UCRL-CR-105095
B055743
DE91 007139

A NETWORK SECURITY MONITOR

L. Todd Heberlein
Gihan V. Dias
Karl N. Levitt
Biswanath Mukherjee
Jeff Wood
David Wolber

Division of Computer Science
Department of Electrical Engineering & Computer Science
University of California
Davis, CA 95616

November 1989

DISTRIBUTION OF THIS DOCUMENT IS UNLIMITED
DISCLAIMER

Work performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under contract number W-7405-ENG-48.

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
A NETWORK SECURITY MONITOR
ABSTRACT

The study of security in computer networks is a rapidly growing area of interest because of the proliferation of networks and the paucity of security measures in most current networks. Since most networks consist of a collection of inter-connected local area networks (LANs), this paper concentrates on the security-related issues in a single broadcast LAN such as Ethernet. Specifically, we formalize various possible network attacks and outline methods of detecting them. Our basic strategy is to develop profiles of usage of network resources and then compare current usage patterns with the historical profile to determine possible security violations. Thus, our work is similar to the host-based intrusion-detection systems such as SRI's IDES [LUNT88a]. Different from such systems, however, is our use of a hierarchical model to refine the focus of the intrusion-detection mechanism. We also report on the development of our experimental LAN monitor currently under implementation. Several network attacks have been simulated and results on how the monitor has been able to detect these attacks are also analyzed. Initial results demonstrate that many network attacks are detectable with our monitor, although it can surely be defeated. Current work is focusing on the integration of network monitoring with host-based techniques.
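The abstract's strategy (build a historical profile of network-resource usage, then compare a current window against it, refining from coarse to fine through a hierarchy) can be shown in a few dozen lines. The following is an added illustration and not the NSM's own code: it assumes the monitor has already tabulated per-window packet counts for each (source host, destination host, service) triple; the hostnames, service names and counts are constructed, and the two-level hierarchy (host totals, then individual connections) and the threshold rule are the example's own choices.

```python
"""Profile-based anomaly detection over constructed LAN traffic summaries.

Each record is a per-window count of packets for a (src, dst, service)
triple, as a LAN monitor might tabulate from observed frames. A historical
profile stores the mean and standard deviation of those counts per triple
and per host; a current window is then compared against that profile.
Added example, not the paper's code; all names and numbers are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: one dict per observation window, keyed by
# (src, dst, service) -> packet count. Hostnames are hypothetical.
HISTORY = [
    {("alpha", "beta", "telnet"): 120, ("alpha", "gamma", "ftp"): 40, ("beta", "alpha", "smtp"): 10},
    {("alpha", "beta", "telnet"): 130, ("alpha", "gamma", "ftp"): 35, ("beta", "alpha", "smtp"): 12},
    {("alpha", "beta", "telnet"): 110, ("alpha", "gamma", "ftp"): 45, ("beta", "alpha", "smtp"): 9},
    {("alpha", "beta", "telnet"): 125, ("alpha", "gamma", "ftp"): 38, ("beta", "alpha", "smtp"): 11},
]

# Constructed current window: normal traffic plus a never-seen host "delta"
# opening a high-volume telnet connection to "alpha".
CURRENT = {
    ("alpha", "beta", "telnet"): 122,
    ("alpha", "gamma", "ftp"): 41,
    ("beta", "alpha", "smtp"): 10,
    ("delta", "alpha", "telnet"): 300,
}


def build_profile(windows):
    """Return per-triple and per-host (mean, stdev) over the history.

    A triple absent from a window counts as 0 in that window, so that
    intermittent connections get a realistic mean and spread.
    """
    keys = set().union(*windows)
    hosts = {h for (s, d, _) in keys for h in (s, d)}
    per_key = {}
    for k in keys:
        samples = [w.get(k, 0) for w in windows]
        per_key[k] = (mean(samples), pstdev(samples))
    per_host = {}
    for h in hosts:
        samples = [sum(c for (s, d, _), c in w.items() if h in (s, d)) for w in windows]
        per_host[h] = (mean(samples), pstdev(samples))
    return {"keys": per_key, "hosts": per_host}


def check_window(profile, window, k=3.0, floor=5.0):
    """Compare one current window with the profile and return a list of alerts.

    Checks run coarse-to-fine: host-level volume first, then individual
    (src, dst, service) triples. `floor` bounds the stdev from below so a
    perfectly steady history does not alert on trivial jitter.
    """
    alerts = []
    # Level 1: traffic volume per host, counting both directions.
    host_totals = defaultdict(int)
    for (s, d, _), c in window.items():
        host_totals[s] += c
        host_totals[d] += c
    for h, total in host_totals.items():
        if h not in profile["hosts"]:
            alerts.append(("new_host", h, total))
            continue
        mu, sigma = profile["hosts"][h]
        if total > mu + k * max(sigma, floor):
            alerts.append(("host_volume", h, total))
    # Level 2: individual connection/service triples.
    for key, c in window.items():
        if key not in profile["keys"]:
            alerts.append(("new_connection", key, c))
            continue
        mu, sigma = profile["keys"][key]
        if c > mu + k * max(sigma, floor):
            alerts.append(("connection_volume", key, c))
    return alerts


if __name__ == "__main__":
    for alert in check_window(build_profile(HISTORY), CURRENT):
        print(alert)
```

Run as a script, the constructed window produces three alerts: alpha's total volume exceeds its historical band, delta is a host the profile has never seen, and the delta-to-alpha telnet triple is a new connection. The same threshold rule, applied to any window drawn from the history itself, produces nothing. As the abstract concedes, a detector of this kind can be defeated: traffic that stays within the learned band of a known triple raises no alert, which is one reason the paper pairs network monitoring with host-based techniques.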
I. INTRODUCTION
The study of security in computer networks is a rapidly growing area of interest [NETW87, JSAC89, WALK89]. This activity has been fueled by several recent network attacks (or network intrusions). The task of providing and maintaining security in a network is a particularly challenging one because of the following facts. First, there is a proliferation of local area networks (LANs) in academic, business, and research institutions, and these LANs are in turn interconnected with the "outside world" via gateways and wide area networks (WANs). Second, these networks and their associated equipment (including LANs, WANs, and gateways), when they were developed, were done so with trusted users in mind; the issue was to solve the networking problem and very few, if any, security measures were instituted. Consequently, network attacks or intrusions such as eavesdropping on information meant for someone else, illegally accessing information remotely, breaking into computers remotely, and flooding the network, thereby reducing its effective channel capacity, are not uncommon (see, for example, [STOL88]).

To overcome these problems, several proposals suggest the deployment of new, secure, and possibly closed systems by using methods that can prevent network attacks, e.g., by using encryption techniques [NE_,A,gcI87, NESH78, VOKE85, RUHO86, TENS87]. But we recognize that these solutions will not work because of the tremendous investment already made in the existing infrastructure of open data networks, however insecure the latter might be. Furthermore, encryption techniques cannot protect against stolen keys or legitimate users misusing their privileges. Hence, we approach the problem from a different angle. Specifically, our goal is to develop monitoring techniques that will enable us to maintain information on normal network activity (including that of the network's individual nodes, their users, their offered services, etc.). The monitor will be capable of observing current network activity, which, when compared with historical behavior, will enable it to detect in real time possible security violations on the network -