Journal of Computing and Information Technology - CIT 15, 2007, 3, 227–235
doi:10.2498/cit.1000961

An Expert System-based Site Security Officer

Adesina Simon Sodiya (1), Olusola Adeniran (1) and Ronke Ikuomola (2)
(1) University of Agriculture, Abeokuta, Nigeria
(2) Federal College of Education, Akoka, Lagos, Nigeria

A Site Security Officer (SSO), a network security staff member who responds to alarms from an Intrusion Detection System (IDS), always faces the critical problem of slow response once the network becomes large. Even a skilled SSO is hard-pressed and less productive when collecting and analyzing IDS output manually as the frequency of intrusions increases. In this work, an Expert System-based SSO (ExSSO) is designed to correct this problem. The design presents an architecture that encodes expert rules for responding to different categories of intrusion into its rule-based component. The Intrusion Index (II), which measures the extent of an intrusion, is calculated to classify intrusions into three categories, namely low, high and very high. The inference engine component uses the encoded rules to interpret and respond to intrusions based on the Intrusion Index. Visual Basic 6.0 is used to implement the design because of its interactiveness and its strong database support. Testing the new design with data from three different network environments shows a system that can investigate and respond to an average of 57 intrusions per minute, as against a maximum of 2 per three minutes for a human SSO.

Keywords: intrusion, IDS, network security, SSO, expert system, intrusion index

1. Introduction

Systems and networks are subject to electronic intrusions. Computer intrusion has been a major concern in the computer security field for over two decades and it is certain that the problem is going to increase.
Since the problem is everywhere, government agencies and commercial organizations are now implementing various intrusion detection systems that can monitor these computer security breaches. Intrusion detection systems (IDSs) are security tools that are used to detect traces of malicious activities targeted against networks and their resources (Toth and Kruegel, 2002). According to Sodiya et al. (2004), intrusion detection systems are systems that detect internal and external attacks on computer systems and undertake some measures to eliminate them. An Intrusion Detection System (IDS) not only helps the administrators to detect intrusions and limit damage, but also helps to identify the source of attacks, which sometimes acts as a deterrent, especially in the case of insider attacks (Wang et al., 2006). Once intrusion detection systems have obtained information about an event, they analyze it to find signs of intrusion. Intrusion Response Systems (IRSs) take over after signs of an intrusion are identified and either record the attack or attempt to actively counter it. Although IRSs are tightly coupled with the ID systems themselves and are also important in defending against threats, not much research effort has been put into their study. Therefore, intrusion response, in most cases, remains a manual process, which has to be performed by the Site Security Officer (SSO).

Every intrusion detection system needs to communicate with the outside world. This may be done passively by notifying the SSO or actively by trying to hinder the intruder or striking back. It is often not possible to use active response, since IDSs generate too many false alarms and the response would hit innocent users or hosts. The only possible action is then to report what has happened to the SSO and perhaps provide him with the means to investigate the event further.
Toth and Kruegel (2002) mentioned that current intrusion response systems can be divided into notification, manual response and automatic response systems. The majority of IRSs operate as notification systems, which means that they simply display or forward output delivered by the IDS (e.g. incident data) to the SSO. Usually, urgent notification is realized via e-mail or text message services over a mobile phone. A manual IRS allows the SSO to manually launch countermeasures against a detected intrusion by choosing from a predetermined set of response mechanisms.

With automated response, the SSO gives the system the power to take action upon detecting an intrusion attempt or an intrusion. The techniques range from increasing response delays in TCP handshakes, to blocking IPs, to resetting connections, and removing routes. The ability of an IDS to automatically stop intrusions seems too good to be true, and, in fact, many experts see it as a sure way to shoot oneself in the foot. A typical scenario might be a spoofed attack with the source address pointing at the DNS server. An automated system responding to the attack may block access to the DNS server, hence disabling the entire network (Dobruki, 2003).

The two categories listed above are not proactive in countering an intrusion. Even when signs of an intrusion have been detected, countermeasures are not triggered automatically and defending the network remains the task of the SSO. This opens a window of vulnerability between the time when the intrusion is detected and the time when the first countermeasure is launched. Also, it is sometimes difficult for the SSO to collect each day the output from the detection system for signs of intrusion and respond to them quickly when the number and frequency of intrusions increase rapidly. This makes the function of an SSO important and complex in intrusion detection.
This leads to the objective of this work, which is to remove the human involvement in IDS response and reporting by building an Expert System-based Site Security Officer (ExSSO). It is hoped that this will help organizations adopt a kind of site security policy that protects their databases fast enough, without any downtime delay.

2. Literature Review

Many attempts have been made over the past ten years to improve intrusion detection and response systems. These efforts have only improved the effectiveness of intrusion detection and have not eliminated the requirement for human expert intervention.

A classification of response functions in other IDSs is given in Carver et al. (2000). The response function in a detection system can be categorized as a notification system, a manual response system, or an automatic response system. According to the authors, most systems today are notification systems.

In Carver (2001), an Adaptive Agent-based Intrusion Response System (AAIRS) was proposed for intrusion response. This was the first response system implementing a notion of learning. In this work, the interface relies on human action to update its IDS confidence metric.

An adaptive intrusion detection system is described in Ragsdale et al. (2000). This system is used together with AAIRS to provide both adaptive detection and response. The response system is relatively advanced. It keeps track of previous alarms and classifies attacks on the basis of whether they are a continuation of an existing incident or a new attack. Alarms from different IDS agents in the system have different confidence metrics according to previous detection results. The confidence in a suspected incident and the nature of the incident affect the course of action taken.

A study in Toth et al. (2002) proposed yet another promising model for automating intrusion response.
The authors suggested a way of approaching the problem of response to network intrusions by constructing dependency trees that model the configuration of the network.

Another significant work in the area of IRS includes a thorough consideration of some intrusion detection and response cost modeling aspects by Lee et al. (2002). They provided a good introduction to modeling costs in intrusion detection and response.

Carver (2000) did a comprehensive and thorough survey investigating 56 IDSs. From his findings, there were no dedicated solutions for intrusion response. There were, however, some responses implemented in a variety of IDSs. Most of the IDSs were notification and manual response systems, which are not preferable solutions. There were some automatic response systems as well, but these were rather immature. There is the possibility of a delay between an alert and the human reaction when a manual system responds to an attack, and an automated system responding to an attack may well block access to the DNS server, hence disabling the entire network.

In his survey of ten different IDSs, Fisch asserts that most of the existing IDSs had the ability to generate daily or weekly reports of suspicious events or users (Fisch, 1996). The focus of his research work is not on the user interface for reporting and notifying the Site Security Officer but, instead, relies on automatic response. It probably had some notification capabilities, although these are not described in detail. From the literature, so far no work has fully implemented completely automated intrusion analysis and response.

3. Architecture for Expert System-based Site Security Officer (ExSSO)

The main task of an intrusion detection system (IDS) is to monitor the events occurring in the network and then analyze them for signs of intrusion.
Once an intrusion has been detected, the IDS issues an alert notifying the SSO, who then responds to the IDS alarm by taking appropriate measures. The components of ExSSO are presented in Figure 1.

Figure 1. Architecture of an Expert System-based Site Security Officer (ExSSO).

3.1. Inference Engine

The Inference Engine (IE) is the central processing unit of an expert system. It uses the knowledge base to draw conclusions for each situation. The inference engine can be thought of as the system software which simulates a situation and actually makes the decision.

The ExSSO inference engine uses two major components in making a decision. These are the intrusion index and the interpreter.

Intrusion Index: It is used to measure the extent or gravity of an attack/intrusion so as to determine the action to be taken when an intrusion is detected. The intrusion index is calculated as follows:

$$\mathrm{SSO\ Intrusion\ Index\ (II)} = \frac{\sum_{i=1}^{n} X_i}{\sum_{i=1}^{n} X_{i,\max}}$$

where n = 3 (because there are three variables considered), X_i is the score of variable i, and X_{i,max} is the maximum score obtainable for variable i.

The variables considered for the calculation of II are:

a) Attack Category

   Attack Category   Score
   Confidentiality   1
   Integrity         2
   Availability      3

b) Attack Implication: this has to do with the possible consequence of the attack. It is divided into:

   Attack Implication   Score
   Low                  1
   High                 2
   Very High            3

c) Security Violation Level: this has to do with the depth of the security violation. It can also be seen as the extent of circumvention.

   Security Violation Level   Score
   Low                        1
   High                       2
   Very High                  3

The maximum value of the SSO Intrusion Index is 1 (SSO Intrusion Index (II) <= 1). This is then divided into 3 ratings as follows:

Intrusion Index is low when 0 <= II < 0.3
Intrusion Index is high when 0.3 <= II < 0.7
Intrusion Index is very high when 0.7 <= II < 1

This means that if the calculated index is between 0 and 0.3, then II is low, and so on.
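The index, its rating bands and the rules R1 to R3 of Section 3.2 (including the Deflect-to-Prevent escalation on a repeated suspicion from the same terminal) worked through as an added Python example; this is not the paper's Visual Basic 6.0 code, and the alarms, the IP addresses and the Sup_dat store are constructed for the example.

```python
"""Intrusion Index (II) and rule-based response selection after Section 3 of the paper.
Added example: not the paper's Visual Basic 6.0 implementation."""
from dataclasses import dataclass, field

# Score tables from Section 3.1: a) Attack Category, b) Attack Implication,
# c) Security Violation Level. Each variable scores 1..3, so X_i,max = 3.
ATTACK_CATEGORY = {"confidentiality": 1, "integrity": 2, "availability": 3}
ATTACK_IMPLICATION = {"low": 1, "high": 2, "very high": 3}
VIOLATION_LEVEL = {"low": 1, "high": 2, "very high": 3}
MAX_SCORES = (3, 3, 3)  # X_i,max for the n = 3 variables

# Rule base R1..R3 from Section 3.2.
RULES = {"low": "Deflect", "high": "Prevent", "very high": "Preempt"}


def intrusion_index(category, implication, violation):
    """II = sum_i X_i / sum_i X_i,max over the three variables (so 0 < II <= 1)."""
    scores = (ATTACK_CATEGORY[category.lower()],
              ATTACK_IMPLICATION[implication.lower()],
              VIOLATION_LEVEL[violation.lower()])
    return sum(scores) / sum(MAX_SCORES)


def rate_index(ii):
    """Map II onto the paper's ratings: [0, 0.3) low, [0.3, 0.7) high, [0.7, 1) very high.
    The paper leaves II = 1 (every score at its maximum) unassigned; it is rated
    'very high' here, which is an assumption of this example."""
    if not 0.0 <= ii <= 1.0:
        raise ValueError(f"II out of range: {ii!r}")
    if ii < 0.3:
        return "low"
    if ii < 0.7:
        return "high"
    return "very high"


@dataclass
class Alarm:
    """One IDS alarm with the fields Section 4.2 lists (constructed, not the paper's data)."""
    terminal: str  # N: the terminal (source IP) the attack comes from
    category: str
    implication: str
    violation: str


@dataclass
class ExSSO:
    """Inference engine: fires R1..R3 and applies the Deflect escalation rule."""
    sup_dat: set = field(default_factory=set)  # Sup_dat: terminals already deflected once

    def apply_rules(self, terminal, rating):
        action = RULES[rating]
        if action == "Deflect":
            # Deflect algorithm: the same suspicion seen again from terminal N turns into Prevent.
            if terminal in self.sup_dat:
                action = "Prevent"
            else:
                self.sup_dat.add(terminal)  # warn the user and record the suspicion
        return action

    def respond(self, alarm):
        ii = intrusion_index(alarm.category, alarm.implication, alarm.violation)
        rating = rate_index(ii)
        return {"terminal": alarm.terminal, "ii": round(ii, 3),
                "rating": rating, "action": self.apply_rules(alarm.terminal, rating)}


# Constructed alarms; the addresses are RFC 5737 documentation addresses, not real hosts.
SAMPLE_ALARMS = [
    Alarm("192.0.2.10", "confidentiality", "low", "low"),      # 3/9 = 0.333 -> high
    Alarm("192.0.2.11", "integrity", "high", "high"),          # 6/9 = 0.667 -> high
    Alarm("192.0.2.12", "availability", "very high", "high"),  # 8/9 = 0.889 -> very high
]


def run_demo():
    """Run the three sample alarms through a fresh engine and return its verdicts."""
    engine = ExSSO()
    return [engine.respond(a) for a in SAMPLE_ALARMS]
```

With the score tables as given, the smallest reachable index is 3/9 ≈ 0.33, so rule R1 (Deflect) can only fire if the scoring is changed; the example keeps the paper's thresholds as stated.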
Interpreter: The inference engine contains an interpreter that decides how to apply rules to infer new knowledge. The interpreter scans the condition parts of each rule until one is found that can be fired. Then the next cycle starts, and the interpreter tries to find another rule that can be fired. The execution ends if no rules are applicable.

3.2. Rule Base

The major actions that are invoked when an intrusion is found are classified into three:

Deflect: Send a warning message to the suspected intruder and then store information on the suspected intrusion in the database. If the same kind of suspicion is found on that terminal again, the action will turn to Prevent.

Prevent: Prevent the user from accessing the network resources.

Preempt: Strike offensively against the likelihood of a particular intrusion occurring later.

The rule base consists of the following set of rules:

R1: IF II is low THEN Deflect
R2: IF II is high THEN Prevent
R3: IF II is very high THEN Preempt

Deflect Algorithm
  Attack_flag = .F.
  Check S                       /* S represents the network system */
  If Attack_flag = .T.
    Scan database
    If Terminal = N             /* N represents the terminal where the attack is coming from */
      Check Sup_dat
      If found()
        Prevent()
      Else
        Enable audit()
        Notify user             /* by sending an e-mail warning message */
      Endif
    Endif
  Endif

  Function audit()
    Scan audit database
    For Terminal = N
      Enable reporting-window   /* display all the activities occurring in the user's terminal */
      Add to Sup_dat            /* Sup_dat is the database keeping records of intrusions */
  End

Prevent Algorithm
  Attack_flag = .F.
  Check S                       /* S represents the network system */
  If Attack_flag = .T.
    Scan database
    If Terminal = N             /* N represents the terminal where the attack is coming from */
      Prevent()                 /* prevent the user from accessing certain resources */
    Endif
  Endif

  Function Prevent()
    Disconnect N                /* disconnect terminal N from network resources */
  End

Preempt Algorithm
  Attack_flag = .F.
  Check S                       /* S represents the network system */
  If Attack_flag = .T.
    Scan database
    If Terminal = N             /* N represents the terminal where the attack is coming from */
      Close terminal            /* disable and shut down the user's terminal */
    Endif
  Endif

3.3. ExSSO Organization

ExSSO is not an independent IDS component; it is designed to process IDS output immediately. Since intrusion detection activities are real-time events, ExSSO collects data (IDS alarms) continuously from the IDS and responds to these alarms. The calculated Intrusion Index determines the nature of the response (Deflect, Prevent or Preempt).

Figure 2. A representation of the ExSSO inference engine.

4. Implementation Procedure

4.1. Programming Language

Visual Basic 6.0 was used as the programming language for the implementation of the design. The design runs under Windows XP and uses the output (alarm) generated by the intrusion detection system as its input.

4.2. Data Source

The data source for our design is the output, in the form of alarms, from an IDS. We got the data used for the implementation from a network organization in Lagos State, Nigeria. The output of the IDS contains the following information: time and date of attack, source and destination IP address and port number, security violation level, attack implication, attack type, and attack category.

Figure 3 (a–d). Interface design of an ExSSO.

4.3. Interface design

The boxes on the ExSSO interface screen represent the 20 systems on the network (Figure 3a). The flashing red signal on system 3 is an alert signal indicating that system 3 has been attacked by an intruder. The design gives detailed information about the intruder, the level of attack and the attacked system.
The ExSSO design output contains the following intrusion analysis:

— Security Violation Level: the attack level given the strength of suspicion (the attack level can fall within the range low, high and very high).
— Attack Implication: the type of loss experienced as a result of the attack, graded as low, high and very high.
— Attack Category: attacks under the three computer security properties, i.e. attacks on confidentiality, integrity and availability.
— Source IP address: the IP address of the system where the attack is coming from.
— Destination IP address: the IP address of the attacked system.
— Time: identification of the time of operation.
— Date: identification of the date of operation.

5. Evaluation of ExSSO

5.1. Summary of the Intrusive Event

In this work, the running and testing of the design was carried out and the summary of the intrusive events is shown in the table below.

Attack Level   Incident Level N1   Incident Level N2   Incident Level N3
Very High      27                  10                  20
High           64                  55                  50
Low            33                  18                  30

Table 1. Summary of the intrusive event level.

It was discovered that the intrusive events that occurred on the network during the experiment, categorized as very high, high and low, have an incident level of 27, 64 and 33 on network 1, an incident level of 20, 50 and 30 on network 2 and an incident level of 10, 55 and 15 on network 3. Therefore, we can say that high-level attacks have the highest incident level on the network. As a result, most of the users are prevented from accessing certain network resources.

5.2. Summary of the Attack Categories

Attack Category   Incident Level N1   Incident Level N2   Incident Level N3
Availability      14                  10                  16
Confidentiality   35                  28                  20
Integrity         75                  45                  64

Table 2. Attack categories.
Attack categories under integrity violation, allowing the attacker to change the system state or data residing on or passing through a system, have the highest incident level of 75 on network 1, an incident level of 45 on network 2 and an incident level of 64 on network 3. The attacks that fall under these categories are detrimental to the state of the network system.

5.3. Summary of the Attack Types

Attack Type   Incident Level N1   Incident Level N2   Incident Level N3
Penetration   76                  60                  70
Scanning      34                  21                  20
DoS           14                  2                   10

Table 3. Attack types.

It was discovered that most of the attacks launched on the network are penetration attacks, whereby intruders gain control of the system by exploiting a variety of software flaws. The penetration attacks have an incident level of 74 out of the 124 attacks on network 1, an incident level of 60 out of 83 on network 2 and an incident level of 70 out of 100 attacks on network 3.

5.4. Summary of the Response Time

Network   No. of Attacks   Time taken for response (minutes)   Response time per attack (seconds)
1         124              2.18                                1.055
2         83               1.50                                1.080
3         100              1.70                                1.020
Average response time                                          1.050

Table 4. Average response time.

Consequently, the number of intrusions that the system can respond to in a minute is equal to 60/1.05 = 57.14, approximately 57 intrusions.

6. Conclusion and Future Work

Since human beings are incapable of dealing with the speed and amount of information generated by intrusion detection systems, this work has been carried out to eliminate the problems with human intervention in IDS. We designed an ExSSO algorithm for responding to attacks in the intrusion database. The direct application of this problem in the network environment warrants the significance of this research effort. Experimental evaluations bring promise to this area. Our algorithms successfully respond to malicious attacks on the network.
It might also be necessary to design an agent-based SSO that will move around the network and respond to intrusion alarms.

References

[1] C. A. Carver, Intrusion Response Systems: A Survey. Department of Computer Science, Texas A&M University, College Station, TX, 2000.
[2] C. A. Carver, U. W. Pooch, An Intrusion Response Taxonomy and Its Role in Automatic Intrusion Response. IEEE Systems, Man and Cybernetics Information Assurance and Security Workshop, 2000, pp. 129–135.
[3] C. A. Carver, Adaptive Agent-based Intrusion Response. Ph.D. Dissertation, Department of Computer Science, Texas A&M University, College Station, TX, 2001.
[4] M. Dobrucki, Priorities in the Deployment of Network Intrusion Detection Systems. Master's Thesis, Helsinki University of Technology, Department of Computer Science and Engineering, 2002.
[5] E. A. Fisch, A Taxonomy and Implementation of Automated Responses to Intrusive Behavior. Ph.D. Thesis, Texas A&M University, College Station, Texas, 1996.
[6] W. Lee, W. Fan, M. Miller, S. Stolfo, E. Zadok, Toward Cost-sensitive Modeling for Intrusion. Journal of Computer Security, Vol. 10, No. 1–2, 2002.
[7] D. J. Ragsdale, C. A. Carver, J. W. Humphries, U. W. Pooch, Adaptation Techniques for Intrusion Detection and Intrusion Response Systems. IEEE International Conference on Systems, Man, and Cybernetics, 2000, Vol. 4, pp. 2344–2349. http://www.itoc.usma.edu/ragsdale/pubs/adapt.pdf
[8] A. S. Sodiya, H. O. D. Longe, A. T. Akinwale, A New Two-tiered Strategy to Intrusion Detection. Information Management and Computer Security, 12(1), 2004.
[9] T. Toth, C. Kruegel, Evaluating the Impact of Automated Intrusion Response Mechanisms. Proc. of the 18th Annual Computer Security Applications Conference, 2002.
[10] Y. Wang, S. R. Behera, J. Wong, G. Helmer, V. Honavar, L. Miller, R. Lutz, M. Slagell, Towards the Automatic Generation of Mobile Agents for Distributed Intrusion Detection System. The Journal of Systems and Software, 2006, Department of Computer Science, Iowa State University, United States. www.elsevier.com/locate/jss

Received: September, 2006
Revised: February, 2007
Accepted: May, 2007

Contact addresses:

Adesina Simon Sodiya
University of Agriculture
Abeokuta, Nigeria
e-mail: sinaronke@yahoo.co.uk

Olusola Adeniran
University of Agriculture
Abeokuta, Nigeria
e-mail: ojadeniran@yahoo.com

Ronke Ikuomola
Federal College of Education
Akoka, Lagos, Nigeria
e-mail: deronikng@yahoo.com

Dr. A. S. Sodiya is a lecturer of computer science, University of Agriculture, Abeokuta, Nigeria. His research interests are computer security, artificial intelligence, network management, and information systems. He has published his papers in both local and international journals.

Olusola Adeniran is currently a Senior Lecturer at the Department of Mathematics, University of Agriculture, Abeokuta, Nigeria. His area of specialization is Loop Theory, an area which has been found to have many applications in coding and cryptology. He has been involved in many projects in computer science.

Ronke Ikuomola is a lecturer of computer science at Federal College of Education, Akoka, Lagos, Nigeria. She has just been awarded an M.Sc. degree in computer science. Her areas of interest are network security and data mining.