Intrusion Detection System - PowerPoint PPT Presentation (transcript)
![Page 1: Intrusion Detection System](https://reader033.vdocuments.us/reader033/viewer/2022061505/56816371550346895dd44cfa/html5/thumbnails/1.jpg)
Intrusion Detection System
Bruno Melo, Diego da Silva, Matheus Finatti, Vinicio Meira
Advised by Dr. Xiang Fu
![Page 2: Intrusion Detection System](https://reader033.vdocuments.us/reader033/viewer/2022061505/56816371550346895dd44cfa/html5/thumbnails/2.jpg)
Intrusion Detection System
• Monitor system processes
  – Detect
  – Analyze
  – Block
• Malicious Activities
![Page 3: Intrusion Detection System](https://reader033.vdocuments.us/reader033/viewer/2022061505/56816371550346895dd44cfa/html5/thumbnails/3.jpg)
System Architecture
Two components: CLUSTER (SVM training and judging) and IDS (wrapper generation and Apache monitoring)
![Page 4: Intrusion Detection System](https://reader033.vdocuments.us/reader033/viewer/2022061505/56816371550346895dd44cfa/html5/thumbnails/4.jpg)
Support Vector Machine - SVM
• Analyze Data
• Recognize Patterns
• Classify Data
![Page 5: Intrusion Detection System](https://reader033.vdocuments.us/reader033/viewer/2022061505/56816371550346895dd44cfa/html5/thumbnails/5.jpg)
SVM
Training Data → SVM Training → Model
![Page 6: Intrusion Detection System](https://reader033.vdocuments.us/reader033/viewer/2022061505/56816371550346895dd44cfa/html5/thumbnails/6.jpg)
SVM
![Page 7: Intrusion Detection System](https://reader033.vdocuments.us/reader033/viewer/2022061505/56816371550346895dd44cfa/html5/thumbnails/7.jpg)
SVM
Test Data + Model → SVM Predict → Classified Data
![Page 8: Intrusion Detection System](https://reader033.vdocuments.us/reader033/viewer/2022061505/56816371550346895dd44cfa/html5/thumbnails/8.jpg)
Interface
IDS → SVM Interface for IDS → LIBSVM
![Page 9: Intrusion Detection System](https://reader033.vdocuments.us/reader033/viewer/2022061505/56816371550346895dd44cfa/html5/thumbnails/9.jpg)
Cluster Operation Modes
Training mode:
  $ python cluster.py --train -c <logfolder> -w <function name>
Predict mode:
  $ python cluster.py --judge -r <modelfile>
* In predict mode the test data is read from the environment variable called “request”
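The deck shows the SVM train/predict flow and the two cluster modes but no code. The following is an added example, not the project's cluster.py (which goes through LIBSVM): a self-contained linear SVM in pure Python that turns intercepted-call logs into bag-of-calls feature vectors, trains a model, stores it as JSON, and judges the request found in the “request” environment variable. The log format (one call name per line), the +1/-1 labelling, the <logfolder>/benign and <logfolder>/malicious layout, the training data and the subgradient solver are all assumptions made for this example.

```python
"""Added example: the cluster's train/judge flow with a linear SVM in pure Python.
Not the deck's cluster.py (which uses LIBSVM); log format, labelling, features
and the solver are assumptions made here for the demonstration."""
import argparse
import json
import os
from collections import Counter

# Constructed training logs (assumption): one file per request, one intercepted
# Apache library call per line; label +1 = benign, -1 = malicious.
TRAIN_LOGS = {
    "benign/req-001.log": ("open\nread\nwrite\nclose", 1),
    "benign/req-002.log": ("open\nread\nread\nwrite\nclose", 1),
    "benign/req-003.log": ("open\nwrite\nclose", 1),
    "malicious/req-004.log": ("fork\nexecve\nconnect\nwrite", -1),
    "malicious/req-005.log": ("open\nread\nfork\nexecve", -1),
    "malicious/req-006.log": ("connect\nsend\nexecve", -1),
}


def tokens(log_text):
    return [ln.strip() for ln in log_text.splitlines() if ln.strip()]


def featurize(log_text, vocab):
    """Bag-of-calls vector: how often each call name known from training occurs."""
    counts = Counter(tokens(log_text))
    return [float(counts.get(call, 0)) for call in vocab]


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def train(logs, lam=0.01, eta=0.1, iters=2000):
    """Linear SVM: minimise lam/2*|w|^2 + mean hinge loss by batch subgradient descent."""
    vocab = sorted({c for text, _ in logs.values() for c in tokens(text)})
    data = [(featurize(text, vocab), y) for text, y in logs.values()]
    n = len(data)
    w, b = [0.0] * len(vocab), 0.0
    for _ in range(iters):
        gw, gb = [lam * wi for wi in w], 0.0
        for x, y in data:
            if y * (dot(w, x) + b) < 1:  # inside the margin: hinge loss is active
                gw = [gi - y * xi / n for gi, xi in zip(gw, x)]
                gb -= y / n
        w = [wi - eta * gi for wi, gi in zip(w, gw)]
        b -= eta * gb
    return {"vocab": vocab, "w": w, "b": b}


def predict(model, log_text):
    """+1 = accept, -1 = reject. A request whose calls were all unseen in training
    carries no evidence either way, so it is rejected (fail closed)."""
    seen = tokens(log_text)
    if seen and not any(c in model["vocab"] for c in seen):
        return -1
    x = featurize(log_text, model["vocab"])
    return 1 if dot(model["w"], x) + model["b"] >= 0 else -1


def read_logfolder(folder):
    """Assumed layout: <logfolder>/benign/*.log and <logfolder>/malicious/*.log."""
    logs = {}
    for label, sub in ((1, "benign"), (-1, "malicious")):
        for name in sorted(os.listdir(os.path.join(folder, sub))):
            with open(os.path.join(folder, sub, name)) as f:
                logs[os.path.join(sub, name)] = (f.read(), label)
    return logs


def main(argv=None):
    ap = argparse.ArgumentParser(description="cluster train/judge (added example)")
    mode = ap.add_mutually_exclusive_group(required=True)
    mode.add_argument("--train", action="store_true")
    mode.add_argument("--judge", action="store_true")
    ap.add_argument("-c", dest="logfolder")
    ap.add_argument("-w", dest="function", default="call", help="wrapped function name")
    ap.add_argument("-r", dest="modelfile", default="model.json")
    args = ap.parse_args(argv)
    if args.train:
        model = train(read_logfolder(args.logfolder))
        model["function"] = args.function
        with open(args.modelfile, "w") as f:
            json.dump(model, f)
        return 0
    with open(args.modelfile) as f:
        model = json.load(f)
    # As on the slide, the entry to judge arrives in the "request" environment variable.
    verdict = predict(model, os.environ.get("request", ""))
    print("ACCEPT" if verdict == 1 else "REJECT")
    return 0 if verdict == 1 else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Two points worth noticing when reading the model back: a call name that never appeared in training has no weight, so it is silently ignored by the feature vector; the fail-closed rule in predict() covers only the case where nothing in the request is known. And because every judged entry comes from the environment, the variable name “request” is part of the interface between the IDS and the cluster and must match on both sides.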
![Page 10: Intrusion Detection System](https://reader033.vdocuments.us/reader033/viewer/2022061505/56816371550346895dd44cfa/html5/thumbnails/10.jpg)
Main Module - Java™ Program
• Generate C++ Wrappers
  – LD_PRELOAD
  – LD_LIBRARY_PATH
  – dlsym()
• Intercept and log Apache library calls
• Monitor Apache library calls
• How to generate wrappers?
![Page 11: Intrusion Detection System](https://reader033.vdocuments.us/reader033/viewer/2022061505/56816371550346895dd44cfa/html5/thumbnails/11.jpg)
Configuration File
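The deck says the Java main module reads a configuration file and generates C++ wrappers that use LD_PRELOAD and dlsym(), but shows neither the file format nor the generated code. The following is an added example written for this page, not the project's generator: a Python script that parses a minimal configuration (one C prototype per line; the format is an assumption) and emits a C source file whose functions shadow libc entry points under LD_PRELOAD and forward to the real implementations through dlsym(RTLD_NEXT). The log path, the recursion guard and the build line are this example's own choices.

```python
"""Added example: a wrapper generator in the spirit of the deck's Java module,
written here in Python. The configuration format, emitted C code, log path and
build line are assumptions made for this example, not the project's own."""
import re
import sys

# Constructed configuration: one C prototype per line for each library call to log.
CONFIG = """\
# calls to intercept: <return type> <name>(<parameters>)
ssize_t write(int fd, const void *buf, size_t count)
int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen)
FILE *fopen(const char *pathname, const char *mode)
"""

PROTO_RE = re.compile(r"^\s*(?P<ret>.+?)\s*(?P<name>\w+)\s*\((?P<params>.*)\)\s*$")
PARAM_RE = re.compile(r"^(?P<type>.+?)\s*(?P<name>\w+)$")

PROLOGUE = """\
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>

/* One line per intercepted call. The thread-local guard keeps the logger's own
   stdio calls from re-entering the interposed functions (Apache's worker and
   event MPMs are multithreaded, so the guard must be per thread). */
static __thread int ids_busy;
static void ids_log(const char *name)
{
    if (ids_busy) return;
    ids_busy = 1;
    FILE *f = fopen("/tmp/ids_calls.log", "a");
    if (f) { fprintf(f, "%s\\n", name); fclose(f); }
    ids_busy = 0;
}
"""


def parse_config(text):
    """-> [{'ret': 'ssize_t', 'name': 'write', 'params': [(type, name), ...]}, ...]"""
    specs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = PROTO_RE.match(line)
        if not m:
            raise ValueError("unparseable prototype: " + line)
        params = []
        for p in m.group("params").split(","):
            p = p.strip()
            if p and p != "void":
                pm = PARAM_RE.match(p)
                if not pm:
                    raise ValueError("unparseable parameter: " + p)
                params.append((pm.group("type").strip(), pm.group("name")))
        specs.append({"ret": m.group("ret").strip(), "name": m.group("name"), "params": params})
    return specs


def c_decl(typ, name):
    """'const void *' + 'buf' -> 'const void *buf'; 'int' + 'fd' -> 'int fd'."""
    return typ + name if typ.endswith("*") else typ + " " + name


def generate_wrapper(specs):
    """Emit one C translation unit: the prologue plus one interposer per prototype."""
    out = [PROLOGUE]
    for s in specs:
        ret, name = s["ret"], s["name"]
        types = ", ".join(t for t, _ in s["params"]) or "void"
        decls = ", ".join(c_decl(t, n) for t, n in s["params"]) or "void"
        args = ", ".join(n for _, n in s["params"])
        out.append(f"""
{c_decl(ret, name)}({decls})
{{
    static {ret} (*real)({types});
    if (!real) real = ({ret} (*)({types})) dlsym(RTLD_NEXT, "{name}");
    ids_log("{name}");
    return real({args});
}}
""")
    return "".join(out)


def build_commands(src="idswrap.c", lib="libidswrap.so"):
    """Compile line and one way of loading the library into httpd (paths assumed)."""
    return [
        f"gcc -shared -fPIC -O2 -o {lib} {src} -ldl",
        # LD_PRELOAD must reach the httpd process itself (for example through the
        # envvars file apachectl sources); the loader ignores it for set-uid and
        # other secure-execution binaries, which is why the deck's LD_LIBRARY_PATH
        # only helps locate the library, never forces it in.
        f"LD_PRELOAD=$PWD/{lib} apachectl start",
    ]


if __name__ == "__main__":
    sys.stdout.write(generate_wrapper(parse_config(CONFIG)))
```

Two caveats a practitioner would want before trusting the log: libc functions that are variadic (open(2) with its optional mode) or that glibc calls internally without going through the PLT are not covered by an interposer of this shape, so the generated log reflects the calls Apache makes through the dynamic symbol table, not every system call it issues.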
![Page 12: Intrusion Detection System](https://reader033.vdocuments.us/reader033/viewer/2022061505/56816371550346895dd44cfa/html5/thumbnails/12.jpg)
IDS Operation Modes - Train
• Parse configuration file
• Generate and compile wrapper
• Start Apache
• Intercept calls and generate log files
![Page 13: Intrusion Detection System](https://reader033.vdocuments.us/reader033/viewer/2022061505/56816371550346895dd44cfa/html5/thumbnails/13.jpg)
IDS Operation Modes – Complete Train
• Stop Apache
• Send log files to cluster’s training mode
![Page 14: Intrusion Detection System](https://reader033.vdocuments.us/reader033/viewer/2022061505/56816371550346895dd44cfa/html5/thumbnails/14.jpg)
IDS Operation Modes – Monitor
• Parse configuration file
• Generate and compile wrapper
• Start listening server to communicate with wrapper
• Start Apache
• Intercept calls and send to listening server
• Send log entry to cluster to analyze
• If rejected, ask user if Apache should be killed
• Send response to C++ wrapper
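The monitor-mode steps above describe an exchange between the C++ wrapper inside Apache and the Java listening server, with the cluster's verdict and an optional user decision in between. The following is an added example modelling that exchange in Python over a socketpair; it is not the project's code. The one-line-per-entry protocol, the ACCEPT/REJECT/KILL replies, the sample entries and the allow-list that stands in for the cluster's SVM verdict are all assumptions made here.

```python
"""Added example: the monitor-mode exchange between the C++ wrapper and the Java
listening server, modelled in Python over a socketpair. Protocol, replies and the
allow-list stand-in for the cluster's SVM verdict are assumptions, not the deck's code."""
import socket
import threading

# Constructed stand-in for the cluster's verdict: call names seen during training
# are accepted, anything else is rejected.
KNOWN_CALLS = {"open", "read", "write", "close", "stat"}


def cluster_judge(entry):
    """Returns True to accept a log entry of the form '<call> <args...>'."""
    return entry.split(" ", 1)[0] in KNOWN_CALLS


def listening_server(conn, judge, ask_user, audit):
    """Server side: one log entry per line in, one verdict line out.
    ACCEPT lets the wrapper proceed, REJECT blocks the call, KILL tells the
    wrapper the user chose to stop Apache after a rejected entry."""
    reader = conn.makefile("rb")
    for raw in reader:
        entry = raw.decode().rstrip("\n")
        if entry == "BYE":
            break
        if judge(entry):
            verdict = "ACCEPT"
        elif ask_user(entry):
            verdict = "KILL"
        else:
            verdict = "REJECT"
        audit.append((entry, verdict))
        conn.sendall((verdict + "\n").encode())
        if verdict == "KILL":
            break
    reader.close()


def wrapper_call(sock, reader, entry):
    """Wrapper side: what each interposed function does before the real call.
    The verdict is awaited synchronously, so the cluster's latency sits on the
    request path of every intercepted call."""
    sock.sendall((entry + "\n").encode())
    return reader.readline().decode().strip()


def run_monitor(entries, ask_user=lambda entry: False):
    """Drive the exchange end to end; returns [(entry, verdict), ...] as the wrapper saw it."""
    srv_sock, wrp_sock = socket.socketpair()
    audit = []
    server = threading.Thread(target=listening_server,
                              args=(srv_sock, cluster_judge, ask_user, audit))
    server.start()
    wrp_reader = wrp_sock.makefile("rb")
    results = []
    for entry in entries:
        verdict = wrapper_call(wrp_sock, wrp_reader, entry)
        results.append((entry, verdict))
        if verdict == "KILL":
            break  # Apache is being stopped; the wrapper makes no further calls
    else:
        wrp_sock.sendall(b"BYE\n")
    wrp_reader.close()
    wrp_sock.close()
    server.join()
    srv_sock.close()
    return results


# Constructed sample of intercepted calls for one request.
SAMPLE_ENTRIES = [
    "open /var/www/html/index.html",
    "read 4096",
    "write 512",
    "execve /bin/sh",
    "connect 203.0.113.5:4444",
]

if __name__ == "__main__":
    for entry, verdict in run_monitor(SAMPLE_ENTRIES):
        print(f"{verdict:7} {entry}")
```

Run as a script it prints three ACCEPTs followed by two REJECTs; passing ask_user=lambda e: True to run_monitor() turns the first rejection into KILL and ends the session, which is the "ask user if Apache should be killed" branch on the slide. Because the wrapper blocks on every verdict, an unreachable cluster or listening server stalls the intercepted call rather than failing open, which is a property to decide on deliberately when deploying this kind of inline monitor.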
![Page 15: Intrusion Detection System](https://reader033.vdocuments.us/reader033/viewer/2022061505/56816371550346895dd44cfa/html5/thumbnails/15.jpg)
Using IDS Modes
• Training mode:
  # java -jar ids.jar -c <configfile> -o <outfile> -mode train [-v|-i]
• Complete train mode:
  # java -jar ids.jar -p <logpath> -mode completetrain
• Monitor mode:
  # java -jar ids.jar -c <configfile> -o <outfile> -mode monitor
![Page 16: Intrusion Detection System](https://reader033.vdocuments.us/reader033/viewer/2022061505/56816371550346895dd44cfa/html5/thumbnails/16.jpg)
Demonstration