
Page 1

i | Page

Tool for Secure File Transfer and Intrusion Detection in a Network

GRADUATE PROJECT REPORT

Submitted to the Faculty of

The School of Engineering & Computing Sciences

Texas A&M University-Corpus Christi

Corpus Christi, TX

In Partial Fulfillment of the Requirements for the Degree of

Master of Science in Computer Science

By

Nithisha Repaka

Summer 2012

Committee Members

Dr. Mario Garcia _____________________________

Committee Chairperson

Dr. Ajay Katangur ____________________________

Committee Member

Dr. John Fernandez ____________________________

Committee Member


ABSTRACT

Intrusion detection has been a crucial part of combating cyber crime for decades, and the scope and frequency of research in the field have grown rapidly. The motive behind this work is to safeguard sensitive information and protect it from malicious attackers. Most existing strategies in this research field are based on network-based intrusion detection system (NIDS) and host-based intrusion detection system (HIDS) techniques, using either misuse detection or anomaly detection. The common goal of these techniques is a secure way to transmit data from one terminal to another.

In this paper, a hybrid tool is proposed for client-server networks (CSN). The tool is a flexible NIDS that takes network traffic dynamically as input and checks each connecting client for an IP match. If a client's IP address does not belong to the server's network, the client is identified as an attacker and recorded in a Hit-List: a text log file that stores the properties of the attempt (time, date, IP address and login details). For a valid client, file transfer is protected by encryption. The Blowfish algorithm is used to encrypt and decrypt the file, so only a user holding the correct key can decrypt and access it. Combining intrusion detection with encryption in this way raises the level of security both outside and inside the network.


TABLE OF CONTENTS

Abstract ... ii
Table of Contents ... iii
List of Figures ... vi
1. Introduction ... 1
1.1 Intrusion Detection System (IDS) ... 1
1.1.1 Host Based IDS (HIDS) ... 1
1.1.2 Network Based IDS (NIDS) ... 1
1.1.3 Protocol Based IDS (PIDS) ... 2
1.1.4 Application Protocol Based IDS (APIDS) ... 2
1.1.5 Misuse Detection ... 2
1.1.6 Anomaly Detection ... 2
1.2 Why is IDS important? ... 3
2. Background and Rationale ... 5
2.1 A Distributed Autonomous Intrusion Detection Framework ... 5
2.2 Evaluating Files to Audit for Detecting Intrusions in File System Data ... 8
2.3 Intrusion Detection System Intended for Multi-gigabit Networks ... 9
2.4 Network-based Intrusion Detection Using Adaboost Algorithm ... 10
2.5 A Collaborative Intrusion Detection System Using Log Server and Neural Networks ... 11
2.6 Existing System ... 13
2.6.1 Drawbacks ... 13
2.7 Proposed System ... 14
2.7.1 Advantages ... 14
3. Proposed System ... 15
3.1 System Architecture ... 15
3.1.1 Input ... 15
3.1.2 Client Server Architecture ... 16
3.1.2.1 Server: Listens for IP ... 16
3.1.2.2 Client: Connects to Server and Enters Login Credentials ... 16
3.1.2.3 Server: Allows Client to View its Resources ... 16
3.1.2.4 Client: Decrypts Resources ... 16
3.1.2.5 Server: Triggers an Event ("Hacker is present") ... 16
3.1.2.6 Stores Hacker's IP in Hit-List ... 17
3.1.3 Output ... 17
3.2 Data Encryption / Decryption ... 17
3.2.1 Encryption ... 18
3.2.2 Decryption ... 21
4. Test Scenarios ... 20
4.1 Scenario 1: IP ... 20
4.2 Scenario 2: Login ... 23
4.3 Scenario 3: Allow to Access Resources ... 24
4.4 Scenario 4: Decrypting the Resource ... 27
4.5 Scenario 5: Hit-List Checking ... 29
4.7 Other Useful Screenshots ... 30
5. Conclusion ... 35
6. Future Work ... 35
7. Bibliography ... 36

LIST OF FIGURES

Figure 1: Architecture of A2D2 Framework ... 6
Figure 2: mEngine designed for A2D2 ... 7
Figure 3: Architecture of IDS system using COMBO6X card ... 9
Figure 4: Framework of NIDS with Adaboost Algorithm ... 10
Figure 5: System Architecture (Left) and System Extension Architecture (Right) ... 12
Figure 6: Data Sharing between Multiple Domains ... 14
Figure 7: Proposed System Architecture ... 15
Figure 8: Interface diagram (main page) ... 20
Figure 9: Master is monitoring ... 20
Figure 10: Viewing the content in both IP ADDRESS and RESOURCES sections ... 21
Figure 11: Entering the IP address as input ... 21
Figure 12: Client credential details for login ... 23
Figure 13: No access if user enters invalid login credentials ... 23
Figure 14: Resource access window for client ... 25
Figure 15: Monitoring unauthorized client actions ... 25
Figure 16: Do enter Key ... 27
Figure 17: Valid-user-invalid-key ... 27
Figure 18: Hit-List ... 29
Figure 23: Selecting the 'BLOWFISH' encryption ... 30
Figure 24: Encrypted file ... 31
Figure 25: Decrypted Resource ... 32
Figure 26: IDS information ... 33
Figure 27: Content of the password log file ... 34


1. INTRODUCTION

1.1. Intrusion Detection System (IDS)

An intrusion detection system (IDS) is a tool or application that detects attacks launched against a system or network, typically by a user outside the network, in order to compromise or break it. It does this by tracking suspicious patterns and activities in both the incoming and the outgoing traffic of the network. An IDS generally records the details of the events it examines and later generates reports that are sent to a management station for further action; once the details of a malicious user have been obtained from the records, actions such as blocking that user can be taken. Note that an IDS also monitors suspicious users inside the network, not only outside it.

IDSs can be classified along two axes:

1st class: HIDS, NIDS and PIDS

1.1.1. Host-Based IDS (HIDS):

A host-based IDS (HIDS) runs on an individual host in the network. It observes the events related to suspicious activity on that host, such as a change in a file's content or the replacement of a file by another [1]. The monitoring relies on audit data recorded by the kernel and in the log files of the host on which the IDS runs. The advantage of this approach is that complete and detailed file information is available for later reference.

1.1.2. Network-Based IDS (NIDS):

A network-based IDS (NIDS) is, as its name says, classified by what it monitors: network traffic, which it examines to validate IP addresses and the transmission of packet information. Detection is based on inspecting packet attributes [2]. The traffic is collected from network hardware such as switches and routers. The packet information recorded this way is less comprehensive than host audit data, but the advantage of the approach is that a NIDS can feasibly be deployed in a distributed environment, whereas a HIDS would have to be installed on each and every host.

1.1.3. Protocol-Based IDS (PIDS):

A protocol-based IDS (PIDS) checks the dynamic behaviour of a protocol. It is typically installed at the front end of a server, for example a web server, where an agent system listens to the protocol exchanged between the server and the connected devices, analyses its dynamic behaviour and protects the system from attacks [3].

1.1.4. Application Protocol-Based IDS (APIDS)

An application protocol-based IDS (APIDS) is a special case in which only one particular application-layer protocol used by the system is observed.

2nd class: Misuse and Anomaly Detection

1.1.5. Misuse Detection / Signature Detection:

Here the detection of threats is based entirely on signatures and rules. New traffic is compared against a large database of signatures of already known threats to check whether it matches one of them [4]. This is similar to the way malware-detecting anti-virus software works. The technique is heavily used and delivers reliable results, but only when the attack is a known one rather than a novel one. Comparing every new event against the database can also introduce time lag.

1.1.6. Anomaly Detection:

Every system has its own normal behaviour, and a system administrator should maintain this information for all systems in the network [5]. Any behaviour that departs from the normal profile indicates that something is going wrong on the network, and this is the principle followed by this class of detection. Anomalies may take the form of a high traffic load, a breakdown, a protocol mismatch or a change in the standard packet size. The network traffic is constantly compared with the baseline behaviour of the system to find such anomalies.
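The two detection classes just described can be put side by side on the same input. The following Python program is an added example written for this page, not code from the project report: it runs a small signature set (misuse detection) and a learned byte-count baseline (anomaly detection) over a handful of constructed connection records. The records, the signatures and the three-standard-deviation threshold are all assumptions chosen for the illustration.

```python
import re
import statistics

# Constructed connection records for the example (not captures from the report).
# The first three are ordinary web requests and serve as the "normal" baseline.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5",   "bytes": 1200,   "payload": "GET /index.html HTTP/1.1"},
    {"src": "10.0.0.6",   "bytes": 1350,   "payload": "GET /about HTTP/1.1"},
    {"src": "10.0.0.7",   "bytes": 1100,   "payload": "POST /login HTTP/1.1"},
    {"src": "192.0.2.9",  "bytes": 1250,   "payload": "GET /../../etc/passwd HTTP/1.1"},
    {"src": "192.0.2.10", "bytes": 910000, "payload": "GET /download HTTP/1.1"},
    {"src": "192.0.2.11", "bytes": 1180,   "payload": "GET /admin?cmd=id HTTP/1.1"},
]

# Misuse detection: signatures of already known attack patterns (assumed set).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE),
}

def misuse_detect(record):
    """Return the names of all signatures that match the record's payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(record["payload"])]

class AnomalyDetector:
    """Anomaly detection: learn the normal byte count, flag records far from it."""
    def __init__(self, threshold=3.0):
        self.threshold = threshold   # distance from the mean, in standard deviations
        self.mean = 0.0
        self.stdev = 1.0

    def train(self, baseline):
        sizes = [r["bytes"] for r in baseline]
        self.mean = statistics.mean(sizes)
        self.stdev = statistics.pstdev(sizes) or 1.0   # guard against a constant baseline

    def score(self, record):
        return abs(record["bytes"] - self.mean) / self.stdev

    def is_anomalous(self, record):
        return self.score(record) > self.threshold

def analyze(records, baseline):
    """Run both detectors and return one alert per record that either one flags."""
    detector = AnomalyDetector()
    detector.train(baseline)
    alerts = []
    for r in records:
        sigs = misuse_detect(r)
        anomalous = detector.is_anomalous(r)
        if sigs or anomalous:
            alerts.append({"src": r["src"], "signatures": sigs, "anomalous": anomalous})
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_RECORDS, SAMPLE_RECORDS[:3]):
        print(alert)
```

Run against the constructed records, the path-traversal request is caught only by the signature (its size is normal), the 910,000-byte transfer is caught only by the baseline (its request line is harmless), and the last record, a command-injection attempt with no signature and a normal size, is caught by neither. That last case is exactly the gap the section describes: misuse detection misses novel attacks, and anomaly detection only sees what it has been given a baseline for.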

Any IDS is generally related to a few questions like [6]:

- Which type of firewall is needed (hardware or software)?
- Will cookies compromise the security level?
- How should a system avoid being spammed?
- How can a wireless network be secured?
- What are the different types of security challenges for cloud computing?

1.2. Why is IDS important?

Now that IDSs and their classifications have been described, an obvious question arises: why is intrusion detection important? Its importance is illustrated here with some examples.

Intrusion detection is important for managing the security level of every system in a network. Detection is generally the first step by which a weakness in a system can be found and removed: detecting the intrusion, and then following a procedure to remove it, is the basic process in any system designed to maintain security.

Cyber crime has become more prevalent than ever, and every day it becomes more challenging to avoid and to defend against. Protecting networks from intrusions and malware has become a critical effort for network management professionals.

Attacks come in many forms, passive and active: data-driven attacks such as Trojans, trapdoors and viruses; denial of service; password-based attacks; data modification; identity spoofing; eavesdropping; man-in-the-middle attacks; compromised-key attacks; sniffer attacks; application-layer attacks; and botnet attacks [7]. These can lead to the modification, interception, interruption, destruction and fabrication of the confidential information stored in a system. Each attack has its own characteristics, but the common goal is to compromise a system in the network, use it as a host and cause further damage.

To remove such malware, the specific attack first has to be detected, and that is what an intrusion detection system is for.

A wave of cyber attacks has likely stolen at least $80 million from bank accounts in Europe, the United States and elsewhere, a security report said Tuesday [19].

USDA headquarters, Washington DC, June 2006: the Department of Agriculture suffered a cyber attack in which the names, social security numbers and photographs of 26,000 employees were stolen [20].


2. BACKGROUND AND RATIONALE

The organisation's financial situation, the time available and the strength of the team should be known properly before a tool development effort is assessed. Once these factors have been assessed, the tools needed, the operating system and the programming language are chosen for the development. Support from outside sources is very important once the tool is in its development phase; such sources include senior program analysts, websites, books and magazines. Any system in its building stage has to respect all of the above constraints, and the proposed system must include the properties described in the following sections.

2.1. A Distributed Autonomous Intrusion Detection Framework

This approach concentrates on intrusion detection in a distributed environment. The paper proposes a flexible and novel intrusion detection framework built from intrusion detection Autonomous Agents that are Dynamically Distributed (A2D2) in the network. These agents can download and install policies, signatures and files dynamically from a core server, based on the attributes of the attack and the current requirements. A key management system is implemented to allow a flexible response and secure communication between the agents in the distributed network. The work also designs a domain-independent event analysis engine and an object-oriented language to enable data fusion in the environment.

These independently running Autonomous Agents (AAs) make their own decisions, which increases the adaptability of the environment while also improving manageability and controllability in the distributed network. The key features of A2D2 are:


- A2D2 is the backbone of the system, designed to provide a flexible and novel intrusion detection framework using AAs. The AAs become active or hibernate according to the needs of the network.
- A2D2 has a modular structure to support an open framework. Because the AAs download and install what they need dynamically and independently, the burden of manual maintenance and management is alleviated.
- A2D2 has a well-defined hierarchical structure that enables scalability through multiple layers of data-fusion AAs. The key management system is an option for secured communication between AAs.

Figure 1: Architecture of A2D2 Framework [10]


Figure 1 shows the architecture of A2D2 for a distributed network that is divided into three autonomous zones based on subnets [11]. Six kinds of AAs and three central servers appear in the figure:

- Active Intrusion Detection AAs
- Hibernative Intrusion Detection AAs
- Mobile Intrusion Detection AAs
- Auxiliary Intrusion Detection AAs
- Control Intrusion Detection AAs
- Data Fusion Intrusion Detection AAs
- Central Data Fusion Server
- Central Control Server
- Central Update Server

Figure 2: mEngine designed for A2D2


Figure 2 shows the design of mEngine, which is built from A2D2 agents for detecting intrusions. In mEngine, intrusions are detected with the help of the AAs in four steps, as illustrated in the figure:

Data Processing --> Information Analysis --> Knowledge Analysis --> Assessment

These are the main steps an AA follows to detect intrusions in mEngine.

2.2. Evaluating Files to Audit for Detecting Intrusions in File System Data

In this approach intrusions are detected by observing the file data on a system. If a system is attacked there is a definite change in its file system data: files may be modified, deleted entirely, or created without proper permissions by a malicious entity. Auditing the quantitative file system data of an attacked system is therefore a good way to detect an intrusion [12]. Not every file's data provides information about attack activity, however, so the files that can reveal malicious activity must be selected carefully for this to work.

The paper mainly discusses three types of attack: reconnaissance, modifying passwords and downloading malware. For each type, data from the affected files is recorded and compared with data from a compromised system in order to detect the intrusion. By concentrating on the activity of each file of the attacked system, the collected data gives a probabilistic study of the evidence left by these three types of attack. Metrics are then used to rank the files for auditing.

Since this approach concentrates on the file system of a target host, it is an example of a host-based intrusion detection system (HIDS).
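The simplest form of the file-system audit described above is a baseline-and-compare check over a chosen set of files. The Python program below is an added example written for this page, not the cited paper's method or the project's code: it records a SHA-256 digest and size for each watched path, then re-audits after two of the three attack types (a password change and a malware download) have been simulated in a temporary directory. The watched paths and the file contents are constructed for the illustration.

```python
import hashlib
import os
import tempfile

# Assumed selection of files to audit (not the paper's list): credential files catch
# password modification, a writable directory catches downloaded malware.
WATCHED = ["etc/passwd", "etc/shadow", "tmp"]

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root, watched=WATCHED):
    """Record (sha256, size) for every regular file under the watched paths."""
    state = {}
    for rel in watched:
        full = os.path.join(root, rel)
        if os.path.isfile(full):
            state[rel] = (sha256_of(full), os.path.getsize(full))
        elif os.path.isdir(full):
            for dirpath, _, files in os.walk(full):
                for name in files:
                    p = os.path.join(dirpath, name)
                    key = os.path.relpath(p, root).replace(os.sep, "/")
                    state[key] = (sha256_of(p), os.path.getsize(p))
    return state

def audit(baseline, current):
    """Classify each watched file as created, deleted or modified since the baseline."""
    return {
        "created": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }

def write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)

def demo():
    """Constructed scenario: take a baseline, simulate two attacks, re-audit."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "tmp"))
        write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        write(root, "etc/shadow", "root:$6$salt$oldhash:15000:0:99999:7:::\n")
        baseline = snapshot(root)
        # attack 1: root's password hash is replaced
        write(root, "etc/shadow", "root:$6$salt$NEWhash:15000:0:99999:7:::\n")
        # attack 2: a payload is downloaded into a hidden directory
        write(root, "tmp/.x/payload.bin", "MZ placeholder bytes")
        return audit(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The audit reports etc/shadow as modified and tmp/.x/payload.bin as created. The third attack type in the paper, reconnaissance, leaves content untouched and so produces nothing here; catching reads requires access-time or kernel audit records, which is the point made in the section about choosing the right data to audit. The baseline itself must be kept where an intruder cannot rewrite it, a concern section 2.5 returns to.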


2.3. Intrusion Detection System Intended for Multi-gigabit Networks

This paper contributes the idea of using a hardware-based IDS instead of a software-based one to keep up with multi-gigabit network links, and it is an example of a network-based IDS (NIDS). The approach relies on a Field Programmable Gate Array (FPGA), which speeds up packet classification and pattern matching.

Snort is an open-source NIDS with a rule-driven language and a database of signatures and rules for already known viruses and bugs, along with various anomaly- and protocol-based methods. When running Snort, 80% or more of the CPU time is spent on string matching, which is what makes hardware acceleration attractive.

In this methodology, network traffic is pre-filtered by combining a hardware acceleration card with the FPGA [14]. Packets that show no suspicious traffic after comparison with the defined IDS rules are passed through the hardware card to the host system. The performance gain of the system grows as more of the traffic filtering is done by the card. For efficiency, prefix-sharing and pattern-truncating techniques are also built into the hardware.

Figure 3: Architecture of IDS system using COMBO6X card [13]


Figure 3 shows the architecture of the IDS with the COMBO6X hardware card, which achieves a throughput of 6.4 Gbps. A classification unit and a pattern match unit are included in the architecture.

2.4. Network-based intrusion detection using Adaboost algorithm

This is another NIDS framework, this time based on algorithmic analysis. The AdaBoost algorithm, a popular machine learning algorithm, is used to detect intrusions in the network [16]. Its complexity is low compared with other algorithms previously implemented for NIDS.

Figure 4: Framework of NIDS with Adaboost Algorithm [15]

Figure 4 describes the NIDS architecture, which has four sections, each discussed briefly here:

Feature Extraction: Three kinds of characteristics are used in the detection of intrusions:
- general features of TCP connections;
- content features within a connection, recommended by domain knowledge;
- traffic features and their characteristics.

Data labeling: The training data set is labeled before the algorithm is applied to network traffic: +1 represents normal samples and -1 represents attack samples. The algorithm follows neither misuse detection nor anomaly detection but a novel approach.

Weak classifier design: A group of weak classifiers built in the early stages is essential for the algorithm. Classifiers with low accuracy are called weak (or basic) classifiers.

Strong classifier construction: The algorithm generates a strong classifier from the group of weak classifiers according to its combination rules.

The whole idea of the algorithm is to strengthen the classification by selecting and combining weak classifiers.
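To make the four sections concrete, the following Python program is an added example written for this page, not the cited paper's implementation: it trains AdaBoost from scratch on a constructed, labeled connection set (+1 normal, -1 attack, as above), using one-feature decision stumps as the weak classifiers and building the strong classifier as their weighted vote. The four feature columns are an assumed simplification of the TCP, content and traffic features, and the sample values are invented for the illustration.

```python
import math

# Constructed training set (not from the paper): (features, label), +1 = normal, -1 = attack.
# Assumed feature columns: [duration s, failed logins, bytes from source, distinct dst ports].
TRAIN = [
    ([12.0, 0, 2300, 1], +1),
    ([8.0, 0, 1800, 1], +1),
    ([30.0, 1, 5400, 1], +1),
    ([3.0, 0, 900, 2], +1),
    ([0.5, 6, 120, 1], -1),      # password guessing
    ([0.1, 0, 40, 25], -1),      # port scan
    ([0.2, 0, 60, 40], -1),      # port scan
    ([15.0, 5, 300, 1], -1),     # slow password guessing
    ([20.0, 0, 900000, 1], -1),  # bulk exfiltration: looks normal except for its size
]

def stump_predict(stump, x):
    """Weak classifier: a decision stump on one feature. Returns +1 or -1."""
    feature, threshold, polarity = stump
    return polarity if x[feature] <= threshold else -polarity

def best_stump(data, weights):
    """Search every (feature, threshold, polarity) stump for the lowest weighted error."""
    best, best_err = None, None
    for f in range(len(data[0][0])):
        values = sorted({x[f] for x, _ in data})
        thresholds = [(values[i] + values[i + 1]) / 2 for i in range(len(values) - 1)]
        for t in thresholds:
            for polarity in (+1, -1):
                stump = (f, t, polarity)
                err = sum(w for (x, y), w in zip(data, weights)
                          if stump_predict(stump, x) != y)
                if best_err is None or err < best_err:
                    best, best_err = stump, err
    return best, best_err

def adaboost(data, rounds=3):
    """Strong classifier: weighted vote of stumps, re-weighting the samples each round."""
    n = len(data)
    weights = [1.0 / n] * n
    ensemble = []
    for _ in range(rounds):
        stump, err = best_stump(data, weights)
        if err >= 0.5:            # no better than chance: boosting cannot continue
            break
        err = max(err, 1e-10)     # avoid log(0) for a perfect stump
        alpha = 0.5 * math.log((1 - err) / err)
        ensemble.append((alpha, stump))
        # misclassified samples gain weight, so the next stump concentrates on them
        weights = [w * math.exp(-alpha * y * stump_predict(stump, x))
                   for (x, y), w in zip(data, weights)]
        total = sum(weights)
        weights = [w / total for w in weights]
    return ensemble

def predict(ensemble, x):
    score = sum(alpha * stump_predict(stump, x) for alpha, stump in ensemble)
    return +1 if score >= 0 else -1

def training_accuracy(ensemble, data):
    return sum(predict(ensemble, x) == y for x, y in data) / len(data)

if __name__ == "__main__":
    model = adaboost(TRAIN)
    for alpha, stump in model:
        print("weight %.3f stump %s" % (alpha, stump))
    print("training accuracy:", training_accuracy(model, TRAIN))
```

On this data the first stump chosen is "bytes from source <= 600 means attack", which is right for everything except the exfiltration sample; that sample's weight then rises to half the total, so the second round picks a duration stump that corrects it, and after three rounds the weighted vote classifies the whole training set correctly although no single stump could. Real deployments train on far larger labeled captures, and the labels have to be trusted: an attacker who can influence what is labeled +1 during training shapes the detector.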

2.5. A Collaborative Intrusion Detection System Using Log Server and Neural Networks

This is another new approach, in which a Remote Log Server (RLS) technique with a KIT-1 implementation is proposed. The RLS mechanism is mainly used to keep a backup of log files on the server, and neural networks are also used in this IDS approach.

The motivation for the RLS technique is to prevent an intruder who compromises a monitored system from altering the log files on it, as is possible when the IDS is installed locally on that system. There is a channel between client and server, and if that channel is itself intruded upon, the stored backup files are worthless, since they would only yield wrong and false information [18].

The SSL capability of Java is included in the framework to encrypt the channel between client and server.

Figure 5: System Architecture (Left) and System Extension Architecture (Right) [17]

The system architecture shown in Figure 5 has two modules:

Transfer Module: transfers the client's log files to the server periodically, at specific intervals.

Neural Networks (NN) Module: analyses the log file data received from the clients. If any suspicious activity is sensed, this module informs the administrator so that the issue can be handled.

Enterprise Security Management (ESM) is the extended system architecture.


2.6. Existing System

Classical techniques provide good defensive structures for protecting important resources from attack. They include firewalls, various encryption techniques, steganography methods and so on.

- These defensive mechanisms are very effective tools, but they mostly work well only against already known attacks.
- There is also no complete hybrid architecture for file sharing.
- Moreover, all of these systems can only execute on a single system.

2.6.1. Drawbacks

- It is costly to implement AAs on every host in a distributed network.
- File audit data can itself be altered by an attacker using hacking techniques.
- A software implementation is always more feasible than a hardware implementation.
- Applying algorithms is a very classic method and may not be so effective.

2.7. Proposed System

- The proposed system records the IP addresses of hackers and can identify which file they try to access and which password and key they use in trying to access it.
- The system is based on both HIDS and NIDS, widening the scope of the IDS.
- It also combines the features of an IDS with encryption to increase the level of protection.
- It can run on more than one system without modification, and on a single system as well.


Figure 6: Data Sharing between Multiple Domains [8]

Figure 6 shows data sharing between three different domains, A, B and C, with key-based security.

2.7.1. Advantages

The IP check is performed using the NIDS strategy.

The client is not rejected immediately after the IP check; it is allowed to continue until it attempts a file download.

A text file is generated when an invalid user tries to access the server's resources.

The server encrypts its resources, so a client that fails to enter the decryption key cannot complete the task.

To view the server's resources, a client has to log in; failing to enter valid credentials denies the user access.


3. PROPOSED SYSTEM

3.1. SYSTEM ARCHITECTURE

Figure 7: Proposed System Architecture

Figure 7 describes the proposed architecture of the novel tool for intrusion detection.

3.1.1. Input:

Dynamic network traffic is given as input to the proposed system. The server analyzes this traffic as soon as a client establishes a connection with it. The resources to be shared between clients are added manually by the administrator. The traffic is taken in the form of IP addresses: the server obtains the client's IP address as soon as the client requests a connection.

3.1.2. Client Server Architecture:

3.1.2.1. Server: Listens for IP

The server listens for and records the IP address of each client as soon as the client establishes a connection with it. At this stage the server stores all of the clients' IP addresses.

3.1.2.2. Client: Connects to Server and Enters Login Credentials

After the client requests a connection with the server, it is prompted to enter its login credentials. If the credentials match those present in the server's database, it is treated as a valid client. If they do not match, the client is considered invalid and is discarded.

3.1.2.3. Server: Allows Client to View its Resources

Only after the server has approved the login credentials is the client allowed to view the resources that the server offers for sharing. The client can download a resource by selecting it. At this point, when the client tries to download a resource, the server determines whether the client is valid or an intrusion attempt by checking the client's IP address. For a client to belong to the server's network, the network portion of its IP address must match the server's.

3.1.2.4. Client: Decrypts Resources

In the case of a valid client, the client is allowed to download the file but can only read it after entering the correct key to decrypt it. After decryption, the client can save the resource to its local disk.

3.1.2.5. Server: Triggers an Event ("Hacker is present")

In the case of an invalid client or intrusion, an event is triggered with the message "Hacker is present". On this event, a text file with the intrusion's properties is generated as output.

3.1.2.6. Stores Hacker's IP in Hit-List

The hacker's IP address is entered into the Hit-List, which may be useful in the future.

Hit-list checking

This check gathers the IP addresses that are live, i.e. that respond readily, so it amounts to a liveness measurement. Performing it with good efficiency requires fairly sophisticated tools, and it causes the collected addresses to be scanned again and again. This module should therefore help to distinguish and track 'live' addresses from 'dark' addresses.

3.1.3. Output:

As soon as the intrusion detection event is triggered, a text file is generated on the server. That text file holds the information about the hacker/intrusion. The date and time of the detection event, the login credentials used by the hacker and the hacker's IP address are also stored in the Hit-list for future reference.

For a valid client, the selected resource can be downloaded and saved to its local disk.
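The server-side flow of 3.1.2.1 to 3.1.2.6 and the text file of 3.1.3, as an added example in Python; this is not code from the report's tool. The network (192.168.1.0/24), the credential store, the sample addresses and the tab-separated log line format are assumptions made for the example, since the report does not state how credentials are stored or how the text file is laid out. The IP test is the same-network-address check the report describes, done with the standard ipaddress module rather than by comparing address strings, so it also works for prefixes that do not fall on an octet boundary.

```python
import hashlib
import hmac
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Assumption for the example: the server sits on this network; a client whose
# address falls inside it has "the same network address" as the server.
SERVER_NETWORK = ipaddress.ip_network("192.168.1.0/24")

# Assumed credential store (constructed sample data): username -> SHA-256 of the password.
USER_DB = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def same_network(client_ip, network=SERVER_NETWORK):
    """NIDS-style check (3.1.2.3): is the client's address inside the server's network?"""
    return ipaddress.ip_address(client_ip) in network


def credentials_valid(user, password, db=USER_DB):
    """HIDS-style check (3.1.2.2) against the server's credential database.
    compare_digest keeps the comparison time independent of where the digests differ."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(db.get(user, ""), digest)


def intrusion_record(client_ip, user, password, when=None):
    """One tab-separated line of the IDS text file (3.1.3): time, IP and the
    credentials the intruder used, which is what the report says the file holds."""
    when = when or datetime.now(timezone.utc)
    return f"{when.isoformat()}\tip={client_ip}\tuser={user}\tpassword={password}"


def handle_download(client_ip, user, password, log, hit_list):
    """Server decision for a client that connected from client_ip, logged in with
    user/password and then requested a download. Appends to log (a list of lines)
    and hit_list (a dict ip -> count) and returns the outcome."""
    if not credentials_valid(user, password):
        return "login-denied"            # Scenario 2: filtered at login, never sees the resources
    if not same_network(client_ip):      # Scenario 3: the IP is judged only at download time
        log.append(intrusion_record(client_ip, user, password))
        hit_list[client_ip] = hit_list.get(client_ip, 0) + 1   # Scenario 5: Hit-List count
        return "hacker-present"
    return "download-allowed"


def parse_log(lines):
    """Read the IDS text file back (Figure 27): one dict per intrusion event."""
    events = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        when, *fields = line.split("\t")
        event = dict(f.split("=", 1) for f in fields)
        event["time"] = when
        events.append(event)
    return events


def hits_per_ip(lines):
    """Rebuild the Hit-List counts from the log file."""
    return Counter(event["ip"] for event in parse_log(lines))


if __name__ == "__main__":
    log, hits = [], {}
    for ip, user, pw in [("192.168.1.77", "alice", "correct horse"),   # valid client
                         ("192.168.1.77", "alice", "wrong"),           # bad password
                         ("10.0.0.5", "alice", "correct horse")]:      # valid login, foreign network
        print(ip, user, "->", handle_download(ip, user, pw, log, hits))
    print(hits_per_ip(log))
```

The same-network test only inspects the source address the server observes, so any host on the server's own subnet passes it; that is why the report pairs it with the login check and the decryption key rather than relying on it alone.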

3.2. Data Encryption / Decryption

Blowfish is a symmetric block cipher: it encrypts 64-bit blocks under a variable-length key of 32 to 448 bits, using the 16-round Feistel network described below. The key is expanded into the P-array (18 subkeys of 32 bits each) and four S-boxes of 256 32-bit entries each.


3.2.1. Encryption

Blowfish is a Feistel network consisting of 16 rounds. The input is a 64-bit data element, x.

    Divide x into two 32-bit halves: xL, xR
    For i = 1 to 16:
        xL = xL XOR P_i
        xR = F(xL) XOR xR
        Swap xL and xR
    Swap xL and xR (undo the last swap)
    xR = xR XOR P_17
    xL = xL XOR P_18
    Recombine xL and xR

Function F (see Figure 2):

    Divide xL into four eight-bit quarters: a, b, c and d
    F(xL) = ((S_1[a] + S_2[b] mod 2^32) XOR S_3[c]) + S_4[d] mod 2^32

Referenced from [9].

3.2.2. Decryption

Decryption follows the same procedure as encryption, but with the subkeys applied in reverse order: P_1, P_2, ..., P_18 are used as P_18, P_17, ..., P_1.

Here, the algorithm first encrypts the entire message that is to be sent to the user. At the other end, the user needs to decrypt the received message, which is done with the secret key k shared with the server. The important point is that only legitimate users possess this key. Therefore, decryption can only be performed by users who are entitled to the message, since they are the only ones who know the key k that decrypts it.
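The 16-round network of 3.2.1 and the reversed-P-array decryption of 3.2.2, as an added example in Python that is not code from the report or from any Blowfish library. Real Blowfish initialises P and the four S-boxes from the hexadecimal digits of pi and then runs a key schedule over them; to stay short and self-contained, this example derives the tables from a SHA-256 stream seeded with the key, so it reproduces the Feistel network and the F function exactly but is not interoperable with real Blowfish. The CBC mode and PKCS#7 padding used to encrypt a whole resource are also this example's choice; the report does not say which mode the tool uses.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF
BLOCK = 8  # Blowfish works on 64-bit blocks


def derive_subkeys(key):
    """Stand-in for Blowfish's pi-based initialisation plus key schedule (assumption):
    fills P[0..17] and four 256-entry S-boxes with 32-bit words from SHA-256(key || counter)."""
    words, counter = [], 0
    while len(words) < 18 + 4 * 256:
        digest = hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        words.extend(struct.unpack(">8I", digest))
        counter += 1
    P = words[:18]
    S = [words[18 + i * 256: 18 + (i + 1) * 256] for i in range(4)]
    return P, S


def F(S, xL):
    """Round function from 3.2.1: split xL into bytes a, b, c, d and combine the
    S-box lookups as ((S1[a] + S2[b]) XOR S3[c]) + S4[d], additions mod 2^32."""
    a, b, c, d = xL >> 24, (xL >> 16) & 0xFF, (xL >> 8) & 0xFF, xL & 0xFF
    return ((((S[0][a] + S[1][b]) & MASK32) ^ S[2][c]) + S[3][d]) & MASK32


def feistel(P, S, block):
    """The 16-round network of 3.2.1 on one 8-byte block, using P in the order given."""
    xL, xR = struct.unpack(">II", block)
    for i in range(16):
        xL ^= P[i]
        xR ^= F(S, xL)
        xL, xR = xR, xL
    xL, xR = xR, xL          # undo the last swap
    xR ^= P[16]
    xL ^= P[17]
    return struct.pack(">II", xL, xR)


def encrypt_block(P, S, block):
    return feistel(P, S, block)


def decrypt_block(P, S, block):
    """3.2.2: decryption is the same network with P1..P18 applied in reverse order."""
    return feistel(P[::-1], S, block)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_cbc(P, S, iv, data):
    """Whole-resource encryption: CBC chaining with PKCS#7 padding to a multiple of 8 bytes."""
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(P, S, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def decrypt_cbc(P, S, iv, data):
    """Inverse of encrypt_cbc; a wrong key normally surfaces as invalid padding."""
    if not data or len(data) % BLOCK:
        raise ValueError("ciphertext is not a multiple of the block size")
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        out.append(_xor(decrypt_block(P, S, data[i:i + BLOCK]), prev))
        prev = data[i:i + BLOCK]
    plain = b"".join(out)
    pad = plain[-1]
    if not 1 <= pad <= BLOCK or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("invalid padding: wrong key or corrupted data")
    return plain[:-pad]


if __name__ == "__main__":
    P, S = derive_subkeys(b"server-issued key")
    iv = bytes(range(8))                       # constructed IV; use a fresh random IV per file
    ct = encrypt_cbc(P, S, iv, b"resource text shared by the server")
    print(ct.hex())
    print(decrypt_cbc(P, S, iv, ct))
```

The wrong-key case of Scenario 4 shows up here as a padding error in most, but not all, attempts; padding is not an integrity check, so a tool that must reliably distinguish a wrong key from a valid one should verify a MAC over the ciphertext instead of relying on padding.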

Page 27: Tool for Secure File Transfer and Intrusion Detection in a ... · PDF fileTool for Secure File Transfer and Intrusion Detection in a Network GRADUATE PROJECT REPORT ... How can a wireless

20 | P a g e

4. TEST SCENARIOS:

4.1. Scenario 1: IP

Figure 8: Interface diagram (main page)

Figure 9: Master is monitoring


Figure 10: Viewing the content in both IP ADDRESS and RESOURCES sections

Figure 11: Entering the IP address as input


The main window of the Master/Server is shown in Figure 8. This is the Master GUI; it contains the server-side application from which the server monitors the clients (peers). The server window has both an IP Addresses section and a Resources section. All of the dynamic traffic is stored in the IP Addresses section, and the resources (text files) are stored in the Resources section; together these act as the input to the proposed system.

Starting the Master to monitor all of the clients is shown in Figure 9. The tool uses a client-server architecture, so the first task is to start the server listening. Only after the server starts listening can it see any client asking to establish a connection. Clicking the "Monitor" button starts the server listening for clients and opens a dialog stating "Master is monitoring"; otherwise no indication is given.

When the "View" button in the IP Addresses section is clicked, all of the traffic already in the network is displayed. Note that the traffic is accepted dynamically by the tool. When the "View" button in the Resources section is clicked, the files registered in the database for sharing among clients appear. This is shown in Figure 10.

The client asks for the server's IP address in order to establish a connection with the server, as shown in Figure 11. To access the server's resources, the client has to connect to the server. The server receives the client's request and retrieves the client's IP address. It checks whether the client is on its network using that IP, and if the client is not on its network the server does not yet report that the client is invalid, but waits. So in this first test scenario the server just records the IP and checks it, without reporting the result. This step uses the NIDS strategy.


4.2. Scenario 2: Login

Figure 12: Client credential details for login

Figure 13: No access if user enters invalid login credentials


Figure 12 shows the window that pops up asking the client to enter his or her login credentials. Immediately after the client enters the server's IP address to establish a connection, this window appears for the client to log in, adding a step that increases security. The client has to provide the login details, which already exist on the server side at the database level. The database record is checked against the user-entered credentials, and the server allows the client to view and access the resources only if the credentials match.

Figure 13 shows the error message a client receives on entering invalid login credentials. Since the server checks and compares the client's login details against its database, this can be considered a second test scenario, in which filtering at the login level is performed. At this stage, clients without valid login credentials who try to access the server's resources are considered invalid and are filtered out.

This scenario uses the anomaly detection strategy: the suspicious activity observed is an attempt to proceed without valid login credentials. Anomalies of this type are detected and filtered at this stage.


4.3. Scenario 3: Allowing access to resources

Figure 14: Resource access window for client

Figure 15: Monitoring unauthorized client actions


Figure 14 shows the resource access window that the client opens after it has successfully logged into the system. Its interface lists all of the resources available on the server in the 'Resources Available' section. The client is permitted to access only the files provided by the server. The Download, Decrypt and Save buttons perform their respective operations.

The client first tries to access its desired resource by clicking the 'Download' button. The server watches the client's activity and grants access to the requested resource only if the client's IP address belongs to the server's network.

A valid client, after getting access to the desired resource, has to enter the key value (which has been issued by the server) and press the 'Decrypt' button to decrypt the file; it can then save the file to its local disk.

For an invalid client, a message window pops up stating "Hacker is Present", and the intrusion is thereby detected.

Figure 15 shows how the server monitors an unauthorized client. If the user is not authorized to access the resources, an alert dialog about the hacker immediately appears at the server. At the same time, the date and the IP address are stored in a log on the server side for IDS purposes.

The log file is generated at the moment the hacker is traced by the server. The log (.txt) file provides the date and time of the intrusion detection, the hacker's IP address, and the login credentials the hacker used to get into the tool and view the server's resources.

This is the main test scenario, in which the largest number of intrusions are detected and filtered. It uses a combination of the HIDS and NIDS approaches to detect intrusions.


4.4. Scenario 4: Decrypting the Resource

Figure 16: Do enter Key

Figure 17: Valid-user-invalid-key


Figure 16 shows the case in which no decryption key is entered. After selecting the desired resource to decrypt, if the client does not provide a key, the tool shows the error message "Enter the Key First" in a pop-up window.

Figure 17 shows the case in which a valid user enters an invalid key. If a valid user enters a wrong key, the tool shows the error message "Enter valid key".

These two cases illustrate the behaviour of the tool with respect to the decryption key. The tool uses the Blowfish algorithm to encrypt and decrypt the resources, which adds a further level of security to the IDS tool. Clients who do not hold a key cannot access the files and should contact the server's administrator.

At this stage, clients who do not have a decryption key are filtered out, so this can be considered another test scenario.


4.5. Scenario 5: Hit-List Checking

Figure 18: Hit-List

Figure 18 shows a window with the message "IP Address entered in Hit-List". After a hacker is detected, its IP address is stored in the Hit-List. This list holds the IP addresses of all intrusions detected by the tool, together with the number of hits from each, for future reference. If any packet later arrives from such an IP address, the server can be cautious about accepting it, since the address is already in the server's Hit-List database.


OTHER USEFUL SCREEN SHOTS

Figure 23: Selecting the 'BLOWFISH' encryption

Figure 23 shows the menu options of the Blowfish tab. Blowfish encryption is used to encrypt the resources. When the Blowfish menu is selected from the Master's window, it drops down two options, one to encrypt and the other to decrypt a file.

After selecting the Encryption item from the Blowfish menu, a window appears with an "Encrypt" button and an "Ok" button. When "Encrypt" is clicked, a file selection window appears for choosing the file (resource) from the local hard disk on the server side.


Figure 24: Encrypted file

Clicking the Encrypt button opens a new window listing a group of files, from which one may be selected for encryption.

A file encrypted with the Blowfish algorithm is shown in Figure 24. After a resource is selected for encryption, the resource appears with its encrypted content in the content area of the Encrypt window. The encryption takes place as soon as the resource is selected; no other option needs to be chosen, since the file selection itself triggers the encryption.


Figure 25: Decrypted Resource

After selecting the Decryption item from the Blowfish menu, a new pop-up window for opening a file for decryption is shown. This window has two buttons, "Decrypt" and "Ok", and a text field for entering the key used to decrypt the resource.

When "Decrypt" is clicked, a file selection window appears showing the resources on the server's local hard disk. The decrypted resource, shown in a new window, appears in Figure 25. After decryption, the content of the resource appears in the Decrypt window, and the application then prompts the user to save the decrypted file to secondary storage.


Figure 26: IDS information

The application has an "IDS" menu that gives information about the text files created when an intrusion is detected. This is shown in Figure 26.

Selecting the "IDS Information" item from the "IDS" menu opens an IDS information window, which consists of a file selection button and a content area. Clicking the "Browse" button opens a file selection window in which the password log file for the relevant date is selected.


Figure 27: Content of the password log file

Figure 27 shows the IDS window displaying the content of a password log file. After the password log file is selected, the content of the log report appears in the content area. The log report consists of the date and time at which the intrusion detection event was triggered, the IP address from which the hacker accessed the resources, the password used, and the login credentials the hacker used to get into the tool and view the server's resources.


5. CONCLUSION

In this project, a hybrid intrusion detection tool has been developed that detects intrusions in dynamic network traffic and also provides secure file transfer. As cyber crime increases rapidly, it is very important to protect networks and systems from attacks and intrusions. The strategy used in this approach is based on both network-based IDS and host-based IDS. The tool detects intrusions in network traffic by making use of the network addresses in clients' IPs. Secure file transfer is achieved through multiple levels that combine IDS and encryption strategies.

The proposed tool uses a client-server architecture. The server starts listening to the network traffic (IP addresses) and stores them directly. If the network address in the client's IP matches the server's, the client is considered valid. Whenever a malicious or invalid client tries to access the resources the server provides, an event is triggered immediately, producing a text file with all of the intruder's properties (time, date, IP address, login credentials). The hacker's IP address is then stored in a Hit-List for future reference. Finally, all operations are performed through a user-friendly interface.

6. FUTURE WORK

Advanced features along with multiple levels of security can be added so that the system works more efficiently.

The proposed tool currently works only in a client-server architecture. It would be worthwhile to implement it in a distributed environment.

The scope of the project can be extended to defend against every type of attack in the working environment by adding the features of a protocol-based IDS (PIDS).


7. BIBLIOGRAPHY

1. http://netsecurity.about.com/cs/hackertools/a/aa030504.htm

2. http://www.webopedia.com/TERM/I/intrusion_detection_system.html

3. http://en.wikipedia.org/wiki/Intrusion_detection_system

4. http://en.wikipedia.org/wiki/Protocol-based_intrusion_detection_system

5. http://technet.microsoft.com/en-us/library/cc959354.aspx

6. https://nsrc.org/workshops/2008/ait-wireless/kemp/network-attacks.pdf

7. http://infohost.nmt.edu/~sfs/Students/HarleyKozushko/Papers/IntrusionDetectionPaper.pdf

8. https://lh4.ggpht.com/RK8CX2YYzbsEuj-uup9lq7hBCbJqI-5sF3sXZ31_WmhQismDIlv288etR46QdtiILlC_=s126

9. http://www.schneier.com/paper-blowfish-oneyear.html

10. J. Molina and M. Cukier, "Evaluating Files to Audit for Detecting Intrusions in FileSystem Data," in Proc. Eighth IEEE International Symposium on Network Computing and Applications (NCA 2009), 2009.

11. A. Cardenas, J. S. Baras, and K. Seamon, "A Framework for the Evaluation of Intrusion Detection Systems," in Proc. 2006 IEEE Symposium on Security and Privacy (S&P'06), pp. 63-77, 2006.

12. Y. Cai, "A Distributed Autonomous Intrusion Detection Framework," in Globecom Workshops, IEEE, 2007.

13. R. A. Kemmerer and G. Vigna, "Hi-DRA: Intrusion Detection for Internet Security," Proceedings of the IEEE, 93(10):1848-1857, 2005.

14. J. Korenek and P. Kobiersky, "Intrusion Detection System Intended for Multigigabit Networks," in Design and Diagnostics of Electronic Circuits and Systems (DDECS '07), IEEE, 2007.

15. H. Song and J. W. Lockwood, "Efficient Packet Classification for Network Intrusion Detection Using FPGA," in FPGA '05: Proceedings of the 2005 ACM/SIGDA 13th International Symposium on Field-Programmable Gate Arrays, New York, NY, USA: ACM Press, 2005, pp. 238-245.

16. W. Hu and W. Hu, "Network-Based Intrusion Detection Using Adaboost Algorithm," in Proc. 2005 IEEE/WIC/ACM International Conference on Web Intelligence, 2005.

17. P. Hong, D. Zhang, and T. Wu, "An Intrusion Detection Method Based on Rough Set and SVM Algorithm," in Proc. International Conference on Communications, Circuits and Systems, vol. 2, pp. 1127-1130, June 2004.

18. D. Guan, K. Wang, X. Ye, and W. Feng, "A Collaborative Intrusion Detection System Using Log Server and Neural Networks," in Proc. IEEE International Conference on Mechatronics and Automation, Niagara Falls, Canada, July 2005.

19. http://dawn.com/2012/06/27/cyber-attacks-hit-global-banks-for-80-mn-study/

20. http://www.lawfareblog.com/2012/05/significant-cyber-attacks-on-federal-systems-2004-present/