Base Paper presented by - Muhammad Naveed, Shams un Nihar and Mohammad Inayatullah Babar At 2010 6th International Conference on Emerging Technologies (ICET)
Network Intrusion Prevention by Configuring ACLs on the Routers, based on Sno...Disha Bedi
Final Year Engineering Internship Report for Internship at Siemens Information Systems Ltd. Project : Network Intrusion Detection And Prevention Using Snort And Iptables
Using Genetic algorithm for Network Intrusion Detection - Sagar Uday Kumar
Using Genetic algorithm for Network Intrusion Detection: A Genetic Algorithm IDS involves detecting the intrusion based on the log history and the possible intrusions that are likely to occur. In the Genetic Algorithm, each connection is considered as a "chromosome" which consists of many "genes" (properties of the connection such as source IP, target IP, port number, protocol, ...). One has to find the fitness value of each such chromosome to detect an intrusion.
REAL-TIME INTRUSION DETECTION SYSTEM FOR BIG DATA - ijp2p
The objective of the proposed system is to integrate the high volume of data along with important considerations like monitoring a wide array of heterogeneous security. When a real-time cyber attack occurs, the Intrusion Detection System automatically stores the log in a distributed environment and monitors the log against an existing intrusion dictionary. At the same time the system checks and categorizes the severity of the log as high, medium, or low. After the categorization, the system automatically takes necessary action against the user-unit with respect to the severity of the log. The advantage of the system is that it utilizes anomaly detection, evaluates data and issues alert messages or reports based on abnormal behaviour.
A database firewall is a useful tool that monitors databases to identify and protect against database-specific attacks that mostly seek to access sensitive information stored in the databases. However, commercial database firewalls are expensive and need specific product knowledge, while open-source database firewalls are designed for specific open-source database servers.
In order to fulfill the need for an inexpensive database firewall, Snort, an open-source IDS/IPS, can achieve the goal in some scenarios with familiar rule writing. The paper will explain the limitations of Snort as a database firewall, constraints in commercial database statements and some example implementations.
Cloudslam09: Building a Cloud Computing Analysis System for Intrusion Detection - Wei-Yu Chen
In order to resolve the huge amount of anomaly information generated by an Intrusion Detection System (IDS), this paper presents and evaluates a log analysis system for IDS based on Cloud Computing techniques, named IDS Cloud Analysis System (ICAS). To achieve this, two basic components have to be designed. The first is the regular parser, which normalizes the raw log files. The other is the Analysis Procedure, which contains a Data Mapper and a Data Reducer. The Data Mapper is designed to anatomize alert messages and the Data Reducer is used to aggregate and merge them. As a result, this paper will show that the performance of ICAS is suitable for analyzing and reducing large volumes of alerts.
In computing, a firewall is a software or hardware-based network security system that controls the incoming and outgoing network traffic based on applied rule set. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is not assumed to be secure and trusted.
Many personal computer operating systems include software-based firewalls to protect against threats from the public Internet. Many routers that pass data between networks contain firewall components and, conversely, many firewalls can perform basic routing functions.
It tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by monitoring network traffic.
With the growth of computer networking, electronic commerce and web services, network security systems have become very important to protect information and networks against malicious usage or attacks. In this report, an Intrusion Detection System is designed using two artificial neural networks: one for Intrusion Detection and the other for Attack Classification.
Seminar Report | Network Intrusion Detection using Supervised Machine Learnin... - Jowin John Chemban
Seminar Report : Network Intrusion Detection using Supervised Machine Learning Technique with Feature Selection
By:
Jowin John Chemban (jowinchemban@gmail.com)
HGW16CS022 (2016-2020 Batch)
S7 B.Tech Computer Science Engineering
Holy Grace Academy of Engineering, Mala
Date : November 2019
Detecting Anomaly IDS in Network using Bayesian Network - IOSR Journals
In a hostile area of a network, it is a severe challenge to protect the sink, developing flexible and adaptive security-oriented approaches against malicious activities. Intrusion detection is the act of detecting and monitoring unwanted activity and traffic on a network or a device which violates security policy. This paper begins with a review of the most well-known anomaly-based intrusion detection techniques. AIDS is a system for detecting computer intrusions, a type of misuse that falls outside normal operation, by monitoring system activity and classifying it as either normal or anomalous. It is based on a Machine Learning AIDS scheme model that allows the attacks analyzed to be categorized and finds probabilistic relationships among attacks using a Bayesian network.
Intrusion detection and prevention system - Nikhil Raj
This presentation describes how to implement a Network-based Intrusion Detection System (Snort) in the network, detecting and analyzing the alerts generated and blocking the attacker using an Access Control List.
DEPLOYMENT OF INTRUSION PREVENTION SYSTEM ON MULTI-CORE PROCESSOR BASED SECUR... - IJCNCJournal
After tightening up the network perimeter for dealing with external threats, organizations have woken up to the threats from inside Local Area Networks (LAN) over the past several years. It is thus important to design and implement LAN security strategies in order to secure assets on the LAN by filtering traffic and thereby protecting them from malicious access and insider attacks. The Banking, Financial Services and Insurance (BFSI) industry is one such segment that faces increased risks and security challenges. The typical architecture of this segment includes several thousands of users connecting from various branches over Wide Area Network (WAN) links crossing national and international boundaries with varying network speed to access data center resources. The objective of this work is to deploy a LAN security solution to protect the data center located at headquarters from the end user machines. A LAN security solution should ideally provide Network Access Control (NAC) along with cleaning (securing) the traffic going through it. Traffic cleaning itself includes various features like firewall, intrusion detection/prevention, traffic anomaly detection, validation of asset ownership etc. LANenforcer (LE) is a device deployed in front of the data center such that the traffic from end-user machines necessarily passes through it so that it can enforce security. The goal of this system is to enhance the security features of a LANenforcer security system with an Intrusion Prevention System (IPS) to enable it to detect and prevent malicious network activities. The IPS is plugged into the packet path based on the configuration in such a way that the entire traffic passes through the IPS on the LE.
An analysis of Network Intrusion Detection System using SNORT - ijsrd.com
This paper describes the analysis of signature-based intrusion detection systems. Snort, which is a signature-based intrusion detection system, is used for this purpose. We use the DARPA dataset for the evaluation of the intrusion detection system.
In this research work, an Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) will be implemented to detect and prevent cyber-attacks on critical network infrastructure. To strengthen network security and improve the network's active defense intrusion detection capabilities, this project will consist of an intrusion detection system using honey-token-based encrypted pointers and an intrusion prevention system based on the mixed interactive honeypot. The Intrusion Detection System (IDS) is based on the novel approach of Honey Token based Encrypted Pointers. This honey token inside the frame will serve as a trap for the attacker. All nodes operating within the working domain of the critical infrastructure network are divided into four different pools. This division is based on their computational power and level of vulnerability. These pools are provided with different levels of security measures within the network. The IDS uses a different number of Honey Tokens (HT) per frame for each pool, e.g. Pool-A contains 4 HT/frame, Pool-B contains 3 HT/frame, Pool-C contains 2 HT/frame and Pool-D contains 1 HT/frame. Moreover, every pool uses a different encryption scheme (AES-128, 192, 256). Our critical infrastructure network of 64 nodes is under the umbrella of unified security provided by this single Network Intrusion Detection System (NIDS). After the design phase of the IDS, we analyze the performance of the IDS in terms of True Positives (TP) and False Negatives (FN). Finally, we test this IDS through a Network Penetration Testing (NPT) phase. The detection rate depends on the number of honey tokens per frame. Our proposed IDS is a scalable solution and can be implemented for any number of nodes in a critical infrastructure network. However, for the Intrusion Prevention System (IPS) we use virtual honeypot technology, which is the best active prevention technology among all honeypot technologies.
By using the original operating system and virtual technology, the honeypot lures attackers in a pre-arranged manner, analyzes and audits various attacking behaviours, tracks the attack source, obtains evidence, and finds effective solutions.
A COMBINATION OF THE INTRUSION DETECTION SYSTEM AND THE OPEN-SOURCE FIREWALL ... - IJCNCJournal
There are many security models for computer networks using a combination of Intrusion Detection System and Firewall proposed and deployed in practice. In this paper, we propose and implement a new model of the association between Intrusion Detection System and Firewall operations, which allows Intrusion Detection System to automatically update the firewall filtering rule table whenever it detects a weirdo intrusion. This helps protect the network from attacks from the Internet.
Intrusion Detection Systems By Anomaly-Based Using Neural Network - IOSR Journals
To improve network security, different steps have been taken as the size and importance of the network increase day by day, and with them the chances of network attacks. A network is mainly attacked by intrusions that are identified by a network intrusion detection system. These intrusions are mainly present in data packets, and each packet has to be scanned for their detection. This paper works to develop an intrusion detection system which utilizes the identity and signature of the intrusion for identifying different kinds of intrusions. A network intrusion detection system needs to be efficient enough that the chance of false alarm generation is low, a false alarm meaning traffic identified as an intrusion which actually is not one. The result obtained after analyzing this system is quite good: nearly 90% of the alarms generated are true alarms. It detects intrusions for various services like DoS, SSH, etc. by neural network.
Seminar Report - Network Intrusion Prevention by Configuring ACLs on the Routers, based on Snort IDS alerts
1. DEPARTMENT OF COMPUTER AND SCIENCE ENGINEERING
MANIPAL INSTITUTE OF TECHNOLOGY
(A Constituent College of Manipal University)
MANIPAL – 576104, KARNATAKA, INDIA
Seminar
On
Network Intrusion Prevention
by Configuring ACLs
on the Routers, based on Snort IDS alerts
Base Paper presented by-
Muhammad Naveed, Shams un Nihar and Mohammad Inayatullah Babar
At 2010 6th International Conference on Emerging Technologies (ICET)
By –
Disha Bedi
Roll no 104
Section B
2. CONTENTS
Abstract
Keywords
Introduction
Background
Motivation
Objective
Experimental setup
Methodology
Results
Analysis and discussion of results
Advantages of the presented system
Limitation
Possible improvements
Conclusion
References
3. Abstract
Intrusion detection and prevention is necessary for the security of any network. Initially a firewall was considered essential to provide security for the network, but now IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) are the mainstream devices along with firewalls.
Snort is used as the IDS and its alerts are logged to a database, from where they are read; router Access Control List (ACL) rules are generated based on the Snort intrusion alerts, and these ACL rules are then configured on the Cisco router to block the potential intrusions.
5. Introduction
Intrusion prevention is very important for the defence-in-depth approach to network security, along with firewalls and intrusion detection systems. Guardian is a software system which also provides a mechanism for using Snort alerts to block potential intrusions, but that system can only work on Linux and FreeBSD.
Our proposed system is almost independent of the underlying operating system and runs on every operating system: Snort can run on many operating systems, and PHP and Perl are compatible with nearly all operating systems. Guardian also uses a relatively complex approach with a difficult configuration. The proposed approach is simple and can be easily configured.
6. Background
Intrusion detection system
An intrusion detection system is a set of techniques and methods that are used to detect suspicious activity at both the network and host level.
Intruders have signatures that can be detected. Based upon a set of signatures and rules, the intrusion detection system (IDS) is able to find and log suspicious activity and generate alerts.
8. Snort
Snort is an open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS).
It has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks.
Snort is primarily a rule-based IDS. Snort reads these rules at start-up time and builds internal data structures or chains to apply these rules to captured data.
Components of Snort (figure)
9. Motivation
Almost all networks are potentially vulnerable to network intrusions despite all security measures. Thus good security measures are needed to keep our systems secured.
Also I did my summer internship on Network intrusion detection so I wanted to learn how Network intrusion prevention works.
10. Objective
An Intrusion Prevention System provides the capability to prevent intrusions, but because of its cost it is not an option for many small businesses and home users.
Hence, using a lightweight and free Intrusion Detection System such as Snort, integrating it with a Cisco router and enhancing its ability to provide a prevention mechanism provides a good solution to this problem.
A router and a computer (to be used as a sensor) are fundamental components of every major network, so the proposed system does not need any additional hardware.
This study proposes a very basic way to prevent intrusions without any additional cost.
11. Experimental Setup
The system used for the implementation was a Core 2 Duo computer with 2 GB RAM and a Cisco 2691 Router with standard hardware configuration. The operating system installed on the computer was Fedora 12 x86_64 and the router was installed with Cisco IOS Software Version 12.4(13b).
The software was written in PHP and Perl, so PHP and Perl were also installed on the system. The Snort version installed was Snort 2.8.6 (Build 38). As the main aim of the software was to configure ACL rules based on the Snort alerts, we used the 1998 MIT DARPA intrusion detection data to test the proposed system; it is sufficient to provide a valid testing environment for our proposed idea in every aspect, as the basic traffic analysis and intrusion detection is performed by Snort, which is used as ready-made IDS software.
Snort should be built with MySQL capability and then installed on the system. Building with MySQL capability integrates MySQL with Snort and enables Snort to log the alerts to a MySQL database, from where the alerts can be used by our proposed system.
The experiments were performed using the MIT DARPA 1998 intrusion detection data to test our software.
12. Methodology
Whenever Snort runs in IDS mode, all of the alerts are logged to a MySQL database. This database can be used to generate an ACL rule for every alert logged to it, which in a fine-tuned IDS represents a potential attack. After generating the ACL rules, the router configuration module accesses the router automatically using telnet and configures the ACL rules on it. ACL rules can also be removed after the attack is over or if the configured ACL rules have some undesired effect on the network.
13. There are two stages of the complete process:
Intrusion detection
Intrusion prevention
A. Intrusion Detection
Snort is used as an intrusion detection system to provide alerts for the potential intrusions. The alerts are automatically logged by Snort to a MySQL database, from where they are read by the proposed software and used to prevent the potential intrusion. It is very important that Snort is fine-tuned for the network, because only then will false alarms be minimal and almost all alerts indicate potential intrusions. Hence, the proposed system can work at its best to block illegitimate traffic while allowing legitimate traffic to enter the network easily.
B. Intrusion Prevention
This is the main part of the proposed system and it is made up of the following two modules, which work together to prevent a potential intrusion.
The study proposes software having two modules:
ACL Generation Module
Router Configuration Module
14. ACL Generation Module
The ACL Generation Module is written in PHP and is used to access the
database, read the alerts and, based on the alerts, generate Cisco ACL
rules. Snort’s database holds the source and destination IP addresses
and ports for each and every alert Snort generates. This information
can easily be read from the database and used to generate a specific
ACL rule that blocks incoming packets from the potential intruder.
Snort generates an alert whenever it detects a potential intrusion, and
in a fine-tuned Snort deployment almost all alerts will indicate an
intrusion. These alerts can be logged to a MySQL database through
proper configuration. The ACL Generation Module connects to this
database and checks for any new alerts generated by Snort. If there is
a new alert, it queries the “iphdr” table in the database, which
contains information about the IP header of the packet that generated
the alert. After the query, the IP header of every alert is fetched.
The “Protocol” field in the IP header is checked to find the
upper-layer protocol, and according to the value of that field and the
corresponding upper-layer protocol, the table is selected from which
additional information about the source of the intrusion is gathered,
as shown. After retrieving all the pertinent information from the
database, the corresponding alert is marked as checked so that it is
not processed again. With all the relevant information, an extended
Cisco ACL rule is generated, and the Router Configuration Module is
then used to connect to the router, configure the ACL rule on it and
hence block the source of the potential intrusion.
The following flow chart represents this process:
15. [Flow chart: ACL Generation Module process; image not included in this extract]
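The generation step described above, written out as an added example in Python rather than the paper's own PHP module. It builds an in-memory SQLite copy of the Snort tables the text names (event, iphdr, tcphdr, udphdr, icmphdr, with their real column names and Snort's integer IP encoding), loads three constructed alerts, selects the layer-4 table from the IP "Protocol" field, emits the "deny <proto> host <src> any" entry seen in the results section, and marks each alert as checked. The acl_state table used for that marking, the sample rows and the fallback to the "ip" keyword for other protocols are this example's own assumptions; the removal_rule() helper produces the "no"-prefixed form the removal section describes.

```python
import ipaddress
import sqlite3

# Constructed subset of the Snort 2.x database schema. event, iphdr, tcphdr, udphdr and
# icmphdr keep their real column names; acl_state is this example's own way of
# "marking an alert as checked" (an assumption, not part of Snort's schema).
SCHEMA = """
CREATE TABLE event   (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
CREATE TABLE iphdr   (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER, ip_proto INTEGER);
CREATE TABLE tcphdr  (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER);
CREATE TABLE udphdr  (sid INTEGER, cid INTEGER, udp_sport INTEGER, udp_dport INTEGER);
CREATE TABLE icmphdr (sid INTEGER, cid INTEGER, icmp_type INTEGER, icmp_code INTEGER);
CREATE TABLE acl_state (sid INTEGER, cid INTEGER, rule TEXT, PRIMARY KEY (sid, cid));
"""

PROTO_KEYWORD = {1: "icmp", 6: "tcp", 17: "udp"}   # IP protocol number -> ACL keyword
L4_TABLE = {6: ("tcphdr", "tcp_sport", "tcp_dport"),
            17: ("udphdr", "udp_sport", "udp_dport"),
            1: ("icmphdr", "icmp_type", "icmp_code")}

def ip_to_int(dotted):
    """Snort stores IPv4 addresses as unsigned 32-bit integers."""
    return int(ipaddress.IPv4Address(dotted))

def int_to_ip(value):
    return str(ipaddress.IPv4Address(value))

def new_sample_connection():
    """In-memory database holding three constructed alerts (TCP, UDP, ICMP)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    alerts = [  # (sid, cid, signature, src, dst, ip_proto, (l4 table, field a, field b))
        (1, 1, 1, "172.16.112.50", "172.16.113.204", 6, ("tcphdr", 40123, 23)),
        (1, 2, 2, "152.169.215.104", "172.16.112.149", 17, ("udphdr", 53, 53)),
        (1, 3, 3, "195.73.151.50", "172.16.114.168", 1, ("icmphdr", 8, 0)),
    ]
    for sid, cid, sig, src, dst, proto, (table, a, b) in alerts:
        conn.execute("INSERT INTO event VALUES (?, ?, ?, ?)", (sid, cid, sig, "1998-06-01 00:00:00"))
        conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?, ?)",
                     (sid, cid, ip_to_int(src), ip_to_int(dst), proto))
        conn.execute(f"INSERT INTO {table} VALUES (?, ?, ?, ?)", (sid, cid, a, b))
    conn.commit()
    return conn

def fetch_unprocessed_alerts(conn):
    """Alerts that have not yet been marked as checked (no acl_state row)."""
    return conn.execute(
        "SELECT i.sid, i.cid, i.ip_src, i.ip_dst, i.ip_proto FROM iphdr i "
        "LEFT JOIN acl_state a ON a.sid = i.sid AND a.cid = i.cid "
        "WHERE a.sid IS NULL ORDER BY i.sid, i.cid").fetchall()

def layer4_details(conn, sid, cid, ip_proto):
    """Pick the per-protocol table from the IP header's Protocol field, as the page describes."""
    if ip_proto not in L4_TABLE:
        return None
    table, col_a, col_b = L4_TABLE[ip_proto]
    row = conn.execute(f"SELECT {col_a}, {col_b} FROM {table} WHERE sid = ? AND cid = ?",
                       (sid, cid)).fetchone()
    return dict(zip((col_a, col_b), row)) if row else None

def build_rule(ip_src, ip_proto):
    """Extended ACL entry: block the alert's source host for every destination (the page's
    policy). Protocols without a dedicated table fall back to the 'ip' keyword."""
    return f"deny {PROTO_KEYWORD.get(ip_proto, 'ip')} host {int_to_ip(ip_src)} any"

def removal_rule(rule):
    """The same entry prefixed with 'no' removes it again (ACL Rules Removal Mechanism)."""
    return "no " + rule

def generate_acl_rules(conn):
    """Process each new alert exactly once and record its rule so it is not processed again."""
    results = []
    for sid, cid, src, dst, proto in fetch_unprocessed_alerts(conn):
        rule = build_rule(src, proto)
        results.append({"sid": sid, "cid": cid, "src": int_to_ip(src), "dst": int_to_ip(dst),
                        "l4": layer4_details(conn, sid, cid, proto), "rule": rule})
        conn.execute("INSERT INTO acl_state VALUES (?, ?, ?)", (sid, cid, rule))
    conn.commit()
    return results

if __name__ == "__main__":
    for r in generate_acl_rules(new_sample_connection()):
        print(r["rule"], r["l4"])
```

Running generate_acl_rules() a second time on the same connection returns nothing, which is the "marked as checked" behaviour the text requires; without that step every polling cycle would re-push the same entries to the router.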
16. Router Configuration Module
The Router Configuration Module is designed to access the router and
configure it automatically. It is written in Perl. To use telnet from a
Perl script, the Perl Net::Telnet module is needed. Using this module,
the router can be accessed and commands can be entered to configure it.
The access lists that will be used to configure the router based on
Snort alerts should already be applied to the interface connected to
untrusted networks. They should also be configured properly to permit
all traffic initially or, according to network requirements, can
initially be configured to block known sources of dangerous or
illegitimate traffic.
The main aim of the study is to execute ACL rules based on Snort alerts
on the router to stop the potential intrusion. After the ACL Generation
Module generates an ACL rule based on a Snort alert, it should be
configured on the router. The Router Configuration Module is used to
access the router and configure the required ACL rule in the correct
mode. First, we instantiate a Net::Telnet object and specify a timeout
in case the expected prompt does not match the router prompt. All
methods used in this module belong to the Net::Telnet object. To
connect to the router using telnet, the open() method is used. The
Router Configuration Module then waits for the vty (virtual terminal)
“Password: ” prompt from the router. The script provides the password
to the router, and the router enters “User Mode”. In “User Mode” we do
not have access to configure the router, so we must switch to
“Privileged Mode”. The Router Configuration Module sends the “enable”
command to the router to switch to “Privileged Exec Mode”; the router
asks for the “Privileged Exec Mode” password, which the module
provides. Next we switch to “Global Configuration Mode” using the
“configure terminal” command. In this mode the access list rule can be
configured on the router by simply sending the string passed to the
Router Configuration Module by the ACL Generation Module (i.e. an
extended ACL rule based on a Snort alert) to the router, and the result
of the operation is returned to the ACL Generation Module. The
following flow chart represents this process:
17. [Flow chart: Router Configuration Module process; image not included in this extract]
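The prompt-driven exchange above, as an added example in Python rather than the paper's Perl/Net::Telnet module. FakeCiscoRouter is a stand-in written for this example so that both sides of the session run offline; the hostname and the two passwords are constructed placeholders. The driver does what the text describes: wait for the vty "Password: " prompt, log in, "enable" into privileged exec, "configure terminal", push the entry and verify it with "show access-lists". One deliberate deviation: the entry is pushed inside "ip access-list extended 103" rather than as a single global-mode "access-list 103 ..." line, because on IOS "no access-list 103 <entry>" deletes the whole numbered list, whereas "no <entry>" inside the named-ACL submode removes just that line, which is what the removal mechanism needs.

```python
import re

# Constructed values for the simulated router; not values from the page.
HOSTNAME = "edge-rtr"
VTY_PASSWORD = "vty-secret"
ENABLE_PASSWORD = "enable-secret"
ACL_NUMBER = 103

class FakeCiscoRouter:
    """Tiny IOS-like CLI stand-in (written for this example) so the driver runs offline.
    write() takes one command line and returns the router's output plus the next prompt."""
    def __init__(self):
        self.mode = "login"
        self.entries = []           # ACL 103 entries in configured order

    def prompt(self):
        return {"login": "Password: ", "enable_pw": "Password: ",
                "user": f"{HOSTNAME}>", "priv": f"{HOSTNAME}#",
                "config": f"{HOSTNAME}(config)#",
                "acl": f"{HOSTNAME}(config-ext-nacl)#"}[self.mode]

    def open(self):
        return self.prompt()        # the vty line greets the client with the password prompt

    def write(self, line):
        out = ""
        if self.mode == "login":
            self.mode = "user" if line == VTY_PASSWORD else "login"
        elif self.mode == "enable_pw":
            self.mode = "priv" if line == ENABLE_PASSWORD else "user"
        elif self.mode == "user" and line == "enable":
            self.mode = "enable_pw"
        elif self.mode == "priv" and line == "configure terminal":
            self.mode = "config"
        elif self.mode == "priv" and line == "show access-lists":
            out = f"Extended IP access list {ACL_NUMBER}\n" + "".join(
                f"    {10 * (i + 1)} {e}\n" for i, e in enumerate(self.entries))
        elif self.mode == "config" and line == f"ip access-list extended {ACL_NUMBER}":
            self.mode = "acl"
        elif self.mode == "acl" and line.startswith(("permit ", "deny ")):
            self.entries.append(line)
        elif self.mode == "acl" and line.startswith("no ") and line[3:] in self.entries:
            self.entries.remove(line[3:])
        elif line == "end" and self.mode in ("config", "acl"):
            self.mode = "priv"
        else:
            out = "% Invalid input detected\n"
        return out + self.prompt()

class RouterConfigurationModule:
    """Drives the session the way the page describes for Net::Telnet: every step waits
    for the prompt that proves the router is in the expected mode before continuing."""
    PASSWORD_RE = re.compile(r"Password: $")
    USER_RE = re.compile(r"[\w-]+>$")
    PRIV_RE = re.compile(r"[\w-]+#$")                      # excludes "(config)#" prompts
    CONFIG_RE = re.compile(r"[\w-]+\(config\)#$")
    ACL_RE = re.compile(r"[\w-]+\(config-ext-nacl\)#$")

    def __init__(self, transport, vty_password=VTY_PASSWORD, enable_password=ENABLE_PASSWORD):
        self.t = transport
        self.vty_password = vty_password
        self.enable_password = enable_password

    def _expect(self, text, pattern):
        # Net::Telnet's waitfor() would time out here; fail fast rather than sending
        # configuration commands into an unknown mode.
        if not pattern.search(text):
            raise RuntimeError(f"unexpected prompt: {text!r}")
        return text

    def _cmd(self, line, expect):
        return self._expect(self.t.write(line), expect)

    def login(self):
        self._expect(self.t.open(), self.PASSWORD_RE)
        self._cmd(self.vty_password, self.USER_RE)          # user exec mode
        self._cmd("enable", self.PASSWORD_RE)
        self._cmd(self.enable_password, self.PRIV_RE)       # privileged exec mode

    def apply_entry(self, entry, remove=False):
        """Push one extended ACL entry (or its 'no' form) and return to privileged exec."""
        self._cmd("configure terminal", self.CONFIG_RE)
        self._cmd(f"ip access-list extended {ACL_NUMBER}", self.ACL_RE)
        self._cmd(("no " if remove else "") + entry, self.ACL_RE)
        self._cmd("end", self.PRIV_RE)

    def show_access_lists(self):
        return self._cmd("show access-lists", self.PRIV_RE)

if __name__ == "__main__":
    router = FakeCiscoRouter()
    mod = RouterConfigurationModule(router)
    mod.login()
    mod.apply_entry("deny tcp host 172.16.112.50 any")
    print(mod.show_access_lists())
```

Because each step checks for the prompt of the mode it expects, a wrong enable password (the router drops back to the ">" prompt) stops the run before any "configure terminal" is sent. The exchange itself is transport-agnostic: telnet, which the page uses, carries both passwords in clear text, and the same prompt sequence works unchanged over an SSH channel.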
18. ACL Rules Removal Mechanism
ACL rules should be removed from the router in case of false alarms.
Furthermore, after the attack is over the administrator might want to
remove the ACL rules to spare the router unnecessary processing.
Every ACL rule that is configured on the router is saved in the
database and can be used later to remove the ACLs from the router.
The ACL command, when executed with “no” at the start, removes the
configured ACL rule. The web browser output showing the configured
ACL rules on the router has a hyperlink in front of each rule, which
the administrator can use to remove that rule. The hyperlink simply
calls a script that in turn calls the Router Configuration Module, just
as it is called to configure an ACL rule, but this time with “no” to
remove the rule.
19. Interface Between ACL Generation Module and Router Configuration Module
As the ACL Generation Module is written in PHP while the Router
Configuration Module is written in Perl, the Router Configuration
Module must be integrated with the ACL Generation Module: the ACL rules
are generated by the ACL Generation Module and executed on the router
by the Router Configuration Module. To integrate the two, we use PHP’s
shell_exec() function to access the shell and pass the string
containing the Cisco ACL rule to the Router Configuration Module. PHP’s
shell_exec() thus works as the interface between the Router
Configuration Module and the ACL Generation Module.
20. RESULT
All results were obtained by blocking the source IP of the intrusive
packet of each potential intrusion for all destinations.
All incoming traffic from the IP addresses that are the source of a
potential intrusion is blocked, and hence the system has successfully
prevented intrusion into the network.
21. Analysis and discussion of results
Results were obtained using the 1998 MIT DARPA Intrusion Detection
training data. The table shows the traffic statistics (breakdown by
protocol, including rebuilt packets) as detected by Snort.
Snort detected 871 alerts and all of them were logged to the
database. Alert statistics as given by Snort are shown in the following
table.
22. The next table shows the types of alerts logged by Snort, listed with
the corresponding Snort Signature ID and Signature Group ID. The Alert
Classification column provides enough detail to understand the nature
of each type of intrusion.
The Cisco ACL rules executed on the router and obtained from the router
using the “show access-lists” command are as follows:
Extended IP access list 103
10 deny tcp host 197.218.177.69 any
20 deny tcp host 172.16.112.50 any
30 deny tcp host 196.227.33.189 any
40 deny tcp host 172.16.112.207 any
50 deny tcp host 172.16.113.84 any
60 deny tcp host 194.27.251.21 any
70 deny tcp host 135.13.216.191 any
80 deny tcp host 172.16.114.168 any
90 deny tcp host 195.73.151.50 any
100 deny tcp host 172.16.114.207 any
110 deny tcp host 194.7.248.153 any
120 deny tcp host 197.182.91.233 any
130 deny tcp host 135.8.60.182 any
140 deny tcp host 172.16.114.148 any
150 deny tcp host 172.16.113.204 any
160 deny tcp host 152.169.215.104 any
170 deny tcp host 172.16.112.149 any
180 deny tcp host 172.16.113.105 any
190 deny tcp host 172.16.114.169 any
200 deny tcp host 172.16.113.50 any
210 deny tcp host 196.37.75.158 any
220 deny tcp host 195.115.218.108 any
230 deny tcp host 172.16.112.194 any
240 deny udp host 152.169.215.104 any
24. Advantages of the presented system
The system can be implemented on a variety of platforms
Has a very simple approach
Is easy to configure
Does not incur any cost for implementation, as both the routers and the
computer are already present in the network
Does not need any specialized person for its operation.
25. Limitations
The system, in its current implementation, might not be suitable for
networks using DHCP (Dynamic Host Configuration Protocol).
Intrusions contained in a single packet can still enter the network.
26. Possible improvement
The work can be extended from a centralized to a distributed system
to extend its capabilities.
The system can be modified to act as a host intrusion prevention
system and work without any router to block intrusions on a host.
The system can also be enhanced so that it is suitable for
networks using DHCP (Dynamic Host Configuration Protocol).
27. Conclusion
Using Snort as the IDS to detect intrusions and using Snort alerts to
generate Cisco ACLs to block the potential intrusions provides a very
cost-effective way to prevent intrusion. The approach is very simple; it
does not need any special hardware and uses what is already present in
every major network, i.e. a router and a computer, which is used as an
intrusion sensor.
Provided Snort is fine-tuned for the network to be secured, the
proposed system will provide very good performance in preventing
intrusions into the network.