intrusion detection via sms
TRANSCRIPT
PRESENTATION ON “INTRUSION DETECTION VIA SMS”
Presented by: Monika Lagwal (0947CS101029), Shrishti Sharma (0947CS101053)
INTRODUCTION
• Some Intrusion Detection Systems only report sniffing and intruder activity through a website. For a highly secured system, that information is needed in real time.
• Cyber crime such as PHP injection, SQL injection and cross-site scripting can be detected by an Intrusion Detection System, but a system protected only by an IDS still has weaknesses.
• This application can also detect the hole before the web server is cracked by a cracker. In general, we developed a real-time warning system based on the Short Message Service (SMS).
ON THE BASIS OF PREVIOUS SETUP OF INTRUSION DETECTION
• With the current monitoring setup, the administrator spends a lot of time watching intrusion alerts in the network, yet many system administrators are also assigned various other IT tasks in the company.
• Using e-mail to alert the responsible person creates the same problem: it still costs the administrator's time, because they have to be in front of a computer to receive the alert. This shows how slow the response to alerts/threats is in real time.
• Increased false alarm rates
PROPOSED SYSTEM
• An SMS alert system is needed that sends an SMS automatically when there is an intrusion against the web server. This project develops an SMS alert system that sends an alert message to registered web server administrators whenever an intrusion occurs. The alert is generated from the Snort log, which is first written into a MySQL database; Snort and its rule set are used to detect the intrusions and produce that log. The logged intrusion data can be presented as tabulated or graphical reports, and the SMS alerts are derived from the same data.
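The deck leaves the selection step between the Snort log and the SMS gateway implicit. The following is an added example, not the project's code: it parses Snort alert_fast lines (constructed here), drops low-priority events, suppresses repeats of the same signature/source/destination inside a time window, and formats each remaining alert to fit one 160-character SMS. It is written in Python rather than the Perl of the original; the year (alert_fast carries none), the priority cut-off and the 10-minute window are assumptions, and the hand-off to the gateway is left out because the deck does not specify it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Snort "alert_fast" lines; these are not from the deck.
SAMPLE_ALERTS = [
    "01/15-10:22:31.123456  [**] [1:1000001:1] WEB-PHP remote file include attempt [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:51234 -> 192.0.2.10:80",
    "01/15-10:22:32.001000  [**] [1:1000001:1] WEB-PHP remote file include attempt [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:51235 -> 192.0.2.10:80",
    "01/15-10:22:40.500000  [**] [1:1000002:1] WEB-MISC cross-site scripting attempt [**] "
    "[Classification: Web Application Attack] [Priority: 2] {TCP} 203.0.113.5:51240 -> 192.0.2.10:80",
    "01/15-10:25:03.000000  [**] [1:1000003:1] SCAN nmap TCP [**] "
    "[Classification: Attempted Information Leak] [Priority: 3] {TCP} 198.51.100.7:40000 -> 192.0.2.10:22",
    "01/15-10:40:00.000000  [**] [1:1000001:1] WEB-PHP remote file include attempt [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:52000 -> 192.0.2.10:80",
]

ALERT_RE = re.compile(
    r"^(?P<month>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

SMS_MAX = 160  # one GSM-7 segment


def parse_alert(line, year=2014):
    """Parse one alert_fast line into a dict, or return None for lines that do not match.
    alert_fast carries no year, so the caller supplies it (2014 is an assumption here)."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['month']}/{m['day']} {m['time']}", "%Y/%m/%d %H:%M:%S")
    return {
        "ts": ts, "sid": int(m["sid"]), "msg": m["msg"], "prio": int(m["prio"]),
        "proto": m["proto"], "src": m["src"], "dst": m["dst"],
        "dport": int(m["dport"]) if m["dport"] else None,
    }


def select_for_sms(alerts, max_priority=2, window=timedelta(minutes=10)):
    """Decide which alerts deserve a text message.

    Priority 3+ events (scans, informational rules) stay in the database report only.
    Repeats of the same (sid, src, dst) inside `window` are counted but not re-sent, so a
    cracker retrying the same attack does not flood the administrator's phone."""
    last_sent = {}
    repeats = defaultdict(int)
    chosen = []
    for a in sorted(alerts, key=lambda a: a["ts"]):
        if a["prio"] > max_priority:
            continue
        key = (a["sid"], a["src"], a["dst"])
        repeats[key] += 1
        if key in last_sent and a["ts"] - last_sent[key] < window:
            continue
        last_sent[key] = a["ts"]
        chosen.append(a)
    return chosen, dict(repeats)


def format_sms(a):
    """Render an alert into a single SMS segment; over-long rule messages are truncated."""
    text = (f"IDS P{a['prio']} {a['ts']:%m/%d %H:%M} {a['msg']} "
            f"{a['src']}->{a['dst']}:{a['dport']} {a['proto']} sid:{a['sid']}")
    if len(text) > SMS_MAX:
        text = text[:SMS_MAX - 3] + "..."
    return text


def alerts_to_sms(lines):
    """Full path from raw Snort lines to the list of SMS bodies to hand to the gateway."""
    parsed = [a for a in map(parse_alert, lines) if a]
    chosen, _ = select_for_sms(parsed)
    return [format_sms(a) for a in chosen]


if __name__ == "__main__":
    for sms in alerts_to_sms(SAMPLE_ALERTS):
        print(len(sms), sms)
```

With the sample lines, five alerts become three messages: the second remote-file-include attempt a second later is suppressed, the priority-3 nmap scan is kept for the report only, and the same attack 17 minutes later is sent again because the window has elapsed. The same selection can be expressed as a query against the Snort database table the deck describes.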
MAIN OBJECTIVES
• To build a real-time IDS alert system by interfacing an SMS gateway with Snort (the IDS tool) so that intrusion alerts are sent to the administrator through a Perl script. This reduces the time the administrator must spend monitoring the network for intrusions.
• To enhance the security system with technology that keeps pace with today's standards of living. This part of the system focuses on safety and assurance for home owners while they are away from home, using sensors and GSM technology.
• To alert the user by SMS in real time as an intrusion occurs, so that the user is informed about the intrusion even when away from home.
• To provide a productive security system that works with wiring, is easy to install and consumes little power.
Intrusion Detection Systems
• An IDS is any combination of hardware and software that monitors a system or network for malicious activity.
Examples of IDSs in real life•Car alarms•Fire detectors•House alarms•Surveillance systems
Why IDS?
Can be detected:
• Mapping
• Port scans
▫ Tens of thousands of packets
• TCP stack scans
▫ Hundreds of thousands of packets
• “Deep Packet Inspection”
• Many organizations deploy IDS systems
• Provide warnings to the network administrator
▫ The administrator can then improve the network’s security
▫ Vigorous investigation could lead to the attackers
False Alarms
• False positive: normal traffic or a benign action triggers an alarm
▫ Example: a fire alarm if a wrong password is entered; a benign user makes a typo
• False negative: the alarm is not fired during an attack
• A false positive is when a system raises an incorrect alert
▫ “The boy who cried ‘wolf!’” syndrome
• 0% false positives is the goal
▫ It’s easy to achieve this: simply detect nothing
• 0% false negatives is another goal: don’t let an attack pass undetected
Proposed Intrusion Detection Via SMS Simulation Diagram
(simulation diagram not reproduced in the transcript)
Block Diagram: Generic IDS
(diagram: a host system or network sniffer feeds a pre-processing stage; pre-processed data goes to statistical analysis and signature matching, both drawing on a knowledge base and long-term storage; detections go to the alert manager, which feeds the GUI and the response manager)
IDS: Pros
• A reasonably effective IDS can identify
▫ Internal hacking
▫ External hacking attempts
• Allows the system administrator to quantify the level of attack the site is under
• May act as a backstop if a firewall or other security measures fail
IDS: Cons
• IDSs don’t typically act to prevent or block attacks
▫ They don’t replace firewalls, routers, etc.
• If the IDS detects trouble on your interior network, what are you going to do?
▫ By definition it is already too late
Efficiency of IDS system
• Accuracy: low false positive and false negative rates
• Performance: the rate at which traffic and audit events are processed
▫ To keep up with traffic, it may not be possible to put the IDS at the network entry point
▫ Instead, place multiple IDSs downstream
• Fault tolerance: resistance to attacks
▫ Should be run on a single hardened host that supports only intrusion detection services
• Timeliness: time elapsed between intrusion and detection
Attack Detection
(diagram: Internet → router with some screening → firewall; a DMZ network holding the WWW server; the internal network with desktops behind the firewall; an IDS that detects (and counts) attacks against the web server and the firewall)
Intrusion Detection
• Placing an IDS within the perimeter will detect instances of clearly improper behavior
▫ Hacks via backdoors
▫ Hacks from staff against other sites
▫ Hacks that got through the firewall
• When the IDS alarm goes off, it’s a red alert
HOST BASED INTRUSION DETECTION SYSTEM
• Collect data, usually from within the operating system
▫ C2 audit logs
▫ System logs
▫ Application logs
• Data collected in very compact form
▫ But application / system specific
Host Based: Pro
• Quality of information is very high
▫ Software can “tune” what information it needs (e.g.: C2 logs are configurable)
▫ Kernel logs “know” who the user is
• Density of information is very high
▫ Often logs contain pre-processed information (e.g.: “badsu” in syslog)
Host Based: Con
• Capture is often highly system specific
▫ Usually only 1, 2 or 3 platforms are supported (“you can detect intrusions on any platform you like as long as it’s Solaris or NT!”)
• Performance is a wild-card
▫ To unload computation from the host, logs are usually sent to an external processor system
Network Based IDS
• Collect data from the network or a hub / switch
▫ Reassemble packets
▫ Look at headers
• Try to determine what is happening from the contents of the network traffic
▫ User identities, etc. inferred from actions
Network Based: Pro
• No performance impact on the monitored hosts
• More tamper resistant
• No management impact on platforms
• Works across operating systems
• Can derive information that host-based logs might not provide (packet fragmenting, port scanning, etc.)
Network Based: Con
• May lose packets on flooded networks
• May mis-reassemble packets
• May not understand OS-specific application protocols (e.g.: SMB)
• May not understand obsolete network protocols (e.g.: anything non-IP)
• Does not handle encrypted data
Signature Detection
• Signature detection uses specific patterns to detect known intrusion attacks. A network intrusion detection system keeps a database of signatures: strings or partial strings that match parts of a network packet. Each packet is compared against the programmed signatures; once a string matches, the incident is logged and the IDS responds by sending an alert to the system administrator.
SMS based intrusion alert system
System architecture (diagram not reproduced in the transcript)
Anomaly Detection•Goals:
▫Analyse the network or system and infer what is normal
▫Apply statistical or heuristic measures to subsequent events and determine if they match the model/statistic of “normal”
▫If events are outside of a probability window of “normal” generate an alert (tuneable control of false positives)
Misuse Detection
• Typical misuse detection approaches:
▫ “Network grep”: look for strings in network connections which might indicate an attack in progress
▫ Pattern matching: encode the series of states that are passed through during the course of an attack, e.g.: “change ownership of /etc/passwd” -> “open /etc/passwd for write” -> alert
CONTEXT DIAGRAM
LEVEL 1 DFD
(data-flow diagram: external entities User, Administrator and Intruder around the NIDS process; flows labelled Maintain Details, ask, send dp (data packet), Send cmd / send cmd and Hack dp (data packet): the Administrator maintains details, the User asks the NIDS and sends data packets and commands, the Intruder sends commands and hacks data packets)
IDS INNER FUNCTIONING THROUGH DFD
(data-flow diagram: the User sends a Data Packet to the NIDS and receives an Acknowledgement; the NIDS records the definition of the packet and its content (IP address, port number) in data stores D3 Packet Details and D4, and the acknowledgement in D5 Ack Details)
ENTITY RELATIONSHIP DIAGRAM
(ER diagram: entities Administrator, User, Intruder and Data Packet, linked by the relationships Monitor, Transform and Maintain; attributes shown include Name, Password, User_id and address for the person entities and Packet_no, Contents, Packet add and port for the Data Packet)
FEATURES OF INTRUSION DETECTION VIA SMS
• Fault tolerant
• Object tracking
• Reduced false alarm rate
• Rapid deployment capability
• Battery operated low power devices
• Easy to transport and operate
• User notification through SMS, voice and displays
• Internet and mobile based alert monitoring capability
FEASIBILITY STUDY
• Technical Feasibility
• Economic Feasibility
• Operational Feasibility
CONCEPTS REVISED IN THE PROJECT
• Swing
• Remote Method Invocation (RMI)
SOFTWARE USED
• NetBeans 7.4
• Apache Tomcat server
• MySQL
• Snort
SOFTWARE DEVELOPMENT MODEL USED
• Incremental model:
Increment 1: Analysis --> Design --> Code --> Test (delivery of the 1st increment, normally the core product)
Increment 2: Analysis --> Design --> Code --> Test (delivery of the 2nd increment)
...
Increment n: Analysis --> Design --> Code --> Test (delivery of the nth increment)
TESTING
• The system was tested using virtual machines: one host computer for the SMS gateway and two guest computers hosting the target machine, sensor machine, admin machine and cracker machine.
• A web application (a campus information system) was used to test the system; the URL of the web application is http://www.xyz.net
• Testing mechanism: the cracker machine is connected to the virtual machine through NAT (Network Address Translation), while the system itself is connected in host-only networking. The cracker machine intrudes into the target machine with WEB-REMOTE PHP, cross-site scripting, and sniffing on the SSH (Secure Shell) or FTP port. The sensor machine runs a warning system to check for any holes, then runs Snort and the Warning Web Deface System to check the target machine for cracker actions.
LIMITATION
• Depending on the outcome from the detection module, the necessary precautions must be taken and a quick decision made to stop the intruder from penetrating the computer network; in the proposed IDS we used e-mail to send the warning to stop the intruder.
CONCLUSION
• This system is proposed to help web server administrators and domain owners guard their websites against crackers. Because the warning system uses the Short Message Service, the web server administrator or domain owner can respond quickly to an attack. In addition, the system can detect holes before the system is attacked by a cracker, and it can detect files that have been modified, not only the directory index but also other files on the web server. Even though the system has been developed successfully, its performance should still be improved.
REFERENCES
• Firewalls and Internet Security: Repelling the Wily Hacker, by Bill Cheswick and Steve Bellovin, Addison-Wesley
• Building Internet Firewalls, by Brent Chapman and Elizabeth Zwicky, O'Reilly
• IDS FAQs (warning: vendor sponsored)
▫ http://www.ticm.com/kb/faq/idsfaq.html
▫ http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
WE THANK YOU FOR BEING PATIENT AND FOR YOUR APPRECIATION OF THE PROJECT!