Using CLIPS to Detect Network Intrusions (CLIPNIDS)
Phase III MSE Project
Sripriya Marry

Committee Members:
Dr. David Gustafson (Major Professor)
Dr. Rodney Howell
Dr. Mitchell Nielsen
Phase Deliverables
Action Items
Assessment Evaluation
Project Evaluation
User Manual
Network Data Model Action Items
Packet Data Model
OCL for CLIPNIDS

Context Packet
  def: syn: Boolean = self.tcp.syn = true and self.tcp.ack = false
  def: synAck: Boolean = self.tcp.syn = true and self.tcp.ack = true
  def: oppositeIPFlow(p: Packet): Boolean =
      self.ip.sourceAddr = p.ip.destAddr and self.ip.destAddr = p.ip.sourceAddr
  def: oppositeTCPFlow(p: Packet): Boolean =
      self.oppositeIPFlow(p) and
      self.tcp.sourcePort = p.tcp.destPort and self.tcp.destPort = p.tcp.sourcePort
  def: occuredWithin(t: Integer, p: Packet): Boolean =
      self.timeStamp > p.timeStamp and ((self.timeStamp - p.timeStamp) < t)
Context Packet
  Inv OpenPort:
    Packet.allInstances->forAll(p1, p2 |
      (p1.syn and p2.synAck and p1.oppositeTCPFlow(p2) and p2.occuredWithin(2000, p1))
      implies IPStack.allInstances->exists(i |
        i.ipAddr = p2.ip.sourceAddr and
        i.ports->exists(po : Port |
          po.state = PortState::Open and po.type = PortType::TCP and
          po.number = p2.tcp.sourcePort)))
    and Alarm.allInstances->exists(a |
      a.exploit->exists(e : Exploit | e.description = "Open Port Present"))

Context Session
  Inv Suspect:
    self.Packets.allInstances->forAll(p : Packet |
      p.ip.sourceAddr = " " and p.ip.destAddr = " "
      implies self.alarm->exists(a : Alarm |
        a.exploit->exists(e : Exploit | e.description = "Packet from suspected host")))
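The two OCL invariants above (OpenPort on the Packet context and Suspect on the Session context) both quantify over the same Packet model, so the following added example implements them together in one place. It is illustrative code written for this page, not the CLIPNIDS project's own C/CLIPS implementation. The Packet class, the millisecond timestamp unit, the SAMPLE capture and the suspected-host addresses are all constructed assumptions; the slide leaves the suspected addresses blank.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for the slide's Packet: IP addresses, TCP ports, TCP flags, timestamp."""
    src_addr: str
    dst_addr: str
    src_port: int
    dst_port: int
    syn: bool
    ack: bool
    time_stamp: int  # assumed unit: milliseconds (the slide does not state a unit)

    # def: syn  -- SYN set, ACK clear (first packet of a handshake)
    def is_syn(self) -> bool:
        return self.syn and not self.ack

    # def: synAck -- SYN and ACK both set (server's reply, only sent for an open port)
    def is_syn_ack(self) -> bool:
        return self.syn and self.ack

    # def: oppositeIPFlow
    def opposite_ip_flow(self, p: "Packet") -> bool:
        return self.src_addr == p.dst_addr and self.dst_addr == p.src_addr

    # def: oppositeTCPFlow -- reversed IP pair and reversed port pair
    def opposite_tcp_flow(self, p: "Packet") -> bool:
        return (self.opposite_ip_flow(p)
                and self.src_port == p.dst_port
                and self.dst_port == p.src_port)

    # def: occuredWithin -- self strictly after p, and less than t units later
    def occurred_within(self, t: int, p: "Packet") -> bool:
        return self.time_stamp > p.time_stamp and (self.time_stamp - p.time_stamp) < t


def open_ports(packets: List[Packet], window: int = 2000) -> Set[Tuple[str, int]]:
    """Inv OpenPort: a SYN (p1) answered by a SYN-ACK (p2) on the reversed flow within
    `window` implies an open TCP port on the SYN-ACK sender. Returns (ipAddr, port) pairs."""
    found: Set[Tuple[str, int]] = set()
    for p1 in packets:
        if not p1.is_syn():
            continue
        for p2 in packets:
            if (p2.is_syn_ack() and p1.opposite_tcp_flow(p2)
                    and p2.occurred_within(window, p1)):
                found.add((p2.src_addr, p2.src_port))
    return found


def alarms(packets: List[Packet], suspected_src: str, suspected_dst: str,
           window: int = 2000) -> List[str]:
    """Both invariants' alarm side: one 'Open Port Present' line per inferred open port,
    then one 'Packet from suspected host' line per packet matching the Session's
    suspected source/destination pair (Inv Suspect)."""
    out: List[str] = []
    for addr, port in sorted(open_ports(packets, window)):
        out.append(f"Open Port Present: {addr}:{port}/tcp")
    for p in packets:
        if p.src_addr == suspected_src and p.dst_addr == suspected_dst:
            out.append(f"Packet from suspected host: {p.src_addr} -> {p.dst_addr}")
    return out


# Constructed sample capture (not real traffic); timestamps in assumed milliseconds.
SAMPLE: List[Packet] = [
    Packet("10.0.0.5", "10.0.0.9", 40001, 22, True, False, 1000),   # SYN to port 22
    Packet("10.0.0.9", "10.0.0.5", 22, 40001, True, True, 1015),    # SYN-ACK: port 22 is open
    Packet("10.0.0.5", "10.0.0.9", 40002, 81, True, False, 1100),   # SYN to 81, never answered
    Packet("10.0.0.5", "10.0.0.9", 40003, 443, True, False, 2000),  # SYN to 443
    Packet("10.0.0.9", "10.0.0.5", 443, 40003, True, True, 4500),   # SYN-ACK 2500 ms later: outside window
    Packet("10.0.0.9", "10.0.0.5", 443, 40003, True, True, 1999),   # SYN-ACK before the SYN: not counted
]

if __name__ == "__main__":
    for line in alarms(SAMPLE, "10.0.0.5", "10.0.0.9"):
        print(line)
```

The nested loop mirrors the OCL `allInstances->forAll(p1, p2 | ...)` quantifier directly, so it is quadratic in the number of packets; a production detector would instead key pending SYNs by their (src, dst, sport, dport) 4-tuple and expire them after the window. The strict inequalities in `occurred_within` matter: a SYN-ACK carrying the same timestamp as the SYN, or arriving exactly `window` units later, is not treated as a reply, which is what the invariant as written specifies.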
Phase I
Phase II
Phase III
Lessons Learnt
Networking domain knowledge: packets, protocols
APIs used in networking: DAQ, pcap files
Linux, C, Bash scripting, GDB
CLIPS expert system: CLIPS rules and facts
Technical Challenges
Compiling errors
Debugging
Schedule
Execution and Testing
Specifying the source IP address of the suspected machine in CLIPS
Display of the alarm
Thank you!