Vision Document
Using CLIPS to Detect Network Intrusions - (CLIPNIDS)
Submitted in partial fulfillment of the requirements for the degree of Master of Software
Engineering
Sripriya Marry
CIS 895 – MSE Project
Department of Computing and Information Sciences
Kansas State University
Committee Members
Dr. David Gustafson (Major Professor)
Dr. Rodney Howell
Dr. Mitchell Nielsen
Change Log

Version #   Changed By       Release Date   Change Description
1.0         Sripriya Marry   02/20/2014     Initial Release
Table of Contents
1. Introduction
1.1 Purpose and Motivation
1.2 Project Overview
1.3 References
2. Product Description
2.1 Product Perspective
2.2 Product Features
2.3 Assumptions and Dependencies
2.4 Environment
2.5 Constraints
3. Requirements Specification
3.1 Use Case name: IP Packets
3.2 Use Case name: Signature recognition
3.3 Use Case name: Alert system
4. User Interface
1. Introduction
The main goal of this project is to update Clipnids with signatures for the latest network attacks.
Using these signatures, Clipnids detects unauthorized access to network resources by intruders
and notifies the network administrators.
1.1. Purpose and Motivation
The purpose of this project is to study the performance of CLIPS as the detection engine of a
network intrusion detection system (NIDS) when it is loaded with current intrusion signatures.
Clipnids was built in 2003 and was equipped with the attack signatures prevalent at that time.
Network attacks evolve constantly and their nature changes, so Clipnids must be updated with
current attack signatures before that study is meaningful.
1.2. Project Overview
A system intrusion is any attempt to attack a system and compromise its security properties:
integrity, confidentiality, or availability. Intrusion Detection Systems (IDS) are deployed to
detect an intrusion when it occurs and, on detection, to trigger appropriate response and recovery
measures. A network IDS monitors traffic as it passes through the network, analyzes it,
reconstructs sessions, and looks for predefined attack patterns or for abnormal behavior that
could be caused by an attack. Intrusion detection systems help information systems prepare for
and deal with attacks by collecting information from a variety of system and network sources and
analyzing it for possible security problems. Intrusion detection provides the following:
- Monitoring and analysis of user and system activity
- Auditing of system configurations and vulnerabilities
- Assessing the integrity of critical system and data files
- Statistical analysis of activity patterns based on matching to known attacks
- Abnormal activity analysis
- Operating system audit
Clipnids is a signature-based network intrusion detection system (NIDS). There are several ways
to use an expert system in a NIDS; in Clipnids the CLIPS expert system serves as the detection
engine. Clipnids can therefore be viewed as a rule-based system: intrusion scenarios are encoded
as rules in the detection engine and packets are matched against those rules. The data of each
packet is converted into a CLIPS fact and asserted into the fact list, and the rule set is then run
to perform the detection.
1.3. References
1. IEEE Recommended Practice for Software Requirements Specifications (IEEE Std 830).
2. Portfolio Requirements page, CIS Department website, Kansas State University.
3. Wikipedia.
4. http://link.springer.com/chapter/10.1007%2F978-3-540-24580-3_40#page-1
2. Product Description
2.1. Product Perspective
Clipnids analyzes network traffic directly, searching it for byte sequences or packet sequences
known to be malicious. Such signatures are easy to develop and understand when we know what
network behavior we are trying to identify, and the events generated by Clipnids state what
caused the alert. Pattern matching looks for events, or sets of events, that match a predefined
pattern describing a known attack; these patterns are called signatures. The logical components
of Clipnids are the following:
Packet Decoder:
Packets enter through the NIC and are decoded off the wire by the packet decoder, which
determines which protocol a given packet uses and checks the packet against the allowable
behavior for that protocol. The packet decoder can generate alerts of its own for malformed
protocol headers, overly long packets, unusual or invalid TCP options set in the headers, and
similar anomalies. After the decoder has processed the packets, they are passed to the
preprocessors.
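To make the decoder-to-fact step concrete, here is an added Python illustration; it is not Clipnids' decoder, and the packet slot names, the sample addresses and ports, and the "DECODER:" alert prefix are assumptions. It checks the IPv4 and TCP headers the way the decoder paragraph describes, raises the decoder's own alert for a malformed header instead of producing a fact, and renders a well-formed packet as the text of a CLIPS (packet ...) fact ready to be asserted into the fact list.

```python
import struct
from ipaddress import IPv4Address

# Illustration only: the slot names below are assumed, not Clipnids' own template.
TCP_FLAG_NAMES = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "A"), (0x20, "U")]


class DecodeError(Exception):
    """A malformed header: the decoder raises its own alert instead of a fact."""


def decode_ipv4_tcp(raw: bytes) -> dict:
    """Parse one IPv4/TCP packet into a flat fact, rejecting malformed headers."""
    if len(raw) < 20:
        raise DecodeError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise DecodeError(f"IP version {version} is not 4")
    if ihl < 20:
        raise DecodeError(f"IHL of {ihl} bytes is below the 20-byte minimum")
    if total_len < ihl or total_len > len(raw):
        raise DecodeError(f"total length {total_len} does not fit {len(raw)} captured bytes")
    if proto != 6:
        raise DecodeError(f"protocol {proto} is not TCP")
    tcp = raw[ihl:total_len]
    if len(tcp) < 20:
        raise DecodeError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _tcsum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4          # TCP header length incl. options
    if data_off < 20 or data_off > len(tcp):
        raise DecodeError(f"TCP data offset {data_off} is outside the segment")
    flags = "".join(name for bit, name in TCP_FLAG_NAMES if off_flags & bit)
    return {
        "src_ip": str(IPv4Address(src)), "src_port": sport,
        "dst_ip": str(IPv4Address(dst)), "dst_port": dport,
        "ttl": ttl, "flags": flags, "payload": tcp[data_off:],
    }


def decoder_alert(raw: bytes):
    """Return the decoder's own alert text for a malformed packet, else None."""
    try:
        decode_ipv4_tcp(raw)
    except DecodeError as exc:
        return f"DECODER: {exc}"          # assumed alert format
    return None


def to_clips_fact(fact: dict) -> str:
    """Render the fact as the (packet ...) text that (assert ...) would receive."""
    payload = fact["payload"].decode("latin-1").replace("\\", "\\\\").replace('"', '\\"')
    return (f'(packet (src-ip "{fact["src_ip"]}") (src-port {fact["src_port"]}) '
            f'(dst-ip "{fact["dst_ip"]}") (dst-port {fact["dst_port"]}) '
            f'(ttl {fact["ttl"]}) (flags "{fact["flags"]}") (payload "{payload}"))')


def build_sample_packet(payload: bytes) -> bytes:
    """Constructed test input: 10.0.0.5:40000 -> 10.0.0.8:80, PSH/ACK, no options."""
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 1, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     IPv4Address("10.0.0.5").packed, IPv4Address("10.0.0.8").packed)
    return ip + tcp


if __name__ == "__main__":
    packet = build_sample_packet(b"GET /cgi-bin/phf HTTP/1.0")
    print(to_clips_fact(decode_ipv4_tcp(packet)))
    print(decoder_alert(bytes([0x42]) + packet[1:]))   # IHL of 2 words: decoder alert
```

The checks are ordered so that a header length field is validated before it is used to slice the buffer; a decoder that trusts IHL or the TCP data offset before checking it can be made to read past the packet, which is exactly the class of malformed-header input the decoder is supposed to alert on.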
Preprocessors:
Preprocessors are plug-ins to Clipnids that let the engine parse incoming data in additional ways
that may be useful. If Clipnids is run without any preprocessors specified in its conf.clp
configuration file, it looks only at each individual packet as it arrives on the wire. That is
likely to miss attacks, since many modern attacks rely on techniques such as overwriting data in
overlapping fragments or deliberate IDS evasion, for example putting part of a malicious
application request in one packet and the rest in another. Data reaches the preprocessors after
it has been parsed by the packet decoder.
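As an added example of why a fragment preprocessor matters (illustration code, not Clipnids' or Snort's fragment handling), the following reassembles one datagram whose fragments overlap with conflicting bytes. The fragment tuples, the HTTP request and the "FRAG:" alert texts are constructed; the policy argument models the fact that different target operating systems keep either the first or the last copy of overlapping data, so an IDS that picks the wrong policy inspects a different payload than the victim receives.

```python
# Added illustration of a fragment preprocessor; not Clipnids' or Snort's code.
# Offsets are given in bytes (IP carries them in 8-byte units) and each
# fragment arrives as (offset, more_fragments, data).


def reassemble(fragments, policy="first"):
    """Rebuild one datagram's payload from its fragments.

    Returns (payload, alerts); payload is None when pieces are missing.
    Overlapping bytes that disagree are reported, and `policy` ("first" or
    "last") decides which copy wins.
    """
    seen = {}            # byte offset -> value
    alerts = []
    total_len = None
    for offset, more_fragments, data in fragments:
        if offset % 8:
            alerts.append(f"FRAG: offset {offset} is not a multiple of 8")
        if not more_fragments:                      # last fragment fixes the length
            if total_len is not None and total_len != offset + len(data):
                alerts.append("FRAG: conflicting datagram lengths in last fragments")
            total_len = offset + len(data)
        conflicts = 0
        for i, value in enumerate(data):
            pos = offset + i
            if pos in seen:
                if seen[pos] != value:
                    conflicts += 1
                if policy == "first":
                    continue                        # keep the earlier copy
            seen[pos] = value
        if conflicts:
            alerts.append(f"FRAG: fragment at offset {offset} overlaps earlier data "
                          f"with {conflicts} differing bytes")
    if total_len is None or any(pos not in seen for pos in range(total_len)):
        return None, alerts + ["FRAG: datagram incomplete"]
    return bytes(seen[pos] for pos in range(total_len)), alerts


# Constructed evasion sample: the second and third fragments both claim
# offset 8 but carry different bytes.
SAMPLE_FRAGMENTS = [
    (0, True, b"GET /ind"),
    (8, True, b"ex.html "),
    (8, True, b"/cgi-bin"),
    (16, False, b"HTTP/1.0"),
]

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(SAMPLE_FRAGMENTS, policy))
```

Run stand-alone, the sample reassembles to a harmless index.html request under the "first" policy and to a /cgi-bin request under "last"; a per-packet engine would never see either, which is the gap the preprocessor closes.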
Detection Engine:
The CLIPS expert system is used as the detection engine, and packet payload matching is done
there. The Boyer-Moore algorithm is used for single-pattern matching, which tests for one short
byte sequence. The Aho-Corasick algorithm is used for multiple-pattern matching, which tests
several patterns against the packet payload simultaneously and so increases detection
performance.
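The two algorithms named above, as an added Python illustration rather than Clipnids' own engine: a Boyer-Moore-Horspool search for a single pattern and an Aho-Corasick automaton that tests every signature in one pass over the payload. The signature strings, the alert names (written in Snort's message style) and the sample request are constructed for the example.

```python
from collections import deque

# Constructed signatures: content pattern -> alert message (names are assumptions).
SIGNATURES = {
    b"/cgi-bin/phf": "WEB-CGI phf access",
    b"/etc/passwd": "WEB-MISC /etc/passwd access",
    b"cmd.exe": "WEB-IIS cmd.exe access",
    b"\x90" * 8: "SHELLCODE x86 NOOP sled",
}


def horspool_find(pattern: bytes, text: bytes) -> int:
    """Boyer-Moore-Horspool single-pattern search; returns the offset or -1."""
    m, n = len(pattern), len(text)
    if m == 0:
        return 0
    shift = {b: m - 1 - i for i, b in enumerate(pattern[:-1])}   # rightmost occurrence
    i = 0
    while i + m <= n:
        if text[i:i + m] == pattern:
            return i
        i += shift.get(text[i + m - 1], m)     # skip on the byte under the pattern's end
    return -1


class AhoCorasick:
    """Multi-pattern matcher: one pass over the payload tests every pattern."""

    def __init__(self, patterns):
        self.goto, self.fail, self.out = [{}], [0], [[]]
        for pat in patterns:                        # build the keyword trie
            state = 0
            for b in pat:
                if b not in self.goto[state]:
                    self.goto.append({}); self.fail.append(0); self.out.append([])
                    self.goto[state][b] = len(self.goto) - 1
                state = self.goto[state][b]
            self.out[state].append(pat)
        queue = deque(self.goto[0].values())        # depth-1 states fail to the root
        while queue:                                # BFS computes failure links
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] += self.out[self.fail[s]]   # inherit matches of suffixes

    def search(self, text: bytes):
        """Return (offset, pattern) for every occurrence, in order of match end."""
        state, hits = 0, []
        for i, b in enumerate(text):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for pat in self.out[state]:
                hits.append((i - len(pat) + 1, pat))
        return hits


ENGINE = AhoCorasick(SIGNATURES)


def detect(payload: bytes):
    """Run the multi-pattern engine and translate hits into alert messages."""
    return [(offset, SIGNATURES[pat]) for offset, pat in ENGINE.search(payload)]


# Constructed sample: a phf request that also reads /etc/passwd.
SAMPLE_PAYLOAD = b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0"

if __name__ == "__main__":
    print(detect(SAMPLE_PAYLOAD))
    print(horspool_find(b"/etc/passwd", SAMPLE_PAYLOAD))
```

Horspool is the right tool when a rule has one content string to check; the automaton is built once from the whole signature set and, unlike running Horspool per signature, its cost per packet does not grow with the number of rules.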
2.2. Product Features
The use case diagram for Clipnids (Clipnids Use Case diagram) shows the actors and use cases
described in Section 3.
2.3. Assumptions and Dependencies
The administrator is well versed in network attack signatures and in writing rules in CLIPS.
2.4. Environment
Clipnids is built on Linux in the C language. The GNU build tools are used to configure and build
Clipnids as a package. Rules for attack signatures are written in the CLIPS language.
2.5. Constraints
Clipnids can currently protect only hosts running Linux. The Snort decoder and preprocessors were
adapted for Clipnids, but only two of Snort's ten preprocessors have been adapted so far, so at
present Clipnids detects only threats involving packet fragmentation and the application layer.
3. Requirements Specification
The following actors have been identified for Clipnids:
- User: sends a request to the server, and the server responds by providing the requested
service.
- Network: carries the IP packets from source to destination.
- Clipnids: the IDS takes the packets from the network and analyzes them.
- System Administrator: is alerted by the IDS of any suspicious activity or whenever an
intrusion is detected.
3.1. Use Case name: IP Packets
Purpose: The network delivers IP packets to the IDS, which processes them further.
Actors: Network, Clipnids.
Input: IP packets arrive on the network from the Internet.
Output: IP packets are received by Clipnids and passed to the detection engine via the decoder
and the preprocessors.
3.2. Use Case name: Signature recognition
Purpose: Clipnids examines the traffic for well-known attack patterns stored in the pattern
database and triggers the alert system if a match is found.
Actor: Clipnids.
Input: IP packets received from the network by Clipnids.
Output: Information about the attack or intrusion is sent to the alert system so that the network
administrator can be informed.
3.3. Use Case name: Alert system
Purpose: Whenever it is triggered by signature recognition, the alert system alerts the system
administrator.
Actor: System administrator.
Input: Clipnids sends information about the attack to the alert system.
Output: The alert system alerts the system administrator about the attack.
4. User Interface
Clipnids is a console-based application. Its only users are system administrators, who configure
Clipnids on the network to detect threats and attacks. The system administrator uses Clipnids
through the following commands:
1. To capture live traffic directly off the wire: sudo ./clipnids -i eth0 (eth0 being the
interface when an Ethernet connection is used).
2. To analyze traffic previously captured in a pcap file: sudo ./clipnids -r file-name.
3. To filter the traffic, live or captured, BPF filter expressions can be used.