An Investigation on Detecting Malicious TCP/IP Network Packet Fields using Protocol Analysis

1 Abstract

This dissertation is a survey of the research in the field of Intrusion Detection Systems using protocol analysis. These network intrusion detection systems rely on protocol-specific analyzers to extract the higher-level semantic context from a traffic stream. Traditional systems use ports to identify malicious TCP/IP network packets; this work instead presents the design and implementation of a network intrusion detection system that performs dynamic application-layer protocol analysis. It also discusses the two major approaches, anomaly-based and signature-based intrusion detection, considers the future prospects of Network Intrusion Detection Systems (NIDS), and presents case studies of some highly reliable intrusion detection systems. The Anomaly Dispersion Scheme (ADS) is one of the widely used schemes for monitoring malicious TCP/IP network packets; this scheme is discussed with regard to how malicious packets use attack-hiding techniques and how attack programs construct packet fields. The quality of a network intrusion detection system is described by the percentage of true attacks detected combined with the number of false alerts. If the processing cost of a NIDS is too high, even a high-quality NIDS algorithm is not effective: the longer processing takes, the higher the probability of losing the detected packets, which decreases the chances of true detection. This study also provides guidelines for NIDS developers on choosing a suitable platform and on considering processing cost when developing and evaluating NIDS techniques.

2 Introduction

Network Intrusion Detection Systems (NIDS) are the most used mechanism to detect attacks and to analyze how they proceed and what they aim at. They are controlled and maintained at a central point and are not visible to the surrounding network. They monitor the whole data exchange between the internal and external network and scan the data stream for significant attack patterns. Typical NIDS use a signature-matching unit to find previously defined attack patterns, usually given as regular expressions, in a network conversation. More sophisticated systems search for malicious behaviour in network connections through the technique of protocol analysis, which requires the system to decode protocols. This approach offers two different kinds of attack detection: on the one hand the NIDS may detect violations in a protocol session, and on the other it is possible to perform signature matching leveraging the results of the protocol analysis. But such a NIDS has to fulfil one condition to perform application-layer analysis: it must classify data by their protocol. Therefore, a method to identify those protocols is required. Current systems make this decision by ports, but this is not as reliable as it should be. More and more protocols either do not use fixed ports, e.g. some peer-to-peer protocols, or use unprivileged ports, e.g. IRC, which might also be utilized by other protocols such as FTP-DATA connections. Thus, a connection might be analysed by an inappropriate module or not at all. In this work we propose a design of architecture for NIDS that may integrate far...
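The port-versus-payload classification problem described above, as an added illustration that is not code from the dissertation: each stream is classified once by its destination port and once by a content signature on its first bytes, and the dispatcher flags the cases where a port-based NIDS would hand the conversation to the wrong analyzer. The sample payloads, the port table and the signatures are constructed for this example.

```python
import re

# Constructed samples: (destination port, first bytes of the stream). The ports are
# deliberately chosen so that a port-based classifier picks the wrong analyzer.
SAMPLES = [
    (80,   b"GET / HTTP/1.0\r\n\r\n"),                       # HTTP on its usual port (control)
    (8080, b"GET /index.html HTTP/1.1\r\nHost: a.test\r\n\r\n"),  # HTTP on an alternate port
    (6667, b"220 ftp.a.test FTP server ready\r\n"),          # FTP banner on the IRC port
    (80,   b"NICK alice\r\nUSER alice 0 * :Alice\r\n"),      # IRC handshake on port 80
    (2121, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),         # TLS ClientHello on an unprivileged port
]

# Static port table, as a traditional port-based NIDS would use it (assumed, not the paper's).
PORT_TABLE = {21: "ftp", 80: "http", 443: "tls", 6667: "irc"}

# Content signatures applied to the first bytes of the stream, independent of the port.
SIGNATURES = [
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("ftp",  re.compile(rb"^220[ -].*\r\n")),                 # FTP service-ready banner
    ("irc",  re.compile(rb"^(NICK|USER|PASS) ")),              # IRC registration commands
    ("tls",  re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.DOTALL)),  # TLS record, handshake type 1
]


def classify_by_port(port):
    """Port-based decision: look the destination port up in the static table."""
    return PORT_TABLE.get(port, "unknown")


def classify_by_payload(payload):
    """Payload-based decision: first signature that matches the stream's leading bytes."""
    for name, sig in SIGNATURES:
        if sig.match(payload):
            return name
    return "unknown"


def dispatch(port, payload):
    """Compare both verdicts; 'mismatch' marks streams a port-based NIDS would misroute."""
    by_port = classify_by_port(port)
    by_payload = classify_by_payload(payload)
    return {"port_guess": by_port, "analyzer": by_payload, "mismatch": by_port != by_payload}


if __name__ == "__main__":
    for port, payload in SAMPLES:
        print(port, dispatch(port, payload))
```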

82 pages
247.5 KB