Intrusion Detection System

Intrusion Detection System Bruno Melo Diego da Silva Matheus Finatti Vinicio Meira Advised by Dr. Xiang Fu

Intrusion Detection System • Monitor system processes • Detect • Analyze • Block Malicious Activities

System Architecture • CLUSTER • IDS

Support Vector Machine - SVM • Analyze Data • Recognize Patterns • Classify Data

SVM

Classified Data SVM

SVM Interface for IDS • Interface LIBSVM • SVM • IDS

Cluster Operation Modes Training mode: $ python clustey.py --train -c <logfolder> -w <function name> Predict mode: $ python cluster.py --judge -r <modelfile> * Test data is in the environment variable called “request”

Main Module - Java™ Program • Generate C++ Wrappers • LD_PRELOAD • LD_LIBRARY_PATH • dlsym() • Intercept and log Apache library calls • Monitor Apache library calls • How to generate wrappers?

Configuration File

IDS Operation Modes - Train • Parse Configuration File • Generate and compile wrapper • Start Apache • Intercept calls and generate log files

IDS Operation Modes – Complete Train • Stop Apache • Send log files to cluster’s training mode

IDS Operation Modes – Monitor • Parse configuration file • Generate and compile wrapper • Start listening server to communicate with wrapper • Start Apache • Intercept calls and send to listening server • Send response to C++ wrapper • Send log entry to cluster to analyze • If rejected, ask user if Apache should be killed

Using IDS Modes • Training mode: • # java –jar ids.jar -c <configfile> -o <outfile> -mode train [-v|-i] • Complete train mode: • # java –jar ids.jar –p <logpath> -mode completetrain • Monitor mode: • # java –jar ids.jar -c <configfile> -o <outfile> -mode monitor

Demonstration

Intrusion Detection System

Intrusion Detection System

Presentation Transcript