intrusion detection via sms

PRESENTATION ON “INTRUSION DETECTION VIA SMS” Presented by-: Monika Lagwal (0947CS101029) Shrishti Sharma (0947CS101053)

Post on 21-Jan-2017
TRANSCRIPT

Page 1: intrusion detection via sms

PRESENTATION ON “INTRUSION DETECTION VIA SMS”

Presented by: Monika Lagwal (0947CS101029), Shrishti Sharma (0947CS101053)

Page 2: intrusion detection via sms

INTRODUCTION

• Some Intrusion Detection Systems only give information about sniffing and intruders via a website. For high security, real-time information is needed.

• Cyber crime can be detected by an Intrusion Detection System, for example attacks using PHP Injection, SQL Injection, and Cross Site Scripting. Even when using Intrusion Detection Systems, systems still have some weaknesses.

• This application can also detect a hole before the web server is cracked by a cracker. In general, we developed a real-time warning system based on the Short Message Service (SMS).

Page 3: intrusion detection via sms

ON THE BASIS OF PREVIOUS SETUP OF INTRUSION DETECTION

• With the current setup for monitoring intrusion alerts, the administrator spends a great deal of time monitoring intrusion detection in the network, yet many system administrators are also assigned to manage various other IT-related tasks in the company.

• Using e-mail to alert the responsible person creates the same problem: it still takes the system administrator's time, because they still have to be in front of a computer to receive the alerts. This shows how slow the action taken on alerts/threats is in real time.

• Increased false alarm rates

Page 4: intrusion detection via sms

PROPOSED SYSTEM

• An SMS alert system is needed to send an SMS alert automatically when there is an intrusion into a web server. This project focuses on developing an SMS alert system that gives an alert message to registered web server administrators whenever an intrusion occurs. The alert is generated from the Snort log file, which has already been converted into the MySQL database. In order to detect intrusions and obtain the log file, the Snort intrusion detection system tool and its rules are implemented. The logged intrusion data can be presented as a tabulated or graphical report, and the alert SMS is also determined by that data.

Page 5: intrusion detection via sms

MAIN OBJECTIVES

• The objective of this project is to have a real-time IDS alert system by using an SMS gateway interfaced with Snort (the IDS tool) to send intrusion alerts to the administrator through a PERL script. This system can reduce the time the administrator needs to spend monitoring intrusions in the network.

• To enhance the security system using technology in keeping with today's standards of living. This system focuses on providing safety and assurance for the home owner while away from home, using sensors and GSM technology.

• To enable the user to be alerted in real time as an intrusion occurs, through SMS. This system enables the user to be informed of the intrusion even when away from home.

• To provide a productive security system that works with wiring, is easy to install, and has low power consumption.
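As an added example (not the project's own PERL script), the alert path described on the previous two slides in Python: parse Snort fast-format alert lines, keep only the priorities worth paging, suppress repeats of the same signature from the same source within a window so an attack burst does not flood the administrator's phone, and produce the text an SMS gateway would send. The log lines, addresses and signature IDs are constructed for this example.

```python
import re

ALERT_RE = re.compile(  # Snort "fast" alert format (alert_fast output), one alert per line
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?'
    r'\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?'
)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a fast alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

class SmsAlerter:
    """Turn parsed alerts into SMS texts. Only priority <= max_prio is paged (the
    rest stays in the database report); a repeat of the same signature from the
    same source inside `window` seconds is suppressed to limit SMS flooding."""
    def __init__(self, window=300, max_prio=2, max_len=160):
        self.window, self.max_prio, self.max_len = window, max_prio, max_len
        self.last_sent = {}                      # (sid, src) -> time of last SMS

    def handle(self, line, now):
        a = parse_alert(line)
        if a is None or int(a['prio']) > self.max_prio:
            return None
        key = (a['sid'], a['src'])
        if now - self.last_sent.get(key, float('-inf')) < self.window:
            return None                          # duplicate inside the window
        self.last_sent[key] = now
        dst = a['dst'] + (f":{a['dport']}" if a['dport'] else '')
        text = (f"IDS P{a['prio']} {a['msg']} {a['src']}->{dst} {a['proto']} "
                f"sid {a['sid']} @ {a['ts'][:14]}")
        return text[:self.max_len]               # fit a single SMS segment

# Constructed sample log: addresses and SIDs are made up for this example.
SAMPLE_LOG = [
    "01/21-10:15:32.123456  [**] [1:1000001:1] WEB-PHP remote include attempt [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:44321 -> 192.168.1.10:80",
    "01/21-10:15:33.000001  [**] [1:1000001:1] WEB-PHP remote include attempt [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:44322 -> 192.168.1.10:80",
    "01/21-10:16:01.500000  [**] [1:1000002:1] ICMP PING NMAP [**] "
    "[Classification: Attempted Information Leak] [Priority: 3] {ICMP} 10.0.0.6 -> 192.168.1.10",
]

def process_log(lines, start=0.0):
    # Feed the lines in order, one second apart, and return the SMS texts to send.
    alerter = SmsAlerter()
    texts = [alerter.handle(line, start + i) for i, line in enumerate(lines)]
    return [t for t in texts if t]
```

Of the three sample alerts only one SMS results: the second is a repeat inside the window and the third is below the paging priority.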

Page 6: intrusion detection via sms

Intrusion Detection Systems

• An IDS is any combination of hardware & software that monitors a system or network for malicious activity.

Examples of IDSs in real life

• Car alarms

• Fire detectors

• House alarms

• Surveillance systems

Page 7: intrusion detection via sms

Why IDS?

Can be detected:

• Mapping

• Port scans

▫ Tens of thousands of packets

• TCP stack scans

▫ Hundreds of thousands of packets

• “Deep Packet Inspection”

• Many organizations deploy IDS systems

• Provide warnings to the network administrator

▫ Administrator can then improve the network’s security

▫ Vigorous investigation could lead to attackers

Page 8: intrusion detection via sms

False Alarms

• False positive: normal traffic or a benign action triggers an alarm

▫ Example: a fire alarm if a wrong password is entered; a benign user makes a typo

• False negative: alarm is not fired during an attack

• A false positive is when a system raises an incorrect alert

▫ “The boy who cried ‘wolf!’” syndrome

• 0% false positives is the goal

▫ It’s easy to achieve this: simply detect nothing

• 0% false negatives is another goal: don’t let an attack pass undetected

Page 9: intrusion detection via sms

Proposed Intrusion Detection Via SMS Simulation Diagram

Page 10: intrusion detection via sms

Block Diagram: Generic IDS (diagram). Components shown: Host System or Network Sniffer, Pre-Processing, Statistical analysis, Signature matching, Knowledge base, Long term storage, Alert manager, GUI, Response manager.

Page 11: intrusion detection via sms

IDS: Pros

• A reasonably effective IDS can identify

▫ Internal hacking

▫ External hacking attempts

• Allows the system administrator to quantify the level of attack the site is under

• May act as a backstop if a firewall or other security measures fail

Page 12: intrusion detection via sms

IDS: Cons

• IDS’ don’t typically act to prevent or block attacks

▫ They don’t replace firewalls, routers, etc.

• If the IDS detects trouble on your interior network, what are you going to do?

▫ By definition it is already too late

Page 13: intrusion detection via sms

Efficiency of IDS system

• Accuracy: low false positive and false negative rates

• Performance: the rate at which traffic and audit events are processed

▫ To keep up with traffic, may not be able to put IDS at network entry point

▫ Instead, place multiple IDSs downstream

• Fault tolerance: resistance to attacks

▫ Should be run on a single hardened host that supports only intrusion detection services

• Timeliness: time elapsed between intrusion and detection

Page 14: intrusion detection via sms

Attack Detection (diagram). Elements shown: Internet, Router w/ some screening, Firewall, Internal Network, DMZ Network, WWW Server, Desktop, IDS. Caption: IDS detects (and counts) attacks against the Web Server and firewall.

Page 15: intrusion detection via sms

Intrusion Detection

• Placing an IDS within the perimeter will detect instances of clearly improper behavior

▫ Hacks via backdoors

▫ Hacks from staff against other sites

▫ Hacks that got through the firewall

• When the IDS alarm goes off, it’s a red alert

Page 16: intrusion detection via sms

HOST BASED INTRUSION DETECTION SYSTEM

• Collect data usually from within the operating system

▫ C2 audit logs

▫ System logs

▫ Application logs

• Data collected in very compact form

▫ But application / system specific

Page 17: intrusion detection via sms

Host Based: Pro

• Quality of information is very high

▫ Software can “tune” what information it needs (e.g.: C2 logs are configurable)

▫ Kernel logs “know” who the user is

• Density of information is very high

▫ Often logs contain pre-processed information (e.g.: “badsu” in syslog)

Page 18: intrusion detection via sms

Host Based: Con

• Capture is often highly system specific

▫ Usually only 1, 2 or 3 platforms are supported (“you can detect intrusions on any platform you like as long as it’s Solaris or NT!”)

• Performance is a wild-card

▫ To unload computation from the host, logs are usually sent to an external processor system

Page 19: intrusion detection via sms

Network Based IDS

• Collect data from the network or a hub / switch

▫ Reassemble packets

▫ Look at headers

• Try to determine what is happening from the contents of the network traffic

▫ User identities, etc. inferred from actions

Page 20: intrusion detection via sms

Network Based: Pro

• No performance impact

• More tamper resistant

• No management impact on platforms

• Works across O/S’

• Can derive information that host based logs might not provide (packet fragmenting, port scanning, etc.)

Page 21: intrusion detection via sms

Network Based: Con

• May lose packets on flooded networks

• May mis-reassemble packets

• May not understand O/S specific application protocols (e.g.: SMB)

• May not understand obsolete network protocols (e.g.: anything non-IP)

• Does not handle encrypted data

Page 22: intrusion detection via sms

Signature Detection

• Signature detection uses specific patterns to detect known intrusion attacks. Network intrusion detection systems use signatures, or partial strings, that match parts of the network packet itself. Once the strings are matched, a notification is sent to the proper authorities and the incident is logged. These intrusion attempts match signatures already programmed into the signature database; once the IDS matches a string, it responds by sending the system administrator an alert.

Page 23: intrusion detection via sms

SMS based intrusion alert system

Page 24: intrusion detection via sms

System architecture

Page 25: intrusion detection via sms

Anomaly Detection

• Goals:

▫ Analyse the network or system and infer what is normal

▫ Apply statistical or heuristic measures to subsequent events and determine if they match the model/statistic of “normal”

▫ If events are outside of a probability window of “normal”, generate an alert (tuneable control of false positives)
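Added example, not from the presentation: the three anomaly-detection goals above as a z-score detector over per-minute request counts to a web server, where k is the tuneable "probability window". The baseline and observed counts are constructed; raising k trades missed small anomalies for fewer false positives.

```python
import math

class AnomalyDetector:
    """Learn 'normal' from a baseline of per-interval counts, then flag later
    intervals whose count lies outside mean +/- k * stddev. A larger k widens
    the window of 'normal': fewer false positives, but small deviations are missed."""
    def __init__(self, k=3.0):
        self.k = k
        self.mean = self.std = None

    def train(self, baseline):
        # Infer the model of normal: mean and (population) standard deviation.
        n = len(baseline)
        self.mean = sum(baseline) / n
        var = sum((x - self.mean) ** 2 for x in baseline) / n
        self.std = math.sqrt(var) or 1.0     # flat baseline: avoid division by zero

    def score(self, x):
        # Distance from normal in standard deviations (the statistical measure).
        return abs(x - self.mean) / self.std

    def is_anomalous(self, x):
        return self.score(x) > self.k

def alerts_for(detector, observations):
    """Return (interval index, count) for every interval that would raise an alert."""
    return [(i, x) for i, x in enumerate(observations) if detector.is_anomalous(x)]

# Constructed data: requests per minute on a quiet day, then a later window that
# contains one sudden burst (250) and one moderately busy minute (60).
BASELINE = [40, 42, 38, 45, 41, 39, 43, 44, 40, 42]
OBSERVED = [41, 43, 39, 250, 40, 60]
```

With k=3 both the burst and the busy minute are alerted; with k=10 only the burst is, which is the false-positive control the slide refers to.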

Page 26: intrusion detection via sms

Misuse Detection

• Typical misuse detection approaches:

▫ “Network grep” - look for strings in network connections which might indicate an attack in progress

▫ Pattern matching - encode a series of states that are passed through during the course of an attack, e.g.: “change ownership of /etc/passwd” -> “open /etc/passwd for write” -> alert
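Added example, not from the presentation, covering both the signature detection slide and the two misuse approaches above: a "network grep" over packet payloads using constructed signature patterns, and a state-sequence matcher for the /etc/passwd chain. The signature names, patterns and audit event tuples are assumptions made for the example, not Snort's rule set.

```python
import re

# "Network grep": constructed payload signatures, each a pattern that would
# appear in a request of the attack classes named on the introduction slide.
PAYLOAD_SIGNATURES = {
    "php-remote-include": re.compile(rb"(?i)[?&]\w+=https?://"),
    "sql-injection":      re.compile(rb"(?i)(union\s+select|'\s*or\s+1=1)"),
    "xss":                re.compile(rb"(?i)<script\b"),
}

def grep_payload(payload: bytes):
    """Return the names of all signatures whose pattern occurs in the payload."""
    return [name for name, rx in PAYLOAD_SIGNATURES.items() if rx.search(payload)]

# Pattern matching over states: an attack is an ordered list of (action, target)
# events. Each actor advances one step per matching event; unrelated events are
# ignored and out-of-order events do not count. The chain below is the slide's.
ATTACK_SEQUENCES = {
    "passwd-tamper": [("chown", "/etc/passwd"), ("open_write", "/etc/passwd")],
}

class SequenceMatcher:
    def __init__(self, sequences=ATTACK_SEQUENCES):
        self.sequences = sequences
        self.progress = {}            # (actor, attack name) -> index of next step

    def feed(self, actor, event):
        """Consume one audit event; return the attack names completed by it."""
        fired = []
        for name, steps in self.sequences.items():
            key = (actor, name)
            i = self.progress.get(key, 0)
            if event == steps[i]:
                i += 1
                if i == len(steps):   # final state reached: alert, then reset
                    fired.append(name)
                    i = 0
            self.progress[key] = i
        return fired
```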

Page 27: intrusion detection via sms

CONTEXT DIAGRAM

Page 28: intrusion detection via sms

LEVEL 1 DFD (diagram). Entities: NIDS, User, Administrator, Intruder. Flows shown: Maintain Details, ask, send dp, Send cmd, Hack dp.

Page 29: intrusion detection via sms

IDS INNER FUNCTIONING THROUGH DFD (diagram). Entities: NIDS, User. Processes and flows shown: Data Packet, Receive Acknowledgement, Give the definition of the packet and content, Give the definition of the packet like ip add, port number. Data stores: D3 Packet Details, D4, D5 Ack Details.

Page 30: intrusion detection via sms

ENTITY RELATIONSHIP DIAGRAM (diagram). Entities: Administrator, Intruder, User, Data Packet. Relationships: Transform, Monitor, Maintain. Attributes shown: Name, Password, User_id, address, Contents, Packet_no, port, Packet add.

Page 31: intrusion detection via sms

FEATURES OF INTRUSION DETECTION VIA SMS

• Fault tolerant

• Object tracking

• Reduced false alarm rate

• Rapid deployment capability

• Battery operated low power devices

• Easy to transport and operate

• User notification through SMS, voice and displays

• Internet and mobile based alert monitoring capability

Page 32: intrusion detection via sms

FEASIBILITY STUDY

• Technical Feasibility

• Economic Feasibility

• Operational Feasibility

Page 33: intrusion detection via sms

CONCEPTS REVISED IN THE PROJECT

• SWINGS

• REMOTE METHOD INVOCATION

Page 34: intrusion detection via sms

SOFTWARE USED

• NETBEANS 7.4

• APACHE TOMCAT SERVER

• MySQL

• SNORT

Page 35: intrusion detection via sms

SOFTWARE DEVELOPMENT MODEL USED

• Increment 1: Analysis-->Design-->Code-->Test (Delivery of 1st Increment. Normally the Core Product)

• Increment 2: Analysis-->Design-->Code-->Test (Delivery of 2nd Increment)

• ...

• Increment n: Analysis-->Design-->Code-->Test (Delivery of nth Increment)

Page 36: intrusion detection via sms

TESTING

The system was tested using a virtual machine: 1 host computer as the SMS Gateway, and 2 guest computers for the Target machine, Sensor machine, Admin machine and Cracker machine.

• A web application is used for testing the system; the application is used for a campus information system. The URL of the web application is http://www.xyz.net. The testing mechanism is a cracker machine connected to the virtual machine with NAT (Network Address Translation), while the system is connected in Host Only networking. The cracker machine can intrude into the target machine with WEB-REMOTE PHP, Cross Site Scripting, and sniffing on the SSH (Secure Shell) or FTP port. The sensor machine runs a warning system in order to check for any holes, then runs Snort and the Warning Web Deface System in order to check the target machine for cracker actions.

Page 37: intrusion detection via sms

LIMITATION

• Depending on the outcome from the detection module, the necessary precautions must be taken and a quick decision made to stop the intruder from penetrating the computer network; in the proposed IDSs we used e-mail to send a warning to stop the intruder.

Page 38: intrusion detection via sms

CONCLUSION

• This system is proposed to help the web server administrator, and anyone who owns a domain, to guard a website from crackers. As the warning system used is the Short Message Service, the web server administrator or domain owner can quickly respond to an attack. In addition, this system can detect holes before the system is attacked by a cracker. This system can also detect a file which has been modified, not only the Directory Index but also other files on the web server. Even though the system has been developed successfully, its performance should still be improved.

Page 39: intrusion detection via sms

REFERENCES

• Internet Security and Firewalls: Repelling the Wily Hacker, by Bill Cheswick and Steve Bellovin, from Addison Wesley

• Internet Firewalls, by Brent Chapman and Elizabeth Zwicky

• IDS FAQs (warning: vendor sponsored)

▫ http://www.ticm.com/kb/faq/idsfaq.html

▫ http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html

Page 40: intrusion detection via sms

WE THANK YOU FOR BEING PATIENT AND FOR THE APPRECIATION OF THE PROJECT!!!!!