8/3/2019 Major Project Report 7th Semester
1/61
NETWORK INTRUSION DETECTION SYSTEM
Based on IP Packets
A Project Report Submitted at
Rajiv Gandhi Proudyogiki Vishwavidyalaya, Bhopal
In partial fulfillment of the degree
Of
Bachelor of Engineering
In
Computer Science & Engineering
Department of Computer Science and Engineering
Vindhya Institute of Technology and Science
Indore 2011-2012
1
Guided By: Mr. Pankaj Patel
Submitted By: Kunal Ahuja (0839CS081046), Vijay Khatri (0839CS081114), Gaurav Pagare (0839CS081031)
ACKNOWLEDGEMENT
One of the sanguine parts of the project is to express heart-felt gratitude towards all those who
have provided their invaluable support and kind cooperation in the successful completion of the
project.
With profound gratitude we owe our enshrined respect and indebtedness to Dr. D.P. Kothari the
honorable Director General of our institute.
Our sincere thanks to Mr. Ashish Tiwari HOD (Computer Science & Engineering
Department) for his support.
Our heart-felt thanks are due to Mr. Pankaj Patel our project guide in the lack of whose
guidance it would be impossible to complete the project successfully.
We would also like to convey our sincere thanks to the management and staff for helping us in
successful development of the project.
Words fall short of expression when it comes to expressing thanks to our family and friends
whose support and encouragement have been valuable to help us throughout the project.
Kunal Ahuja [0839CS081046]
Vijay Khatri [0839CS081114]
Gaurav Pagare [0839CS081031]
CERTIFICATE
This is to certify that
Kunal Ahuja [0839CS081046]
Vijay Khatri [0839CS081114]
Gaurav Pagare [0839CS081031]
have completed their Major Project work titled Network Intrusion Detection System Based
on IP Packets as per the syllabus and have submitted a satisfactory report on this project as a part
of fulfillment towards the degree of Bachelor of Engineering in Computer Science &
Engineering from Rajiv Gandhi Proudyogiki Vishwavidyalaya, Bhopal.
Signature:
Name: _______________
(Project Guide)
Signature: Signature:
_______________ __
Name: __________________ Name:___________________
(Internal Examiner) (External Examiner)
LIST OF FIGURES AND TABLES
FIGURES/TABLES Page No.
DATA FLOW DIAGRAM
USE CASE DIAGRAM
SEQUENCE DIAGRAM
STATE CHART DIAGRAM
CLASS DIAGRAM
ARCHITECTURAL CONTEXT DIAGRAM
ARCHITECTURAL BEHAVIOURAL DIAGRAM
SYSTEM ARCHITECTURE DIAGRAM
CONTROL HIERARCHY DIAGRAM
I/O FORMS
TABLE OF CONTENTS
NETWORK INTRUSION DETECTION SYSTEM ............................ 1
NETWORK INTRUSION DETECTION SYSTEM ............................ 2
TABLE OF CONTENTS ............................................. 6
ABSTRACT ...................................................... 8
2.4.1 Hardware Tools: ......................................... 14
2.4.2 Software Tools: ......................................... 14
3. SYSTEM REQUIREMENT ANALYSIS ................................ 19
3.1 Information Gathering ..................................... 20
3.2 System Feasibility ........................................ 20
3.2.1 Economical Feasibility .................................. 20
3.2.2 Technical Feasibility ................................... 21
3.2.3 Behavioral Feasibility .................................. 21
Name: ......................................................... 23
Aliases: ...................................................... 23
Where/How Used: ............................................... 23
Description: .................................................. 23
Format: ....................................................... 23
5. DESIGN ..................................................... 35
5.1 Architectural design ...................................... 36
5.1.1 Architectural Context Diagram ........................... 37
5.1.3 Description of Architectural Design ..................... 39
5.1.4 Control Hierarchy ....................................... 40
Definitions, Acronyms, and Abbreviations ...................... 60
ABSTRACT
Intrusion detection has traditionally been performed at the operating system level by
comparing expected and observed system resource usage. Operating system intrusion
detection systems can only detect intruders, internal or external, who perform specific system
actions in a specific sequence or those intruders whose behavior pattern statistically varies
from a norm. Internal intruders are said to comprise at least fifty percent of intruders but
Operating system intrusion detection systems are frequently not sufficient to catch such
intruders since they neither significantly deviate from expected behavior, nor perform the
specific intrusive actions because they are already legitimate users of the system.
We hypothesize that application specific intrusion detection systems can use the
semantics of the application to detect more subtle, stealth-like attacks such as those carried
out by internal intruders who possess legitimate access to the system and its data and act
within their bounds of normal behavior, but who are actually abusing the system. To test this
hypothesis, we developed two extensive case studies to explore what opportunities exist for
detecting intrusions at the application level, how effectively an application intrusion
detection system can detect the intrusions, and the possibility of cooperation between an
application intrusion detection system and an operating system intrusion detection system
to detect intrusions.
2. INTRODUCTION
What is an IDS?
Intrusion is any set of actions that threaten the integrity, availability, or confidentiality of a
network resource. An intrusion detection system (IDS) monitors network traffic for suspicious
activity and alerts the system or network administrator. In some cases the IDS may also respond
to anomalous or malicious traffic by taking action such as blocking the user or source IP address
from accessing the network. IDS come in a variety of flavors and approach the goal of detecting
suspicious traffic in different ways. There are network based (NIDS) and host based (HIDS)
intrusion detection.
a) NIDS: Network Intrusion Detection Systems (NIDS) are a subset of security management
systems that are used to discover inappropriate, incorrect, or anomalous activities within
networks.
b) HIDS: Host-based intrusion detection system (HIDS) monitors and analyzes the internals
of a computing system rather than the network packets on its external interfaces.
There are IDS that detect by looking for specific signatures of known threats, similar to the
way antivirus software typically detects and protects against malware, and there are IDS that
detect by comparing traffic patterns against a baseline and looking for anomalies.
a. Signature Based: A signature based IDS will monitor packets on the network and
compare them against a database of signatures or attributes from known malicious
threats. This is similar to the way most antivirus software detects malware. The
issue is that there will be a lag between a new threat being discovered and the
signature for detecting that threat being applied to the IDS. During that lag time,
the IDS would be unable to detect the new threat. The limitation of this approach
lies in its dependence on frequent updates of the signature database and its
inability to generalize and detect novel or unknown intrusions.
b. Anomaly Based: An IDS which is anomaly based will monitor network traffic
and compare it against an established baseline. The baseline will identify what is
normal for that network- what sort of bandwidth is generally used, what
protocols are used, what ports and devices generally connect to each other- and
alert the administrator or user when traffic is detected which is anomalous, or
significantly different from, the baseline. However, statistical anomaly detection is
not based on an adaptive intelligent model and cannot learn from normal and
malicious traffic patterns.
There are IDS that simply monitor and alert and there are IDS that perform an action or
actions in response to a detected threat.
a) Passive IDS: A passive IDS simply detects and alerts. When suspicious or malicious
traffic is detected an alert is generated and sent to the administrator or user and it is up to
them to take action to block the activity or respond in some way.
b) Reactive IDS: Reactive IDS will not only detect suspicious or malicious traffic and alert
the administrator, but will take pre-defined proactive actions to respond to the threat.
Typically this means blocking any further network traffic from the source IP address or
user.
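The following is an added example, not code from the project report: a toy IDS in Python that runs both detection approaches described above (a signature database matched against packet attributes, and a baseline of services, peer pairs and per-source volume learned from clean traffic) and then applies either the passive response (alert only) or the reactive response (alert and block the source IP). The packet records, the two signatures and the baseline traffic are all constructed for the demonstration; a real rule set would also inspect payload bytes.

```python
"""Toy IDS: signature-based plus anomaly-based detection, passive or reactive response.
Added example, not the project's own code; all packets and rules are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # destination port (0 for icmp)
    size: int    # packet length in bytes


# Constructed signature database: name -> (protocol, destination port or None
# for any port, minimum packet size).
SIGNATURES: Dict[str, Tuple[str, Optional[int], int]] = {
    "oversized-icmp": ("icmp", None, 1400),
    "telnet-login-attempt": ("tcp", 23, 0),
}


def match_signatures(pkt: Packet) -> List[str]:
    """Signature-based check: names of every rule the packet matches."""
    hits = []
    for name, (proto, dport, min_size) in SIGNATURES.items():
        if pkt.proto == proto and (dport is None or pkt.dport == dport) and pkt.size >= min_size:
            hits.append(name)
    return hits


class Baseline:
    """Anomaly-based check: 'normal' is learned from a sample of clean traffic."""

    def __init__(self) -> None:
        self.services: Set[Tuple[str, int]] = set()  # (proto, dport) pairs seen
        self.peers: Set[Tuple[str, str]] = set()     # (src, dst) pairs seen
        self.max_bytes_per_src = 0                   # largest per-source volume seen

    def learn(self, packets: List[Packet]) -> None:
        volume: Dict[str, int] = {}
        for p in packets:
            self.services.add((p.proto, p.dport))
            self.peers.add((p.src, p.dst))
            volume[p.src] = volume.get(p.src, 0) + p.size
        self.max_bytes_per_src = max(volume.values(), default=0)

    def anomalies(self, pkt: Packet, bytes_from_src: int) -> List[str]:
        found = []
        if (pkt.proto, pkt.dport) not in self.services:
            found.append("unseen-service")
        if (pkt.src, pkt.dst) not in self.peers:
            found.append("unseen-peer")
        if bytes_from_src > 2 * self.max_bytes_per_src:  # crude bandwidth check
            found.append("volume-above-baseline")
        return found


class IDS:
    def __init__(self, baseline: Baseline, reactive: bool) -> None:
        self.baseline = baseline
        self.reactive = reactive                 # False = alert only, True = alert and block
        self.blocked: Set[str] = set()           # source IPs denied further traffic
        self.volume: Dict[str, int] = {}         # bytes seen per source
        self.alerts: List[Tuple[str, str]] = []  # (source IP, reason)
        self.decisions: List[bool] = []          # True = passed, False = dropped

    def process(self, pkt: Packet) -> bool:
        """Inspect one packet; return True if it passes, False if it is dropped."""
        if pkt.src in self.blocked:              # only a reactive IDS ever fills this set
            self.decisions.append(False)
            return False
        self.volume[pkt.src] = self.volume.get(pkt.src, 0) + pkt.size
        reasons = match_signatures(pkt) + self.baseline.anomalies(pkt, self.volume[pkt.src])
        self.alerts.extend((pkt.src, r) for r in reasons)
        if reasons and self.reactive:
            self.blocked.add(pkt.src)            # pre-defined response: block the source
        self.decisions.append(True)
        return True


def run_demo(reactive: bool) -> IDS:
    """Learn a baseline from constructed clean traffic, then inspect a constructed stream."""
    clean = [
        Packet("10.0.0.5", "10.0.0.1", "tcp", 80, 500),
        Packet("10.0.0.6", "10.0.0.1", "tcp", 443, 800),
        Packet("10.0.0.5", "10.0.0.1", "tcp", 443, 400),
    ]
    baseline = Baseline()
    baseline.learn(clean)
    ids = IDS(baseline, reactive)
    stream = [
        Packet("10.0.0.5", "10.0.0.1", "tcp", 80, 300),    # ordinary web traffic
        Packet("10.0.0.9", "10.0.0.1", "tcp", 23, 60),     # signature hit from an unknown host
        Packet("10.0.0.9", "10.0.0.1", "tcp", 80, 200),    # dropped only in reactive mode
        Packet("10.0.0.6", "10.0.0.1", "icmp", 0, 1500),   # oversized ping, unseen service
        Packet("10.0.0.5", "10.0.0.1", "tcp", 443, 1600),  # pushes 10.0.0.5 over the volume baseline
    ]
    for pkt in stream:
        ids.process(pkt)
    return ids


if __name__ == "__main__":
    for mode in (False, True):
        ids = run_demo(reactive=mode)
        print("reactive" if mode else "passive", ids.alerts, sorted(ids.blocked))
```

Running the same stream in both modes shows the difference the text describes: the passive IDS reports every packet it finds suspicious and passes all of them, while the reactive IDS blocks a source after its first alert and silently drops that source's later packets, so it raises fewer alerts but also stops traffic that might have been legitimate.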
Intrusion detection systems help network administrators prepare for and deal with network
security attacks. These systems collect information from a variety of systems and network
sources, and analyze them for signs of intrusion and misuse. A variety of techniques have
been employed for analysis ranging from traditional statistical methods to new machine
learning approaches.
2.1 OBJECTIVE
The main objectives are:
1. To make an attempt to detect a suspected intrusion in the monitored system and then alert
a system administrator.
2. To determine that some entity, an intruder, has attempted to gain, or worse, has gained
unauthorized access to the system.
3. To protect secure information of an organization from outside and inside intruders, to
detect novel or unknown intrusions in real-time.
4. To take actions to prevent intrusion. These can include requiring passwords to be
submitted before a user can gain any access to the system, fixing known vulnerabilities
that an intruder might try to exploit in order to gain unauthorized access, blocking some
or all network access, as well as restriction of physical access.
2.2 SCOPE
Intrusion detection involves determining that some entity, an intruder, has attempted to gain, or
worse, has gained unauthorized access to the system. Casual observation shows that none of the
automated detection approaches seek to identify an intruder before that intruder initiates
interaction with the system. System administrators routinely take actions to prevent intrusion.
These can include requiring passwords to be submitted before a user can gain any access to the
system, fixing known vulnerabilities that an intruder might try to exploit in order to gain
unauthorized access, blocking some or all network access, as well as restriction of physical
access. Intrusion detection systems are used in addition to such preventative measures.
2.3 PROBLEMS IN EXISTING SYSTEM
There is an existing Intrusion Detection System which is classical signature based. Existing
system has many problems which are discussed below.
The classical signature-based approach:
Cannot detect unknown or new intrusions.
Patches and regular updates are required.
The statistical anomaly-based approach:
Not based on an adaptive intelligent model.
Cannot learn from normal and malicious traffic patterns.
2.4 PLATFORM SPECIFICATION
2.4.1 Hardware Tools:
Minimum Configuration:
1. Processor : Pentium IV
2. Processor Frequency : 233 MHz
3. Memory : 64 MB, RAM
4. Video Adapter & Monitor : Super VGA ( 800 X 600 )
5. Hard Drive Disk Free Space : 1.5 GB
6. Input Devices : Keyboard & Mouse
Recommended Configuration:
1. Processor : Pentium III or Higher
2. Processor Frequency : 300 MHz or Higher
3. Memory : 128 MB, RAM or Higher
4. Video Adapter & Monitor : Super VGA (800 X 600) or Higher
5. Hard Drive Disk Free Space : 1.5 GB
6. Input Devices : Keyboard & Mouse
2.4.2 Software Tools:
Front End
1. Operating System Windows Family
2. Net Beans 6.9 IDE
3. Java 6u21
Back End
1. MySql
2. SQLyog
Report Generation
1. Visual Paradigm 7.2 EE
2. Microsoft Word 2003/2007
Technology & Platform: Java
Java has gained enormous popularity since it first appeared. Its rapid ascension and wide
acceptance can be traced to its design and programming features, particularly in its promise that
you can write a program once, and run it anywhere. Java was chosen as the programming
language for network computers (NC) and has been perceived as a universal front end for the
enterprise database.
The computer world currently has many platforms. This has its pros and cons. On the one
hand it gives more choices to people; on the other hand it becomes more and more difficult to
produce software that runs on all platforms. With its Java Virtual Machine and API, the Java
Platform provides an ideal solution to this. The Java Platform is designed for running highly
interactive, dynamic, and secure applets and applications on networked computer systems. Being
interactive, dynamic and architecture-neutral, the Java Platform has benefits not only for the
developer and support personnel, but also for the end user.
For the end users, the platform provides live, interactive content on the World Wide Web,
with just-in-time software access. Applications are readily available on all operating
systems at once. Users do not have to choose operating systems based on the
applications; they can run the applications on their favorite machines.
Developers can develop applications on one platform to deliver to that same platform --
the Java Platform, which is available on a wide variety of OS and hardware platforms.
This much reduces the developing cost.
For support personnel, version control and upgrades are much simplified because Java-
enabled application can be kept in a central repository and served from there for each
individual use.
MySQL as Backend:
MySQL Database Management takes care of the complex data storage and retrieval
systems without the help of conventional programming. It supports extremely large databases
and the size of database for examination software is likely to be large. The structured query
language which is used in MySQL is extremely useful for easy data retrieval. MySQL database
management keeps track of its computer data storage with the help of information stored in the
system table space. The system table space contains the data dictionary which consists of a
special collection of tables that contains information about all user-object in the database.
Purpose of Database:
Before database management system came along, organizations usually stored
information in file-processing systems. Keeping organizations information in a file-processing
system has a number of major disadvantages:
1. Data Redundancy & Inconsistency: The redundancy leads to higher storage and access
cost. In addition, it leads to data inconsistency.
2. Difficulty in Accessing Data: The conventional file processing environment does not
allow needed data to be retrieved in a convenient and efficient manner.
3. Data Isolation: Data are scattered in various files, and files may be of different formats; thus
retrieval of data becomes difficult.
4. Integrity Problems: The data values stored in the database must satisfy certain types of
consistency constraints.
5. Atomicity Problems: It is difficult to ensure atomicity in a conventional file processing
system.
6. Concurrent Access Anomalies: For the sake of overall performance of the system and
faster response, many systems allow multiple users to update the data simultaneously.
7. Security Problems: Since application programs are added to the file-processing system
in an ad-hoc manner, enforcing security constraints is difficult.
Features & Abilities of Database Management System:
1. Query Ability: A database query language and report writer to allow users to
interactively interrogate the database, analyze its data and update it according to the
users privileges on data. It also controls the security of the database. Data security
prevents unauthorized users from viewing or updating the database. Using passwords,
users are allowed access to the entire database or subsets of it called subschemas.
2. Backup & Replication: Copies of attributes need to be made regularly in case primary
disks or other equipment fails. A periodic copy of attributes may also be created for a
distant organization that cannot readily access the original. DBMS usually provide
utilities to facilitate the process of extracting and disseminating attribute sets. When data
is replicated between database servers, so that the information remains consistent
throughout the database system and users cannot tell or even know which server in the
DBMS they are using, the system is said to exhibit replication transparency.
3. Rule Enforcement: Often one wants to apply rules to attributes so that the attributes are
clean and reliable. For example, we may have a rule that says each car can have only one
engine associated with it (identified by Engine Number). If somebody tries to associate a
second engine with a given car, we want the DBMS to deny such a request and display an
error message. However, with changes in the model specification such as, in this
example, hybrid gas-electric cars, rules may need to change. Ideally such rules should be
able to be added and removed as needed without significant data layout redesign.
4. Security: Often it is desirable to limit who can see or change which attributes or groups
of attributes. This may be managed directly by individual, or by the assignment of
individuals and privileges to groups, or (in the most elaborate models) through the
assignment of individuals and groups to roles which are then granted entitlements.
5. Computation: There are common computations requested on attributes such as counting,
summing, averaging, sorting, grouping, cross-referencing, etc. Rather than have each
computer application implement these from scratch, they can rely on the DBMS to supply
such calculations.
6. Change & Access Logging: Often one wants to know who accessed what attributes,
what was changed, and when it was changed. Logging services allow this by keeping a
record of access occurrences and changes.
7. Automated Optimization: If there are frequently occurring usage patterns or requests,
some DBMS can adjust themselves to improve the speed of those interactions. In some
cases the DBMS will merely provide tools to monitor performance, allowing a human
expert to make the necessary adjustments after reviewing the statistics collected.
3. SYSTEM REQUIREMENT ANALYSIS
3.1 Information Gathering
Information gathering is one of the most important steps in the development of any project or
software and it is the part of project and software which actually starts before the project actually
starts. It includes questionnaires with client and other people involved in the system under
consideration.
Now, since our system is not being developed considering a particular client in mind,
questionnaires and interviews etc. cannot be carried out. As our project is related to an Intrusion
Detection System so we started information gathering phase with understanding what basically
the Intrusion Detection System is, what are its basic requirements and in which environment it
will be implemented and deployed.
In our project information gathering mainly includes analyzing different Intrusion Detection
System software in order to gather information about different fields.
It mainly includes:
About Functionalities: Here we analyze the functionalities of Intrusion Detection System.
About Front-End Design: Analyze different Intrusion Detection System software to take an
idea about better interaction & help us make a user friendly interface. It also helps to
maintain a proper flow throughout our project
3.2 System Feasibility
System feasibility deals with the utility, efficiency and quality of the system (Project).
Feasibility study is done to find out whether the system will be beneficial for the concerned
user and the organization or not.
3.2.1 Economical Feasibility
Economic feasibility check is an evaluation process carried out to determine development
cost and profit incurred after deployment.
In our project:
Software: The software used in developing this project is either provided by the
college or is available as freeware from software websites.
Hardware: The configuration cost for the system is negligible as all the hardware
needed is already being provided to us by the college.
3.2.2 Technical Feasibility
All projects are feasible, given unlimited resources and infinite time. Our project uses the
Microsoft Windows platform with J2SE as the implementation language; it needs the
following resources:
Operating System Windows, Linux Family
Net Beans IDE 6.8
Java 6u20
jNetPcap API Library
Visual Paradigm 7.2 EE
MySQL/ SQLyog
Microsoft Word 2003/2007
Any processor of Pentium family Above P-III
Minimum 64 MB or above RAM
Since the resources demanded are easily available and are compatible with each other,
hence our project is technically feasible.
3.2.3 Behavioral Feasibility
People are inherently resistant to change, and computers have been known to facilitate
change. All estimates regarding reaction, comfort and ease of use for the people it is
meant for, should be made in prior. Our project has all this; hence our project is
behaviourally feasible.
4. SYSTEM ANALYSIS
4.1 Information Flow Representation
4.1.1 Data Dictionary
A data dictionary is a structured repository of the data about the data. The advantages of data
dictionary are:
1. It provides documentation of the entire available data.
2. It provides consistent definition of various elements, terms and procedures etc.
3. The system can be used to compare the existing and available.
Name: Network Traffic
Aliases: IP Packet
Where/How Used: Traffic Analysis (Input)
Description: Source IP Address, Destination IP Address, Type: Attack / Normal
Format: IPv4 (Internet Protocol version 4)
Table 1: Data Dictionary
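The data dictionary entry above names the fields the system works with (source and destination address of an IPv4 packet) but not how they are obtained from the raw bytes a capture library hands over. The following is an added example, not code from the project report: a Python parser for the fixed 20-byte IPv4 header (RFC 791) that extracts the version, header length, total length, TTL, protocol number and both addresses, and verifies the header checksum, since a corrupted or truncated header should be rejected before any detection logic looks at it. The `build_ipv4` helper only exists to construct sample input offline; the addresses in it are made up.

```python
"""IPv4 header parser for the 'Network Traffic' data dictionary entry.
Added example, not the project's own code; sample packets are constructed here."""
import socket
import struct
from dataclasses import dataclass

IPV4_HEADER = "!BBHHHBBH4s4s"  # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst


@dataclass(frozen=True)
class IPv4Header:
    version: int
    ihl: int            # header length in 32-bit words (5 when there are no options)
    total_length: int   # header plus payload, in bytes
    ttl: int
    protocol: int       # 1 = ICMP, 6 = TCP, 17 = UDP
    src: str            # dotted-quad source address
    dst: str            # dotted-quad destination address
    checksum_ok: bool


def _checksum(data: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(raw: bytes) -> IPv4Header:
    """Parse the IPv4 header at the start of raw; raise ValueError on malformed input."""
    if len(raw) < 20:
        raise ValueError("truncated: an IPv4 header needs at least 20 bytes")
    ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, _chk, src, dst = struct.unpack(IPV4_HEADER, raw[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not IPv4 (version field = %d)" % version)
    if ihl < 5 or len(raw) < ihl * 4:
        raise ValueError("invalid or truncated header length")
    header = raw[: ihl * 4]
    # Summing the header with its checksum field included yields 0 only if the checksum is valid.
    return IPv4Header(version, ihl, total_len, ttl, proto,
                      socket.inet_ntoa(src), socket.inet_ntoa(dst), _checksum(header) == 0)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Construct a minimal (no options) IPv4 packet with a valid checksum. Sample input only."""
    header = struct.pack(IPV4_HEADER, 0x45, 0, 20 + len(payload), 0x1234, 0x4000, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", _checksum(header)) + header[12:]
    return header + payload


if __name__ == "__main__":
    sample = build_ipv4("192.168.1.10", "192.168.1.1", 6, b"\x00" * 20)  # constructed sample
    print(parse_ipv4(sample))
```

A capture library such as the jNetPcap API named elsewhere in this report delivers whole frames, so in practice the link-layer header (14 bytes for Ethernet) is stripped first and the remainder is handed to `parse_ipv4`; the source and destination strings it returns are exactly the two address fields the data dictionary lists.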
4.1.2 Data Flow Diagram
A graphical tool used to describe and analyze the movement of data through a system, manual or
automated, including the processes, stores of data, and delays in the system. Data flow diagrams are the
central tools and the basis from which other components are developed. The transformation of
data from input to output, through processes, may be described logically and independently of
the physical components associated with the system.
Fig 1: DFD Level-0
Fig 2: DFD Level-1
Fig 3: DFD Level-2
1. Traffic Analysis.
2. Response.
3. Add IP.
4. View IP
5. Update Data.
6. Retrieve Data.
4.1.3 Use Case Diagram:
A use case diagram is a type of behavioral diagram defined by the Unified Modeling Language
(UML) and created from a Use-case analysis. Its purpose is to present a graphical overview of
the functionality provided by a system in terms of actors, their goals (represented as use cases),
and any dependencies between those use cases. The main purpose of a use case diagram is to
show what system functions are performed for which actors. Roles of the actors in the system
can be depicted.
Use case diagrams depict:
Use cases: A use case describes a sequence of actions that provide something of measurable
value to an actor and is drawn as a horizontal ellipse.
Actors: An actor is a person, organization, or external system that plays a role in one or more
interactions with your system. Actors are drawn as stick figures.
Associations: Associations between actors and use cases are indicated in use case diagrams by
solid lines. An association exists whenever an actor is involved with an interaction described by
a use case. Associations are modelled as lines connecting use cases and actors to one another,
with an optional arrowhead on one end of the line.
Fig 4: Use Case Diagram
4.1.4 Sequence Diagram:
A sequence diagram is an interaction diagram in UML that emphasizes the time ordering of
messages. It shows how processes operate with one another and in what order. It shows parallel
vertical lines as different processes or objects that live simultaneously, and horizontal arrows as
the messages exchanged between them, in the order in which they occur.
The boxes across the top of the diagram represent the use cases, object, classes, or actors. The
dashed lines hanging from the boxes are called object lifelines, representing the life span of the
object during the scenario being modeled. The long, thin boxes on the lifelines are activation
boxes, also called method-invocation boxes, which indicate processing is being performed by the
target object/class to fulfill a message. Messages are indicated on UML sequence diagrams as
labeled arrows; when the source and target of a message is an object or class, the label is the
signature of the method invoked in response to the message. Return values are optionally
indicated using dashed arrows with a label indicating the return value.
4.1.4.1 Login/Logout
Fig 5: Login/Logout Sequence Diagram
4.1.4.2 Traffic Analysis
Fig 6: Traffic Analysis Sequence Diagram
4.1.4.3 View IP on Network
Fig 7: View IP Sequence Diagram
4.1.4.4 Add New IP Address into Network
Fig 8: Add New IP Sequence Diagram
4.1.4.5 View Block List
Fig 9: View Block List Sequence Diagram
4.1.4.6 Remove IP from Block List
Fig 10: Remove IP from Block List Sequence Diagram
4.1.4.7 Add New IP into Block List
Fig 11: Add New IP into Block List Sequence Diagram
4.1.4.8 Change Password
Fig 12: Change Password Sequence Diagram
4.1.4.9 Remove IP from Network
Fig 13: Remove IP Sequence Diagram
4.1.5 State Chart Diagram:
Fig 14: State Chart Diagram
4.1.6 Class Diagram:
The class diagram shows the building blocks of any object-oriented system. Class diagrams
depict a static view of the model, or part of the model, describing what attributes and behavior it
has rather than detailing the methods for achieving operations. Class diagrams are most useful in
illustrating relationships between classes and interfaces. Generalizations, aggregations, and
associations are all valuable in reflecting inheritance, composition or usage, and connections
respectively.
Fig 15: Class Diagram
5. DESIGN
5.1 Architectural design
Architectural design represents the structure of data and program components that are required to
build a computer based system. It considers the architectural styles that the system will take, the
structure and properties of the components that constitute the system, and the interrelationships
that occur among all architectural components of a system.
Architectural design represents which classes are used and how they interact with each other
to provide full functionality. It can be either a 2 tier or a 3 tier architecture. A 2 tier architecture
includes a frontend and a backend. The 3 tier architecture includes a middle level also.
Architectural Context Diagram
Architectural Behavioral Diagram
5.1.1 Architectural Context Diagram
The architectural design defines the relationship between major structural elements of the
Intrusion Detection System, the design patterns that can be used to achieve the requirements
that have been defined for the system, and the constraints that affect the way in which
architectural design patterns can be applied. The architectural design representation, the
framework of the Intrusion Detection System, can be derived from the system specification, the
analysis model, and the interaction of subsystems defined within the analysis model.
The main aspects that are considered during architectural design are:
The primary objective of architectural design is to develop a modular program structure and
represent the control relationships between modules.
Secondly, architectural design melds program structure and data structure, defining interfaces
that enable data to flow throughout the program.
Fig 16: Architectural Context Diagram
5.1.2 Architectural Behavioral Diagram
Behavior diagrams emphasize what must happen in the system being modeled:
State machine diagram : standardized notation to describe many systems, from computer
programs to business processes.
Use case diagram : shows the functionality provided by a system in terms of actors, their
goals represented as use cases, and any dependencies among those use cases.
The state chart diagram and the use case diagram have already been shown in this document
above.
Fig 17: Architectural Behavioral Diagram
5.1.3 Description of Architectural Design
Architectural Design represents the structure of data and program components that are required
to build a computer-based system. It considers the architectural style that the system will take,
the structure and properties of the components that constitute the system, and the
interrelationships that occur among all architectural components of a system.
Chosen System Architecture: Client Server Architecture
The architectural design of a client/server system is often characterized as a communicating-processes style, which describes the architecture in the following way. The goal is to achieve the quality of scalability. A server exists to serve data to one or more clients, which are typically located across a network. The client originates a call to the server, which works, synchronously or asynchronously, to serve the client's request. If the server works
Fig 18: Architectural Design Diagram
In our project the client is the IDS and the server is the packet capturing tool (the jNetPcap API). The client, i.e. the IDS, requests IP packets and the server responds with the list of captured IP packets.
5.1.4 Control Hierarchy
The control hierarchy represents the organization of program components (modules) and implies a hierarchy of control. The most common notation is the tree-like diagram that represents hierarchical control. Depth and width provide an indication of the number of levels of control and the overall span of control, respectively. Fan-out is a measure of the number of modules that are directly controlled by another module. Fan-in indicates how many modules directly control a given module.
The control hierarchy also represents two subtly different characteristics of software architecture:
Visibility
Connectivity
Fig 19: Control Hierarchy Diagram
5.2 Procedural / Modular Approach
Object-oriented analysis and design (OOAD) is a software engineering approach that models a system as a group of interacting objects. Each object represents some entity of interest in the system being modeled and is characterized by its class, its state (data elements), and its behavior. Various models can be created to show the static structure, dynamic behavior, and run-time deployment of these collaborating objects. There are a number of different notations for representing these models, such as the Unified Modeling Language (UML).
Object-oriented analysis (OOA) applies object-modeling techniques to analyze the functional requirements for a system. Object-oriented design (OOD) elaborates the analysis models to produce implementation specifications. OOA focuses on what the system does, OOD on how the system does it.
5.2.1 Modules Used
LoginWindow.java: the window in which the administrator authenticates himself by logging in to the IDS.
DetectionWindow.java: the window in which the administrator monitors the traffic; it also provides the links to the other operations (Check Network IP Details, View Block Listed IP, Change Password, Add IP to Block List) and to log out at the end of the session.
ViewIPOnNetwork.java: the window in which the administrator views the IP addresses of all the systems directly connected to the network.
AddNewIPIntoNetwork.java: the window in which the administrator registers new nodes on the network and adds their details to the database.
ViewBlockList.java: the window in which the administrator checks the details of all blocked IP addresses and, if necessary, removes an IP from the block list.
ChangePassword.java: the window in which the administrator changes his password; doing so regularly helps keep it confidential.
5.2.2 Internal Data Structures
The internal data structure is the structure of the data, in the form of the tables used in our project. Three tables are used: the Login Table, the Network IP Details Table and the Block IP Details Table.

Name of Table               Purpose
Login_Table                 To store the admin name and password
Network_IP_Details_Table    To store details of all the machines on the network
Block_IP_Details_Table      To store details of all the blocked machines
Table 2: Internal Data Structure
5.2.2.1 Login Table
Fig 20: Login Table
5.2.2.2 Network IP Details Table
Fig 21: Network IP Details Table
5.2.2.3 Block IP Details Table
Fig 22: Block IP Details Table
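The report states only that Login_Table stores the admin name and password and that the ChangePassword window exists to keep the password confidential; it does not say how the password is stored. The following is an added example, not the project's code, of how the credential row should be stored and checked: a random salt and a PBKDF2-HMAC-SHA256 hash are kept instead of the plaintext password, and the comparison is constant-time. The column layout, the in-memory Map standing in for the MySQL table, and the names LoginStore, setPassword, authenticate and changePassword are assumptions of this example.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Illustrative credential store for the Login_Table (added example, not the
 * project's code). Each row holds a random salt and a PBKDF2-HMAC-SHA256 hash
 * of the password, never the password itself. The HashMap stands in for the
 * MySQL table so the example runs offline; the row format is an assumption.
 */
public class LoginStore {
    private static final int ITERATIONS = 600_000;   // OWASP 2023 figure for PBKDF2-HMAC-SHA256
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();

    /** admin_name -> "base64(salt):base64(hash)" (assumed column layout). */
    private final Map<String, String> loginTable = new HashMap<>();

    private static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 unavailable", e);
        }
    }

    /** Create or replace the admin's row; also the last step of ChangePassword. */
    public void setPassword(String admin, char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);                         // fresh salt on every change
        byte[] hash = pbkdf2(password, salt);
        Base64.Encoder b64 = Base64.getEncoder();
        loginTable.put(admin, b64.encodeToString(salt) + ":" + b64.encodeToString(hash));
        Arrays.fill(password, '\0');                 // do not keep the secret in memory
    }

    /** LoginWindow check: true only if the admin exists and the password matches. */
    public boolean authenticate(String admin, char[] password) {
        String row = loginTable.get(admin);
        if (row == null) {
            // Unknown admin: still spend one PBKDF2 run so response time does
            // not reveal which admin names exist.
            pbkdf2(password, new byte[SALT_BYTES]);
            return false;
        }
        String[] parts = row.split(":", 2);
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] salt = b64.decode(parts[0]);
        byte[] stored = b64.decode(parts[1]);
        // Constant-time comparison instead of Arrays.equals / String.equals.
        return MessageDigest.isEqual(stored, pbkdf2(password, salt));
    }

    /** ChangePassword flow: the old password must verify before the new one is stored. */
    public boolean changePassword(String admin, char[] oldPassword, char[] newPassword) {
        if (!authenticate(admin, oldPassword)) {
            return false;
        }
        setPassword(admin, newPassword);
        return true;
    }

    public static void main(String[] args) {
        LoginStore store = new LoginStore();
        store.setPassword("admin", "correct horse".toCharArray());
        System.out.println("login, right password: "
                + store.authenticate("admin", "correct horse".toCharArray()));
        System.out.println("login, wrong password: "
                + store.authenticate("admin", "wrong".toCharArray()));
        System.out.println("change password: "
                + store.changePassword("admin", "correct horse".toCharArray(), "new pass".toCharArray()));
        System.out.println("login, new password: "
                + store.authenticate("admin", "new pass".toCharArray()));
    }
}
```

With this layout a copy of Login_Table (for example from a database backup) does not hand the attacker the admin password, and the ChangePassword window cannot be used to overwrite the row without first proving knowledge of the current password. The same PreparedStatement-based read and write against MySQL would replace the Map in the real system.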
5.2.3 Algorithm Design for Operations
When the administrator enters the INTRUSION DETECTION SYSTEM he can analyze the network traffic by analyzing the IP packets. He can view information on all packets or only on anomalous packets by selecting the appropriate radio button. He can also add a new system to the network by clicking the menu item Add New IP into the Network, and can view the details of all the systems on the network by clicking the menu item View IP on Network. He can view the details of blocked IPs by clicking the menu item View Blocked IP. He can also change his password and log out by clicking the menu items Change Password and Logout. The administrator can block any suspected or intruder IP by selecting its row in the detection window after traffic analysis and clicking the button Add IP to Block List.
Pseudo Code:

Login Window
{
    if (admin name and password match the Login_Table entry) then
    {
        Detection Window
        {
            if (administrator wants to analyze traffic) then
                click Traffic Analysis
            else if (administrator wants to add an IP to the block list) then
                select the row and click Add IP into Block List
            else if (administrator wants to add a new IP address to the database) then
                click Add New IP
            else if (administrator wants to view the block list) then
            {
                click View Block List
                if (administrator wants to remove an IP from the block list) then
                    click Remove From Block List
            }
        }
    }
    else
        report "Admin Authentication Failed"
}
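The traffic analysis described in this section, like the whole system (see the Future Scope section), inspects IP headers only. The following is an added example, not the project's code, of what a header-only anomaly check can decide: it parses the fixed IPv4 header, verifies the header checksum, and flags a handful of header-level anomalies, including a source address that is on the block list. The anomaly rules, the class and method names, and the packets (constructed inline by a small builder rather than captured) are all assumptions of this example; in the real system the byte array would come from the capture library and the block list from Block_IP_Details_Table.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;

/**
 * Header-only IPv4 anomaly check (added example, not the project's code).
 * Nothing past the IP header is read, which is exactly the limitation the
 * report's own system has. Packets are constructed inline so this runs offline.
 */
public class IpHeaderCheck {

    /** Ones'-complement checksum over the first ihlBytes bytes; a valid header yields 0. */
    static int headerChecksum(byte[] p, int ihlBytes) {
        int sum = 0;
        for (int i = 0; i + 1 < ihlBytes; i += 2) {
            sum += ((p[i] & 0xff) << 8) | (p[i + 1] & 0xff);
        }
        while ((sum >>> 16) != 0) sum = (sum & 0xffff) + (sum >>> 16);
        return (~sum) & 0xffff;
    }

    static String addr(byte[] p, int off) {
        return (p[off] & 0xff) + "." + (p[off + 1] & 0xff) + "."
             + (p[off + 2] & 0xff) + "." + (p[off + 3] & 0xff);
    }

    /** Reasons the header looks anomalous; empty means "normal". The rule set is this example's assumption. */
    public static List<String> anomalies(byte[] pkt, Set<String> blockList) {
        List<String> reasons = new ArrayList<>();
        if (pkt.length < 20) {
            reasons.add("truncated: " + pkt.length + " bytes, an IPv4 header needs 20");
            return reasons;                                  // no other field can be trusted
        }
        int version = (pkt[0] >> 4) & 0x0f;
        int ihlBytes = (pkt[0] & 0x0f) * 4;
        int totalLength = ((pkt[2] & 0xff) << 8) | (pkt[3] & 0xff);
        int flags = (pkt[6] & 0xe0) >>> 5;                   // bit 2 reserved, bit 1 DF, bit 0 MF
        int ttl = pkt[8] & 0xff;
        String src = addr(pkt, 12), dst = addr(pkt, 16);

        if (version != 4) reasons.add("version field is " + version + ", not 4");
        if (ihlBytes < 20) reasons.add("IHL " + ihlBytes + " bytes is below the 20-byte minimum");
        else if (ihlBytes > pkt.length) reasons.add("IHL claims " + ihlBytes + " header bytes, only " + pkt.length + " captured");
        else if (headerChecksum(pkt, ihlBytes) != 0) reasons.add("header checksum does not verify");
        if (totalLength < Math.max(ihlBytes, 20)) reasons.add("total length " + totalLength + " is smaller than the header");
        if (totalLength > pkt.length) reasons.add("total length " + totalLength + " exceeds the " + pkt.length + " captured bytes");
        if ((flags & 0x4) != 0) reasons.add("reserved flag bit set");
        if (ttl == 0) reasons.add("TTL is zero");
        if (src.equals(dst)) reasons.add("source equals destination (LAND-style)");
        int firstOctet = pkt[12] & 0xff;
        if (firstOctet == 127 || firstOctet >= 224) reasons.add("impossible source " + src + " (loopback, multicast or reserved)");
        if (blockList.contains(src)) reasons.add("source " + src + " is on the block list");
        return reasons;
    }

    // ---- constructed sample packets (not captured traffic) ----

    static byte[] ipBytes(String dotted) {
        String[] q = dotted.split("\\.");
        byte[] out = new byte[4];
        for (int i = 0; i < 4; i++) out[i] = (byte) Integer.parseInt(q[i]);
        return out;
    }

    /** Minimal IPv4 header (protocol TCP) plus zero payload, with a correct checksum. */
    static byte[] buildPacket(String src, String dst, int payloadLen, int flagsAndOffset) {
        byte[] pkt = new byte[20 + payloadLen];
        pkt[0] = 0x45;                                       // version 4, IHL 5 words
        pkt[2] = (byte) (pkt.length >> 8); pkt[3] = (byte) pkt.length;
        pkt[4] = 0x1c; pkt[5] = 0x46;                        // identification
        pkt[6] = (byte) (flagsAndOffset >> 8); pkt[7] = (byte) flagsAndOffset;
        pkt[8] = 64;                                         // TTL
        pkt[9] = 6;                                          // protocol: TCP
        System.arraycopy(ipBytes(src), 0, pkt, 12, 4);
        System.arraycopy(ipBytes(dst), 0, pkt, 16, 4);
        int ck = headerChecksum(pkt, 20);                    // checksum field is still zero here
        pkt[10] = (byte) (ck >> 8); pkt[11] = (byte) ck;
        return pkt;
    }

    public static void main(String[] args) {
        Set<String> blockList = Set.of("203.0.113.7");       // stands in for Block_IP_Details_Table
        byte[] normal = buildPacket("172.16.10.99", "172.16.10.12", 40, 0x4000);   // DF set
        byte[] land = buildPacket("10.0.0.5", "10.0.0.5", 0, 0x4000);
        byte[] blocked = buildPacket("203.0.113.7", "172.16.10.12", 0, 0x4000);
        byte[] badSum = normal.clone();
        badSum[8] = 1;                                       // TTL altered after the checksum was computed
        byte[] reserved = buildPacket("172.16.10.99", "172.16.10.12", 0, 0x8000);
        byte[] truncated = Arrays.copyOf(normal, 12);

        for (byte[] p : new byte[][] { normal, land, blocked, badSum, reserved, truncated }) {
            List<String> r = anomalies(p, blockList);
            System.out.println(r.isEmpty() ? "normal" : "ANOMALOUS " + r);
        }
    }
}
```

The six constructed packets show the shape of the detection window's "anomalous packets" view, but also its limit: a packet carrying an exploit in its payload has a perfectly normal header and passes every check above, which is why the Limitations and Future Scope sections call for payload analysis.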
5.3 Data Design
5.3.1 Data objects and resultant data structures
The data design creates the model of data and information that is represented at a high level of abstraction. The data objects defined during software requirements analysis are modeled using ER diagrams and a data dictionary (DD). The data design activity translates this element of the requirements model into data structures at the component level.
5.4 Interface Design
5.4.1 Human-machine interface design specification
The interface design is the bridge for interaction between a human and a computer. It creates effective communication between the two. Interface design begins with the identification of the user, task and environmental requirements. The interface is the representation of the available data; if the representation is confusing or misleading, users may misunderstand the meaning of the information. The most accessible representation of the data is the Graphical User Interface (GUI), which provides windows, icons, menus, pointers, etc. The basic interface design principles are:
User Familiarity: The interfaces in our project use terms the user already understands. We have used JFrame to build the various interfaces so that the user feels comfortable with them.
Consistency: The project needs to be consistent with its requirements, and this project satisfies the consistency criteria as a whole. It does not break down when an unexpected problem occurs.
Minimal Surprise: The user must not be surprised by the system's behavior. The system must be capable of handling unexpected data, and even a shutdown should not be abrupt. The system shows no abrupt switching off or anomalous behavior.
Interface design focuses on three areas of concern:
The design of interface between software modules.
The design of interfaces between the software and other external entities.
The design of interfaces between user and the computer.
5.4.2 I/O Forms
5.4.2.1 Login Window
Fig 23: Login Window
5.4.2.2 Detection Window
Fig 24: Detection Window
5.4.2.3 View IP on Network Window
Fig 25: View IP on Network Window
5.4.2.4 Add IP into Network Window
Fig 26: Add IP into Network Window
5.4.2.5 View Block List Window
Fig 27: View Block List Window
5.4.2.6 Change Password Window
Fig 28: Change Password Window
5.4.2.7 Add IP into Block List Window
Fig 29: Add IP into Block List Window
6. LIMITATIONS
Although some intrusion detection systems have become very advanced, the data produced by software and the methods of the attackers are also becoming more complex all the time. This makes it hard to distinguish legitimate use of a system from a possible intrusion.
When an IDS incorrectly identifies an activity as a possible intrusion, the result is a false alarm, also referred to as a false positive. Badly configured IDSs, and behavior-based IDSs in particular, can produce many false positives.
A network-based IDS may not always be able to pick up and process all data on busy networks.
Another challenge for a network-based IDS is encrypted data; most are able to inspect compressed data, but encrypted data remains an obstacle simply because the IDS does not have access to the keys of every device on the network.
Last but not least, an IDS is itself a possible target of attack; it also has bugs and exploitable flaws.
7. FUTURE SCOPE
Our system works only on IPv4 networks. In future it can be extended to IPv6 networks. We have analyzed only the packet header, so our system cannot detect exploit attacks carried in the payload; payload analysis could be added to the system in future.
At present our system can only detect intrusions; in future we may add functionality so that it can also prevent intrusions along with detecting them.
In future the system could be made more efficient and accurate, since the current version makes some compromises in the accuracy of its anomaly detection.
8. CONCLUSION
The completed project can detect, with its learning techniques, novel attacks that were not detected by the existing system, Snort. Compared with Snort, which provides high accuracy but was more time consuming and required regular updates, our system can detect intrusions more efficiently and in less time.
After completing this project we are able to work as a team and have learned how to divide tasks and cooperate on them. Successful work not only made us feel proud but also made us good companions. In this way we completed our project successfully.
9. BIBLIOGRAPHY AND REFERENCES
Books:
[1] Bace, R. G., Intrusion Detection, Technical Publishing, ISBN 1-57870-185-6, 2002.
[2] Lunt, T., Detecting intruders in computer systems. Conference on Auditing and Computer Technology, 1993.
[3] Krister Johansen, Stephen Lee, Bayesian Network Intrusion Detection, 2003.
[4] MIT Lincoln Laboratory, 1999 DARPA Intrusion Detection Evaluation Design and Procedure, DARPA Technical Report, February 2001.
[5] Weijie Chai, Li Li, Anomaly Detection Using TCP Header Information, April 26, 2004.
Web Sites:
[6] www.wikipedia.org
[7] www.jnetpcap.com/node
[8] www.netsecurity.about.com/cs/hackertools/a/aa121403.htm
[9] www.oracle.com/technetwork/java/javase/downloads/index.html
[10] www.snort.org
10. APPENDICES
Definitions, Acronyms, and Abbreviations
Acronyms
API : Application Programming Interface
DFDs : Data Flow Diagrams
DNS : Domain Name System
DoS : Denial-of-Service
DS : Dataset
GUI : Graphical User Interface
HIDS : Host-based Intrusion Detection System
IDS : Intrusion Detection System
IP : Internet Protocol
NIDS : Network Intrusion Detection System
OS : Operating System
TCP/IP : Transmission Control Protocol / Internet Protocol
UDP : User Datagram Protocol
Definitions
IDS: An intrusion detection system (IDS) monitors network traffic for suspicious activity and alerts the system or network administrator. In some cases the IDS may also respond to anomalous or malicious traffic by taking action such as blocking the user or source IP address from accessing the network.
NIDS: Network Intrusion Detection Systems (NIDS) are a subset of security management systems that are used to discover inappropriate, incorrect, or anomalous activities within networks.
HIDS: A host-based intrusion detection system (HIDS) monitors and analyzes the internals of a computing system rather than the network packets on its external interfaces.
EXPLOITS: These attacks take advantage of a known bug or design flaw in the system.
Denial-of-Service (DoS): These attacks disrupt or deny access to a service or resource.