i | P a g e
Tool for Secure File Transfer and Intrusion Detection in a
Network
GRADUATE PROJECT REPORT
Submitted to the Faculty of
The School of Engineering & Computing Sciences
Texas A&M University-Corpus Christi
Corpus Christi, TX
In Partial Fulfillment of the Requirements for the Degree of
Master of Science in Computer Science
By
Nithisha Repaka
Summer 2012
Committee Members
Dr. Mario Garcia _____________________________
Committee Chairperson
Dr. Ajay Katangur ____________________________
Committee Member
Dr. John Fernandez ____________________________
Committee Member
ABSTRACT
The need for intrusion detection in combating cyber crime has been a crucial issue for
decades, and the scope and frequency of research in this field of computer science has
increased exponentially. The main goal of these studies is to safeguard sensitive information
and protect it from malicious attackers. Most of the present strategies in this research field
are based on network-based intrusion detection system (NIDS) and host-based intrusion
detection system (HIDS) techniques; misuse detection and anomaly detection methodologies
are also used. The main idea behind these techniques is to achieve a secure way to transmit
data from one terminal to another using a variety of methods.
In this paper, a hybrid tool is proposed for client server networks (CSN). This tool
supports a novel, flexible, secured NIDS, which takes network traffic dynamically as input and
checks the client for an IP (Internet Protocol) match. If the client's IP does not match the
server's network address, the client is identified as an attacker and stored in a Hit-List by
generating a log file in text format with all its properties (time, date, IP and login details).
Additionally, file transfer for a valid client is processed in a secure way by encrypting the file.
In this project, the Blowfish algorithm is used to encrypt and decrypt the file; only a user
with a valid key can decrypt the file and access it. Thus, this strategy, which makes use of
encryption concepts, has increased the level of security both outside and inside the
network.
TABLE OF CONTENTS
Abstract .............................................................................................................................. ii
Table of Contents ............................................................................................................... iii
List of Figures ................................................................................................................... vi
1. Introduction ......................................................................................................................1
1.1 Intrusion Detection System (IDS) .............................................................................1
1.1.1 Host Based IDS (HIDS) ...................................................................................1
1.1.2 Network Based IDS (NIDS) .............................................................................1
1.1.3 Protocol Based IDS (PIDS) ..............................................................................2
1.1.4 Application protocol Based IDS (APIDS) .......................................................2
1.1.5 Misuse Detection ..............................................................................................2
1.1.6. Anomaly Detection ..........................................................................................2
1.2 Why is IDS important? ..............................................................................................3
2. Background and Rationale ...............................................................................................5
2.1 A Distributed Autonomous Intrusion Detection Framework ....................................5
2.2 Evaluating Files to Audit for Detecting Intrusions in File System Data ...................8
2.3 Intrusion Detection System Intended for Multi gigabit Networks ............................9
2.4 Network-based intrusion detection using Adaboost algorithm ...............................10
2.5 A Collaborative Intrusion Detection System Using Log Server and Neural Networks ........11
2.6. Existing System ......................................................................................................13
2.6.1. Drawbacks....................................................................................................13
2.7. Proposed System ....................................................................................................14
2.7.1. Advantages ...................................................................................................14
3. Proposed System ............................................................................................................15
3.1. System Architecture ...............................................................................................15
3.1.1. Input .............................................................................................................15
3.1.2. Client Server Architecture ...........................................................................16
3.1.2.1. Server: Listens IP ...........................................................................16
3.1.2.2. Client: Connects to Server and Enters Login Credentials ..............16
3.1.2.3. Server: Allows client to view its Resources ...................................16
3.1.2.4. Client: Decrypt Resources ..............................................................16
3.1.2.5. Server: Trigger an Event (“Hacker is present”) .............................16
3.1.2.6. Stores Hacker’s IP in Hit-List ........................................................17
3.1.3. Output ..........................................................................................................17
3.2. Data Encryption / Decryption .................................................................................17
3.2.1. Encryption ....................................................................................................18
3.2.2. Decryption....................................................................................................21
4. Test Scenarios ................................................................................................................20
4.1. Scenario 1: IP .........................................................................................................20
4.2. Scenario 2: Login ...................................................................................................23
4.3. Scenario 3: Allow to Access Resources .................................................................24
4.4. Scenario 4: Decrypting the Resource .....................................................................27
4.5. Scenario 5: Hit-List Checking ................................................................................29
4.7. Other Useful Screenshots .......................................................................................30
5. Conclusion .....................................................................................................................35
6. Future Work ...................................................................................................................35
7. Bibliography ..................................................................................................................36
LIST OF FIGURES
Figure 1: Architecture of A2D2 Framework .......................................................................6
Figure 2: mEngine designed for A2D2 ................................................................................7
Figure 3: Architecture of IDS system using COMBO6X card ............................................9
Figure 4: Framework of NIDS with Adaboost Algorithm .................................................10
Figure 5: System Architecture (Left) and System Extension Architecture (Right) ...........12
Figure 6: Data Sharing between Multiple Domains ..........................................................14
Figure 7: Proposed System Architecture ...........................................................................15
Figure 8: Interface diagram (main page) ...........................................................................20
Figure 9: Master is monitoring ..........................................................................................20
Figure 10: Viewing the content in both IP ADDRESS and RESOURCES sections...........21
Figure 11: Entering the IP address as input .......................................................................21
Figure 12: Client credential details for login .....................................................................23
Figure 13: No access if user enters invalid login credentials .............................................23
Figure 14: Resource access window for client ..................................................................25
Figure 15: Monitoring unauthorized client actions ............................................................25
Figure 16: Do enter Key ....................................................................................................27
Figure 17: Valid-user-invalid-key......................................................................................27
Figure 18: Hit-List .............................................................................................................29
Figure 23: Selecting the ‘BLOWFISH’ encryption ...........................................................30
Figure 24: Encrypted file ...................................................................................................31
Figure 25: Decrypted Resource .........................................................................................32
Figure 26: IDS information ................................................................................................33
Figure 27: Content of the password log file.......................................................................34
1. INTRODUCTION
1.1. Intrusion Detection System (IDS)
An intrusion detection system (IDS) is a tool or application used to detect an attack on a
system or network by an anomalous user outside the network who is trying to compromise or
break it. This is done by keeping track of all suspicious patterns and activities in both the
incoming and outgoing traffic within the network. Generally an IDS maintains the details of all
events examined on the system and later generates reports, which are sent to the management
station for further action. After the details of the malicious user are obtained from the records,
actions like blocking the user are performed. It is important to note that the IDS also includes a
feature for monitoring a suspicious user within the network.
IDS can be classified in two different types:
1st class: HIDS, NIDS and PIDS
1.1.1. Host-Based IDS (HIDS):
A host-based IDS (HIDS) is executed on a separate host in the network. All events
related to suspicious activity, such as a change of file content or the replacement of a file
with another file, are observed in this classification [1]. This is monitored with the help of
audit data recorded in the kernel and log files of the host on which the IDS is run. The
advantage of this approach is that complete and detailed file information is available for
future reference.
1.1.2. Network-Based IDS (NIDS):
A network-based intrusion detection system (NIDS) monitors, as its name suggests, the
network traffic in order to validate IP addresses and the packet information being transmitted.
Detection is based on investigating packet attributes [2]. Network hardware such as switches
and routers is used to monitor the traffic. The packet information stored here is not
comprehensive. The advantage of this approach is the feasibility of implementing the NIDS in a
distributed environment; a HIDS, on the other hand, would have to be installed on each and
every host.
1.1.3. Protocol-Based IDS (PIDS):
The Protocol-Based IDS (PIDS) is a type of IDS where the dynamic behavior of the
protocol is checked. The dynamic nature of the PIDS is due to the installation of IDS on a
web server [3]. An agent system is used on the web server to listen to and control the
dynamic nature of the PIDS and protect the system from attacks.
1.1.4. Application Protocol-Based IDS (APIDS)
The Application Protocol-Based IDS (APIDS) is a special type of IDS where only a
particular type of protocol used for the system is observed.
2nd class: Misuse and Anomaly Detection
1.1.5. Misuse Detection/ Signature Detection:
Here, detection of threats is based completely on signatures and rules. A new attack
is compared against a large database of signatures of already known threats to check whether
it has been observed before [4]. This is similar to the functionality of any anti-virus malware
detection system. This detection technique is heavily used and delivers perfect results, but
only in cases where the attack is a known one rather than a novel one. Comparing the new
attack against the database may also introduce a time lag.
1.1.6. Anomaly Detection:
Every system has its own normal behavior, and a system administrator should
maintain this information for all systems in the network [5]. Any behavior that departs
from the normal behavior shows that something is going wrong on the network; this is the
procedure followed in this type of detection. The anomalies may take the shape of a high
traffic load, a breakdown, a protocol mismatch or a change in standard packet size. The
network traffic is constantly compared with the standard baseline behavior of the system to
find anomalies.
Any IDS is generally related to a few questions like [6]:
Which type of firewall is needed (hardware or software)?
Will cookies compromise the security level?
How should a system avoid being spammed?
How can a wireless network be secured?
What are the different security challenges of cloud computing?
1.2. Why is IDS important?
Now that IDS systems and their classifications have been described, an important
question arises: why is intrusion detection important? Its importance is discussed here with
some examples.
Intrusion detection is important for managing the security level of any system in a network.
Generally, detection is the only way a weakness in the system can be removed: detection of
the intrusion, followed by a procedure to remove it, is the basic process involved in any system
designed to maintain security.
Cybercrime has become more prevalent than ever and with each day it is becoming more
challenging to avoid and to defend against. Protecting networks from intrusions and malware
attempts has become a critical effort for network management professionals.
Attacks may take different forms (passive or active): a ‘data-driven attack’ such as
Trojans, trapdoors and viruses, or a ‘denial of service attack’, ‘password-based attack’,
‘data modification attack’, ‘identity spoofing’, ‘eavesdropping’, ‘man-in-the-middle attack’,
‘compromised-key attack’, ‘sniffer attack’, ‘application-layer attack’ or ‘botnet attack’ [7].
These may lead to the modification, interception, interruption, destruction or fabrication of the
confidential information stored in the system. Each attack has its own characteristics, but their
final and only motive is to compromise a system in the network, use it as a host and cause
great destruction.
In order to remove this malware, the specific attack must first be detected; this is what an
intrusion detection system is used for.
A wave of cyber attacks has likely stolen at least $80 million from bank accounts in
Europe, the United States and elsewhere, a security report said Tuesday. [19]
USDA DC headquarters – June 2006 – The Department of Agriculture was subject to a
cyber attack where the names, social security numbers, and photographs of 26,000 employees
were stolen. [20]
2. BACKGROUND AND RATIONALE
The organization's financial status, the time available and the strength of the team should
be known in order to make a clear assessment of a tool's development. After these factors have
been assessed, the tools needed, the operating system and the coding language are decided for
its development. Support from external sources is very important once the tool is in its
development phase; these sources may include senior program analysts, websites, books and
magazines. Any system in its building stage has to take care of all the above constraints, and the
proposed system must include the properties mentioned as follows.
2.1. A Distributed Autonomous Intrusion Detection Framework
This approach mainly concentrates on intrusion detection in a distributed environment. In
this paper, a flexible and novel intrusion detection framework including intrusion detection
Autonomous Agents which are Dynamically Distributed (A2D2) in the network has been
proposed. These agents are capable of dynamically downloading and installing accurate policies,
signatures and files from the core server, based on the attack attributes and requirements. For
flexible response and communication between the agents in the distributed network, a key
management system has been implemented. In this work, an event analysis engine and an
object-oriented language, both domain independent, have been designed to enable data fusion
in the environment.
These independently running Autonomous Agents (AA) take decisions that increase the
adaptive nature of the environment while also improving manageability and controllability in the
distributed network. Key features of A2D2 are:
A2D2 is the backbone of the system, designed to provide a flexible and novel intrusion
detection framework using AAs. These AAs become active and also hibernate according to
their need in the network.
A2D2 has a modular structure to enable open framework features. As AAs dynamically
and independently perform the tasks of downloading and installing, the problem of manual
maintenance and management is alleviated.
A2D2 has a well-defined hierarchical structure to enable scalability with multiple layers of
data fusion AAs. A key management system is an option for secured communication
between AAs.
Figure 1: Architecture of A2D2 Framework [10]
Figure 1 shows the architecture of A2D2 for a distributed network, where the network is
divided into three autonomous zones based on subnets [11]. As the figure shows, six different
AAs and three different central servers are used. They are:
Active Intrusion Detection AAs
Hibernative Intrusion Detection AAs
Mobile Intrusion Detection AAs
Auxiliary Intrusion Detection AAs
Control Intrusion Detection AAs
Data Fusion Intrusion Detection AAs
Central Data Fusion Server
Central Control Server
Central Update Server
Figure 2: mEngine designed for A2D2
Figure 2 shows the design of mEngine, which is created with A2D2 for detecting intrusions.
In mEngine, intrusions are detected with the help of the AAs after the four steps illustrated
in the figure:
Data Processing --> Information Analysis --> Knowledge Analysis --> Assessment
These are the main steps followed by an AA to detect intrusions in mEngine.
2.2. Evaluating Files to Audit for Detecting Intrusions in File System Data
In this approach, intrusions are detected by observing the file data in the file system. If a
system is attacked, there is a definite change in the data of its file system: files may be
modified, entirely deleted, or created without permission by a malicious entity. Auditing the
file system's quantitative data on an attacked system is therefore a good way to detect an
intrusion [12]. A point to be noted is that not every file, with its file system data, can provide
information about the attack activity; careful selection of the files that can reveal the malicious
activity is needed to complete this task.
This paper mainly discusses three types of attacks: reconnaissance, modifying passwords and
downloading malware. For each type of attack, data from the affected files is recorded and
compared with compromised data for detection of the intrusion. Concentrating on the activity of
each file of the attacked system, the collected data gives a probabilistic study of the evidence of
these three types of attacks. Metrics are then used to rate the files for auditing.
As this approach concentrates on the file system of a target host, it is an example of a
host-based intrusion detection system (HIDS).
2.3. Intrusion Detection System Intended for Multi gigabit Networks
This paper contributes a new idea of using a hardware-based IDS instead of a software-based
IDS to keep up with the link speed of multi-gigabit networks, and it is an example of a
network-based IDS (NIDS). The approach depends on a Field Programmable Gate Array
(FPGA), which improves the speed of packet classification and pattern matching.
Snort is an open-source NIDS tool which uses a rule-driven language, with a database
containing signatures and rules of already learned viruses and bugs, different anomaly- and
protocol-based methods, etc. 80% or more of Snort's CPU time is spent on string matching,
which is the task that hardware acceleration targets.
In this methodology, pre-filtration of network traffic packets is achieved by combining
the features of a hardware acceleration card with an FPGA [14]. Packets that carry no
suspicious traffic after comparison with the defined IDS rules are sent to the host system through
the hardware card. The system's performance increases only with repeated filtering of the
traffic by the card. For efficiency, prefix-sharing and pattern-truncating techniques are also
embedded in the hardware used.
Figure 3: Architecture of IDS system using COMBO6X card [13]
Figure 3 above shows the architecture of the IDS system with the hardware card COMBO6X,
which gives a throughput of 6.4Gbps. A classification unit and a pattern match unit are included
in the architecture.
2.4. Network-based intrusion detection using Adaboost algorithm
This is again a new approach to a NIDS framework using algorithm analysis. Here, the
Adaboost algorithm, a popular machine learning algorithm, is used to detect intrusions in the
network [16]. The complexity of this algorithm is low compared to other algorithms previously
implemented for NIDS.
Figure 4: Framework of NIDS with Adaboost Algorithm [15]
Figure 4 describes the NIDS architecture, which has four sections. Each section is discussed
briefly here:
Feature extraction:
Three major characteristics are the main focus in the detection of intrusions. They
are:
General features of TCP connections.
Content features in the connection recommended by the domain.
Traffic features and their characteristics.
Data labeling:
The training data set is labeled when this algorithm is applied to network traffic:
+1 represents normal samples and -1 represents attack samples. This algorithm follows
neither misuse detection nor anomaly detection, but a novel approach.
Weak classifier design:
A group of weak classifiers, modeled in the early stages, is essential for this algorithm to be
applied. Classifiers with low accuracy are called weak (or basic) classifiers.
Strong classifier constructed using this algorithm:
Using this algorithm, strong classifiers are generated from a group of weak classifiers,
with the rules applied.
The whole idea of this algorithm is to strengthen the classifiers by selecting and combining weak
ones.
2.5. A Collaborative Intrusion Detection System Using Log Server and Neural Networks
This is again a new approach, in which a Remote Login Server (RLS) technique with a KIT-1
implementation is proposed. The RLS mechanism is mainly used to keep a backup of log files
on the server. The neural networks concept is also used in this IDS approach.
The motivation behind this new approach with the RLS technique is to prevent an intruder
from changing the log files of the monitored system by compromising it, as can happen when
the IDS is installed locally on that system. There is a channel between the client and the server,
and if this channel is intruded upon, having backup files stored is worthless, as only wrong and
false information is obtained from the stored backup [18].
The SSL capability of Java is included in the framework to provide encryption for the
channel between client and server.
Figure 5: System Architecture (Left) and System Extension Architecture (Right) [17]
The system architecture shown in Figure 5 has two modules, as discussed.
Transfer module: used to transfer the client's log files to the server periodically, at specific
intervals.
Neural Networks (NN) module: the functionality of this module is to sense the data of the log
files received from clients. If any suspicious activity is sensed, this module informs the
administrator to take care of the issue.
Enterprise Security Management (ESM) is the extended system architecture.
2.6. Existing System
Classical techniques provide good defensive structures to protect very important
resources from being attacked. These include firewalls, various encryption techniques,
steganography methodologies, etc.
These varieties of defensive mechanisms are very effective tools, but mostly work
effectively on already known attacks.
There is also no perfect hybrid architecture for the concept of file sharing.
Moreover, all these systems can only execute on a single system.
2.6.1. Drawbacks
It is costly to implement AAs on each host in the distributed network.
Using hacking techniques, file audit data can also be altered.
A software implementation is always more feasible than a hardware implementation.
Applying algorithms is a very classic method and may not be so effective.
2.7. Proposed System
The proposed system can note the IP addresses of hackers and can identify what type of file
they want to access and what password and key they use to access the file.
The system is based on both HIDS and NIDS, increasing the scope of security of the IDS.
It also combines the features of IDS and encryption to widen that scope further.
It can be run on more than one system without changes, and on a single system as well.
Figure 6: Data Sharing between Multiple Domains [8]
Figure 6 describes data sharing between three different domains A, B and C with key
security provided.
2.7.1. Advantages
The IP check is performed using the NIDS strategy.
The client is not immediately eliminated after the IP check but is allowed to continue until it
performs a file download.
A text file is generated when an invalid user tries to access the server's resources.
The server encrypts its resources, so a client that fails to enter the key for decryption cannot
complete the task.
A client has to log in in order to view the server's resources; failing to enter the credentials
denies the user access.
3. PROPOSED SYSTEM
3.1. SYSTEM ARCHITECTURE
Figure 7: Proposed System Architecture
Figure 7 describes the proposed architecture of the novel tool for intrusion detection.
3.1.1. Input:
Dynamic network traffic is given as input to the proposed system. The server analyzes
this network traffic as soon as the client establishes a connection with it. Resources which
should be shared between clients are also added manually by the administrator. The traffic is
taken in the form of IP addresses: the server gets the client's IP address as soon as the client
requests a connection.
3.1.2. Client Server Architecture:
3.1.2.1. Server: Listens IP
The server analyzes and listens for the IP of the client as soon as the client establishes a
connection with it. In this stage, the server stores all the clients' IP addresses.
3.1.2.2. Client: Connects to Server and Enters Login Credentials
After the client requests a connection with the server, it is prompted to enter its login
credentials. If the credentials match those present in the server's database, it is treated as
a valid client. If the credentials do not match those present in the server's database, it is
considered invalid and hence is discarded.
3.1.2.3. Server: Allows client to view its Resources
Only after the server approves the login credentials is the client allowed to view the
resources provided by the server for sharing. The client can download its desired resource
by selecting it. At this stage, when the client tries to download a resource, the server
detects whether the client is valid or an intrusion attempt by checking the client's IP:
for a client to be in the server's network, it must have the same network address in its IP.
3.1.2.4. Client: Decrypt Resources
In the case of a valid client, the client is allowed to download the file only after it enters
the correct key to decrypt it. After decryption, the client can save that resource on its
local disk.
3.1.2.5. Server: Trigger an Event (“Hacker is present”)
In the case of invalid client/intrusion, an event is triggered with a message stating a
“Hacker is present”. At this event, a text file with the intrusion’s properties is generated
as output.
3.1.2.6. Stores Hacker’s IP in Hit-List
The hacker's IP is entered into the Hit-List, which may be useful in future.
Hit-list checking
This check gathers the IP addresses which are live, i.e. which respond readily; in other
words, it collects a liveness measurement. Highly sophisticated tools are required to perform
this check with high efficiency, and it causes these addresses to be scanned again and again.
So, this module should help in differentiating and tracking ‘live’ addresses from ‘dark’
addresses.
3.1.3. Output:
As soon as the intrusion detection event is triggered, a text file is generated on the server.
That text file holds the information about the hacker/intrusion: the date and time of the detection
event, the login credentials used by the hacker and the IP address of the hacker are also stored in
the Hit-List for future reference.
For a valid client, the desired and selected resource can be downloaded and saved to its
local disk.
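As an added example (not the report's own code), the download-time decision of 3.1.2.3 and the Hit-List text log of 3.1.2.6 and 3.1.3 in Python. The server address 192.168.1.10, the /24 prefix that defines "the server's network address", the timestamp and the two client requests are constructed values, the tab-separated log layout is an assumption, and only the login name (not the password tried) is written to the log.

```python
"""Added example: IP-match check and Hit-List log for the report's server."""
import ipaddress
import os
import tempfile
from datetime import datetime

# Constructed values, not from the report: the server's own address and the
# prefix length that defines "the same network address" for this deployment.
SERVER_IP = "192.168.1.10"
PREFIX_LEN = 24


def same_network(client_ip, server_ip=SERVER_IP, prefix_len=PREFIX_LEN):
    """True only when client_ip parses and lies inside the server's network;
    a malformed address is treated as foreign rather than raising."""
    try:
        network = ipaddress.ip_network(f"{server_ip}/{prefix_len}", strict=False)
        return ipaddress.ip_address(client_ip) in network
    except ValueError:
        return False


class HitList:
    """Append-only text log: one tab-separated line per intrusion event with
    the date, time, client IP and the login name that was tried (assumed layout)."""

    FIELDS = ("date", "time", "ip", "login")

    def __init__(self, path):
        self.path = path

    def record(self, client_ip, login, when=None):
        when = when or datetime.now()
        line = f"{when:%Y-%m-%d}\t{when:%H:%M:%S}\t{client_ip}\t{login}"
        with open(self.path, "a", encoding="utf-8") as fh:
            fh.write(line + "\n")
        return line

    def entries(self):
        if not os.path.exists(self.path):
            return []
        with open(self.path, encoding="utf-8") as fh:
            return [dict(zip(self.FIELDS, ln.rstrip("\n").split("\t")))
                    for ln in fh if ln.strip()]

    def seen(self, client_ip):
        """Hit-List check: has this address already been logged as an intruder?"""
        return any(e["ip"] == client_ip for e in self.entries())


def handle_download(client_ip, login, hit_list, when=None):
    """Server action when a logged-in client asks to download a resource:
    'allowed' for a client on the server's network; otherwise the event
    "Hacker is present" fires and the client's details go to the Hit-List."""
    if same_network(client_ip):
        return "allowed"
    hit_list.record(client_ip, login, when)
    return "hacker"


def run_demo():
    """Replay two constructed download requests against a temporary Hit-List."""
    requests = [("192.168.1.77", "alice"), ("10.0.0.5", "guest")]
    when = datetime(2012, 7, 1, 14, 30, 5)      # fixed so the output is repeatable
    with tempfile.TemporaryDirectory() as tmp:
        hit_list = HitList(os.path.join(tmp, "hitlist.txt"))
        decisions = [handle_download(ip, login, hit_list, when)
                     for ip, login in requests]
        return decisions, hit_list.entries(), hit_list.seen("10.0.0.5")
```

The subnet test is only a coarse allow-list (a source address is not an identity), which is why the login check of 3.1.2.2 still precedes it.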
3.2. Data Encryption / Decryption
Blowfish is a good encryption technique, which uses symmetric block cipher
technology. It replaces each letter of a text with the letter which is k letters behind it.
3.2.1. Encryption
Blowfish is a Feistel network consisting of 16 rounds. The input is a 64-bit data element, x.
Divide x into two 32-bit halves: xL, xR
For i = 1 to 16:
    xL = xL XOR Pi
    xR = F(xL) XOR xR
    Swap xL and xR
Swap xL and xR (Undo the last swap.)
xR = xR XOR P17
xL = xL XOR P18
Recombine xL and xR
Function F (see Figure 2 of [9]):
Divide xL into four eight-bit quarters: a, b, c, and d
F(xL) = ((S1,a + S2,b mod 2^32) XOR S3,c) + S4,d mod 2^32
Referenced from [9]
3.2.2. Decryption
Decryption follows exactly the same procedure as encryption, except that the subkeys P1, P2, ..., P18 are used in reverse order (P18 first, P1 last). This works because Blowfish is a Feistel network: each round's XOR and swap is undone by repeating the round with the same F output.
In this tool, the server first encrypts the entire message (resource) that is to be sent to the user. At the other end, the user decrypts the received message with the secret key k. Blowfish is a symmetric cipher, so the same key k is used on both sides and must be kept secret: only legitimate users are issued the key by the server, and therefore only they can decrypt the encrypted message.
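As an added illustration of sections 3.2.1 and 3.2.2 (example code written for this page, not the project's own implementation), the following Python shows the 16-round Feistel structure, the F function, the key expansion that Blowfish applies to its P-array and S-boxes, and decryption as the same network with the P-array reversed. The initial P-array and S-box constants are an assumption: standard Blowfish takes them from the hexadecimal digits of pi, and here they are derived from SHA-256, so the ciphertexts will not match a real Blowfish library. A CBC wrapper with an 8-byte IV is included because encrypting a file block by block in ECB mode would reveal repeated blocks.

```python
"""Blowfish structure from section 3.2 (added example, not the report's code).

ASSUMPTION: real Blowfish fills the P-array and S-boxes with the hex digits of
pi before key expansion; those 1042 constants are derived from SHA-256 here, so
outputs will NOT match a standard Blowfish library.  The 16-round Feistel
network, F function, key expansion and reversed-P decryption are the real ones.
"""
import hashlib
import struct
MASK32 = 0xFFFFFFFF


def _initial_words(count):  # stand-in for the pi-derived constants (assumption)
    words, counter = [], 0
    while len(words) < count:
        digest = hashlib.sha256(b"blowfish-init-%d" % counter).digest()
        words.extend(struct.unpack(">8I", digest))
        counter += 1
    return words[:count]


class Blowfish:
    def __init__(self, key):
        if not 4 <= len(key) <= 56:
            raise ValueError("Blowfish keys are 32..448 bits (4..56 bytes)")
        words = _initial_words(18 + 4 * 256)
        self.P = words[:18]                       # P1..P18 stored as P[0..17]
        self.S = [words[18 + 256 * i:18 + 256 * (i + 1)] for i in range(4)]
        j = 0                                     # key expansion step 1: XOR key into P
        for i in range(18):
            chunk = 0
            for _ in range(4):
                chunk = (chunk << 8) | key[j % len(key)]
                j += 1
            self.P[i] ^= chunk
        # Step 2: encrypt the all-zero block repeatedly with the evolving
        # subkeys, overwriting P and then every S-box entry with the outputs
        left = right = 0
        for i in range(0, 18, 2):
            left, right = self._encrypt(left, right)
            self.P[i], self.P[i + 1] = left, right
        for box in self.S:
            for i in range(0, 256, 2):
                left, right = self._encrypt(left, right)
                box[i], box[i + 1] = left, right

    def _f(self, x):  # ((S1[a] + S2[b]) XOR S3[c]) + S4[d], additions mod 2^32
        a, b, c, d = x >> 24, (x >> 16) & 0xFF, (x >> 8) & 0xFF, x & 0xFF
        return ((((self.S[0][a] + self.S[1][b]) & MASK32) ^ self.S[2][c])
                + self.S[3][d]) & MASK32

    def _encrypt(self, xl, xr):
        for i in range(16):                       # rounds use P1..P16
            xl ^= self.P[i]
            xr ^= self._f(xl)
            xl, xr = xr, xl
        xl, xr = xr, xl                           # undo the last swap
        xr ^= self.P[16]                          # P17
        xl ^= self.P[17]                          # P18
        return xl, xr

    def _decrypt(self, xl, xr):
        # Same network with the P-array reversed: P18..P3 in the rounds, then P2, P1
        for i in range(17, 1, -1):
            xl ^= self.P[i]
            xr ^= self._f(xl)
            xl, xr = xr, xl
        xl, xr = xr, xl
        xr ^= self.P[1]
        xl ^= self.P[0]
        return xl, xr

    def encrypt_block(self, block):
        return struct.pack(">II", *self._encrypt(*struct.unpack(">II", block)))

    def decrypt_block(self, block):
        return struct.pack(">II", *self._decrypt(*struct.unpack(">II", block)))

    def encrypt_cbc(self, data, iv):
        # CBC + PKCS#7 padding: unlike ECB, equal plaintext blocks do not repeat
        if len(iv) != 8:
            raise ValueError("IV must be one 8-byte block")
        pad = 8 - len(data) % 8
        data = data + bytes([pad]) * pad
        prev, out = iv, bytearray()
        for i in range(0, len(data), 8):
            prev = self.encrypt_block(bytes(p ^ c for p, c in zip(data[i:i + 8], prev)))
            out += prev
        return bytes(out)

    def decrypt_cbc(self, data, iv):
        if not data or len(data) % 8 or len(iv) != 8:
            raise ValueError("ciphertext must be a non-empty multiple of 8 bytes")
        prev, out = iv, bytearray()
        for i in range(0, len(data), 8):
            block = data[i:i + 8]
            out += bytes(p ^ c for p, c in zip(self.decrypt_block(block), prev))
            prev = block
        pad = out[-1]
        if not 1 <= pad <= 8 or out[-pad:] != bytes([pad]) * pad:
            raise ValueError("bad padding: wrong key or corrupted ciphertext")
        return bytes(out[:-pad])
```

Two caveats for using Blowfish the way the tool does. The block is only 64 bits, so one key should not encrypt more than a few gigabytes (the birthday bound on 8-byte blocks), and neither Blowfish nor CBC detects tampering, so a transferred file should also carry a MAC computed under a separate key. The key expansion above also shows why Blowfish is slow to rekey: every new key costs 521 block encryptions before the first byte of data is processed.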
4. TEST SCENARIOS:
4.1. Scenario 1: IP
Figure 8: Interface diagram (main page)
Figure 9: Master is monitoring
Figure 10: Viewing the content in both IP ADDRESS and RESOURCES sections
Figure 11: Entering the IP address as input
The main window of the Master (server) is shown in Figure 8. This is the Master GUI, the server-side application from which the server monitors the clients (peers). The server window has both an IP Addresses section and a Resources section. All the dynamic traffic is stored in the IP Addresses section, and the resources (text files) are stored in the Resources section; both act as input to the proposed system.
Starting the Master so that it monitors all the clients is shown in Figure 9. This tool uses a client-server architecture, in which the first task is to start the server listening. Only once the server is listening can it see a client requesting a connection. Clicking the "Monitor" button starts the server listening to the clients and shows a dialog stating "Master is monitoring"; otherwise no information is displayed.
In the application window, when the "View" button is clicked in the IP Addresses section, all the traffic already in the network is shown; note that the traffic is accepted dynamically by the tool. When the "View" button is clicked in the Resources section, the files registered in the database for sharing among clients appear. This is shown in Figure 10.
The client is prompted for the server's IP address in order to establish a connection with the server, as shown in Figure 11. To access the server's resources, the client has to connect to the server. The server listens for the client's request and retrieves the client's IP address. It then checks, using that IP address, whether the client is on its network; if the client is not on its network, the server does not notify the client that it is invalid but simply waits. This is the first test scenario: the server only listens for the IP and checks it, without reporting the result. This step uses the NIDS strategy.
4.2. Scenario 2: Login
Figure 12: Client credential details for login
Figure 13: No access if user enters invalid login credentials
Figure 12 shows the window that pops up asking the client to enter his/her login credentials. Immediately after the client enters the server's IP address to establish a connection, this window appears for the client to log in, adding a step that increases security. The client has to provide the login details, which already exist in the database on the server side. The database record is checked against the user-entered credentials, and the server allows the client to view and access the resources only if the credentials match.
Figure 13 shows the error message a client receives on entering invalid login credentials. Since the server checks and compares the client's login details against its database, this can be considered another test scenario, where a second level of filtering is performed. At this stage, clients who do not have login credentials but try to access the server's resources are considered invalid and are filtered out.
So this is considered another test scenario; it uses the anomaly detection strategy, in which an access attempt without valid login credentials is treated as suspicious activity. Such anomalies are detected and filtered at this stage.
4.3. Scenario 3: Allowing access to resources
Figure 14: Resource access window for client
Figure 15: Monitoring unauthorized client actions
Figure 14 shows the resource access window that the client opens after it has successfully logged into the system. Its interface lists all of the resources available on the server in the 'Resources Available' section. The client has privileges to access only the files provided by the server. The Download, Decrypt and Save buttons perform their respective operations.
The client first tries to access its desired resource by clicking the 'Download' button. The server watches the client's activity and grants access to the requested resource only if the client's IP address is on the server's network.
A valid client, after getting access to the desired resource, has to enter the key value (issued by the server) and press the 'Decrypt' button to decrypt the file; it can then save the decrypted file to its local disk.
For an invalid client, a message window pops up on the server stating "Hacker is Present", and the intrusion is thereby detected.
Figure 15 shows how the server monitors an unauthorized client. If the user is not authorized to access the resources, an alert dialog box immediately appears at the server regarding the intruder. At the same time, the date and IP address are stored in a log on the server side for IDS purposes.
The log file is generated at the moment the intruder is detected by the server. The log (.txt) file records the date and time of the intrusion detection event, the intruder's IP address, and the login credentials the intruder used to get into the tool and view the server's resources.
This is the major test scenario, where the maximum number of intrusions are detected and filtered. It uses a combination of the HIDS and NIDS approaches to detect intrusions.
4.4. Scenario 4: Decrypting the Resource
Figure 16: Do enter Key
Figure 17: Valid-user-invalid-key
Figure 16 shows the case where no decryption key is entered. After selecting the desired resource to decrypt, if the client does not provide any key, the error message "Enter the Key First" is shown in a pop-up window.
Figure 17 shows the case where a valid user enters an invalid key. If a valid user enters a wrong key, the error message "Enter valid key" is shown.
These two cases illustrate the behavior of the tool with respect to the decryption key. In this tool, the Blowfish algorithm is used to encrypt and decrypt the resource, which adds a level of security to the IDS tool. A client that has not been provided a key cannot access the files and should contact the server's administrator.
At this stage clients who do not have a decryption key are filtered out, so this may be considered another test scenario.
4.5. Scenario 5: Hit-List Checking
Figure 18: Hit-List
Figure 18 shows a window with the message "IP Address entered in Hit-List". After an intruder is detected, its IP address is stored in the Hit-List. This list stores the IP addresses of all intrusions detected by the tool, together with the number of hits from each, for future reference. If any packet later arrives from one of these IP addresses, the server can be cautious about accepting it, since the IP is already in the server's Hit-List database.
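The following Python models the server-side filtering described in scenarios 4.1, 4.2, 4.3 and 4.5 end to end: the IP network check, the credential check against the server's user database, the log line written when a client fails either check, and the Hit-List counter consulted for later packets. It is an added example written for this page, not the project's own code. The network 192.168.1.0/24, the user "alice" and her password are constructed. The example also departs from the tool in two deliberate ways: it stores only a salted PBKDF2 hash of each password rather than the plaintext, and it leaves the attempted password out of the log, since a log that records every password typed against the server is itself a sensitive file.

```python
"""Client validation and Hit-List logging (added example, not the report's code).

Models the checks from scenarios 4.1, 4.2, 4.3 and 4.5: is the client's IP on the
server's network, do the login credentials match the server's user database, and
on any failure write a log line (date, time, IP, login details) and count the IP
in the Hit-List.  ASSUMPTIONS: the 192.168.1.0/24 network and the user table are
constructed; passwords are stored as salted PBKDF2 hashes rather than plaintext,
and the log records the attempted username but never the attempted password.
"""
import hashlib
import hmac
import ipaddress
import os
from datetime import datetime, timezone

SERVER_NETWORK = ipaddress.ip_network("192.168.1.0/24")   # constructed


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"alice": hash_password("correct horse")}   # constructed user database


class Server:
    def __init__(self, network=SERVER_NETWORK, users=USERS):
        self.network = network
        self.users = users
        self._dummy = hash_password("")   # keeps timing equal for unknown users
        self.hit_list = {}                # ip -> number of detections (Hit-List)
        self.log_lines = []               # what the tool writes to its .txt log

    def _record_hit(self, ip, username, cause, now):
        self.hit_list[ip] = self.hit_list.get(ip, 0) + 1
        # Date, time, IP and login details as in the report's log; the password
        # the intruder typed is deliberately left out
        self.log_lines.append(f"{now:%Y-%m-%d} {now:%H:%M:%S} ip={ip} "
                              f"user={username!r} cause={cause} hits={self.hit_list[ip]}")

    def check_client(self, ip_str, username, password, now=None):
        """Return (allowed, reason): network check first (4.1), then login (4.2)."""
        now = now or datetime.now(timezone.utc)
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            self._record_hit(ip_str, username, "malformed-ip", now)
            return False, "malformed-ip"
        if ip not in self.network:
            self._record_hit(str(ip), username, "off-network", now)
            return False, "off-network"
        salt, expected = self.users.get(username, self._dummy)
        _, actual = hash_password(password, salt)
        if username not in self.users or not hmac.compare_digest(actual, expected):
            # One reply for unknown user and wrong password (no user enumeration);
            # the precise cause still goes to the log
            cause = "bad-password" if username in self.users else "unknown-user"
            self._record_hit(str(ip), username, cause, now)
            return False, "bad-credentials"
        return True, "ok"

    def is_blacklisted(self, ip_str):
        """Scenario 4.5: an IP already in the Hit-List deserves extra scrutiny."""
        return ip_str in self.hit_list
```

One caveat the report's design inherits: the source IP of a connection identifies the network a peer is on only as well as the surrounding network prevents spoofing and NAT, so the IP check is best treated as a first filter rather than as authentication, which is what the login step provides.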
OTHER USEFUL SCREEN SHOTS
Figure 23: Selecting the ‘BLOWFISH’ encryption
Figure 23 shows the menu options of the Blowfish tab. Blowfish encryption is used to encrypt the resources. From the Master's window, when the Blowfish menu is selected, it drops down two options: one to encrypt and the other to decrypt a file.
After selecting the Encryption menu item from the Blowfish menu, a window appears containing an "Encrypt" button and an "Ok" button. When "Encrypt" is clicked, a file selection window appears for selecting the file (resource) from the local hard disk on the server side.
Figure 24: Encrypted file
To encrypt a desired file, clicking the Encrypt button opens a new window listing a group of files from which one may be selected for encryption.
A file encrypted with the Blowfish algorithm is shown in Figure 24. After a resource is selected for encryption, the resource with its encrypted content appears in the content area of the Encrypt window. The encryption takes place directly upon selecting the resource; no other option needs to be chosen, since the file selection itself triggers the encryption.
Figure 25: Decrypted Resource
After selecting the Decryption menu item from the Blowfish menu, a new pop-up window for opening a file for decryption is shown. This window has two buttons, "Decrypt" and "Ok", and a text field for entering the key with which to decrypt the resource.
When "Decrypt" is clicked, a file selection window appears showing the resources on the server's local hard disk. The decrypted resource, shown in a new window, appears in Figure 25. After decryption, the content of the resource appears in the Decrypt window, and the application then prompts the user to save the decrypted file to secondary storage.
Figure 26: IDS information
The application has an "IDS" menu that gives information about the text files created when an intrusion is detected. This is shown in Figure 26.
Selecting the "IDS Information" menu item from the "IDS" menu opens an IDS information window consisting of a file selection button and a content area.
Clicking the "Browse" button opens a file selection window, from which the password log file for the relevant date is selected.
Figure 27: Content of the password log file
Figure 27 shows the IDS window displaying the content of a password log file. After the password log file is selected, the content of the log report appears in the content area. The report records the date and time at which the intrusion detection event was triggered, the IP address of the intruder who attempted to access the resources, the password, and the login credentials the intruder used to enter the tool and view the server's resources.
5. CONCLUSION
In this project, a hybrid intrusion detection tool has been developed that detects intrusions from dynamic network traffic and also provides secure file transfer. As cyber crime is increasing rapidly, it is very important to protect networks and systems from attacks and intrusions. The strategy used in this approach is based on both network-based IDS and host-based IDS. The tool detects intrusions in network traffic by making use of the network IP addresses. Secure file transfer is achieved through multiple levels, combining IDS and encryption strategies.
The proposed tool uses a client-server architecture. The server starts listening to the network traffic and stores the observed IP addresses directly. If the client's network address matches the server's network, that client is considered valid. Whenever a malicious or invalid client tries to access server-provided resources, an event is triggered immediately, producing a text file with all of the intrusion's properties (Time, Date, IP address, Login Credentials). The intruder's IP is then stored in a Hit-List for future reference. Finally, all operations are performed through a user-friendly interface.
6. FUTURE WORK
Advanced features and additional levels of security can be added to make the system work more efficiently.
The proposed tool only works in a client-server architecture. Implementing it in a distributed environment would be a worthwhile extension.
The scope of the project can be extended to defend against a broader range of attacks in the work environment by combining the features of a protocol-based IDS (PIDS).
7. BIBLIOGRAPHY
1. http://netsecurity.about.com/cs/hackertools/a/aa030504.htm
2. http://www.webopedia.com/TERM/I/intrusion_detection_system.html
3. http://en.wikipedia.org/wiki/Intrusion_detection_system
4. http://en.wikipedia.org/wiki/Protocol-based_intrusion_detection_system
5. http://technet.microsoft.com/en-us/library/cc959354.aspx
6. https://nsrc.org/workshops/2008/ait-wireless/kemp/network-attacks.pdf
7. http://infohost.nmt.edu/~sfs/Students/HarleyKozushko/Papers/IntrusionDetectionPaper.pdf
8. https://lh4.ggpht.com/RK8CX2YYzbsEuj-uup9lq7hBCbJqI-5sF3sXZ31_WmhQismDIlv288etR46QdtiILlC_=s126
9. http://www.schneier.com/paper-blowfish-oneyear.html
10. J. Molina and M. Cukier, "Evaluating Files to Audit for Detecting Intrusions in FileSystem Data," in Proc. Eighth IEEE International Symposium on Network Computing and Applications (NCA 2009), 2009.
11. A. Cardenas, J. S. Baras, and K. Seamon, "A Framework for the Evaluation of Intrusion Detection Systems," in Proc. 2006 IEEE Symposium on Security and Privacy (S&P'06), pp. 63-77, 2006.
12. Y. Cai, "A Distributed Autonomous Intrusion Detection Framework," in IEEE Globecom Workshops, 2007.
13. R. A. Kemmerer and G. Vigna, "Hi-DRA: Intrusion Detection for Internet Security," Proceedings of the IEEE, 93(10):1848-1857, 2005.
14. J. Korenek and P. Kobiersky, "Intrusion Detection System Intended for Multigigabit Networks," in IEEE Design and Diagnostics of Electronic Circuits and Systems (DDECS '07), 2007.
15. H. Song and J. W. Lockwood, "Efficient packet classification for network intrusion detection using FPGA," in FPGA '05: Proceedings of the 2005 ACM/SIGDA 13th International Symposium on Field-Programmable Gate Arrays, New York, NY, USA: ACM Press, 2005, pp. 238-245.
16. W. Hu and W. Hu, "Network-based intrusion detection using Adaboost algorithm," in Proceedings of the 2005 IEEE/WIC/ACM International Conference on Web Intelligence, 2005.
17. P. Hong, D. Zhang, and T. Wu, "An intrusion detection method based on rough set and SVM algorithm," in Proceedings of the International Conference on Communications, Circuits and Systems, vol. 2, pp. 1127-1130, June 2004.
18. D. Guan, K. Wang, X. Ye, and W. Feng, "A Collaborative Intrusion Detection System Using Log Server and Neural Networks," in Proceedings of the IEEE International Conference on Mechatronics & Automation, Niagara Falls, Canada, July 2005.
19. http://dawn.com/2012/06/27/cyber-attacks-hit-global-banks-for-80-mn-study/
20. http://www.lawfareblog.com/2012/05/significant-cyber-attacks-on-federal-systems-2004-present/