db10.)

Slide 31: History of Wavelets
- 1807 Joseph Fourier: theory of frequency analysis; any 2π-periodic function f(x) is the sum of its Fourier series.
- 1909 Alfred Haar: PhD thesis; defined the Haar basis function, which has compact support (it vanishes outside a finite interval).
- 1930 Paul Levy (physicist): investigated Brownian motion (a random signal) and concluded that the Haar basis is better than the FT.
- 1930s Littlewood, Paley, Stein: calculated the energy of a function.
- 1960 Guido Weiss, Ronald Coifman: studied the simplest elements of function spaces, called atoms.
- 1980 Grossmann (physicist), Morlet (engineer): broadly defined the wavelet in terms of quantum mechanics.
- 1985 Stéphane Mallat: defined wavelets for his digital signal processing work for his Ph.D.
- Y. Meyer constructed the first non-trivial wavelet.
- 1988 Ingrid Daubechies: used Mallat's work to construct a set of wavelets.
- The name emerged from the literature of geophysics, by a route through France: the word onde led to ondelette; in translation, wave led to wavelet.

Slide 32: Fourier Series and Energy

$$f(x) = a_0 + \sum_{k=1}^{\infty} \left( a_k \cos kx + b_k \sin kx \right)$$

where the coefficients are calculated by

$$a_0 = \frac{1}{2\pi} \int_0^{2\pi} f(x)\,dx, \qquad a_k = \frac{1}{\pi} \int_0^{2\pi} f(x)\cos(kx)\,dx, \qquad b_k = \frac{1}{\pi} \int_0^{2\pi} f(x)\sin(kx)\,dx$$

Energy of a function $f(x)$:

$$\text{energy} = \frac{1}{2\pi} \int_0^{2\pi} f(x)^2\,dx$$

Slide 33: Functions
- Functions (in science and engineering) often use time as their parameter.
- g(t) represents the time domain; since a typical function oscillates, think of it as a wave, so G(f), where f is the frequency of the wave, is the function represented in the frequency domain.
- A function g(t) is periodic if there exists a nonzero constant P such that g(t+P) = g(t) for all t, where P is called the period.
- A periodic function has 4 important attributes:
  - Amplitude: the maximum value it has in any period.
  - Period: 2P.
  - Frequency: f = 1/P (the inverse), in cycles per second, Hz.
  - Phase: cos is a sin function with a phase of π/2.

Slide 34: Fourier, Haar
- Fourier: from (amplitude, time) to (amplitude, frequency).
- 1965 Cooley and Tukey: the Fast Fourier Transform.
- Haar:

$$\psi(x) = \begin{cases} 1 & 0 \le x < \tfrac{1}{2} \\ -1 & \tfrac{1}{2} \le x < 1 \\ 0 & \text{otherwise} \end{cases}$$

- Haar basis functions: $\psi(x),\ \psi(2x),\ \psi(2x-1),\ \psi(4x),\ \psi(4x-1),\ \psi(4x-2),\ \psi(4x-3),\ \dots$
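An added example (not from the slides) tying the Haar basis on this slide to the energy definition of the "Energy of a Signal" slide: a multi-level Haar decomposition of a constructed packets-per-second series, a check that the orthonormal transform preserves the discrete energy $E_d$, and a locator for the finest-scale detail coefficients that mark the sharp rate change a traffic spike produces. The packet counts, burst position and threshold are constructed sample values.

```python
"""Added example (not from the slides): a multi-level Haar wavelet
decomposition of a packets-per-second series, with the signal energy
(sum of squares, as on the 'Energy of a Signal' slide) accounted for
per level. The packet counts below are constructed sample data."""
import math

# Constructed sample: 16 one-second packet counts on a quiet segment,
# with a short burst in seconds 9-10 standing in for a scan or flood.
PACKET_COUNTS = [20, 22, 21, 19, 20, 23, 21, 20, 20, 95, 90, 21, 20, 19, 22, 20]


def energy(values):
    """Discrete signal energy E_d = sum over t of x(t)^2."""
    return sum(v * v for v in values)


def haar_step(values):
    """One Haar analysis step: pairwise averages (approximation) and
    pairwise differences (detail), each scaled by 1/sqrt(2) so the step
    is orthonormal and the energy is preserved exactly."""
    if len(values) % 2:
        raise ValueError("Haar step needs an even number of samples")
    s = math.sqrt(2.0)
    approx = [(values[i] + values[i + 1]) / s for i in range(0, len(values), 2)]
    detail = [(values[i] - values[i + 1]) / s for i in range(0, len(values), 2)]
    return approx, detail


def haar_decompose(values, levels):
    """Repeat the step on the approximation. Returns the final
    approximation and the detail lists, finest scale first."""
    approx = list(values)
    details = []
    for _ in range(levels):
        approx, detail = haar_step(approx)
        details.append(detail)
    return approx, details


def haar_reconstruct(approx, details):
    """Inverse transform: undo the steps from coarsest to finest."""
    values = list(approx)
    s = math.sqrt(2.0)
    for detail in reversed(details):
        merged = []
        for a, d in zip(values, detail):
            merged.append((a + d) / s)
            merged.append((a - d) / s)
        values = merged
    return values


def energy_by_level(values, levels):
    """Energy of the approximation plus each detail level; because the
    Haar transform is orthonormal, these add up to energy(values)."""
    approx, details = haar_decompose(values, levels)
    return {"approx": energy(approx), "details": [energy(d) for d in details]}


def burst_seconds(values, threshold):
    """Finest-scale detail coefficients whose magnitude exceeds the
    threshold, mapped back to the pair of seconds each one spans.
    A large |d| means two adjacent samples differ sharply, i.e. the rate
    jumped, which is exactly what the non-local Fourier basis smears."""
    _, details = haar_decompose(values, 1)
    hits = []
    for i, d in enumerate(details[0]):
        if abs(d) > threshold:
            hits.append((2 * i, 2 * i + 1))
    return hits
```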

Slide 35: CWT
- The continuous wavelet transform (CWT) of a function f(t) uses a mother wavelet $\psi(t)$.
- The mother wavelet may be real or complex, with the following properties:
  1. The total area under the curve is 0: $\int \psi(t)\,dt = 0$ (it oscillates above and below the t-axis).
  2. The total area of $|\psi(t)|^2$ is finite: $\int |\psi(t)|^2\,dt < \infty$ (the energy of the function is finite).
  3. Admissibility condition (the function is localized).
- An infinite number of functions satisfy the above conditions; some of them are used for wavelet transforms.
- Examples: the Morlet wavelet, the Mexican hat wavelet.

Page 36: Secure IT - 20051 A Wavelet Approach to Network Intrusion Detection W. Oblitey & S. Ezekiel W. Oblitey & S. Ezekiel IUP Computer Science Dept. IUP Computer

Secure IT - 2005 36

Once a wavelet ψ(t) has been chosen, the CWT of a square-integrable function f(t) is defined as

$$W(a,b) = \frac{1}{\sqrt{|a|}} \int_{-\infty}^{\infty} f(t)\, \psi^{*}\!\left(\frac{t-b}{a}\right) dt,$$

where * denotes the complex conjugate.

For any a, $\psi_{a,b}(t) = \frac{1}{\sqrt{|a|}}\,\psi\!\left(\frac{t-b}{a}\right)$ is a copy of $\psi_{a,0}(t)$ shifted b units along the time axis; thus b is a translation parameter.

Setting b = 0,

$$\psi_{a,0}(t) = \frac{1}{\sqrt{|a|}}\, \psi\!\left(\frac{t}{a}\right).$$

Here a is a scaling parameter: a > 1 stretches the wavelet and 0 < a < 1 shrinks it.
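The definition above carried into code, as an added example that is not part of the original slides. It evaluates W(a, b) with a plain Riemann sum for a real mother wavelet, checks the zero-area and finite-energy properties of the previous slide, and shows that b locates a feature of f(t) while a sets the width of the wavelet. The Mexican hat is only named on the slides; the unnormalized form (1 - t^2) exp(-t^2/2) used here is an assumption, as is the test signal (a Gaussian bump centred at t = 5).

```python
"""Numerical continuous wavelet transform with a Mexican hat mother wavelet.

Added example, not part of the original slides.  W(a, b) = |a|^(-1/2) *
integral f(t) psi*((t - b)/a) dt is evaluated with a midpoint Riemann sum;
psi is real, so the complex conjugate is psi itself.  The wavelet form and
the test signal are assumptions made for this example.
"""
import math


def mexican_hat(t: float) -> float:
    """Mexican hat: minus the second derivative of exp(-t^2/2), unnormalized."""
    return (1.0 - t * t) * math.exp(-t * t / 2.0)


def integrate(fn, lo: float, hi: float, step: float = 0.01) -> float:
    """Midpoint-rule Riemann sum of fn over [lo, hi]."""
    n = int(round((hi - lo) / step))
    return sum(fn(lo + (i + 0.5) * step) for i in range(n)) * step


def wavelet_properties(psi=mexican_hat, span: float = 12.0) -> dict:
    """The two properties from the slides: zero area and finite energy.
    Integrals are truncated to [-span, span]; psi decays like exp(-t^2/2),
    so the tail beyond |t| = 12 is negligible."""
    area = integrate(psi, -span, span)
    energy = integrate(lambda t: psi(t) ** 2, -span, span)
    return {"area": area, "energy": energy}


def cwt(f, a: float, b: float, psi=mexican_hat,
        lo: float = 0.0, hi: float = 10.0, step: float = 0.01) -> float:
    """W(a, b): scale a (a > 1 stretches, 0 < a < 1 shrinks), translation b."""
    if a == 0:
        raise ValueError("scale a must be non-zero")

    def kernel(t: float) -> float:
        return f(t) * psi((t - b) / a)

    return integrate(kernel, lo, hi, step) / math.sqrt(abs(a))


def gaussian_bump(t: float, centre: float = 5.0, width: float = 1.0) -> float:
    """Constructed test signal: one Gaussian bump of the given width at `centre`."""
    return math.exp(-((t - centre) ** 2) / (2.0 * width ** 2))


def locate_bump(a: float = 1.0, step_b: float = 0.1) -> float:
    """Scan the translation b over [0, 10] and return the b where |W(a, b)| peaks.
    For a symmetric wavelet and a symmetric bump this is the bump's centre."""
    best_b, best_val = 0.0, -1.0
    b = 0.0
    while b <= 10.0 + 1e-9:
        val = abs(cwt(gaussian_bump, a, b))
        if val > best_val:
            best_b, best_val = b, val
        b += step_b
    return best_b


if __name__ == "__main__":
    props = wavelet_properties()
    print("area under psi ~", round(props["area"], 6), " energy ~", round(props["energy"], 4))
    print("bump located at b =", round(locate_bump(a=1.0), 2))
```

The area comes out at zero and the energy at (3/4)·sqrt(pi); the scan over b peaks at b = 5, the centre of the bump. Scanning a as well would give the usual scale-position map, with the peak moving to larger a for wider bumps.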

Page 37:

Wavelets

Fourier transform: $F(\omega) = \int f(t)\, e^{-j\omega t}\, dt$

CWT: $C(\text{scale}, \text{position}) = \int f(t)\, \psi(\text{scale}, \text{position}, t)\, dt$

[Figure: scaling a wavelet means simply stretching (or shrinking) it; shifting means f(t) becomes f(t-k).]

Page 38:

Wavelets (continued)

- Wavelets are basis functions in continuous time.
- A basis is a set of linearly independent functions that can be used to produce a function f(t):
  $$f(t) = \text{combination of basis functions} = \sum_{j,k} b_{jk}\, w_{jk}(t).$$
- $w_{jk}(t)$ is constructed from a single mother wavelet w(t); normally it is a small wave that starts at 0 and ends at t = N.
- Shrunken (scaled): $w_{j0}(t) = w(2^j t)$. Shifted: $w_{0k}(t) = w(t - k)$.
- A typical wavelet compressed j times and shifted k times is $w_{jk}(t) = w(2^j t - k)$.
- Property: the remarkable property is orthogonality, i.e. the inner products of distinct $w_{jk}$ are zero.
- This leads to a simple formula for $b_{jk}$: taking the inner product of f with $w_{jk}$ leaves a single term, so $b_{jk} = \int f(t)\, w_{jk}(t)\, dt \big/ \int w_{jk}(t)^2\, dt$.

Page 39:

Haar Transform

- Digitized sound and images are discrete, so we need a discrete wavelet:
  $$f(t) = \sum_k c_k\, \phi(t - k) + \sum_k \sum_{j \ge 0} d_{j,k}\, \psi(2^j t - k),$$
  where $c_k$ and $d_{j,k}$ are coefficients to be calculated.
- Example: consider the array of 8 values (1, 2, 3, 4, 5, 6, 7, 8).
  - 4 average values: (1.5, 3.5, 5.5, 7.5).
  - 4 differences (detail coefficients): (-0.5, -0.5, -0.5, -0.5).
- Calculate the averages and differences of the 4 averages, and continue this way. The method is called PYRAMID DECOMPOSITION.
- The Haar transform depends on the coefficient pairs (1/2, 1/2) and (1/2, -1/2).
- If we replace the divisor 2 by sqrt(2), i.e. use (1/sqrt2, 1/sqrt2) and (1/sqrt2, -1/sqrt2), the transform becomes orthonormal; its two outputs are then called the coarse detail and the fine detail.
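The pyramid decomposition of this slide, and the orthogonality argument of the previous one, as an added example that is not part of the original slides. It runs the pyramid on (1, 2, 3, 4, 5, 6, 7, 8) with either the (1/2, 1/2) coefficients or the orthonormal 1/sqrt(2) pair, and checks that each detail coefficient equals the inner-product formula b_jk = <f, w_jk> / <w_jk, w_jk> built from discrete Haar basis vectors. The discrete basis vectors and the band ordering are this example's own conventions.

```python
"""Haar pyramid decomposition and its link to orthogonality.

Added example, not part of the original slides.  Every level replaces a
sequence by pairwise averages (the coarse part) and pairwise half-differences
(the detail coefficients) and recurses on the averages.  `norm` switches
between the slides' (1/2, 1/2) coefficients and the orthonormal 1/sqrt(2)
pair, which preserves the signal's energy.  The discrete Haar basis vectors
w_jk used at the end are an assumption of this example.
"""
from typing import List, Tuple


def haar_step(signal: List[float], norm: float = 2.0) -> Tuple[List[float], List[float]]:
    """One pyramid level.  norm=2 gives averages and half-differences;
    norm=sqrt(2) gives the orthonormal Haar step."""
    if len(signal) % 2:
        raise ValueError("Haar step needs an even-length signal")
    pairs = range(0, len(signal), 2)
    coarse = [(signal[i] + signal[i + 1]) / norm for i in pairs]
    detail = [(signal[i] - signal[i + 1]) / norm for i in pairs]
    return coarse, detail


def haar_pyramid(signal: List[float], norm: float = 2.0) -> List[List[float]]:
    """Full pyramid on a power-of-two length: [a, d_coarsest, ..., d_finest],
    the single remaining average followed by the detail bands coarse to fine."""
    n = len(signal)
    if n == 0 or n & (n - 1):
        raise ValueError("full pyramid needs a power-of-two length")
    details, coarse = [], list(signal)
    while len(coarse) > 1:
        coarse, d = haar_step(coarse, norm)
        details.append(d)
    return [coarse] + details[::-1]


def energy(values: List[float]) -> float:
    return sum(v * v for v in values)


def flatten(pyramid: List[List[float]]) -> List[float]:
    return [v for band in pyramid for v in band]


def haar_basis_vector(n: int, j: int, k: int) -> List[float]:
    """Discrete w_jk(t) = w(2^j t - k) on n samples: +1 on the first half of
    block k at level j, -1 on its second half, 0 elsewhere.  Level j has 2^j
    blocks of length n / 2^j; j = 0 is the coarsest level."""
    block = n >> j
    if block < 2:
        raise ValueError("level too fine for this length")
    v = [0.0] * n
    for i in range(block):
        v[k * block + i] = 1.0 if i < block // 2 else -1.0
    return v


def inner(u: List[float], v: List[float]) -> float:
    return sum(a * b for a, b in zip(u, v))


def coefficient_by_orthogonality(signal: List[float], j: int, k: int) -> float:
    """b_jk = <f, w_jk> / <w_jk, w_jk>; equals the norm-2 pyramid's detail at (j, k)."""
    w = haar_basis_vector(len(signal), j, k)
    return inner(signal, w) / inner(w, w)


if __name__ == "__main__":
    x = [1, 2, 3, 4, 5, 6, 7, 8]
    a1, d1 = haar_step(x)
    print("level 1 averages:", a1, " details:", d1)
    print("pyramid:", haar_pyramid(x))
    p = haar_pyramid(x, norm=2 ** 0.5)
    print("orthonormal: energy in =", energy(x), " out =", round(energy(flatten(p)), 9))
    print("b_00 by inner product:", coefficient_by_orthogonality(x, 0, 0))
```

With the (1/2, 1/2) coefficients the pyramid of (1..8) is [4.5], [-2], [-1, -1], [-0.5, -0.5, -0.5, -0.5], and each detail band is exactly the list of b_jk given by the inner-product formula; with the 1/sqrt(2) pair the sum of squares of the coefficients equals that of the input.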

Page 40:

Transforms

- A transform of a signal is a new representation of that signal.
- Example: from the signal x0, x1, x2, x3 define y0, y1, y2, y3.
- Questions:
  1. What is the purpose of the y's?
  2. Can we get the x's back?
- Answer to 2: the transform is invertible, giving perfect reconstruction.
- Transforms divide into 3 groups:
  1. Lossless (orthogonal): the transformed signal has the same length.
  2. Invertible (bi-orthogonal): length and angle may change, but no information is lost.
  3. Lossy (not invertible).

Page 41:

Answer to Q1: Purpose

- IT SEES LARGE vs SMALL.
- x0 = 1.2, x1 = 1.0, x2 = -1.0, x3 = -1.2. Taking sums and differences of neighbouring pairs gives Y = [2.2 0 -2.2 0]: the sums are large, while the differences (0.2) are small and are treated as 0.
- The key idea for wavelets is the concept of "SCALE": we can take sums and differences again, and this recursion gives multiresolution.
- Main idea of wavelet analysis: analyze a function at different scales. The mother wavelet is used to construct wavelets at different scales, and each is translated relative to the function being analyzed.
- Taking sums and differences again gives Z = [0 0 4.4 0]. Reconstructing from the single large coefficient gives compression 4:1.

Pages 42-48 (figures only)

Page 49:

Real electricity consumption: a peak in the center, followed by two drops, a shallow drop, and then a considerably weaker peak. (d1 to d4 are the detail bands from finest to coarsest scale, a1 to a4 the corresponding approximations.)

- d1 and d2 show the noise.
- d3 presents high values at the beginning and at the end of the main peak, thus allowing us to locate the corresponding peak.
- d4 shows 3 successive peaks; this fits the shape of the curve remarkably.
- a1 and a2 bear a strong resemblance to the signal; a3 is reasonable; a4 has lost a lot of information.

Pages 50-53 (figures only)

Page 54:

JPEG (Joint Photographic Experts Group)

1. Color images (RGB) are changed into a luminance/chrominance color space.
2. The chrominance components (not the luminance part) are down-sampled horizontally and vertically by creating low-resolution pixels (2:1 or 2:1, 1:1): 1/3 + (2/3)(1/4) = 1/2 of the original size.
3. Pixels are grouped into 8x8 blocks called data units; if the dimensions are not a multiple of 8, the bottom row and right column are duplicated.
4. The DCT is applied to each data unit, giving 64 coefficients.
5. Each of the 64 frequency components in a data unit is divided by a separate number called a quantization coefficient (QC) and then rounded to an integer.
6. The quantized coefficients are encoded using RLE, Huffman coding, or arithmetic coding (QM coder).
7. Headers and parameters are added and the result is output:
   - interchange format = compressed data + all tables needed by the decoder;
   - abbreviated format = compressed data + few or no tables;
   - abbreviated format = just tables, no compressed data.

THE DECODER DOES TH REVERSE OF THE ABOVE STEPS.

Page 55:

JPEG 2000 (JPEG Y2K)

- Divide into 3 colors; each color is partitioned into rectangular, non-overlapping regions called tiles, which are compressed individually.
- A tile is compressed in 4 main steps:
  1. Compute the wavelet transform (sub-bands of wavelet coefficients, integer or floating-point) for L+1 levels, where L is a parameter determined by the encoder.
  2. The wavelet coefficients are quantized; the quantization depends on the bit rate.
  3. An arithmetic encoder codes the wavelet coefficients.
  4. Construct the bit stream; it may cover only certain regions, in no fixed order.
- Bit streams are organized into layers, and each layer contains higher-resolution image information, so decoding layer by layer is a natural way to achieve progressive image transmission and decompression.

Pages 56-57 (figures only)

Page 58: figure of a one-level 2-D wavelet decomposition of an image into four sub-bands: A (approximation), H (horizontal detail), V (vertical detail) and D (diagonal detail).
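The tile transform of the JPEG 2000 slide and the four sub-bands of the figure above, as an added example that is not part of the original slides. It uses the Haar wavelet, the simplest member of the family, as an illustration rather than the filter JPEG 2000 itself specifies; the 4x4 tile is constructed so that a vertical edge and a horizontal edge land in different sub-bands, and the quantizer at the end is the simplest form of the quantization step, not the standard's own.

```python
"""One level of the 2-D Haar wavelet transform on an image tile.

Added example, not part of the original slides.  A tile is transformed along
its rows and then down its columns, which yields four sub-bands: A
(approximation, lowpass both ways), H (horizontal detail: lowpass along rows,
highpass down columns), V (vertical detail) and D (diagonal detail).  The
Haar filter, the tile and the quantizer are this example's assumptions.
"""
import math
from typing import Dict, List, Tuple

Tile = List[List[float]]


def haar_1d(v: List[float]) -> Tuple[List[float], List[float]]:
    """Orthonormal Haar step on one row or column: (lowpass half, highpass half)."""
    s = math.sqrt(2.0)
    low = [(v[i] + v[i + 1]) / s for i in range(0, len(v), 2)]
    high = [(v[i] - v[i + 1]) / s for i in range(0, len(v), 2)]
    return low, high


def transpose(m: Tile) -> Tile:
    return [list(col) for col in zip(*m)]


def column_pass(img: Tile) -> Tuple[Tile, Tile]:
    """Haar step down every column; returns (lowpass image, highpass image)."""
    lo_cols, hi_cols = [], []
    for col in transpose(img):
        lo, hi = haar_1d(col)
        lo_cols.append(lo)
        hi_cols.append(hi)
    return transpose(lo_cols), transpose(hi_cols)


def haar_2d(tile: Tile) -> Dict[str, Tile]:
    """Rows first, then columns.  Each band is half the tile in each direction."""
    if len(tile) % 2 or any(len(r) % 2 for r in tile):
        raise ValueError("tile dimensions must be even")
    row_low, row_high = [], []
    for r in tile:
        lo, hi = haar_1d(r)
        row_low.append(lo)
        row_high.append(hi)
    A, H = column_pass(row_low)    # lowpass along rows, then low / high down columns
    V, D = column_pass(row_high)   # highpass along rows, then low / high down columns
    return {"A": A, "H": H, "V": V, "D": D}


def quantize_band(band: Tile, step: float) -> List[List[int]]:
    """Uniform dead-zone quantizer q = sign(c) * floor(|c| / step): a larger step
    means a lower bit rate and more zeros for the entropy coder."""
    return [[int(math.copysign(math.floor(abs(c) / step), c)) for c in row] for row in band]


def band_energy(bands: Dict[str, Tile]) -> Dict[str, float]:
    """Sum of squares per band; the orthonormal transform preserves the total."""
    return {name: sum(c * c for row in b for c in row) for name, b in bands.items()}


def approx_equal(m: Tile, ref: Tile, tol: float = 1e-9) -> bool:
    return all(abs(a - r) < tol for row, rrow in zip(m, ref) for a, r in zip(row, rrow))


if __name__ == "__main__":
    # Constructed tile: bright column 0 next to dark column 1 (a vertical edge)
    # and a step between rows 0 and 1 in the right half (a horizontal edge).
    tile = [[100, 0, 20, 20],
            [100, 0, 60, 60],
            [100, 0, 60, 60],
            [100, 0, 60, 60]]
    bands = haar_2d(tile)
    for name in ("A", "H", "V", "D"):
        print(name, [[round(c, 3) for c in row] for row in bands[name]])
    print("quantized H (step 7):", quantize_band(bands["H"], 7))
```

The vertical edge shows up only in V, the horizontal edge only in H (at the block covering rows 0-1, columns 2-3), and D stays zero because the tile has no diagonal structure; the band energies add up to the energy of the tile, which is the same lossless-transform property as in the 1-D case.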

Page 59 (figure only)

Page 60:

Lowpass Filter = Moving Average

- y(n) = x(n)/2 + x(n-1)/2; here h(0) = 1/2 and h(1) = 1/2. This fits the standard form y(n) = sum over k of h(k) x(n-k) with k = 0, 1.
- x = unit impulse: x = (... 0 0 0 0 1 0 0 0 ...), then y = (... 0 0 1/2 1/2 0 0 ...).
- Average filter = 1/2 (identity) + 1/2 (delay).
- Every linear operator acting on a single vector x can be represented by y = Hx; the main diagonal comes from the identity, the subdiagonal from the delay.
- We have finitely many (two) coefficients: FIR, finite impulse response.
- Lowpass ==> scaling function. It smooths out bumps in the signal (the high-frequency components).

Page 61:

Highpass Filter = Moving Difference

- y(n) = 1/2 [x(n) - x(n-1)]; h(0) = 1/2, h(1) = -1/2; y = H1 x.
- Filter bank = lowpass and highpass together; they separate the signal into frequency bands.
- Problem: the signal length is doubled, since both outputs are the same size as the signal, so together they are double the size of the original signal.
- Solution: down-sampling.

Page 62:

Down Sampling

- We can keep half of H0 x and H1 x and still recover x.
- Save only the even-numbered components (delete the odd-numbered ones); denoted by (↓2), decimation:
  (↓2) y = (... y(-4) y(-2) y(0) y(2) ...).
- Filtering + down-sampling ==> analysis bank (gives two half-size signals).
- The inverse of this process ==> synthesis bank, i.e. up-sampling + filtering. Up-sampling puts the kept components back in the even positions with zeros between them (bringing the signal back to full size); denoted by (↑2):
  (↑2)(↓2) y = (... y(-2) 0 y(0) 0 y(2) 0 ...).
  This is not y itself: the odd-numbered samples are gone, and it is x, not y, that the synthesis bank recovers.

Page 63:

Scaling Function and Wavelets

- Corresponding to the lowpass filter there is a scaling function φ(t); corresponding to the highpass filter there is a wavelet function ψ(t).
- The dilation equation defines the scaling function in terms of the original lowpass filter coefficients c(k):
  $$\phi(t) = 2 \sum_{k=0}^{N} c(k)\, \phi(2t - k).$$
- For the Haar lowpass (moving-average) filter, c(0) = c(1) = 1/2, this gives
  $$\phi(t) = \phi(2t) + \phi(2t - 1):$$
  the graph of φ(t) compressed by 2 gives φ(2t), and that shifted by 1/2 gives φ(2t - 1).
- In a similar way, the wavelet equation uses the highpass coefficients h(k):
  $$\psi(t) = 2 \sum_{k=0}^{N} h(k)\, \phi(2t - k),$$
  and for Haar, with h(0) = 1/2 and h(1) = -1/2,
  $$\psi(t) = \phi(2t) - \phi(2t - 1).$$

Page 64:

Wavelet Packet

- Walsh-Hadamard transform: a complete binary tree --> wavelet packet.
- "Hadamard matrix": all entries are 1 and -1 and all rows are orthogonal; dividing twice by sqrt(2) makes it orthogonal and symmetric.
- Compare with the wavelet computation on x = (1.2, 1.0, -1.0, -1.2):
  - sums y0 and y2, differences y1 and y3: y = [2.2 0.2 -2.2 0.2];
  - sum z0 = y0 + y2 = 0; sum z1 = y1 + y3 = 0.4; difference z2 = y0 - y2 = 4.4; difference z3 = y1 - y3 = 0.
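The sum/difference trees of this slide and of the "large vs small" slide (x = 1.2, 1.0, -1.0, -1.2), as an added example that is not part of the original slides. It takes neighbouring sums and differences, repeats the step on both halves (the complete tree, which for four samples is the 4x4 Hadamard matrix), drops the small coefficients and reconstructs, which reproduces the 4:1 compression claimed earlier. The threshold value and the row order of the matrix are this example's own choices.

```python
"""Sum/difference trees: wavelet versus wavelet packet (Walsh-Hadamard).

Added example, not part of the original slides.  Level one is the interleaved
sums and differences y of neighbouring pairs; level two of the complete tree
forms sums and differences of both the sums and the differences, in the order
z0 = y0+y2, z1 = y1+y3, z2 = y0-y2, z3 = y1-y3.  The threshold used for the
'large vs small' step is an assumption of this example.
"""
from typing import List


def sum_diff(v: List[float]) -> List[float]:
    """[v0+v1, v0-v1, v2+v3, v2-v3, ...]: interleaved sums and differences."""
    out = []
    for i in range(0, len(v), 2):
        out += [v[i] + v[i + 1], v[i] - v[i + 1]]
    return out


def inv_sum_diff(y: List[float]) -> List[float]:
    """Exact inverse: v0 = (s + d)/2, v1 = (s - d)/2."""
    out = []
    for i in range(0, len(y), 2):
        out += [(y[i] + y[i + 1]) / 2, (y[i] - y[i + 1]) / 2]
    return out


def packet_level2(x4: List[float]) -> List[float]:
    """Second level of the complete tree on four samples."""
    y = sum_diff(x4)
    return [y[0] + y[2], y[1] + y[3], y[0] - y[2], y[1] - y[3]]


def inv_packet_level2(z: List[float]) -> List[float]:
    """Undo packet_level2: recover y from z, then x from y."""
    y0, y2 = (z[0] + z[2]) / 2, (z[0] - z[2]) / 2
    y1, y3 = (z[1] + z[3]) / 2, (z[1] - z[3]) / 2
    return inv_sum_diff([y0, y1, y2, y3])


def hadamard4() -> List[List[float]]:
    """The 4x4 matrix packet_level2 applies to x, read off column by column
    from the unit vectors: entries are all +-1, rows are mutually orthogonal,
    and dividing by sqrt(2) twice (by 2) makes it orthonormal; it is symmetric."""
    basis = [[1.0 if i == j else 0.0 for j in range(4)] for i in range(4)]
    cols = [packet_level2(e) for e in basis]          # column j = H e_j
    return [[cols[j][i] for j in range(4)] for i in range(4)]


def threshold(coeffs: List[float], keep_above: float) -> List[float]:
    """'Large vs small': zero every coefficient whose magnitude is below the threshold."""
    return [c if abs(c) >= keep_above else 0.0 for c in coeffs]


def compress_ratio(coeffs: List[float]) -> float:
    """Coefficients stored over coefficients kept (non-zero)."""
    kept = sum(1 for c in coeffs if c != 0.0)
    return len(coeffs) / kept if kept else float("inf")


if __name__ == "__main__":
    x = [1.2, 1.0, -1.0, -1.2]
    y = sum_diff(x)
    z = packet_level2(x)
    print("y =", [round(v, 3) for v in y])
    print("z =", [round(v, 3) for v in z])
    zt = threshold(z, 1.0)                     # keeps only the 4.4
    xr = inv_packet_level2(zt)
    print("from one coefficient:", [round(v, 3) for v in xr], " ratio", compress_ratio(zt))
```

Keeping only the 4.4 and inverting gives (1.1, 1.1, -1.1, -1.1): one stored coefficient instead of four, at a maximum error of 0.1 per sample. A plain wavelet tree would only have recursed on the sums (y0, y2) and never formed z1 and z3; the packet tree spends the extra work to look at the differences at every scale too.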

Page 65:

Filters and Filter Banks

- A filter is a linear time-invariant operator. It acts on an input vector x; the output vector y is the convolution of x with a fixed vector h.
- h contains the filter coefficients. Our filters are digital, not analog: h(n) is defined at discrete times t = nT, where T is the sampling period (assumed to be 1 here); x(n) and y(n) are defined for all times t = 0, ±1, ...
- y(n) = sum over k of h(k) x(n-k) = the convolution h * x in the time domain.
- Filter bank = a set of filters.
- Convolution by hand: arrange it as ordinary multiplication, but don't carry digits from one column to another:
  x = 3 2 4, h = 1 5 2, x * h = 3 17 20 24 8.
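The convolution, impulse-response, decimation and synthesis steps of the last six slides in one runnable piece, as an added example that is not part of the original slides. It checks the by-hand product 3 2 4 * 1 5 2, feeds an impulse through the moving-average and moving-difference filters, then runs the analysis bank (filter, keep even samples) and the synthesis bank (insert zeros, filter) and verifies that x comes back exactly. Treating a finite signal as periodic, so that each band is exactly half the input, and the anti-causal synthesis filters are assumptions of this example.

```python
"""Two-channel Haar filter bank: convolution, decimation, perfect reconstruction.

Added example, not part of the original slides.  y(n) = sum_k h(k) x(n-k) is
implemented as plain convolution; H0 is the moving average (lowpass) and H1
the moving difference (highpass) from the slides.  Finite signals are wrapped
periodically (x(-1) = x(N-1)), an assumption made here so that each band is
exactly half the length of the input.
"""
from typing import List, Tuple


def convolve(x: List[float], h: List[float]) -> List[float]:
    """Full linear convolution h * x: y(n) = sum_k h(k) x(n-k)."""
    y = [0.0] * (len(x) + len(h) - 1)
    for n in range(len(y)):
        for k, hk in enumerate(h):
            if 0 <= n - k < len(x):
                y[n] += hk * x[n - k]
    return y


H0 = [0.5, 0.5]     # lowpass: moving average, h(0) = h(1) = 1/2
H1 = [0.5, -0.5]    # highpass: moving difference, h(0) = 1/2, h(1) = -1/2


def impulse_response(h: List[float], length: int = 6) -> List[float]:
    """Feed a unit impulse through the filter; the output is h padded with zeros."""
    impulse = [1.0] + [0.0] * (length - 1)
    return convolve(impulse, h)[:length]


def filter_periodic(x: List[float], h: List[float]) -> List[float]:
    """The same FIR filter with periodic wrap-around: x((n-k) mod N)."""
    n_len = len(x)
    return [sum(hk * x[(n - k) % n_len] for k, hk in enumerate(h)) for n in range(n_len)]


def downsample(y: List[float]) -> List[float]:
    """(down 2): keep the even-numbered components, delete the odd ones."""
    return y[0::2]


def upsample(u: List[float]) -> List[float]:
    """(up 2): each kept sample back in an even slot, zeros in the odd slots."""
    out = [0.0] * (2 * len(u))
    out[0::2] = u
    return out


def analysis_bank(x: List[float]) -> Tuple[List[float], List[float]]:
    """Filter with H0 and H1, then decimate: two half-length signals."""
    if len(x) % 2:
        raise ValueError("even length required")
    return downsample(filter_periodic(x, H0)), downsample(filter_periodic(x, H1))


def synthesis_bank(low: List[float], high: List[float]) -> List[float]:
    """Up-sample both bands and apply the synthesis filters.  For the Haar pair
    these are [1, 1] and [1, -1] applied anti-causally (taps at n and n+1),
    which undoes the one-sample delay of the analysis filters."""
    up_l, up_h = upsample(low), upsample(high)
    n_len = len(up_l)
    # x(n) = U(n) + U(n+1) + V(n) - V(n+1), indices modulo N (periodic assumption)
    return [up_l[n] + up_l[(n + 1) % n_len] + up_h[n] - up_h[(n + 1) % n_len]
            for n in range(n_len)]


if __name__ == "__main__":
    print("3 2 4 * 1 5 2 =", convolve([3, 2, 4], [1, 5, 2]))
    print("H0 impulse response:", impulse_response(H0))
    x = [1.0, 2.0, 3.0, 4.0, 5.0, 6.0, 7.0, 8.0]
    low, high = analysis_bank(x)
    print("low =", low, " high =", high)
    print("reconstructed:", synthesis_bank(low, high))
```

Because the analysis filters are causal and the even samples are kept, each kept sample pairs x(2m) with x(2m-1); under the periodic assumption x(0) pairs with x(N-1), so the first coefficients of both bands look unlike the Haar pyramid's (x0, x1) pairing even though reconstruction is exact. Keeping the odd samples instead would reproduce the pyramid's pairing.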

Page 66:

Our Network Topology:

We set up a star topology network:
- Four computers in an island, each running Linux RedHat 9.2.
- The machines are connected by a switch.
- The switch is connected to a PIX 515E Firewall.
- A 3Com Ethernet hub sits between the switch and the firewall, for sniffing and capturing packets.

We duplicated this island six times and connected them with routers. We then connected the islands, via the routers, to a central Cisco switch.

For simulation purposes, we installed Windows XP on one machine in island one.

Page 67:

Data Collection:

We generated packets with a Perl script on a Linux system. We used the three most common protocols for our simulation: HTTP, FTP, and SMTP.

For each protocol:
- We generated constant traffic.
- We created 50 datasets, each consisting of the number of packets transmitted over two-minute intervals.
- We executed the same traffic scripts with a random pause between 0 and 60 seconds.
- We then reran the traffic with a pause between 0 and 15 seconds to create additional datasets.

We collected all 150 datasets with Ethereal for further analysis.
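What a wavelet pass over one such dataset can flag, as an added example that is not part of the original slides. The slides describe the per-interval packet counts but give no detection rule, so the rule here is this example's own assumption: Haar detail coefficients at three scales, a threshold of k times the median absolute deviation of each scale, and a mapping from a flagged coefficient back to the intervals it covers. The 32 counts are constructed, not measured, with steady traffic, a pause of the kind the script introduces, and a short flood.

```python
"""Wavelet-based burst detection on a packet-count series.

Added example, not part of the original slides.  Detail coefficients are
computed at several scales; the normal spread at each scale is estimated with
the median absolute deviation (robust, so a burst does not inflate its own
threshold); any coefficient above k times that spread is flagged and mapped
back to the intervals where the jump happened.  The rule and the data are
this example's assumptions.
"""
from typing import Dict, List, Tuple


def haar_details(counts: List[float], levels: int = 3) -> Dict[int, List[float]]:
    """Detail coefficients d_1..d_levels (finest first), each half the previous length.
    d_j[k] is the half-difference between the two halves of block k at scale j,
    so a jump inside that block shows up as a large |d_j[k]|."""
    details, approx = {}, list(counts)
    for j in range(1, levels + 1):
        if len(approx) < 2:
            break
        if len(approx) % 2:
            approx = approx + [approx[-1]]        # pad by repeating the last block
        pairs = range(0, len(approx), 2)
        details[j] = [(approx[i] - approx[i + 1]) / 2 for i in pairs]
        approx = [(approx[i] + approx[i + 1]) / 2 for i in pairs]
    return details


def mad_scale(values: List[float]) -> float:
    """Median of |v|.  Details of steady traffic are centred on zero, so this is
    the median absolute deviation, a robust estimate of the normal spread."""
    s = sorted(abs(v) for v in values)
    mid = len(s) // 2
    return s[mid] if len(s) % 2 else (s[mid - 1] + s[mid]) / 2


def detect_bursts(counts: List[float], levels: int = 3, k: float = 5.0,
                  min_spread: float = 1.0) -> List[Tuple[int, int, float]]:
    """(scale j, first interval of the flagged block, coefficient) for each detail
    coefficient with |d| > k * MAD at its scale.  min_spread stops the threshold
    collapsing to zero on perfectly constant traffic."""
    flagged = []
    for j, d in haar_details(counts, levels).items():
        thresh = k * max(mad_scale(d), min_spread)
        for blk, coeff in enumerate(d):
            if abs(coeff) > thresh:
                flagged.append((j, blk * (2 ** j), coeff))
    return flagged


def build_series() -> List[float]:
    """Constructed data: 32 two-minute intervals of about 1200 packets with a fixed
    five-step jitter pattern, a pause (the traffic script sleeping) that halves
    intervals 9 and 10, and a flood adding 8000 packets to intervals 20, 21 and 22."""
    jitter = [-50, 0, 50, -25, 25]
    series = [1200 + jitter[i % 5] for i in range(32)]
    series[9] //= 2
    series[10] //= 2
    for i in (20, 21, 22):
        series[i] += 8000
    return [float(v) for v in series]


if __name__ == "__main__":
    x = build_series()
    for j, first, coeff in detect_bursts(x):
        last = first + 2 ** j - 1
        print(f"scale {j}: half-difference {coeff:+.1f} inside intervals {first}-{last}")
```

On this series the finest scale flags the two edges of the pause (intervals 8-9 and 10-11) and the end of the flood (22-23); the start of the flood is invisible at scale 1 because intervals 20 and 21 are both flooded, and only appears at scale 2 (intervals 20-23), while scale 3 sees the flood as a whole. Two caveats follow directly: the legitimate pause is flagged exactly like the flood, because a detector on packet counts sees rate changes, not intent, so k and the spread estimate are what set the false-positive rate; and an attack that holds a steady rate produces no detail coefficient at any scale.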

Page 68:

Results: Figure 1

Page 69:

Figure 2

Page 70:

Figure 3

Page 71:

Figure 4

Page 72:

Figure 5

Page 73:

Figure 6

Page 74:

Conclusion & Future Direction

We have presented a wavelet-based framework for network monitoring. This is our first phase in the development of an engine for Network Intrusion Analysis. This will not depend on databases and thus will minimize false negatives and false positives.

Page 75:

References

[1] K. Ilgun, "A real-time intrusion detection system for UNIX," IEEE Symposium on Security and Privacy, 1993.
[2] P. Porras and R. Kemmerer, "Penetration State Transition Analysis: A Rule-Based Intrusion Detection Approach," Computer Security Applications Conference, 1992.
[3] http://enterprisesecurity.symantec.com/content/productlink.cfm
[4] http://newsroom.cisco.com/dlls/fspnisapi32b3.html
[5] http://www.iss.net
[6] A. Haar, "Zur Theorie der orthogonalen Funktionensysteme," Mathematische Annalen, 69:331-371, 1910. Also in his PhD thesis.
[7] A. Grossmann and J. Morlet, "Decomposition of Hardy functions into square integrable wavelets of constant shape," SIAM J. Math. Anal., 15 (1984), pp. 723-736.
[8] Y. Meyer, Ondelettes et opérateurs, Tome 1, Hermann, 1990.

Page 76:

References (continued)

[9] S. Mallat, "A theory for multiresolution signal decomposition: the wavelet representation," IEEE Transactions on Pattern Analysis and Machine Intelligence, 11(7):674-693, July 1989.
[10] I. Daubechies, Ten Lectures on Wavelets, no. 61 in CBMS-NSF Series in Applied Mathematics, SIAM, Philadelphia, 1992.
[11] R. R. Coifman, "A real variable characterization of H^p," Studia Math., 51 (1974).
[12] R. R. Coifman, Y. Meyer, S. Quake, and M. V. Wickerhauser, "Signal processing and compression with wave packets," in Proceedings of the International Conference on Wavelets, Marseille, 1989, Y. Meyer, ed., Masson, Paris.
[13] S. Ezekiel, "Low-dimensional chaotic signal characterization using approximate entropy," 3rd IASTED International Conference on Circuits, Signals, and Systems, Cancun, May 2003.
[14] S. Ezekiel, "Heart Rate Variability Signal Processing by Using Wavelet Based Multifractal Analysis," IASTED International Conference on Digital Signal Processing and Control, USA, May 2001.
[15] C. E. Shannon, "A Mathematical Theory of Communication," Bell Syst. Tech. J., 27:379-423, 623-656, 1948.