Major Project Report 7th Semester


  • 8/3/2019 Major Project Report 7th Semester

    1/61

    NETWORK INTRUSION DETECTION SYSTEM Based on

    IP Packets

    A Project Report Submitted at

    Rajiv Gandhi Proudyogiki Vishwavidyalaya, Bhopal

    In partial fulfillment of the degree

    Of

    Bachelor of Engineering

    In

    Computer Science & Engineering

    Department of Computer Science and Engineering

    Vindhya Institute of Technology and Science

    Indore, 2011-2012


    NETWORK INTRUSION DETECTION SYSTEM Based On

    IP Packets

    A Project Report Submitted at

    Rajiv Gandhi Proudyogiki Vishwavidyalaya, Bhopal

    In partial fulfillment of the degree

    of

    Bachelor of Engineering

    In

    Computer Science & Engineering

    Guided By:
    Mr. Pankaj Patel

    Submitted By:
    Kunal Ahuja (0839CS081046)
    Vijay Khatri (0839CS081114)
    Gaurav Pagare (0839CS081031)

    Department of Computer Science and Engineering

    Vindhya Institute of Technology and Science

    Indore, 2011-2012


    ACKNOWLEDGEMENT

    One of the sanguine parts of the project is to express heart-felt gratitude towards all those who

    have provided their invaluable support and kind cooperation in the successful completion of the

    project.

    With profound gratitude we owe our enshrined respect and indebtedness to Dr. D.P. Kothari the

    honorable Director General of our institute.

    Our sincere thanks to Mr. Ashish Tiwari HOD (Computer Science & Engineering

    Department) for his support.

    Our heartfelt thanks are due to Mr. Pankaj Patel, our project guide, without whose

    guidance it would have been impossible to complete the project successfully.

    We would also like to convey our sincere thanks to the management and staff for helping us in

    successful development of the project.

    Words fall short of expression when it comes to expressing thanks to our family and friends

    whose support and encouragement have been valuable to help us throughout the project.

    Kunal Ahuja [0839CS081046]

    Vijay Khatri [0839CS081114]

    Gaurav Pagare [0839CS081031]


    CERTIFICATE

    This is to certify that

    Kunal Ahuja [0839CS081046]

    Vijay Khatri [0839CS081114]

    Gaurav Pagare [0839CS081031]

    have completed their Major Project work titled Network Intrusion Detection System Based

    on IP Packets as per the syllabus and have submitted a satisfactory report on this project as a part

    of fulfillment towards the degree of Bachelor of Engineering in Computer Science &

    Engineering from Rajiv Gandhi Proudyogiki Vishwavidyalaya, Bhopal.

    Signature:

    Name: _______________

    (Project Guide)

    Signature: _______________          Signature: _______________

    Name: __________________            Name: ___________________

    (Internal Examiner)                 (External Examiner)


    LIST OF FIGURES AND TABLES

    FIGURES/TABLES:

    DATA FLOW DIAGRAM
    USE CASE DIAGRAM
    SEQUENCE DIAGRAM
    STATE CHART DIAGRAM
    CLASS DIAGRAM
    ARCHITECTURAL CONTEXT DIAGRAM
    ARCHITECTURAL BEHAVIOURAL DIAGRAM
    SYSTEM ARCHITECTURE DIAGRAM
    CONTROL HIERARCHY DIAGRAM
    I/O FORMS


    TABLE OF CONTENTS

    NETWORK INTRUSION DETECTION SYSTEM ........ 1
    NETWORK INTRUSION DETECTION SYSTEM ........ 2
    TABLE OF CONTENTS ........ 6
    ABSTRACT ........ 8
    2.4.1 Hardware Tools ........ 14
    2.4.2 Software Tools ........ 14
    3. SYSTEM REQUIREMENT ANALYSIS ........ 19
    3.1 Information Gathering ........ 20
    3.2 System Feasibility ........ 20
    3.2.1 Economical Feasibility ........ 20
    3.2.2 Technical Feasibility ........ 21
    3.2.3 Behavioral Feasibility ........ 21
    Name ........ 23
    Aliases ........ 23
    Where/How Used ........ 23
    Description ........ 23
    Format ........ 23
    5. DESIGN ........ 35
    5.1 Architectural design ........ 36
    5.1.1 Architectural Context Diagram ........ 37
    5.1.3 Description of Architectural Design ........ 39
    5.1.4 Control Hierarchy ........ 40
    Definitions, Acronyms, and Abbreviations ........ 60


    1. ABSTRACT

    Intrusion detection has traditionally been performed at the operating system level by

    comparing expected and observed system resource usage. Operating system intrusion

    detection systems can only detect intruders, internal or external, who perform specific system

    actions in a specific sequence or those intruders whose behavior pattern statistically varies

    from a norm. Internal intruders are said to comprise at least fifty percent of intruders but

    Operating system intrusion detection systems are frequently not sufficient to catch such

    intruders since they neither significantly deviate from expected behavior, nor perform the

    specific intrusive actions because they are already legitimate users of the system.

    We hypothesize that application specific intrusion detection systems can use the

    semantics of the application to detect more subtle, stealth-like attacks such as those carried

    out by internal intruders who possess legitimate access to the system and its data and act

    within their bounds of normal behavior, but who are actually abusing the system. To test this

    hypothesis, we developed two extensive case studies to explore what opportunities exist for

    detecting intrusions at the application level, how effectively an application intrusion

    detection system can detect the intrusions, and the possibility of cooperation between an

    application intrusion detection system and an Operating system intrusion detection systems

    to detect intrusions.


    2. INTRODUCTION

    What is an IDS?

    An intrusion is any set of actions that threaten the integrity, availability, or confidentiality of a
    network resource. An intrusion detection system (IDS) monitors network traffic for suspicious
    activity and alerts the system or network administrator. In some cases the IDS may also respond
    to anomalous or malicious traffic by taking action such as blocking the user or source IP address
    from accessing the network. IDS come in a variety of flavors and approach the goal of detecting
    suspicious traffic in different ways. There are network-based (NIDS) and host-based (HIDS)
    intrusion detection systems.

    a) NIDS: Network Intrusion Detection Systems (NIDS) are a subset of security management

    systems that are used to discover inappropriate, incorrect, or anomalous activities within

    networks.

    b) HIDS: Host-based intrusion detection system (HIDS) monitors and analyzes the internals

    of a computing system rather than the network packets on its external interfaces.

    There are IDS that detect by looking for specific signatures of known threats, similar to the way
    antivirus software typically detects and protects against malware, and there are IDS that detect by
    comparing traffic patterns against a baseline and looking for anomalies.

    a. Signature Based: A signature based IDS will monitor packets on the network and

    compare them against a database of signatures or attributes from known malicious

    threats. This is similar to the way most antivirus software detects malware. The


    issue is that there will be a lag between a new threat being discovered and the

    signature for detecting that threat being applied to the IDS. During that lag time,

    the IDS would be unable to detect the new threat. The limitation of this approach

    lies in its dependence on frequent updates of the signature database and its

    inability to generalize and detect novel or unknown intrusions.

    b. Anomaly Based: An IDS which is anomaly based will monitor network traffic

    and compare it against an established baseline. The baseline will identify what is

    normal for that network- what sort of bandwidth is generally used, what

    protocols are used, what ports and devices generally connect to each other- and

    alert the administrator or user when traffic is detected which is anomalous, or

    significantly different, from the baseline. However, statistical anomaly detection is

    not based on an adaptive intelligent model and cannot learn from normal and

    malicious traffic patterns.
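    To make the contrast between the two detection styles concrete, here is a small added example; it is not code from the project report (which was built in Java with the jNetCap library), and Python is used so the logic reads easily. The packet records, the two-entry signature table, the baseline traffic and the mean-plus-three-standard-deviations threshold are all constructed for the demonstration. A known attack from a quiet host is caught only by the signature engine, a novel high-volume attack with no signature yet is caught only by the anomaly engine, and a legitimate host that starts using a port absent from the baseline is flagged by the anomaly engine as well, which is the false-positive side of that approach.

```python
"""Signature-based vs. anomaly-based detection over a constructed packet log.

Added example; not code from the project report.  Packets are reduced to the
fields the two engines look at, and the signature table, baseline traffic and
threshold are constructed for the demonstration.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    src: str        # source IPv4 address
    dst_port: int   # destination TCP port
    payload: bytes  # leading bytes of the application payload


# Constructed signature database: destination port plus a byte pattern known
# to appear in one specific attack.  An attack absent from this table stays
# invisible to the signature engine until an update adds it.
SIGNATURES = {
    "SIG-001 directory traversal": (80, b"../../"),
    "SIG-002 sql tautology":       (80, b"' OR 1=1--"),
}


def signature_alerts(packets):
    """Return the names of the signatures matched, in packet order."""
    return [name
            for p in packets
            for name, (port, pattern) in SIGNATURES.items()
            if p.dst_port == port and pattern in p.payload]


class Baseline:
    """Anomaly engine: a per-source packet-rate limit and the set of
    destination ports observed in traffic assumed to be normal."""

    def __init__(self, normal_packets, k=3.0):
        counts = list(Counter(p.src for p in normal_packets).values())
        # Flag a source that sends more than mean + k*stddev packets per
        # window; k is a tuning knob (constructed value).
        self.rate_limit = mean(counts) + k * pstdev(counts)
        self.known_ports = {p.dst_port for p in normal_packets}

    def alerts(self, packets):
        """Return a set of (source, reason) pairs for anomalous sources."""
        found = set()
        for src, n in Counter(p.src for p in packets).items():
            if n > self.rate_limit:
                found.add((src, "rate"))
        for p in packets:
            if p.dst_port not in self.known_ports:
                found.add((p.src, "unknown port"))
        return found


def build_traffic():
    """Constructed baseline window (8/10/12 packets from three hosts) and a
    later observed window."""
    normal = ([Packet("10.0.0.1", 80, b"GET /index.html")] * 8
              + [Packet("10.0.0.2", 443, b"\x16\x03\x01")] * 10
              + [Packet("10.0.0.3", 80, b"GET /about.html")] * 12)
    observed = (
        # Known attack from an otherwise quiet host: only the signature fires.
        [Packet("10.0.0.1", 80, b"GET /index.html")] * 5
        + [Packet("10.0.0.1", 80, b"GET /../../secret")]
        # Novel attack with no signature yet: only the rate check fires.
        + [Packet("10.0.0.9", 80, b"GET /cgi-bin/new-thing")] * 20
        # Legitimate host using a port the baseline never saw: false positive.
        + [Packet("10.0.0.2", 22, b"SSH-2.0-client")] * 3
    )
    return normal, observed


def detect(normal, observed):
    """Run both engines over the observed window and return their verdicts."""
    baseline = Baseline(normal)
    return {
        "signature": signature_alerts(observed),
        "anomaly": baseline.alerts(observed),
        "rate_limit": round(baseline.rate_limit, 2),  # 14.9 for this data
    }


if __name__ == "__main__":
    for engine, verdict in detect(*build_traffic()).items():
        print(f"{engine}: {verdict}")
```

    The two engines are deliberately independent so that their blind spots are visible side by side: the signature list never sees the novel attack, and the baseline never sees the single traversal request because one packet does not move the source's rate or port set.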

    There are IDS that simply monitor and alert and there are IDS that perform an action or

    actions in response to a detected threat.

    a) Passive IDS: A passive IDS simply detects and alerts. When suspicious or malicious

    traffic is detected an alert is generated and sent to the administrator or user and it is up to

    them to take action to block the activity or respond in some way.

    b) Reactive IDS: Reactive IDS will not only detect suspicious or malicious traffic and alert

    the administrator, but will take pre-defined proactive actions to respond to the threat.

    Typically this means blocking any further network traffic from the source IP address or

    user.
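    The difference between the two response styles is easiest to see on one and the same packet stream. The following is an added example, not code from the report: the detector is a constructed stand-in predicate, and the constructed stream contains a benign packet from the alerting source after the alert, which a reactive IDS drops along with everything else from that address (the "blocking any further network traffic from the source IP address" above), while a passive IDS only records the alert and keeps forwarding. The add/remove block-list methods mirror the "Add New IP into Block List" and "Remove IP from Block List" use cases listed later in the report.

```python
"""Passive vs. reactive handling of the same detection verdicts.

Added example; not code from the project report.  looks_malicious() is a
constructed stand-in for the detection engine so that the response policy is
what the example shows.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    payload: bytes


def looks_malicious(p):
    """Constructed stand-in detector: one fixed byte pattern."""
    return b"../../" in p.payload


@dataclass
class Responder:
    mode: str                                  # "passive" or "reactive"
    block_list: set = field(default_factory=set)
    alerts: list = field(default_factory=list)
    forwarded: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    # Block-list maintenance; the administrator can also do this by hand.
    def add_to_block_list(self, ip):
        self.block_list.add(ip)

    def remove_from_block_list(self, ip):
        self.block_list.discard(ip)

    def handle(self, p):
        """Return what happened to one packet."""
        if p.src in self.block_list:          # blocked source: drop unseen
            self.dropped.append(p)
            return "dropped"
        if looks_malicious(p):
            self.alerts.append(f"ALERT src={p.src} dst_port={p.dst_port}")
            if self.mode == "reactive":       # pre-defined action: block IP
                self.add_to_block_list(p.src)
                self.dropped.append(p)
                return "blocked"
        self.forwarded.append(p)              # passive: alert only
        return "forwarded"

    def run(self, packets):
        return [self.handle(p) for p in packets]


STREAM = [  # constructed
    Packet("10.0.0.5", 80, b"GET /index.html"),
    Packet("10.0.0.5", 80, b"GET /../../secret"),   # triggers the detector
    Packet("10.0.0.5", 443, b"\x16\x03\x01"),        # benign, same source
    Packet("10.0.0.6", 80, b"GET /about.html"),
]


def compare(stream=STREAM):
    """Run both policies over the stream and return their outcomes."""
    passive, reactive = Responder("passive"), Responder("reactive")
    out = {
        "passive": passive.run(stream),
        "reactive": reactive.run(stream),
        "passive_block_list": set(passive.block_list),
        "reactive_block_list": set(reactive.block_list),
        "alerts_each": (len(passive.alerts), len(reactive.alerts)),
    }
    # Unblocking restores delivery for that source.
    reactive.remove_from_block_list("10.0.0.5")
    out["after_unblock"] = reactive.handle(stream[2])
    return out


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```

    Both responders raise exactly one alert; the only difference is what happens to the third packet, which is benign but shares the blocked source address. That collateral drop is the cost of blocking by IP and is why a reactive deployment needs the remove-from-block-list path as much as the add path.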

    Intrusion detection systems help network administrators prepare for and deal with network

    security attacks. These systems collect information from a variety of systems and network

    sources, and analyze them for signs of intrusion and misuse. A variety of techniques have

    been employed for analysis ranging from traditional statistical methods to new machine


    learning approaches.

    2.1 OBJECTIVE

    The main objectives are:

    To make an attempt to detect a suspected intrusion in the monitored system and then alert

    a system administrator.

    To determine that some entity, an intruder, has attempted to gain, or worse, has gained

    unauthorized access to the system.

    To protect secure information of an organization from outside and inside intruders, to

    detect novel or unknown intrusions in real-time.

    To take actions to prevent intrusion. These can include requiring passwords to be

    submitted before a user can gain any access to the system, fixing known vulnerabilities

    that an intruder might try to exploit in order to gain unauthorized access, blocking some

    or all network access, as well as restriction of physical access.

    2.2 SCOPE

    Intrusion detection involves determining that some entity, an intruder, has attempted to gain, or

    worse, has gained unauthorized access to the system. Casual observation shows that none of the

    automated detection approaches seek to identify an intruder before that intruder initiates

    interaction with the system. System administrators routinely take actions to prevent intrusion.

    These can include requiring passwords to be submitted before a user can gain any access to the

    system, fixing known vulnerabilities that an intruder might try to exploit in order to gain


    unauthorized access, blocking some or all network access, as well as restriction of physical

    access. Intrusion detection systems are used in addition to such preventative measures.

    2.3 PROBLEMS IN EXISTING SYSTEM

    There is an existing Intrusion Detection System which is classical signature based. Existing

    system has many problems which are discussed below.

    The classical signature-based approach:

    Cannot detect unknown or new intrusions.

    Patches and regular updates are required.

    The statistical anomaly-based approach:

    Not based on an adaptive intelligent model.

    Cannot learn from normal and malicious traffic patterns.


    2.4 PLATFORM SPECIFICATION

    2.4.1 Hardware Tools:

    Minimum Configuration:

    1. Processor : Pentium IV

    2. Processor Frequency : 233 MHz

    3. Memory : 64 MB, RAM

    4. Video Adapter & Monitor : Super VGA ( 800 X 600 )

    5. Hard Drive Disk Free Space : 1.5 GB

    6. Input Devices : Keyboard & Mouse

    Recommended Configuration:

    1. Processor : Pentium III or Higher

    2. Processor Frequency : 300 MHz or Higher

    3. Memory : 128 MB, RAM or Higher

    4. Video Adapter & Monitor : Super VGA (800 X 600) or Higher

    5. Hard Drive Disk Free Space : 1.5 GB

    6. Input Devices : Keyboard & Mouse

    2.4.2 Software Tools:

    Front End

    1. Operating System Windows Family

    2. Net Beans 6.9 IDE

    3. Java 6u21


    Back End

    1. MySql

    2. SQLyog

    Report Generation

    1. Visual Paradigm 7.2 EE

    2. Microsoft Word 2003/2007

    Technology & Platform: Java

    Java has gained enormous popularity since it first appeared. Its rapid ascension and wide

    acceptance can be traced to its design and programming features, particularly in its promise that

    you can write a program once, and run it anywhere. Java was chosen as the programming

    language for network computers (NC) and has been perceived as a universal front end for the

    enterprise database.

    The computer world currently has many platforms. This has its pros and cons. On the one

    hand it gives more choices to people; on the other hand it becomes more and more difficult to

    produce software that runs on all platforms. With its Java Virtual Machine and API, the Java

    Platform provides an ideal solution to this. The Java Platform is designed for running highly

    interactive, dynamic, and secure applets and applications on networked computer systems. Being

    interactive, dynamic and architecture-neutral, the Java Platform has benefits not only for the

    developer and support personnel, but also for the end user.

    For the end users, the platform provides live, interactive content on the World Wide Web,

    with just-in-time software access. Applications are readily available on all operating

    systems at once. Users do not have to choose operating systems based on the

    applications; they can run the applications on their favorite machines.

    Developers can develop applications on one platform and deliver them to that same platform,

    the Java Platform, which is available on a wide variety of OS and hardware platforms.

    This greatly reduces development cost.

    For support personnel, version control and upgrades are much simplified because Java-enabled

    applications can be kept in a central repository and served from there for each

    individual use.


    MySQL as Backend:

    MySQL Database Management takes care of the complex data storage and retrieval

    systems without the help of conventional programming. It supports extremely large databases

    and the size of database for examination software is likely to be large. The structured query

    language which is used in MySQL is extremely useful for easy data retrieval. MySQL database

    management keeps track of its computer data storage with the help of information stored in the

    system table space. The system table space contains the data dictionary which consists of a

    special collection of tables that contains information about all user objects in the database.

    Purpose of Database:

    Before database management system came along, organizations usually stored

    information in file-processing systems. Keeping organizations information in a file-processing

    system has a number of major disadvantages:

    1. Data Redundancy & Inconsistency: The redundancy leads to higher storage and access

    cost. In addition, it leads to data inconsistency.

    2. Difficulty in Accessing Data: The conventional file processing environment does not

    allow needed data to be retrieved in a convenient and efficient manner.

    3. Data Isolation: Data are scattered in various files, and files may be of different formats; thus retrieval of data becomes difficult.

    4. Integrity Problems: The data values stored in the database must satisfy certain types of

    consistency constraints.


    5. Atomicity Problems: It is difficult to ensure atomicity in a conventional file processing

    system.

    6. Concurrent Access Anomalies: For the sake of overall performance of the system and

    faster response, many systems allow multiple users to update the data simultaneously.

    7. Security Problems: Since application programs are added to the file-processing system

    in an ad hoc manner, enforcing security constraints is difficult.

    Features & Abilities of Database Management System:

    1. Query Ability: A database query language and report writer to allow users to

    interactively interrogate the database, analyze its data and update it according to the

    user's privileges on data. It also controls the security of the database. Data security

    prevents unauthorized users from viewing or updating the database. Using passwords,

    users are allowed access to the entire database or subsets of it called subschemas.

    2. Backup & Replication: Copies of attributes need to be made regularly in case primary

    disks or other equipment fails. A periodic copy of attributes may also be created for a

    distant organization that cannot readily access the original. DBMS usually provide

    utilities to facilitate the process of extracting and disseminating attribute sets. When data

    is replicated between database servers, so that the information remains consistent

    throughout the database system and users cannot tell or even know which server in the

    DBMS they are using, the system is said to exhibit replication transparency.

    3. Rule Enforcement: Often one wants to apply rules to attributes so that the attributes are

    clean and reliable. For example, we may have a rule that says each car can have only one

    engine associated with it (identified by Engine Number). If somebody tries to associate a

    second engine with a given car, we want the DBMS to deny such a request and display an

    error message. However, with changes in the model specification such as, in this

    example, hybrid gas-electric cars, rules may need to change. Ideally such rules should be

    able to be added and removed as needed without significant data layout redesign.


    4. Security: Often it is desirable to limit who can see or change which attributes or groups

    of attributes. This may be managed directly by individual, or by the assignment of

    individuals and privileges to groups, or (in the most elaborate models) through the

    assignment of individuals and groups to roles which are then granted entitlements.

    5. Computation: There are common computations requested on attributes such as counting,

    summing, averaging, sorting, grouping, cross-referencing, etc. Rather than have each

    computer application implement these from scratch, they can rely on the DBMS to supply

    such calculations.

    6. Change & Access Logging: Often one wants to know who accessed what attributes,

    what was changed, and when it was changed. Logging services allow this by keeping a

    record of access occurrences and changes.

    7. Automated Optimization: If there are frequently occurring usage patterns or requests,

    some DBMS can adjust themselves to improve the speed of those interactions. In some

    cases the DBMS will merely provide tools to monitor performance, allowing a human

    expert to make the necessary adjustments after reviewing the statistics collected.


    3. SYSTEM REQUIREMENT ANALYSIS

    3.1 Information Gathering

    Information gathering is one of the most important steps in the development of any project or

    software and it is the part of project and software which actually starts before the project actually

    starts. It includes questionnaires with client and other people involved in the system under

    consideration.

    Now, since our system is not being developed considering a particular client in mind,

    questionnaires and interviews cannot be carried out. As our project is related to an Intrusion

    Detection System, we started the information gathering phase by understanding what an

    Intrusion Detection System basically is, what its basic requirements are and in which environment it

    will be implemented and deployed.

    In our project information gathering mainly includes analyzing different Intrusion Detection

    System software in order to gather information about different fields.

    It mainly includes:

    About Functionalities: Here we analyze the functionalities of Intrusion Detection System.

    About Front-End Design: Analyze different Intrusion Detection System software to take an

    idea about better interaction & help us make a user friendly interface. It also helps to

    maintain a proper flow throughout our project.

    3.2 System Feasibility

    System feasibility deals with the utility, efficiency and quality of the system (Project).

    Feasibility study is done to find out whether the system will be beneficial for the concerned

    user and the organization or not.

    3.2.1 Economical Feasibility

    Economic feasibility check is an evaluation process carried out to determine development

    cost and profit incurred after deployment.

    In our project:


    Software: The software used in developing this project is either provided by the

    college or available as freeware from software websites.

    Hardware: The configuration cost for the system is negligible as all the hardware

    needed is already being provided to us by the college.

    3.2.2 Technical Feasibility

    All projects are feasible, given unlimited resources and infinite time. Our project uses the

    Microsoft Windows platform and J2SE as the implementation language; it needs the

    following resources:

    Operating System Windows, Linux Family

    Net Beans IDE 6.8

    Java 6u20

    jNetCap API Library

    Visual Paradigm 7.2 EE

    MySQL/ SQLyog

    Microsoft Word 2003/2007

    Any processor of Pentium family Above P-III

    Minimum 64 MB or above RAM

    Since the resources demanded are easily available and are compatible with each other,

    hence our project is technically feasible.

    3.2.3 Behavioral Feasibility

    People are inherently resistant to change, and computers have been known to facilitate

    change. All estimates regarding reaction, comfort and ease of use for the people it is

    meant for should be made in advance. Our project has all this; hence our project is

    behaviourally feasible.


    4. SYSTEM ANALYSIS

    4.1 Information Flow Representation

    4.1.1 Data Dictionary

    A data dictionary is a structured repository of the data about the data. The advantages of data

    dictionary are:

    1. It provides documentation of the entire available data.

    2. It provides consistent definitions of various elements, terms and procedures etc.

    3. The system can be used to compare the existing and available data.

    Name: Network Traffic

    Aliases: IP Packet

    Where/How Used: Traffic Analysis (Input)

    Description: Source IP Address, Destination IP Address, Type: Attack / Normal

    Format: IPv4 (Internet Protocol version 4)

    Table 1: Data Dictionary
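    The record above is what the Traffic Analysis process produces for each captured packet. As an added example (not the project's code, which captured packets in Java via jNetCap), here is a Python parser that extracts that record from raw IPv4 header bytes and refuses packets whose version, header length, total length or header checksum fields are inconsistent, since a detector that trusts those fields blindly can be fed malformed input. The header builder, the test addresses and the known-bad-sources list that sets the Type field are all constructed for the demonstration.

```python
"""Parse an IPv4 header into the data-dictionary record of Table 1.

Added example; not code from the project report.  build_ipv4() constructs
test input (a minimal 20-byte header with the checksum filled in) so the
parser can be exercised offline; the Type field is decided by a constructed
list of known bad sources standing in for the real classifier.
"""
import ipaddress
import struct

HEADER_FMT = "!BBHHHBBH4s4s"   # RFC 791 fixed header, 20 bytes


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; 0 for a header whose checksum
    field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 6) -> bytes:
    """Constructed test input: IPv4, IHL=5, no options, checksum computed."""
    ver_ihl = (4 << 4) | 5
    head = struct.pack(HEADER_FMT, ver_ihl, 0, 20 + len(payload), 0x1234, 0,
                       64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(head)
    return head[:10] + struct.pack("!H", csum) + head[12:] + payload


class BadPacket(ValueError):
    """Raised for a capture that should not be fed to the detector."""


def parse_ipv4(raw: bytes, known_bad_sources=frozenset()):
    """Return the Table 1 record for one captured packet or raise BadPacket."""
    if len(raw) < 20:
        raise BadPacket("shorter than a minimal IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        HEADER_FMT, raw[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise BadPacket(f"not IPv4 (version {version})")
    if ihl < 20 or len(raw) < ihl:
        raise BadPacket("header length field inconsistent with capture")
    if total_len < ihl or total_len > len(raw):
        raise BadPacket("total length field inconsistent with capture")
    if ipv4_checksum(raw[:ihl]) != 0:
        raise BadPacket("header checksum mismatch")
    src_ip = str(ipaddress.IPv4Address(src))
    return {
        "Name": "Network Traffic",
        "Format": "IPv4",
        "Source IP Address": src_ip,
        "Destination IP Address": str(ipaddress.IPv4Address(dst)),
        "Protocol": proto,
        "Type": "Attack" if src_ip in known_bad_sources else "Normal",
    }


def demo():
    """Constructed inputs: a valid packet, a tampered copy and a truncated one."""
    good = build_ipv4("192.168.1.10", "192.168.1.1", b"GET / HTTP/1.0\r\n")
    bad_sources = frozenset({"203.0.113.7"})       # constructed block list
    results = {"good": parse_ipv4(good, bad_sources)}
    # Source address overwritten but the checksum left stale.
    tampered = good[:12] + b"\x00\x00\x00\x00" + good[16:]
    for label, raw in (("tampered", tampered), ("truncated", good[:10])):
        try:
            parse_ipv4(raw, bad_sources)
            results[label] = "accepted"
        except BadPacket as err:
            results[label] = str(err)
    results["flagged"] = parse_ipv4(
        build_ipv4("203.0.113.7", "192.168.1.1", b""), bad_sources)["Type"]
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

    The checksum test is cheap and catches the common case of a header field being altered after the checksum was computed, but it is not a security control on its own: a sender that forges the whole header can compute a correct checksum for it, so the Type field still has to come from the detection logic, not from the header.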


    4.1.2 Data Flow Diagram

    A graphical tool used to describe and analyze the movement of data through a system, manual or

    automated, including the processes, stores of data, and delays in the system. Data flow diagrams are the

    central tools and the basis from which other components are developed. The transformation of

    data from input to output, through processes, may be described logically and independently of

    the physical components associated with the system.

    Fig 1: DFD Level-0


    Fig 2: DFD Level-1


    Fig 3: DFD Level-2

    1. Traffic Analysis.

    2. Response.

    3. Add IP.

    4. View IP

    5. Update Data.

    6. Retrieve Data.


    4.1.3 Use Case Diagram:

    A use case diagram is a type of behavioral diagram defined by the Unified Modeling Language

    (UML) and created from a Use-case analysis. Its purpose is to present a graphical overview of

    the functionality provided by a system in terms of actors, their goals (represented as use cases),

    and any dependencies between those use cases. The main purpose of a use case diagram is to

    show what system functions are performed for which actors. Roles of the actors in the system

    can be depicted.

    Use case diagrams depict:

    Use cases: A use case describes a sequence of actions that provide something of measurable

    value to an actor and is drawn as a horizontal ellipse.

    Actors: An actor is a person, organization, or external system that plays a role in one or more

    interactions with your system. Actors are drawn as stick figures.

    Associations: Associations between actors and use cases are indicated in use case diagrams by

    solid lines. An association exists whenever an actor is involved with an interaction described by

    a use case. Associations are modelled as lines connecting use cases and actors to one another,

    with an optional arrowhead on one end of the line.

    Fig 4: Use Case Diagram


    4.1.4 Sequence Diagram:

    A sequence diagram is an interaction diagram in UML that emphasizes the time ordering of

    messages. It shows how processes operate with one another and in what order. It shows parallel

    vertical lines as different processes or objects that live simultaneously, and horizontal arrows as

    the messages exchanged between them, in the order in which they occur.

    The boxes across the top of the diagram represent the use cases, objects, classes, or actors. The

    dashed lines hanging from the boxes are called object lifelines, representing the life span of the

    object during the scenario being modeled. The long, thin boxes on the lifelines are activation

    boxes, also called method-invocation boxes, which indicate that processing is being performed by the

    target object/class to fulfill a message. Messages are indicated on UML sequence diagrams as

    labeled arrows; when the source and target of a message are an object or class, the label is the

    signature of the method invoked in response to the message. Return values are optionally

    indicated using dashed arrows with a label indicating the return value.

    4.1.4.1 Login/Logout

    Fig 5: Login/Logout Sequence Diagram


    4.1.4.2 Traffic Analysis

    Fig 6: Traffic Analysis Sequence Diagram

    4.1.4.3 View IP on Network

    Fig 7: View IP Sequence Diagram


    4.1.4.4 Add New IP Address into Network

    Fig 8: Add New IP Sequence Diagram

    4.1.4.5 View Block List

    Fig 9: View Block List Sequence Diagram


    4.1.4.6 Remove IP from Block List

    Fig 10: Remove IP from Block List Sequence Diagram

    4.1.4.7 Add New IP into Block List

    Fig 11: Add New IP into Block List Sequence Diagram


    4.1.4.8 Change Password

    Fig 12: Change Password Sequence Diagram

    4.1.4.9 Remove IP from Network

    Fig 13: Remove IP Sequence Diagram


    4.1.5 State Chart Diagram:

    Fig 14: State Chart Diagram


    4.1.6 Class Diagram:

    The class diagram shows the building blocks of any object-oriented system. Class diagrams

    depict a static view of the model, or part of the model, describing what attributes and behavior it

    has rather than detailing the methods for achieving operations. Class diagrams are most useful in

    illustrating relationships between classes and interfaces. Generalizations, aggregations, and

    associations are all valuable in reflecting inheritance, composition or usage, and connections

    respectively.

    Fig 15: Class Diagram


    5. DESIGN


    5.1 Architectural design

Architectural design represents the structure of data and program components that are required to
build a computer-based system. It considers the architectural style that the system will take, the
structure and properties of the components that constitute the system, and the interrelationships
that occur among all architectural components of a system.

Architectural design also shows which classes are used and how they interact with each other to
provide the full functionality. The system can follow either a 2-tier or a 3-tier architecture: a
2-tier architecture consists of a frontend and a backend, while a 3-tier architecture adds a middle
tier between them.

    Architectural Context Diagram

    Architectural Behavioral Diagram


5.1.1 Architectural Context Diagram

The architectural design defines the relationship between the major structural elements of the
Intrusion Detection System, the design patterns that can be used to achieve the requirements
that have been defined for the system, and the constraints that affect the way in which
architectural design patterns can be applied. The architectural design representation, the
framework of the Intrusion Detection System, can be derived from the system specification, the
analysis model, and the interaction of the subsystems defined within the analysis model.

    The main aspects that are considered during architectural design are:

    The primary objective of architectural design is to develop a modular program structure and

    represent the control relationships between modules.

    Secondly, architectural design melds program structure and data structure, defining interfaces

    that enable data to flow throughout the program.

    Fig 16: Architectural Context Diagram


    5.1.2 Architectural Behavioral Diagram

    Behavior diagrams emphasize what must happen in the system being modeled:

    State machine diagram : standardized notation to describe many systems, from computer

    programs to business processes.

    Use case diagram : shows the functionality provided by a system in terms of actors, their

    goals represented as use cases, and any dependencies among those use cases.

The state chart diagram and the use case diagrams have already been shown earlier in this
document.

    Fig 17: Architectural Behavioral Diagram


    5.1.3 Description of Architectural Design

    Architectural Design represents the structure of data and program components that are required

    to build a computer-based system. It considers the architectural style that the system will take,

    the structure and properties of the components that constitute the system, and the

    interrelationships that occur among all architectural components of a system.

    Chosen System Architecture: Client Server Architecture

The architectural design of a client/server system is often characterized as the
communicating-processes style, which describes the architecture as follows. The goal is to achieve
the quality of scalability. A server exists to serve data to one or more clients, which are
typically located across a network. The client originates a call to the server, which works,
synchronously or asynchronously, to serve the client's request. If the server works

    Fig 18: Architectural Design Diagram

In our project the client is the IDS and the server is the packet-capturing component (the
jNetPcap API). The client, i.e. the IDS, requests IP packets and the server responds with the
list of captured IP packets.


    5.1.4 Control Hierarchy

Control hierarchy represents the organization of program components (modules) and implies a
hierarchy of control. The most common notation is the tree-like diagram that represents the
hierarchical control. Depth and width indicate the number of levels of control and the overall
span of control, respectively. Fan-out is a measure of the number of modules that are directly
controlled by another module. Fan-in indicates how many modules directly control a given module.

    Control hierarchy also represents two subtly different characteristics of software architecture:

    Visibility

    Connectivity

    Fig 19: Control Hierarchy Diagram


    5.2 Procedural / Modular Approach

    Object-oriented analysis and design (OOAD) is a software engineering approach that models a

    system as a group of interacting objects. Each object represents some entity of interest in the

    system being modeled, and is characterized by its class, its state (data elements), and its

    behavior. Various models can be created to show the static structure, dynamic behavior, and run-

    time deployment of these collaborating objects. There are a number of different notations for

    representing these models, such as the Unified Modeling Language (UML).

    Object-oriented analysis (OOA) applies object-modeling techniques to analyze the

    functional requirements for a system. Object-oriented design (OOD) elaborates the analysis

    models to produce implementation specifications. OOA focuses on what the system does, OOD

    on how the system does it.

    5.2.1 Modules Used

LoginWindow.java: The window in which the administrator authenticates himself and logs in to
the IDS.

DetectionWindow.java: The window in which the administrator monitors the traffic. It also
provides the links to the other operations (Check Network IP Details, View Block Listed IP,
Change Password, Add IP to Block List) and to Logout at the end of the session.

ViewIPOnNetwork.java: The window in which the administrator views the IP addresses of all the
systems directly connected to the network.

AddNewIPIntoNetwork.java: The window in which the administrator inserts new nodes into the
network and adds their details to the database.

ViewBlockList.java: The window in which the administrator checks the details of all blocked IP
addresses and, if necessary, removes an IP address from the Block List.

ChangePassword.java: The window in which the administrator changes the password; changing it
regularly keeps it confidential.


    5.2.2 Internal Data Structures

The internal data structure is the set of tables used in the project. Three tables are used:
the Login Table, the Network IP Details Table and the Block IP Details Table.

Name of Table                Purpose
Login_Table                  To store the admin name and password
Network_IP_Details_Table     To store details of all the machines on the network
Block_IP_Details_Table       To store details of all the blocked machines

Table 2: Internal Data Structure

    5.2.2.1 Login Table

    Fig 20: Login Table

    5.2.2.2 Network IP Details Table

    Fig 21: Network IP Details Table

    5.2.2.3 Block IP Details Table

    Fig 22: Block IP Details Table

    5.2.3 Algorithm Design for Operations


Once the administrator has entered the INTRUSION DETECTION SYSTEM he can analyze the network
traffic by analyzing IP packets. He can view information on all packets or only on anomalous
packets by selecting the appropriate radio button. He can add a new system to the network by
clicking the menu item Add New IP into the Network, and can view the details of all the systems
on the network by clicking the menu item View IP on Network. He can view the details of blocked
IP addresses by clicking the menu item View Blocked IP. He can change his password and log out by
clicking the menu items Change Password and Logout. The administrator can also block any suspected
or intruding IP address by selecting a row shown in the detection window after traffic analysis
and clicking the button Add IP to Block List.
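The analysis behind that detection window, as an added illustration rather than the report's own Java/jNetPcap code: it is written in Python so it runs stand-alone, it parses the IPv4 header from raw bytes, and it applies a set of header-only checks. The report does not spell out its anomaly rules, so the flag names below, the assumed contents of the Network IP and Block IP tables, and the sample packets are all constructed here. Packet 6 is the point made later under Future Scope: a shell command carried in the payload passes every check, because nothing below the IP header is examined.

```python
# Header-only IPv4 analysis for the detection window (added example; assumptions
# are marked in the comments, sample traffic is constructed, not captured).
import ipaddress
import struct
from dataclasses import dataclass

IPV4_FIXED = "!BBHHHBBH4s4s"  # RFC 791 fixed 20-byte header layout


@dataclass
class Ipv4Header:
    version: int
    ihl: int            # header length in 32-bit words, 5 when there are no options
    total_length: int
    ttl: int
    protocol: int
    src: str
    dst: str


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words. With the checksum field zeroed it
    returns the value to store; over a complete header it returns 0 exactly
    when the stored checksum is consistent."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(raw: bytes) -> Ipv4Header:
    """Decode the fixed header; ValueError on a truncated capture."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, length, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_FIXED, raw[:20])
    return Ipv4Header(ver_ihl >> 4, ver_ihl & 0x0F, length, ttl, proto,
                      str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)))


def inspect_header(raw, known_hosts, block_list):
    """Return (header or None, flags). Empty flags means the header looked
    normal. The payload is never examined (assumed rule set, not the report's)."""
    try:
        h = parse_ipv4(raw)
    except ValueError:
        return None, ["truncated"]
    flags = []
    if h.version != 4:
        flags.append("bad-version")
    if h.ihl < 5:
        flags.append("short-header")
    else:
        if ipv4_checksum(raw[:h.ihl * 4]) != 0:
            flags.append("bad-checksum")
        if h.total_length < h.ihl * 4 or h.total_length > len(raw):
            flags.append("length-mismatch")
    if h.src == h.dst:
        flags.append("src-equals-dst")   # LAND-style spoof, visible in the header alone
    if h.src in block_list:
        flags.append("blocked-source")   # hit in Block_IP_Details_Table
    elif h.src not in known_hosts:
        flags.append("unknown-source")   # absent from Network_IP_Details_Table
    return h, flags


def analyse(packets, known_hosts, block_list, only_anomalous=False):
    """Rows for the detection window: all packets, or only the flagged ones,
    matching the two radio buttons described in the text."""
    rows = []
    for idx, raw in enumerate(packets):
        h, flags = inspect_header(raw, known_hosts, block_list)
        if only_anomalous and not flags:
            continue
        rows.append((idx, h.src if h else None, flags))
    return rows


def build_ipv4(src, dst, payload=b"", *, ttl=64, proto=6, total_length=None, corrupt_checksum=False):
    """Construct a sample packet (test data, not captured traffic)."""
    length = 20 + len(payload) if total_length is None else total_length
    head = struct.pack(IPV4_FIXED, 0x45, 0, length, 0x1234, 0x4000, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(head)
    if corrupt_checksum:
        csum ^= 0x0001   # a single-bit error is always caught by the checksum
    return head[:10] + struct.pack("!H", csum) + head[12:] + payload


# Assumed table contents and a constructed capture; indices match the comments.
KNOWN_HOSTS = {"192.168.1.1", "192.168.1.10", "192.168.1.20"}
BLOCK_LIST = {"192.168.1.99"}
SAMPLE_CAPTURE = [
    build_ipv4("192.168.1.10", "192.168.1.1", b"GET / HTTP/1.1\r\n"),         # 0 clean
    build_ipv4("10.0.0.5", "192.168.1.10", b"\x00" * 8),                       # 1 unknown source
    build_ipv4("192.168.1.99", "192.168.1.1"),                                  # 2 blocked source
    build_ipv4("192.168.1.20", "192.168.1.20", b"x"),                           # 3 src == dst
    build_ipv4("192.168.1.10", "192.168.1.1", b"abc", corrupt_checksum=True),   # 4 bad checksum
    build_ipv4("192.168.1.10", "192.168.1.1", b"ab", total_length=4000),        # 5 length lies
    build_ipv4("192.168.1.20", "192.168.1.1", b"... /bin/sh -c id ..."),        # 6 payload-borne, clean header
    b"\x45\x00",                                                                 # 7 truncated
]
```

Calling analyse(SAMPLE_CAPTURE, KNOWN_HOSTS, BLOCK_LIST, only_anomalous=True) returns rows 1 to 5 and 7; rows 0 and 6 have no flags, and row 6 is the one a payload-inspecting rule would have to catch.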

Pseudo Code:

Login Window
{
    if (admin name and password match) then
    {
        Detection Window
        {
            if (want to analyze traffic) then
                click on Traffic Analysis
            else if (want to add IP into block list) then
                click on Add IP into Block List
            else if (want to add new IP address into database) then
                click on Add New IP
            else if (want to view block list) then
            {
                click on View Block List
                if (want to remove IP from Block List) then
                    click on Remove From Block List
            }
        }
    }
    else
        Admin Authentication Failed
}
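The three tables of section 5.2.2 and the Login, Change Password and Block List steps of the pseudo code, as an added example that is not the report's Java and MySQL code. SQLite stands in for MySQL, the column names are assumptions (the page gives only each table's purpose), and two choices are deliberate: every query is parameterised, so an admin name such as ' OR '1'='1 is treated as data rather than SQL, and Login_Table holds a per-admin salt and a PBKDF2 hash instead of the password itself, so a copy of the table does not give away the credential. Whether the report's own Login_Table stores the password in clear is not stated on the page; this is the form a practitioner would want it to have.

```python
# Tables of section 5.2.2 with the login and block-list operations (added example;
# SQLite replaces MySQL and the column names are assumptions).
import hashlib
import hmac
import ipaddress
import os
import sqlite3

SCHEMA = """
CREATE TABLE Login_Table (
    admin_name TEXT PRIMARY KEY,
    salt       BLOB NOT NULL,   -- 16 random bytes, one per admin
    pw_hash    BLOB NOT NULL    -- PBKDF2-HMAC-SHA256(password, salt)
);
CREATE TABLE Network_IP_Details_Table (
    ip_address  TEXT PRIMARY KEY,
    host_name   TEXT,
    mac_address TEXT
);
CREATE TABLE Block_IP_Details_Table (
    ip_address TEXT PRIMARY KEY,
    reason     TEXT,
    blocked_at TEXT DEFAULT CURRENT_TIMESTAMP
);
"""
PBKDF2_ROUNDS = 200_000


def open_db(path=":memory:") -> sqlite3.Connection:
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    return con


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def create_admin(con, name: str, password: str) -> None:
    salt = os.urandom(16)
    con.execute("INSERT INTO Login_Table VALUES (?, ?, ?)", (name, salt, _hash(password, salt)))
    con.commit()


def check_login(con, name: str, password: str) -> bool:
    """Login Window step: parameterised lookup (no string-built SQL) and a
    constant-time comparison of the recomputed hash against the stored one."""
    row = con.execute("SELECT salt, pw_hash FROM Login_Table WHERE admin_name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, _hash(password, salt))


def change_password(con, name: str, old: str, new: str) -> bool:
    """Change Password window: the old password must be proven first."""
    if not check_login(con, name, old):
        return False
    salt = os.urandom(16)
    con.execute("UPDATE Login_Table SET salt = ?, pw_hash = ? WHERE admin_name = ?",
                (salt, _hash(new, salt), name))
    con.commit()
    return True


def add_network_ip(con, ip: str, host_name=None, mac=None) -> None:
    """Add New IP into Network: reject anything that is not an IPv4 address
    (ValueError) before it reaches the table."""
    ip = str(ipaddress.IPv4Address(ip))
    con.execute("INSERT OR REPLACE INTO Network_IP_Details_Table VALUES (?, ?, ?)", (ip, host_name, mac))
    con.commit()


def add_to_block_list(con, ip: str, reason: str) -> None:
    """Add IP into Block List, from a row selected in the detection window."""
    ip = str(ipaddress.IPv4Address(ip))
    con.execute("INSERT OR REPLACE INTO Block_IP_Details_Table (ip_address, reason) VALUES (?, ?)",
                (ip, reason))
    con.commit()


def remove_from_block_list(con, ip: str) -> bool:
    """Remove From Block List; False when the address was not blocked."""
    cur = con.execute("DELETE FROM Block_IP_Details_Table WHERE ip_address = ?", (ip,))
    con.commit()
    return cur.rowcount == 1


def view_block_list(con) -> list:
    return [r[0] for r in con.execute("SELECT ip_address FROM Block_IP_Details_Table ORDER BY ip_address")]


def is_blocked(con, ip: str) -> bool:
    return con.execute("SELECT 1 FROM Block_IP_Details_Table WHERE ip_address = ?", (ip,)).fetchone() is not None


if __name__ == "__main__":
    db = open_db()
    create_admin(db, "admin", "correct horse battery")
    print(check_login(db, "admin", "correct horse battery"))  # True
    print(check_login(db, "' OR '1'='1", "anything"))          # False: the quote is data, not SQL
    add_to_block_list(db, "192.168.1.99", "port scan seen in detection window")
    print(view_block_list(db))                                 # ['192.168.1.99']
```

The PBKDF2 round count is a placeholder; on the target machine it should be raised until a single check takes a noticeable fraction of a second, which slows an attacker who obtains the table far more than it slows the one administrator who logs in.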

    5.3 Data Design


    5.3.1 Data objects and resultant data structures

The data design creates the model of data and information, represented at a high level of
abstraction. The data objects defined during software requirements analysis are modeled using
ER diagrams and a data dictionary (DD). The data design activity translates this element of the
requirements model into data structures at the component level.

    5.4 Interface Design

    5.4.1 Human-machine interface design specification

The interface design is the bridge for interaction between a human and a computer. It creates
effective communication between the human and the computer. Interface design begins with the
identification of the user, task and environmental requirements. It is the representation of the
available information; thus, if the representation is confusing or misleading, users may
misunderstand the meaning of the information. The best possible representation of the data, and
the easiest interface available, is the Graphical User Interface (GUI). The GUI provides windows,
icons, menus, pointers etc. The basic interface design principles are:

User Familiarity: The interfaces in our project are easily understood by the user, that is, the
interface uses user-friendly terms. We have used JFrame to build the various interfaces so that
the user is comfortable with them.

Consistency: The interfaces behave in the same way throughout the project, so the project
satisfies the consistency criterion as a whole and does not break down when an unexpected
problem occurs.

Minimal Surprise: The user must not be surprised by the system's behavior. The system must be
able to handle unexpected input, and even a shutdown must not be abrupt. The system shows no
abrupt switching off or anomalous behavior.

    Interface design focuses on three areas of concern:

    The design of interface between software modules.


    The design of interfaces between the software and other external entities.

    The design of interfaces between user and the computer.

    5.4.2 I/O Forms

    5.4.2.1 Login Window


    Fig 23: Login Window

    5.4.2.2 Detection Window


    Fig 24: Detection Window

    5.4.2.3 View IP on Network Window


    Fig 25: View IP on Network Window

    5.4.2.4 Add IP into Network Window

    Fig 26: Add IP into Network Window

    5.4.2.5 View Block List Window


    Fig 27: View Block List Window

    5.4.2.6 Change Password Window

    Fig 28: Change Password Window

    5.4.2.7 Add IP into Block List Window


    Fig 29: Add IP into Block List Window


6. LIMITATIONS

Although some intrusion detection systems have become very advanced, the data produced by
software and the methods of attackers are also becoming more complex all the time. This makes
it hard to distinguish legitimate use of a system from a possible intrusion.

When an IDS incorrectly identifies an activity as a possible intrusion, the result is a false
alarm, also referred to as a false positive. Badly configured IDSs, and behavior-based IDSs in
particular, can produce many false positives.

A network-based IDS may not always be able to pick up and process all the data on a busy
network.

Another challenge for a network-based IDS is encrypted data; most are able to inspect compressed
data, but encrypted data remains an obstacle simply because the IDS does not have access to the
keys of every device on the network.

Last but not least, an IDS is itself a possible target of attack, since it too has bugs and
exploits.


7. FUTURE SCOPE

Our system works only on IPv4 networks; in future it can be extended to IPv6 networks. We have
analyzed only the packet header, so our system cannot detect exploit intrusions carried in the
payload; payload-analysis features could be added to the system in future.

Right now our system is capable of detecting intrusions only, but in future functionality may be
added to make it capable of preventing intrusions as well as detecting them.

In future the system could also be made more efficient and accurate, as the current version makes
some compromises in its anomaly detection.


8. CONCLUSION

The completed project can detect, with learning techniques, novel attacks that were not detected
by the existing system, Snort. Compared with Snort, which provides high accuracy but is more
time-consuming and requires regular updates, our system can detect intrusions more efficiently
and in less time.

After completing this project we are able to work as a team and have learned how to divide tasks
and cooperate on them. The successful work not only made us proud but also made us good
companions. In this way we completed our project successfully.


9. BIBLIOGRAPHY AND REFERENCES

Books:


[1] Bace, R.G., Intrusion Detection, Technical Publishing, ISBN 1-57870-185-6, 2002.

[2] Lunt, T., Detecting Intruders in Computer Systems, Conference on Auditing and Computer
Technology, 1993.

[3] Johansen, K., Lee, S., Bayesian Network Intrusion Detection, 2003.

[4] MIT Lincoln Laboratory, 1999 DARPA Intrusion Detection Evaluation Design and Procedure,
DARPA Technical Report, Feb 2001.

[5] Chai, W., Li, L., Anomaly Detection Using TCP Header Information, April 26, 2004.

Web Sites:

[6] www.wikipedia.org

[7] www.jnetpcap.com/node

[8] www.netsecurity.about.com/cs/hackertools/a/aa121403.htm

[9] www.oracle.com/technetwork/java/javase/downloads/index.html

[10] www.snort.org


10. APPENDICES


    Definitions, Acronyms, and Abbreviations

    Acronyms

    API : Application Programming Interface

    DFDs : Data Flow Diagrams

    DNS : Domain Name System

    DoS : Denial-of-Service

    DS : Dataset

    GUI : Graphical User Interface

    HIDS : Host-based Intrusion Detection System

    IDS : Intrusion Detection System

    IP : Internet Protocol

    NIDS : Network Intrusion Detection System

    OS : Operating System

TCP/IP : Transmission Control Protocol / Internet Protocol

    UDP : User Datagram Protocol

    Definitions


IDS: An intrusion detection system (IDS) monitors network traffic for suspicious activity and
alerts the system or network administrator. In some cases the IDS may also respond to anomalous
or malicious traffic by taking action such as blocking the user or source IP address from
accessing the network.

NIDS: Network Intrusion Detection Systems (NIDS) are a subset of security management systems
that are used to discover inappropriate, incorrect, or anomalous activity within networks.

HIDS: A host-based intrusion detection system (HIDS) monitors and analyzes the internals of a
computing system rather than the network packets on its external interfaces.

EXPLOITS: These attacks take advantage of a known bug or design flaw in the system.

Denial-of-Service (DoS): These attacks disrupt or deny access to a service or resource.