Using CLIPS to Detect Network Intrusions - (CLIPNIDS) Phase III MSE Project Sripriya Marry Committee Members Dr. David Gustafson (Major Professor) Dr. Rodney Howell Dr. Mitchell Nielsen
Phase Deliverables
- Action Items
- Assessment Evaluation
- Project Evaluation
- User Manual

Network Data Model Action Items

Packet Data Model

OCL for CLIPNIDS

context Packet
def: syn : Boolean = self.tcp.syn = true and self.tcp.ack = false
def: synAck : Boolean = self.tcp.syn = true and self.tcp.ack = true
def: oppositeIPFlow(p : Packet) : Boolean =
  self.ip.sourceAddr = p.ip.destAddr and self.ip.destAddr = p.ip.sourceAddr
def: oppositeTCPFlow(p : Packet) : Boolean =
  self.oppositeIPFlow(p) and self.tcp.sourcePort = p.tcp.destPort and self.tcp.destPort = p.tcp.sourcePort
def: occuredWithin(t : Integer, p : Packet) : Boolean =
  self.timeStamp > p.timeStamp and (self.timeStamp - p.timeStamp) < t

context Packet
inv OpenPort:
  Packet.allInstances()->forAll(p1, p2 |
    (p1.syn and p2.synAck and p1.oppositeTCPFlow(p2) and p2.occuredWithin(2000, p1))
    implies
      (IPStack.allInstances()->exists(i |
         i.ipAddr = p2.ip.sourceAddr and
         i.ports->exists(po : Port |
           po.state = PortState::Open and po.type = PortType::TCP and po.number = p2.tcp.sourcePort))
       and Alarm.allInstances()->exists(a |
         a.exploit->exists(e : Exploit | e.description = "Open Port Present"))))

A SYN from p1 answered by a SYN/ACK on the reverse TCP flow (p2) within 2000 time units is taken as evidence that the responding host has that TCP port open, so the model must record the open port and raise an "Open Port Present" alarm.

context Session
inv Suspect:
  self.packets->forAll(p : Packet |
    (p.ip.sourceAddr = " " and p.ip.destAddr = " ")
    implies self.alarm->exists(a : Alarm |
      a.exploit->exists(e : Exploit | e.description = "Packet from suspected host")))

The source and destination addresses of the suspected machine are left blank on the slide; they are supplied when the rule is configured.
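The two invariants above, written as CLIPS templates, facts and rules. This is an added example and not code from the CLIPNIDS project: the template slot names, the alarm layout, the assumption that timestamps are in milliseconds (so 2000 time units is 2 s), and all addresses, ports and timestamps in the sample facts are constructed for illustration.

```clips
;; Added example (not CLIPNIDS project code): the OCL invariants OpenPort
;; and Suspect expressed as CLIPS templates and rules.  Slot names,
;; timestamps (assumed milliseconds) and addresses are constructed.

(deftemplate packet
   (slot ts       (type INTEGER))            ; capture timestamp, ms
   (slot src-ip   (type STRING))
   (slot dst-ip   (type STRING))
   (slot src-port (type INTEGER))
   (slot dst-port (type INTEGER))
   (slot syn      (type SYMBOL) (allowed-symbols yes no))
   (slot ack      (type SYMBOL) (allowed-symbols yes no)))

(deftemplate open-port
   (slot ip   (type STRING))
   (slot port (type INTEGER)))

(deftemplate suspect-host                     ; configured by the operator
   (slot ip (type STRING)))

(deftemplate alarm
   (slot description (type STRING))
   (slot detail      (type STRING)))

;; OCL inv OpenPort: a SYN from c:cp to s:sp followed by a SYN/ACK on the
;; opposite TCP flow within 2000 time units proves that s:sp is open.
(defrule open-port-present
   (packet (ts ?t1) (src-ip ?c) (dst-ip ?s)
           (src-port ?cp) (dst-port ?sp) (syn yes) (ack no))
   (packet (ts ?t2&:(> ?t2 ?t1)&:(< (- ?t2 ?t1) 2000))
           (src-ip ?s) (dst-ip ?c)
           (src-port ?sp) (dst-port ?cp) (syn yes) (ack yes))
   (not (open-port (ip ?s) (port ?sp)))      ; fire once per (ip, port)
   =>
   (assert (open-port (ip ?s) (port ?sp)))
   (assert (alarm (description "Open Port Present")
                  (detail (str-cat ?s ":" ?sp)))))

;; OCL inv Suspect: any packet whose source is a listed host raises an alarm.
(defrule packet-from-suspected-host
   (suspect-host (ip ?bad))
   (packet (ts ?t) (src-ip ?bad) (dst-ip ?dst))
   =>
   (assert (alarm (description "Packet from suspected host")
                  (detail (str-cat ?bad " -> " ?dst " at " ?t)))))

(defrule report-alarm
   (alarm (description ?d) (detail ?x))
   =>
   (printout t "ALARM: " ?d " [" ?x "]" crlf))

;; Constructed sample traffic: one completed handshake to port 22, one SYN
;; to port 23 that gets no reply (closed or filtered, so no open-port fact),
;; and one packet from the configured suspect host.
(deffacts sample-traffic
   (suspect-host (ip "198.51.100.7"))
   (packet (ts 1000) (src-ip "192.0.2.10") (dst-ip "192.0.2.20")
           (src-port 40001) (dst-port 22) (syn yes) (ack no))
   (packet (ts 1015) (src-ip "192.0.2.20") (dst-ip "192.0.2.10")
           (src-port 22) (dst-port 40001) (syn yes) (ack yes))
   (packet (ts 2000) (src-ip "192.0.2.10") (dst-ip "192.0.2.20")
           (src-port 40002) (dst-port 23) (syn yes) (ack no))
   (packet (ts 3000) (src-ip "198.51.100.7") (dst-ip "192.0.2.20")
           (src-port 5555) (dst-port 80) (syn yes) (ack no)))
```

Save the block as a file (the name is up to you), then at the CLIPS prompt run (load "that-file.clp"), (reset) and (run). The expected result is two alarms: "Open Port Present" for 192.0.2.20:22, and "Packet from suspected host" for the packet from 198.51.100.7; the unanswered SYN to port 23 produces nothing, which is the correct behaviour because the OpenPort invariant only counts a SYN that was actually acknowledged. The (not (open-port ...)) condition keeps a long-running capture from raising the same open-port alarm on every retransmitted handshake.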

Phase I

Phase II

Phase III

Lessons Learnt
- Networking domain knowledge: packets, protocols
- APIs used in networking: DAQ, pcap files
- Linux, C, Bash scripting, GDB
- CLIPS expert system: CLIPS rules and facts

Technical Challenges
- Compiling errors
- Debugging
- Schedule

Execution and Testing
- Specifying the source IP address of the suspected machine in CLIPS
- Display of the alarm

Thank you!