
Intrusion Detection System
Bruno Melo, Diego da Silva, Matheus Finatti, Vinicio Meira
Advised by Dr. Xiang Fu

Intrusion Detection System
• Monitor system processes
• Detect
• Analyze
• Block malicious activities
System Architecture
• CLUSTER
• IDS

Support Vector Machine - SVM
• Analyze data
• Recognize patterns
• Classify data
(diagram: data → SVM → classified data)

SVM Interface for IDS
(diagram: IDS → interface → LIBSVM / SVM)
Cluster Operation Modes
• Training mode:
    $ python cluster.py --train -c <logfolder> -w <function name>
• Predict mode:
    $ python cluster.py --judge -r <modelfile>
* Test data is in the environment variable called “request”
Main Module - Java™ Program
• Generate C++ wrappers
• LD_PRELOAD
• LD_LIBRARY_PATH
• dlsym()
• Intercept and log Apache library calls
• Monitor Apache library calls
• How to generate wrappers?
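The slide above names the mechanism (LD_PRELOAD plus dlsym()) without showing what a generated wrapper looks like. The following is an added example, not the project's own wrapper code: it shadows libc's fopen() with a function of the same signature, records one log entry per call (the kind of record the IDS later sends to the cluster), and forwards the call to the real fopen() located with dlsym(RTLD_NEXT, ...). The function names format_call_log, intercepted_calls and last_log_entry are this example's own, and the build and preload lines in the comment are standard toolchain usage, not something the slides specify.

```c
/* Added example, not the IDS's generated wrapper: a minimal LD_PRELOAD
 * interposer for fopen(). Build it as a shared object and inject it:
 *   cc -shared -fPIC -o libfopen_wrap.so fopen_wrap.c
 *   LD_PRELOAD=./libfopen_wrap.so <program>
 * It also compiles as an ordinary program so the helpers can be tested. */
#define _GNU_SOURCE            /* for RTLD_NEXT */
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

static unsigned long g_calls;  /* intercepted fopen() calls so far */
static char g_last[512];       /* most recent formatted log entry  */

/* Render one log entry, "fn(arg1,arg2)=ok|fail", into out.
 * Returns snprintf's count so the caller can detect truncation. */
int format_call_log(const char *fn, const char *arg1, const char *arg2,
                    int ok, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%s(%s,%s)=%s",
                    fn, arg1 ? arg1 : "(null)", arg2 ? arg2 : "(null)",
                    ok ? "ok" : "fail");
}

unsigned long intercepted_calls(void) { return g_calls; }
const char *last_log_entry(void)      { return g_last; }

/* Same signature as libc's fopen(), so the dynamic linker resolves the
 * program's fopen() calls here once this object is preloaded. */
FILE *fopen(const char *path, const char *mode)
{
    static FILE *(*real_fopen)(const char *, const char *);
    if (!real_fopen)           /* resolve the fopen() after ours: libc's */
        real_fopen = (FILE *(*)(const char *, const char *))
                     dlsym(RTLD_NEXT, "fopen");

    FILE *f = real_fopen(path, mode);   /* forward; behaviour unchanged */
    g_calls++;

    int n = format_call_log("fopen", path, mode, f != NULL,
                            g_last, sizeof g_last);
    if (n > 0) {
        size_t len = (size_t)n < sizeof g_last - 1 ? (size_t)n
                                                   : sizeof g_last - 1;
        /* write(2) rather than fprintf(stderr): stdio could re-enter us.
         * A failed log write must not alter the wrapped call's result. */
        ssize_t ignored = write(STDERR_FILENO, g_last, len);
        ignored = write(STDERR_FILENO, "\n", 1);
        (void)ignored;
    }
    return f;
}
```

In the monitor mode the slides describe, the log line would be handed to the listening server instead of written to stderr; the interposition and forwarding logic stays the same for every wrapped call, which is why the IDS can generate wrappers from a configuration file.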
IDS Operation Modes - Train
• Parse configuration file
• Generate and compile wrapper
• Start Apache
• Intercept calls and generate log files

IDS Operation Modes - Complete Train
• Stop Apache
• Send log files to cluster's training mode

IDS Operation Modes - Monitor
• Parse configuration file
• Generate and compile wrapper
• Start listening server to communicate with wrapper
• Start Apache
• Intercept calls and send to listening server
• Send response to C++ wrapper
• Send log entry to cluster to analyze
• If rejected, ask user if Apache should be killed
Using IDS Modes
• Training mode:
    # java -jar ids.jar -c <configfile> -o <outfile> -mode train [-v|-i]
• Complete train mode:
    # java -jar ids.jar -p <logpath> -mode completetrain
• Monitor mode:
    # java -jar ids.jar -c <configfile> -o <outfile> -mode monitor