
2.6.2 Dynamic Packet Handling Ability

Although a firewall is able to control a network and maintain its connectivity, it handles packets only statically: it does not inspect or control packets that pass through open ports. From the analysis of distributed denial-of-service attack tools, it is well known how tools such as TFN [Dittrich(1999c)], TFN2K, Trinoo [Dittrich(1999a)] and Stacheldraht [Dittrich(1999b)] operate. These programs use not only TCP and UDP packets but also ICMP packets. Moreover, because the programs use ICMP ECHOREPLY packets for communication, it would be very difficult to block attacks without breaking most Internet programs that rely on ICMP. Since TFN, TFN2K and Stacheldraht use ICMP packets, it is much more difficult to detect them in action, and their packets will go right through most firewalls. Currently, the only sure way to destroy this channel is to deny all ICMP ECHO traffic into the network. Furthermore, the tools mentioned above use ports chosen at random, so the fixed port-closing scheme of current firewalls cannot protect a port from such an attack in advance. Therefore, to prevent degradation of service on the network and to deny this kind of malicious packet, dynamic packet handling at the firewall level is crucial [Ultes-Nitsche and Yoo(2003), Yoo and Ultes-Nitsche(2003), Ultes-Nitsche and Yoo(2004), Yoo(2004a)].

2.7 Proposed Firewall Architecture

The Janus project intends to extend packet-filter firewalls with intelligent components. The firewall model has four packet-based components: a packet verifier, a packet-based classification engine, a smart detection engine, and a policy interpreter. The architectural firewall model is depicted in Figure 2.2. This architectural firewall model was developed in the MPhil thesis [Yoo(2004b)].

Figure 2.2: Packet-Based Detection Components in the intelligent firewall.

Decoded packets pass into the packet verifier and the packet-based classification engine in parallel. The packet verifier checks the sanity of all protocol headers and validates the expected usage of protocols. The packet-based classification engine aims to classify packets that could be malicious and to estimate the probability of their maliciousness. The smart detection engine, on the other hand, aims at recognizing malicious patterns in data packets that have a certain probability of being malicious: it analyses the payload of the packets and aims to detect anomalous patterns in it. Finally, the policy interpreter analyses the information it gets from the two engines and decides, based on its specific security policy, whether to drop the packet or let it pass through the firewall [Yoo and Ultes-Nitsche(2003), Ultes-Nitsche and Yoo(2003), Yoo(2004a)].

2.7.1 Packet Verifier

The purposes of the packet verifier are validating compliance to standards and validating expected usage of protocols (protocol anomaly detection). It aims to cover the TCP/IP/ICMP protocols. The packet verifier checks the protocol header part of packets, verifies packet size, checks TCP/UDP header length, verifies TCP flags and all packet parameters, does TCP protocol type verification, and analyses the TCP protocol header and TCP protocol flags. In the IP protocol, according to the Internet Protocol standard [Postel(1981b)], an IP header length should always be greater than or equal to the minimal Internet header length (20 octets), and a packet's total length should always be greater than its header length. IP address checks are also important since land attacks use the same IP address for source and destination. According to the TCP standard [Postel(1981c)], neither the source nor the destination TCP port number can be zero, and TCP flags such as URG and PSH can only be used when a packet carries data. Thus, for instance, combinations of SYN and URG or SYN and PSH are invalid. In addition, any combination of more than one of the SYN, RST and FIN flags is also invalid.

Finally, the packet verifier sends the result of validation to the packet-based classification engine [Yoo and Ultes-Nitsche(2004b), Ultes-Nitsche and Yoo(2004), Yoo(2004c)].
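The header checks listed above, implemented as an added example (not the Janus project's own code): a verifier that parses a raw IPv4/TCP datagram and returns every anomaly it finds, plus a constructed packet builder used only to produce test input. The finding strings and the helper names are my own.

```python
import socket
import struct

IP_MIN_HLEN = 20   # minimal Internet header length in octets (RFC 791)
TCP_MIN_HLEN = 20
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # TCP flag bits


def build_tcp_packet(src, dst, sport, dport, flags, payload=b""):
    """Constructed test input: a minimal IPv4+TCP datagram (no options, checksums left zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    total = IP_MIN_HLEN + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload


def verify_packet(pkt):
    """Return the anomalies found in a raw IPv4 datagram; an empty list means it passed."""
    findings = []
    if len(pkt) < IP_MIN_HLEN:
        return ["ip: datagram shorter than minimal header"]
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < IP_MIN_HLEN:                       # cannot locate the transport header reliably
        return ["ip: header length below 20 octets"]
    if total_len <= ihl:
        findings.append("ip: total length not greater than header length")
    if src == dst:
        findings.append("ip: source equals destination (land attack)")
    if proto != 6:                              # only TCP segments are verified here
        return findings
    tcp = pkt[ihl:]
    if len(tcp) < TCP_MIN_HLEN:
        return findings + ["tcp: segment shorter than minimal header"]
    sport, dport, _, _, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x3F
    has_data = total_len > ihl + data_off       # any octets beyond the TCP header
    if sport == 0 or dport == 0:
        findings.append("tcp: port number zero")
    if data_off < TCP_MIN_HLEN:
        findings.append("tcp: data offset below 20 octets")
    if flags & (URG | PSH) and not has_data:
        findings.append("tcp: URG or PSH set on a segment without data")
    if flags & SYN and flags & (URG | PSH):
        findings.append("tcp: SYN combined with URG or PSH")
    if bin(flags & (SYN | RST | FIN)).count("1") > 1:
        findings.append("tcp: more than one of SYN, RST and FIN set")
    return findings
```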

2.7.2 Packet-Based Classification Engine

The purpose of the packet-based classification engine is to decide whether the packet classes are filtered into the smart detection engine or are dropped, according to their probabilities of being malicious. This classification is based on a structural analysis of data packets. The structural analysis is mainly concerned with information that can be obtained from a packet's header, plus certain information in its payload. To establish a statistical relation between interesting events among incomplete data, Bayesian networks [Pearl(1988)], or probabilistic graphical models, have been chosen; in particular, the Naive Bayesian network [Langley and Sage(1994)] was selected among several Bayesian network models. In the MPhil thesis, certain packet characteristics have been analysed that allow me to attach to packets probabilities of their maliciousness. The analysed file characteristics are used as the parameters of the Naive Bayesian network [Yoo and Ultes-Nitsche(2004b), Ultes-Nitsche and Yoo(2004), Yoo(2004c)].
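As an added illustration of the classification step (my own code, not the thesis's model or its real feature set): a Naive Bayes classifier over a few categorical structural features, including the packet verifier's verdict, that attaches a probability of maliciousness to a packet and routes it to the smart detection engine when that probability reaches a threshold. The training set is constructed and the feature names are assumptions.

```python
from collections import defaultdict
from math import exp, log

# Constructed training set (not from the thesis): each packet reduced to categorical
# structural features plus the verifier's verdict, labelled benign or malicious.
TRAINING = [
    ({"proto": "tcp",  "verifier": "ok",      "size": "small"},  "benign"),
    ({"proto": "tcp",  "verifier": "ok",      "size": "large"},  "benign"),
    ({"proto": "udp",  "verifier": "ok",      "size": "small"},  "benign"),
    ({"proto": "tcp",  "verifier": "ok",      "size": "medium"}, "benign"),
    ({"proto": "icmp", "verifier": "ok",      "size": "small"},  "benign"),
    ({"proto": "tcp",  "verifier": "ok",      "size": "medium"}, "benign"),
    ({"proto": "icmp", "verifier": "ok",      "size": "large"},  "malicious"),
    ({"proto": "tcp",  "verifier": "anomaly", "size": "small"},  "malicious"),
    ({"proto": "udp",  "verifier": "anomaly", "size": "large"},  "malicious"),
    ({"proto": "icmp", "verifier": "anomaly", "size": "large"},  "malicious"),
]


class NaiveBayesPacketClassifier:
    """Naive Bayes over categorical packet features with add-alpha (Laplace) smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.class_count = defaultdict(int)
        self.feature_count = defaultdict(lambda: defaultdict(int))  # (label, name) -> value -> n
        self.values = defaultdict(set)                               # name -> observed values

    def fit(self, samples):
        for features, label in samples:
            self.class_count[label] += 1
            for name, value in features.items():
                self.feature_count[(label, name)][value] += 1
                self.values[name].add(value)
        return self

    def _log_joint(self, features, label):
        score = log(self.class_count[label] / sum(self.class_count.values()))  # log prior
        for name, value in features.items():
            counts = self.feature_count[(label, name)]
            # smoothed P(value | label): an unseen value never forces the probability to zero
            score += log((counts[value] + self.alpha) /
                         (self.class_count[label] + self.alpha * len(self.values[name])))
        return score

    def prob_malicious(self, features):
        scores = {c: self._log_joint(features, c) for c in self.class_count}
        top = max(scores.values())                                   # rescale before exp
        weights = {c: exp(s - top) for c, s in scores.items()}
        return weights["malicious"] / sum(weights.values())


def route(classifier, features, threshold=0.5):
    """Hand the packet to the smart detection engine when P(malicious) reaches the threshold."""
    return "smart_detection" if classifier.prob_malicious(features) >= threshold else "pass"
```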

2.7.3 Smart Detection Engine

The smart detection engine deals with the filtered packets, selected by the packet-based classification engine, which have a high probability of being malicious. The smart detection engine aims to learn to distinguish anomalous data packets from normal packets [Cannady and Mahaffey(1998), Lee and Heinbuch(2001)]. However, unlike anti-virus software, this engine does not need to match the infected part of a program exactly [G. Tesauro and Sorkin(1996)]; detecting known viruses in a system or file is the role of anti-virus software. Note that the smart detection engine deals with virus-infected files rather than file worms. In the file worm case, the packet-based classification engine aims to classify the file worm based on the context information. Currently, Self-Organizing Maps (SOMs) [Kohonen(1995)] are applied in the smart detection engine to detect bad patterns. The SOM is to be designed in such a way that neurons flag the presence of peculiar patterns in data packets and the position of the active neurons reflects the position of potentially malicious content in the packet. Basically, all packets with a probability of being malicious above a certain threshold are filtered into the smart detection engine for examination [Yoo(2004d)]. The threshold has to be set in a relatively arbitrary fashion at first and then adapted when fine-tuning is applied to the decision procedures.