Building Network Response System of Real Time in E-Learning System

Lin Yu Da
Institute of Information, Computer and Education, National Kaohsiung Normal University
f1239marklin@icemail.nknu.edu.tw

Abstract

With the rapid development of the Internet, Internet security is becoming more and more important. In this study, we adopt Snort to build a protection system that is integrated with an E-learning platform in order to detect intruders from the Internet. In addition, by taking advantage of the convenience and in-time property of the Internet, we are able to provide services such as immediate notification and troubleshooting, in order to promote knowledge of Internet security and maintain the normal operation of the E-learning platform.

Keyword: E-learning, NIDS, network security

Preface

In Jan. 2003, the security agenda of the OECD-APEC Global Forum on Policy Frameworks for the Digital Economy, held at Honolulu, pointed out the importance of Internet security and its related policies (OECD2003). The key infrastructure protection center under the FBI, USA, issued a report named “National policy concerning the security in the Cyber Space”, which for the first time explicitly raised Internet security to the level of military strategy related to national security, and for the first time included Internet security in the overall thinking on national security. Some Internet experts think that, behind the Internet security fever, there are still many people whose understanding of Internet security is immature or still in its infancy. Barbara Fraser, leader of the IP security protocol task force of the IETF, pointed out that the insecurity of the Internet comes from the lack of professional knowledge of Internet security and from biased perceptions of the Internet, and that Internet security should start with each person.

The intrusion detection and response system we developed is application-layer software. Its advantage is its real-time function: it can fully monitor the network access conditions of the connection from the learner's computer to the teaching system, and it automatically provides the learner with solutions to computer security issues, which draws the learner's attention to Internet security. This system can also be used by the web managers in the school or a company; its superior in-time property lets the web managers know better about the learners' Internet access situation, so the overall working efficiency is enhanced and inappropriate information can be prevented.

Background knowledge

1. Provide safe platform for the internet learner

Whether on a personal operating platform, a traditional Client/Server architecture, a multi-layer architecture or an Internet platform, anti-virus software and firewalls play an important role. However, the study shows that Internet learners usually have low alertness and no computer-related knowledge, and are thus at risk of attack by viruses or hackers. Some learners do not even know that they have been invaded by a hacker or infected by an Internet virus; the virus is then passed to the Internet learning platform or to other learners' computers, which can further lead to the malfunction of the teaching platform. Looking at current E-learning platforms, system managers usually use firewalls and anti-virus software to stop Internet dangers; this is, however, passive prevention and cure. The researchers think that an E-learning platform, in addition to providing the E-learning service, has the responsibility to inform learners of the conditions they might encounter and the procedures to handle them. Internet viruses and hackers are not in themselves formidable; what is formidable is letting them spread without stopping them, which can lead to serious results.
Therefore, an Internet safety notification mechanism is important in the teaching platform: it allows learners to understand the current situation of their computers and raises their alertness (as shown in Figure 1).

Figure 1. Internet notification and access mode

2. Winpcap

Winpcap is a function library that can be used to capture network packets under the Windows environment. It also allows higher-level application software to execute some lower-level functions, so the Winpcap library is the most important basic tool in this detection system. As shown in Figure 2, the basic architecture of Winpcap can be divided into three parts: the display layer, the core layer and the hardware layer. The lowest level, the hardware layer, is the network interface card, which is used to acquire the packets transferred on the network. This layer captures packets without losing them, uses the lowest amount of network resources, and is universal and flexible enough to be used by different kinds of application software. The last layer is the core layer; its main job is to transfer the network packets acquired by the hardware layer to the application layer so that the program can handle the data, which can be read and written as a file. The usage layer processes the transferred packets and converts them into useful output information for the user; it is therefore easy to use and to modularize, and it is also expandable and supports multiple protocols.

Figure 2. Winpcap basic architecture

The packet.dll in the usage layer is a dynamic link library; it allows the Windump program to execute under the Windows environment without any re-coding.
However, libpcap is a static function library in the capture program. The functions it provides do not depend on the hardware or operating system, and it provides a high-level and convenient path for performing low-level work such as packet capture. It is therefore suitable for network software development on other systems; for example, the TcpDump program can use Libpcap to acquire packets under Unix.

3. Snort detection principle

Snort is a convenient network intrusion detection system developed on top of Libpcap. It can record and analyze network traffic in real time and log the IP packets on the network; it can perform protocol analysis and content searching/matching, and it can be used to detect a variety of attacks and probes (such as buffer overflows, CGI attacks, SMB probes, etc.).

There are five main reasons we use Snort as the intrusion detection system. The first is its low load: although Snort is powerful, its source code is very neat and compact, and the compressed source archive has a size of only 110KB. The second is its high portability: Snort is highly cross-platform and currently supports systems such as Linux, Solaris, BSD, IRIX, HP-UX, WinY2K, etc., so it is suitable for all kinds of E-learning system platforms. The third is that it is powerful: it has the capability to analyze network traffic and IP network data packets, and it can rapidly detect network attacks. The fourth is its excellent expandability, which lets it respond rapidly to new attacks and threats: Snort can analyze protocols such as TCP, UDP and ICMP, and in the future it can provide support for protocols such as ARP, ICRP, GRE, OSPF, RIP, IPX, etc. The fifth is its open license: Snort follows the GPL, so any company, enterprise, person or organization can use it as its own NIDS (network intrusion detection system) for free.
Figure 3 shows the three major parts of Snort. The first is the packet decoder, which takes charge of packet collection and decoding; the second is the detection engine, which detects whether a packet is abnormal according to the rule database; the third is the logging and alerting subsystem, which records the related content of the abnormal packet and outputs it in an appropriate format. Therefore, after a packet is received, Snort decodes it immediately and checks it against the rule database to see whether it is abnormal; if it is, Snort outputs it in a log file format or records it in the database.

Figure 3. Snort intrusion detection principle

4. Response system architecture

The system is built on a 2-Tier architecture (as shown in Figure 4) and can be divided into three layers: the user interface, the processing layer and the solid layer. The usage layer mainly uses a WEB interface and EMAIL to inform the learner and the system manager of the current network situation and the related solution. The processing layer is mainly made up of Snort; it outputs the packets it analyzes to the database to facilitate program access and mutual interaction. The solid layer mainly stores and outputs the analysis data of abnormal packets; it uses an information exploring method to extract related information and solutions based on the analysis data.

Figure 4. System architecture

Realization and application of intrusion detection system

As shown in the system flow chart of Figure 5, Winpcap and Snort 2.0 are first installed into the E-learning system. An in-time response system targeting their output information is then developed using Microsoft's ASP.NET. It also takes the abnormal packet records and, according to the IP of the learner's computer, verifies and gives an immediate response to the registration letter and access content in the remote teaching system.

Figure 5. System flow chart

This system is applied in a three-credit class on the general theory of special education at the National KaoHsiung Normal University. The main targets of the internet university are on-job teachers, students and ordinary people in society; therefore, many of the learners are not familiar with Internet security, or do not even have the capability to maintain their computers themselves. A detection mode is added to the system in order to provide the learners with the in-time network status of their computer access; in addition to the learning courses, it lets the learners understand the importance of Internet security.

For the system manager, the use of intrusion detection can reduce the difficulty of system maintenance and keep answers to the learners' questions timely. It also allows the learners to understand the potential threats from viruses or the types of Trojan horse that might currently threaten the system on the Internet, so that the learner can react immediately. The following figures show a Web in-time response mechanism prepared by the internet university using the detection system (Figure 6) and a mail notification mechanism (Figure 7).

Figure 6. Web notification interface

Figure 7. Mail notification interface

Test of the system

To verify its function and feasibility, 264 learners joined the three-credit class on the general theory of special education, and a questionnaire survey was performed after the completion of the courses. The result is used as a functional evaluation of the system, and the questionnaire survey result is shown in Table 1.

Table 1.
The questionnaire survey result of system usage (Effective questionnaire number: 245)

Conclusion

Building an intrusion detection response system in the E-learning platform using Snort not only has low cost but also puts a low load on the system. A system test after its introduction into the E-learning platform shows enhanced system stability and usability, which allows each learner to enjoy a better and safer learning platform. In addition, the system's high portability makes it suitable for an E-learning platform set up on any system. Meanwhile, there are many output formats, such as general system documents, Tcpdump format, XML format and database format, so the output can be designed according to specific requirements; since it can be output to the database, it can be used to analyze the correlation between related network packets and the users.

Reference

[1] China Science and Technology Information: OECD 2003 Conference on Information Systems and Network Security, http://www.chinainfo.gov.cn/data/200401/1_20040103_72053.html
[2] China Science and Technology Information: U.S. National Science Foundation funds 30 million to strengthen network security, http://www.chinainfo.gov.cn/data/200401/1_20040103_72045.html
[3] Sun Yat-sen University: Introduction to Online Teaching, http://cu.nsysu.edu.tw/10001door/book/a04.htm
[4] Lin Tao (1999). The Perplexity of Technology. Central Daily News, July 6.
[5] Three-credit class on the General Theory of Special Education, http://nu.nknu.edu.tw/spc
[6] Microsoft Information Security home page, http://www.microsoft.com/taiwan/security/
[7] AirSnort, http://airsnort.shmoo.com/
[8] Snort FAQ, http://www.snort.org/docs/faq.html
[9] Snort users manual, http://www.snort.org/docs/writing_rules/
[10] Snort.org Web site, http://www.snort.org
[11] The Snort drinking game, http://www.theadamsfamily.net/~erek/snort/drinking_game.txt
[12] The snort user's mailing list, http://lists.sourceforge.net/lists/listinfo/snort-users
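
Added example (not code from the paper, whose response system is written in ASP.NET and reads Snort's database output): a sketch of the correlation step the paper describes, matching Snort alerts to learners by source IP and routing everything else to the system manager. It assumes Snort's one-line "fast" alert text layout as input; the session table, addresses, SIDs and messages are constructed.

```python
import re

# Snort "fast" alert line: time [**] [gid:sid:rev] msg [**] [Classification] [Priority] {proto} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:[^\]]*\])?\s+\[Priority:\s*(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$")
# Constructed sample alerts (documentation addresses, made-up SIDs and messages).
SAMPLE_ALERTS = """\
01/12-09:15:02.114532  [**] [1:1000001:1] SAMPLE worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.0.2.10:3127 -> 198.51.100.5:445
01/12-09:15:02.300918  [**] [1:1000001:1] SAMPLE worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.0.2.10:3128 -> 198.51.100.5:445
01/12-09:16:40.000001  [**] [1:1000002:1] SAMPLE port scan [**] [Priority: 3] {TCP} 203.0.113.77:40000 -> 198.51.100.5:80
truncated or corrupted line
01/12-09:17:00.500000  [**] [1:1000003:2] SAMPLE CGI probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:51000 -> 198.51.100.5:80
"""
# Hypothetical session table of the E-learning platform: learner IP -> mail address.
SESSIONS = {"192.0.2.10": "learner_a@example.edu", "192.0.2.22": "learner_b@example.edu"}

def parse_alert(line):
    """Return the alert fields as a dict, or None for a line that does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["sid"], alert["prio"] = int(alert["sid"]), int(alert["prio"])
    return alert

def correlate(lines, sessions):
    """Split alerts into per-learner notices and a queue for the system manager."""
    learner, admin, skipped, seen = {}, [], 0, set()
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            skipped += 1          # counted, so a corrupted log does not pass silently
            continue
        if (alert["src"], alert["sid"]) in seen:
            continue              # one notice per source and rule, not one per packet
        seen.add((alert["src"], alert["sid"]))
        who = sessions.get(alert["src"])
        if who is None:
            admin.append(alert)   # source is not a logged-in learner
        else:
            learner.setdefault(who, []).append(alert)
    for alerts in learner.values():
        alerts.sort(key=lambda a: a["prio"])   # priority 1 is the most severe
    return learner, admin, skipped

if __name__ == "__main__":
    print(correlate(SAMPLE_ALERTS.splitlines(), SESSIONS))
```

When the notices are rendered into the Web page or the mail, the alert message and addresses should be escaped like any other untrusted field.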