Network Intrusion Detection System (PP13)

Software System Engineering
CmpE 202
Practice Problems
Practice Problem (13)
Network Intrusion Detection System
_________________________________________________________________________
Read the following problem statement and perform the following:
1. Use Case Diagrams and Use Cases. Use one or more diagrams to describe all the actors in
the design session problem and how they will interact with the Use Cases of your system.
Provide a Flow of Events for all of your Use Cases. Use associations, aggregations, and
generalization in the use case diagram(s), and don't forget to use multiplicities. A textual
description of the use case diagram(s) is a must. Use the following template to document your
use cases.
1. Use Case Id.
2. Use Case Title
3. Actors & Corresponding Roles
4. Corresponding Classes
5. Corresponding Attributes
6. Corresponding Interfaces
(7. Class Classification: EBTs, Business Objects, and Industrial Objects for software
stability model)
8. Use Case Description
9. Alternatives
Evaluation: Use the model essentials to evaluate the use case models.
2. Document the CRC cards for all the classes in the design session problems (CRC
stands for Class, Responsibility, and Collaborations). Each card has the following layout:
Class Name (Role)
Responsibility
Collaborations (Clients / Servers)
Evaluation: Use the model essentials to evaluate the CRC cards.
3. Class diagram (Traditional Model). Create a class diagram of the design session
problems based on the Traditional Model. Class diagram should include all attributes
and methods for the class. All class relationships (associations, aggregations,
dependencies, and specializations) should be included in the class diagram.
Association classes, interface classes, constraints, interfaces, tagged values and/or
stereotypes, and notes must be included in the class diagram.
Evaluation: Use the model essentials to evaluate the class diagram (Traditional).
4. Sequence diagrams. Sequence diagrams will be used to "realize" Use Cases. All Use
cases should be described through sequence diagrams. The sequence diagrams can
describe the same Use Cases that a flow of events was created for in the Use Case
portion of the assignment.
Evaluation: Use the model essentials to evaluate the sequence diagrams.
5. Activity Diagram. An activity diagram is similar to a procedural flow chart except that
all activities are uniquely associated with objects. Activity diagrams support the
description of parallel activities. Activity diagrams: (a) describe how activities are
coordinated; (b) are particularly useful when you know that an operation has to achieve
a number of different things, and you want to model what the essential dependencies
between them are, before you decide in what order to do them; (c) record the
dependencies between activities, such as which things can happen in parallel and
what must be finished before something else can start; and (d) represent the
workflow of the process. Activities, transitions, decision diamonds, constraints,
synchronization and splitting bars, boundaries, and start & stop markers must be
included in the activity diagram(s).
Evaluation: Use the model essentials to evaluate the Activity diagrams.
Iterate: Redo 1, 2, 5, and 6 with stability in mind where:
Class diagram (Stability Model). Create a new Class diagram of the design session problems
based on the EBTs, BOs, and IOs. Class model should include all attributes and methods for the
class. All class relationships (associations, aggregations, dependencies, and specializations)
should be included in the Class diagram. Association classes, interface classes, constraints,
interfaces, tagged values and/or stereotypes, and notes must be included in the class diagram.
Evaluation: Use the model essentials to evaluate the class diagram (Stability Model).
_________________________________________________________________________
Network Intrusion Detection System
Abstract
The system detects intrusions in the network by constantly monitoring the network traffic.
Network intrusion is a method in which a person exploits software features and bugs to gain
unauthorized access to the system. In the extreme case, he/she may access well-known ports and
services to infect the system with viruses and worms, bringing down network performance.
Various sensors, such as operating system sensors and network sensors, are installed at strategic
locations throughout the enterprise network to monitor network performance.
Domain
In our system the IDS is installed on the server side, which serves local hosts and users over the
Internet, as shown in Figure 1. There are four actors in the system, namely monitor, user, network and
system administrator. A user sends a request to the server over the Internet or LAN, and the IDS
analyzes the packets received by the server. This IDS detects both internal and external intrusions.
If it detects an intrusion, it alerts the system administrator.
[Figure 1 (diagram not reproduced). Nodes shown: System Administrator; Server with IDS; Router; Host1, Host2 ... Hostn; Internet; User App1, User App2 ... User Appn]
System Description
A Network Intrusion Detection System (NIDS) is a system which monitors the network for
intrusions. Intrusions may be detected by techniques such as anomaly detection and signature
pattern matching. Anomaly detection is a method in which normal network behavior
is captured and any abnormality in the network is detected, such as a sudden increase in
the network traffic rate (number of IP packets per second). Signature pattern matching is a
method in which network data is compared with the known attack techniques that are
saved in a database. For example, an IDS that watches web servers might be programmed
to look for the string "phf" as an indicator of a CGI program attack.
An intrusion is detected, and the system administrator is alerted about the kind of intrusion, when
any one of the following events takes place:
1. A foreign entity has been detected in a log entry.
2. A user tries to access information which is beyond his/her access rights.
3. A baseline for critical system resources (such as CPU utilization, file entries, disk activity,
user logins, etc.) is measured, and the system triggers when there is a deviation
from this baseline.
Use Cases
Actors:
1) User
The user sends a request to the server, and the server responds by providing the requested
service.
2) Network
The network carries the IP packets from source to destination.
3) IDS
The IDS takes the packets from the network and analyses them.
4) System Administrator
The System Administrator is alerted by the IDS of any suspicious activity or whenever an
intrusion is detected.
Use Case Description
1) IP Packets
The Network gives the IP packets to the IDS, which does further processing of these packets.
2) Anomaly Detection
If the IDS detects any abnormality in the network traffic, then it triggers the Alert System.
3) Signature Recognition
The IDS examines the traffic looking for well-known patterns of attack, which are saved
in a pattern database, and triggers the Alert System if a match is found.
4) Alert System
Whenever triggered by Anomaly Detection or Signature Recognition, it alerts the
System Administrator.
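As an added illustration (not part of the problem statement or of any solution to it), the following Python sketch implements the two detection techniques from the System Description, signature pattern matching on the "phf" string and anomaly detection against a packets-per-second baseline, together with the IP Packets and Alert System use cases above; the signature database, the threshold, the alert suppression and the sample packets are constructed assumptions.

```python
from collections import deque, namedtuple
from dataclasses import dataclass, field

# Constructed signature database (hypothetical); "phf" is the page's example.
SIGNATURE_DB = {"phf": "CGI program attack (phf)"}
# ts = arrival time in seconds, src = source address, payload = decoded data
Packet = namedtuple("Packet", "ts src payload")

@dataclass
class IDS:
    baseline_pps: float          # measured normal rate, packets per second
    tolerance: float = 3.0       # alert when rate exceeds baseline * tolerance
    window: float = 1.0          # sliding-window length in seconds
    alerts: list = field(default_factory=list)   # what the admin receives
    _arrivals: deque = field(default_factory=deque)
    _in_anomaly: bool = False    # suppress repeated alerts within one burst

    def signature_recognition(self, pkt):
        """Compare packet data against the known attack patterns."""
        for pattern, desc in SIGNATURE_DB.items():
            if pattern in pkt.payload:
                self.alerts.append(("signature", f"{desc} from {pkt.src}"))
                return True
        return False

    def anomaly_detection(self, pkt):
        """Flag a sudden rise in IP packets per second above the baseline."""
        self._arrivals.append(pkt.ts)
        while pkt.ts - self._arrivals[0] > self.window:
            self._arrivals.popleft()
        rate = len(self._arrivals) / self.window
        anomalous = rate > self.baseline_pps * self.tolerance
        if anomalous and not self._in_anomaly:   # Alert System: once per burst
            self.alerts.append(("anomaly", f"{rate:.0f} pkt/s vs baseline {self.baseline_pps:.0f}"))
        self._in_anomaly = anomalous
        return anomalous

def build_sample_traffic():
    """Constructed traffic: normal requests, one phf probe, then a burst."""
    normal = [Packet(i * 0.5, "10.0.0.5", "GET /index.html") for i in range(6)]
    probe = [Packet(3.0, "198.51.100.7", "GET /cgi-bin/phf?Qalias=x")]
    burst = [Packet(4.0 + i * 0.05, "203.0.113.9", "SYN") for i in range(20)]
    return normal + probe + burst

def run_ids(traffic, baseline_pps=2.0):
    ids = IDS(baseline_pps)
    for pkt in traffic:   # IP Packets use case: the network hands each packet to the IDS
        ids.signature_recognition(pkt)
        ids.anomaly_detection(pkt)
    return ids.alerts
```

The burst raises only one anomaly alert because the detector reports the transition into the anomalous state rather than every packet above the threshold.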
Use Case Diagram
[Use case diagram (not reproduced). Actors: Network, IDS, User, Admin. Use cases: IP Packets, Login, Anomaly detection, Signature Recognition, Alert, Download]