
IASP 550 Final Project

Network Intrusion Detection System

Summary

The IDS is a software system designed and implemented as a dashboard application that gathers system status, network statistics and application logs from different systems and analyzes them. It works inside a LAN or over the internet. It collects data from client systems and stores it on a centralized server. On the server side, backend scripts parse the stored data and save it in the database. All the logs saved on the server are presented using graphs and tables, and the system also generates reports based on the analyzed data.

Project Description:

The aim of this project is to create an intrusion detection system by:

• Detecting an attack.

• Creating the rules for monitoring intrusions.

• Minimizing false alarms while keeping the performance overhead “acceptable”.

Correspondingly, the system implements the following rules:

• Detect each visit to www.google.com and log it.

• Generate an alert when activity relating to network chat is detected.

• Generate an alert when an attempt is made to perform a DNS zone transfer.

• Generate an alert when network traffic indicating Viber is in use; this rule matches packets of size > 100 bytes coming from the network 172.20.0.0 with its subnet mask (SNM).

• Generate an alert when there is access to unauthorized sites or to the selected websites.

• Generate an alert when a SYN flood occurs, and record the logs while blocking the traffic.

• Generate an alert when a MiTM attack is detected.
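The rules above, as an added worked example that is not part of the original project: a small Python rule engine run over constructed per-packet summaries. It assumes a /16 mask for 172.20.0.0, a SYN-count threshold of 5 for the flood rule and a constructed blocklist for the unauthorized-site rule; the chat and MiTM rules are not modelled.

```python
"""Toy rule-based detector for the project's alert rules (added example)."""
import ipaddress
from collections import defaultdict

VIBER_NET = ipaddress.ip_network("172.20.0.0/16")  # assumed subnet mask (SNM) for 172.20.0.0
UNAUTHORIZED_SITES = {"example-banned.test"}       # constructed blocklist of selected websites
SYN_THRESHOLD = 5                                  # assumed: SYNs from one source before it is a flood

def match_packet(pkt):
    """Return the alert names raised by a single packet summary (stateless rules)."""
    alerts = []
    host = pkt.get("http_host", "")
    if host.endswith("google.com"):
        alerts.append("google-visit")
    if host in UNAUTHORIZED_SITES:
        alerts.append("unauthorized-site")
    if pkt.get("dns_qtype") == "AXFR":             # AXFR = zone transfer request
        alerts.append("dns-zone-transfer")
    if pkt["size"] > 100 and ipaddress.ip_address(pkt["src"]) in VIBER_NET:
        alerts.append("viber-traffic")
    return alerts

def analyze(packets):
    """Run all rules over a packet list; returns (alerts, blocked_sources).

    alerts is a list of (packet_index, alert_name); blocked_sources holds the
    sources whose later traffic was dropped after a SYN flood was detected,
    which is the blocking action the rule list describes."""
    alerts, blocked = [], set()
    syn_counts = defaultdict(int)
    for i, pkt in enumerate(packets):
        if pkt["src"] in blocked:
            alerts.append((i, "dropped"))
            continue
        for name in match_packet(pkt):
            alerts.append((i, name))
        if pkt.get("flags") == "S":                # SYN without ACK = half-open attempt
            syn_counts[pkt["src"]] += 1
            if syn_counts[pkt["src"]] == SYN_THRESHOLD:
                alerts.append((i, "syn-flood"))
                blocked.add(pkt["src"])
    return alerts, blocked

# Constructed sample traffic, not captured data.
SAMPLE = [
    {"src": "10.0.0.5", "dst": "198.51.100.1", "size": 420, "flags": "PA", "http_host": "www.google.com"},
    {"src": "10.0.0.5", "dst": "10.0.0.53", "size": 70, "flags": "PA", "dns_qtype": "AXFR"},
    {"src": "172.20.3.9", "dst": "10.0.0.7", "size": 180, "flags": "PA"},   # Viber-sized, in 172.20.0.0/16
    {"src": "172.20.3.9", "dst": "10.0.0.7", "size": 60, "flags": "PA"},    # too small to match
    {"src": "10.0.0.6", "dst": "203.0.113.4", "size": 300, "flags": "PA", "http_host": "example-banned.test"},
] + [{"src": "10.0.0.99", "dst": "10.0.0.1", "size": 60, "flags": "S"} for _ in range(6)]

if __name__ == "__main__":
    for entry in analyze(SAMPLE)[0]:
        print(entry)
```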


The system also includes an IPS, which complements the IDS configuration by proactively inspecting a system’s incoming traffic to weed out malicious requests. A typical IPS configuration uses web application firewalls and traffic filtering solutions to secure applications. The IPS prevents attacks by dropping malicious packets, blocking offending IPs and alerting security personnel to potential threats. Such a system usually uses a pre-existing database for signature recognition and can be programmed to recognize attacks based on traffic and behavioral anomalies.

Upon detection, the system does the following:

• Compares system files against the respective malware signatures.

• Scans processes to detect signals related to harmful patterns.

• Monitors user behavior to detect any malicious intent.

• Monitors the system configurations.

Upon detecting a security policy violation, virus or configuration error, an IDS is able to kick an offending user off the network and send an alert to security personnel. Despite its benefits, including in-depth network traffic analysis and attack detection, an IDS has inherent drawbacks. Because it uses previously known intrusion signatures to locate attacks, newly discovered (i.e., zero-day) threats can remain undetected.
