
1 Using CLIPS to Detect Network Intrusions - (CLIPNIDS) Phase III MSE Project Sripriya Marry Committee Members Dr. David Gustafson (Major Professor) Dr. Rodney Howell Dr. Mitchell Nielsen

2 Phase Deliverables
  - Action Items
  - Assessment Evaluation
  - Project Evaluation
  - User Manual

3 Network Data Model Action Items

4 Packet Data Model

5 OCL for CLIPNIDS

Context Packet
  def: syn: Boolean = self.tcp.syn = true and self.tcp.ack = false
  def: synAck: Boolean = self.tcp.syn = true and self.tcp.ack = true
  def: oppositeIPFlow(p: Packet): Boolean =
    self.ip.sourceAddr = p.ip.destAddr and self.ip.destAddr = p.ip.sourceAddr
  def: oppositeTCPFlow(p: Packet): Boolean =
    self.oppositeIPFlow(p) and self.tcp.sourcePort = p.tcp.destPort and self.tcp.destPort = p.tcp.sourcePort
  def: occuredWithin(t: Integer, p: Packet): Boolean =
    self.timeStamp > p.timeStamp and ((self.timeStamp - p.timeStamp) < t)

6 Context Packet
  inv OpenPort:
    Packet.allInstances->forAll(p1, p2 |
      (p1.syn and p2.synAck and p1.oppositeTCPFlow(p2) and p2.occuredWithin(2000, p1))
      implies
        IPStack.allInstances->exists(i |
          i.ipAddr = p2.ip.sourceAddr and
          i.ports->exists(po : Port |
            po.state = PortState::Open and po.type = PortType::TCP and po.number = p2.tcp.sourcePort))
        and Alarm.allInstances->exists(a |
          a.exploit->exists(e : Exploit | e.description = "Open Port Present")))

Context Session
  inv Suspect:
    self.packets->forAll(p : Packet |
      p.ip.sourceAddr = "210.233.108.255" and p.ip.destAddr = "78.89.242.182"
      implies self.alarm->exists(a : Alarm |
        a.exploit->exists(e : Exploit | e.description = "Packet from suspected host")))
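As an added example (not code from the CLIPNIDS project or these slides), the OpenPort and Suspect invariants of slides 5 and 6 expressed as CLIPS templates, rules and constructed sample facts. It assumes timestamps are integer milliseconds (so the OCL's 2000 is a 2000 ms window) and that each captured packet is asserted as one packet fact.

```clips
;; Constructed example, not CLIPNIDS project code. Assumptions: timestamps
;; are integer milliseconds; one packet fact per captured TCP segment.
(deftemplate packet
   (slot id (type INTEGER))
   (slot timestamp (type INTEGER))
   (slot src-addr (type STRING))
   (slot dst-addr (type STRING))
   (slot src-port (type INTEGER))
   (slot dst-port (type INTEGER))
   (slot syn (type SYMBOL) (allowed-symbols TRUE FALSE))
   (slot ack (type SYMBOL) (allowed-symbols TRUE FALSE)))

(deftemplate alarm
   (slot description (type STRING))
   (slot host (type STRING))
   (slot port (type INTEGER) (default 0)))

;; OpenPort: a SYN answered by a SYN-ACK on the reversed 4-tuple within
;; 2000 ms means the responder's source port is open.
(defrule open-port
   (packet (id ?id1) (timestamp ?t1) (src-addr ?a) (dst-addr ?b)
           (src-port ?pa) (dst-port ?pb) (syn TRUE) (ack FALSE))
   (packet (id ~?id1) (timestamp ?t2&:(> ?t2 ?t1)&:(< (- ?t2 ?t1) 2000))
           (src-addr ?b) (dst-addr ?a) (src-port ?pb) (dst-port ?pa)
           (syn TRUE) (ack TRUE))
   =>
   (assert (alarm (description "Open Port Present") (host ?b) (port ?pb))))

;; Suspect: any packet between the two configured addresses raises an alarm.
(defrule suspect-host
   (packet (src-addr "210.233.108.255") (dst-addr "78.89.242.182"))
   =>
   (assert (alarm (description "Packet from suspected host")
                  (host "210.233.108.255"))))

;; Constructed sample traffic: a completed handshake to port 22, a SYN-ACK
;; for port 80 that arrives 2500 ms after its SYN (outside the window), and
;; one packet from the suspected host.
(deffacts sample-traffic
   (packet (id 1) (timestamp 1000) (src-addr "10.0.0.5") (dst-addr "10.0.0.9")
           (src-port 40000) (dst-port 22) (syn TRUE) (ack FALSE))
   (packet (id 2) (timestamp 1030) (src-addr "10.0.0.9") (dst-addr "10.0.0.5")
           (src-port 22) (dst-port 40000) (syn TRUE) (ack TRUE))
   (packet (id 3) (timestamp 2000) (src-addr "10.0.0.5") (dst-addr "10.0.0.9")
           (src-port 40001) (dst-port 80) (syn TRUE) (ack FALSE))
   (packet (id 4) (timestamp 4500) (src-addr "10.0.0.9") (dst-addr "10.0.0.5")
           (src-port 80) (dst-port 40001) (syn TRUE) (ack TRUE))
   (packet (id 5) (timestamp 4600) (src-addr "210.233.108.255")
           (dst-addr "78.89.242.182") (src-port 5555) (dst-port 25)
           (syn TRUE) (ack FALSE)))
```

After `(load "clipnids-example.clp")`, `(reset)` and `(run)`, `(facts)` lists exactly two alarm facts: "Open Port Present" for host 10.0.0.9 port 22, and "Packet from suspected host". The port-80 SYN-ACK never matches because its 2500 ms delay fails the `(< (- ?t2 ?t1) 2000)` predicate.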

7 Phase I

8 Phase II

9 Phase III

10 Lessons Learnt
  - Networking domain knowledge: packets, protocols
  - APIs used in networking: DAQ, pcap files
  - Linux, C, Bash scripting, GDB
  - CLIPS expert system: CLIPS rules and facts

11 Technical challenges
  - Compiling errors
  - Debugging
  - Schedule

12 Execution and Testing
  - Specifying the source IP address of the suspected machine in CLIPS
  - Display of the alarm

13 Thank you!

