SOFTWARE ARCHITECTURE Intrusion Detection System Marc Nemati April 19, 2011


Page 1: Software Architecture

SOFTWARE ARCHITECTURE

Intrusion Detection System

Marc Nemati

April 19, 2011

Page 2: Software Architecture

Intrusion Detection

Port Scan Detection

Many attacks begin with locating an open port from which to launch the attack (a port scan)

Many algorithms and methods exist to determine whether a port is open

Page 3: Software Architecture

Project Overview

Check, at any given time, whether any system on the network is being port scanned

Once a port scan is detected, return the following crucial information to the network admin:

IP address

MAC address

Ports scanned

Duration of scan

Page 4: Software Architecture

Functionality

Display the source MAC and IP addresses

Check the type of transport protocol used by looking at the protocol field of the IP packet

If it is a TCP or UDP packet, extract and display the source and destination port numbers

Specifically recognize all of the following attacks:

TCP SYN scan

UDP port scan

IP protocol scan

TCP Maimon scan

TCP FIN and Null scan

When a scan is detected, display the number of ports scanned, the originating IP address, the destination IP address, and a list of all destination ports probed.
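The per-packet steps on this slide (read the IP protocol field, pull the ports out of TCP/UDP, recognise the probe type from the TCP flags) written out as an added example in Python. This is not the project's Java code; the frame layout follows the Ethernet, IPv4, TCP and UDP headers, the build_* helpers construct sample frames so it runs offline, and the record field names are assumptions. It goes one step beyond the slide by also recognising the Xmas flag combination, the remaining flag-based Nmap scan. Turning individual probes into a detected scan (counting distinct ports per source against a threshold) is a separate step not shown here.

```python
"""Parse one raw Ethernet/IPv4 frame and classify it as a port-scan probe.

Added example (Python, not the project's Java code). Frames are built by the
build_* helpers below, so it runs offline; the record field names are assumed.
"""
import struct
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
# TCP flag bits, low byte of the 16-bit data-offset/flags field
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def mac_str(raw: bytes) -> str:
    """Render a 6-byte MAC address (the job of printMac() on the slides)."""
    return ":".join(f"{b:02x}" for b in raw)


def classify_tcp_flags(flags: int) -> Optional[str]:
    """Map a TCP flag combination to the scan type that sends it.

    Only the six RFC 793 flags are compared, so ECN bits set by a kernel do
    not hide a probe. Xmas (FIN/PSH/URG) is not on the slides but is the
    remaining flag-based Nmap scan, so it is included.
    """
    f = flags & 0x3F
    if f == SYN:
        return "SYN"            # nmap -sS: bare SYN, handshake never completed
    if f == FIN:
        return "FIN"            # nmap -sF: bare FIN
    if f == 0:
        return "NULL"           # nmap -sN: no flags at all
    if f == FIN | ACK:
        return "MAIMON"         # nmap -sM: FIN/ACK
    if f == FIN | PSH | URG:
        return "XMAS"           # nmap -sX: FIN/PSH/URG
    return None                 # SYN/ACK, ACK, PSH/ACK, RST: normal traffic


def parse_frame(frame: bytes) -> Optional[dict]:
    """Extract the fields the Functionality slide asks for from one frame.

    Returns None for non-IPv4 or truncated frames instead of guessing.
    """
    if len(frame) < 14 + 20:
        return None
    _dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ver_ihl, _, _, _, _, _, proto, _, src_ip, dst_ip = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4          # header length; IP options may follow
    if ihl < 20 or len(ip) < ihl:
        return None
    l4 = ip[ihl:]
    rec = {"src_mac": mac_str(src_mac),
           "src_ip": ".".join(map(str, src_ip)),
           "dst_ip": ".".join(map(str, dst_ip)),
           "proto": proto,                # the IP protocol field on the slide
           "sport": None, "dport": None, "probe": None}
    if proto == PROTO_TCP:
        if len(l4) < 20:
            return None
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        rec.update(sport=sport, dport=dport,
                   probe=classify_tcp_flags(off_flags & 0x1FF))
    elif proto == PROTO_UDP:
        if len(l4) < 8:
            return None
        sport, dport = struct.unpack("!HH", l4[:4])
        rec.update(sport=sport, dport=dport, probe="UDP")
    else:
        # Anything else (ICMP, GRE, ...) is a candidate IP protocol scan probe
        # (nmap -sO), which enumerates protocol numbers rather than ports.
        rec["probe"] = "IPPROTO"
    return rec


# --- constructed test input -------------------------------------------------
def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header, checksum left zero (constructed input)."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 1024, 0, 0)


def build_udp(sport: int, dport: int) -> bytes:
    """Minimal 8-byte UDP header, no payload (constructed input)."""
    return struct.pack("!HHHH", sport, dport, 8, 0)


def build_frame(src_mac: bytes, src_ip: str, dst_ip: str, proto: int, l4: bytes) -> bytes:
    """Ethernet + IPv4 header around l4, checksum left zero (constructed input)."""
    src = bytes(map(int, src_ip.split(".")))
    dst = bytes(map(int, dst_ip.split(".")))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src, dst)
    return struct.pack("!6s6sH", b"\xff" * 6, src_mac, ETHERTYPE_IPV4) + ip + l4


if __name__ == "__main__":
    scanner = bytes.fromhex("001122334455")
    for dport in (21, 22, 80):
        print(parse_frame(build_frame(scanner, "10.0.0.5", "10.0.0.9",
                                      PROTO_TCP, build_tcp(40000, dport, SYN))))
    print(parse_frame(build_frame(scanner, "10.0.0.5", "10.0.0.9",
                                  PROTO_TCP, build_tcp(40000, 80, SYN | ACK))))
```

A bare SYN from a legitimate client looks exactly like an Nmap SYN probe at the packet level, and a single FIN/ACK is an ordinary half-close; what separates a scan from normal traffic is how many distinct ports or protocol numbers one source touches, which is why the classification above only labels the probe and leaves the counting to the detector. Truncated headers return None rather than a partial record, so a malformed packet cannot be mistaken for a scan probe.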

Page 5: Software Architecture

Design 1 – Object Oriented

Page 6: Software Architecture

Design 1 – Level 2

Main

PacketHandler

getDeviceList()

receivePacket()

PortScanDetector

detect()

run()

isTCP_SYN_attack()

isTCP_FIN_attack()

isTCP_Maimon_attack()

isIPproto_attack()

isUDP_attack()

Packet_list

Page 7: Software Architecture

Design 1 – Class Diagram

PacketHandler
- NUM_PACKETS: int
- packet_list: List
- threads: ExecutorService
+ PacketHandler()
+ recievePackets(Packet)

PortScanDetector

- FIN_THRESHOLD: int
- IP_THRESHOLD: int
- SYN_THRESHOLD: int
- UDP_THRESHOLD: int
- packet_list: List
- type: int
+ PortScanDetector(List, int)
+ detect(int)
+ isIPproto_attack(): boolean
+ isTCP_FIN_attack(): boolean
+ isTCP_Maimon_attack(): boolean
+ isUDP_attack(): boolean
+ printAlert(String, InetAddress, byte[], long, int, int)
+ printMac(byte[]): String
+ run()
+ main(String[])

Page 8: Software Architecture

Design 1 - Mapping

Class                        Component
PacketHandler                Packet Handler
PortScanDetector (Thread)    Port Scan Detector
PortScanDetector (Thread)    SYN Detection
PortScanDetector (Thread)    FIN Detection
PortScanDetector (Thread)    Maimon Detection
PortScanDetector (Thread)    UDP Detection
PortScanDetector (Thread)    IP Detection
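The mapping above and the class diagram before it describe a PacketHandler that fills a shared packet_list and an ExecutorService running one PortScanDetector thread per scan type, each judged against its own threshold. The following is an added example of that arrangement in Python, not the project's Java; a single detect() parameterised by scan type stands in for the is*_attack() family. It assumes packets have already been parsed into Probe records carrying the probe class, the threshold numbers are assumptions (the slides declare the *_THRESHOLD fields but give no values), and the sample batch is constructed.

```python
"""Batch port-scan detection with one detector thread per scan type.

Added example (Python, not the project's Java). Probe records, thresholds
and the sample batch are all constructed for this illustration.
"""
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, NamedTuple, Optional


class Probe(NamedTuple):
    """One parsed packet; 'kind' is the probe class a packet parser assigned."""
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: int              # IP protocol field
    dport: Optional[int]    # None for packets that are neither TCP nor UDP
    kind: str               # "SYN", "FIN", "NULL", "MAIMON", "UDP" or "IPPROTO"


# Distinct ports (or protocol numbers) from one source to one target before an
# alert is raised. Assumed values: the slides name the fields, not the numbers.
THRESHOLDS = {"SYN": 10, "FIN": 10, "NULL": 10, "MAIMON": 10, "UDP": 10, "IPPROTO": 5}


class PortScanDetector:
    """Counterpart of the PortScanDetector thread: one instance per scan type."""

    def __init__(self, packets: List[Probe], scan_type: str, threshold: int):
        self.packets = packets        # shared, read-only snapshot of the batch
        self.scan_type = scan_type
        self.threshold = threshold

    def detect(self) -> List[dict]:
        # Key on (source, target) and count distinct ports, not packets, so a
        # client that retries one port many times never looks like a scanner.
        seen: Dict[tuple, set] = defaultdict(set)
        macs: Dict[str, str] = {}
        for p in self.packets:
            if p.kind != self.scan_type:
                continue
            # An IP protocol scan enumerates protocol numbers instead of ports.
            target = p.proto if p.kind == "IPPROTO" else p.dport
            seen[(p.src_ip, p.dst_ip)].add(target)
            macs[p.src_ip] = p.src_mac
        alerts = []
        for (src, dst), targets in seen.items():
            if len(targets) >= self.threshold:
                alerts.append({"type": self.scan_type, "src_ip": src,
                               "src_mac": macs[src], "dst_ip": dst,
                               "count": len(targets), "targets": sorted(targets)})
        return alerts


def run_detectors(packets: List[Probe]) -> List[dict]:
    """PacketHandler's role: hand one batch to a detector per type in a pool."""
    detectors = [PortScanDetector(packets, t, n) for t, n in THRESHOLDS.items()]
    with ThreadPoolExecutor(max_workers=len(detectors)) as pool:
        results = list(pool.map(lambda d: d.detect(), detectors))
    return [alert for alerts in results for alert in alerts]


def format_alert(a: dict) -> str:
    """One line in the spirit of printAlert(): who, from where, how many ports."""
    return (f"[{a['type']} scan] {a['src_ip']} ({a['src_mac']}) -> {a['dst_ip']}: "
            f"{a['count']} targets {a['targets']}")


def constructed_batch() -> List[Probe]:
    """Constructed sample: a 12-port SYN scan, a 3-port Maimon probe below the
    threshold, and 30 ordinary SYNs to one web port that must not alert."""
    scanner = ("00:11:22:33:44:55", "10.0.0.5", "10.0.0.9")
    batch = [Probe(*scanner, 6, port, "SYN") for port in range(20, 32)]
    batch += [Probe(*scanner, 6, port, "MAIMON") for port in (21, 22, 23)]
    batch += [Probe("aa:bb:cc:dd:ee:ff", "10.0.0.7", "10.0.0.9", 6, 443, "SYN")] * 30
    return batch


if __name__ == "__main__":
    for alert in run_detectors(constructed_batch()):
        print(format_alert(alert))
```

Two points carry over to the Java design. First, packet_list is shared between PacketHandler and six detector threads; if the handler keeps appending while the detectors iterate, a plain java.util.ArrayList throws ConcurrentModificationException, so each NUM_PACKETS batch should be handed over as a snapshot (as above) or guarded by a lock. Second, thresholds are applied per batch, so a scanner that spreads its probes thinly enough stays under the threshold in every batch; carrying the per-source port set across batches, which the "Duration of scan" field on the Project Overview slide calls for anyway, closes that gap.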

Page 9: Software Architecture

Design 2 – Client/Server

Page 10: Software Architecture

Design 2 – Level 2

Main

PacketHandler

getDeviceList()

sendPacket()

PortScanDetector

detect()

run()

isTCP_SYN_attack()

isTCP_FIN_attack()

isTCP_Maimon_attack()

isIPproto_attack()

isUDP_attack()

Packet_list

receivePacket()

Network

Page 11: Software Architecture

Design 2 – Class Diagram

PacketHandler
- NUM_PACKETS: int
- packet_list: List
- threads: ExecutorService
- connection: Connection
+ PacketHandler()
+ recievePackets(Packet)
+ sendPackets(Packet)
+ makeConnection()

PortScanDetector
- FIN_THRESHOLD: int
- IP_THRESHOLD: int
- SYN_THRESHOLD: int
- UDP_THRESHOLD: int
- packet_list: List
- type: int
- connection: Connection
+ PortScanDetector(List, int)
+ detect(int)
+ isIPproto_attack(): boolean
+ isTCP_FIN_attack(): boolean
+ isTCP_Maimon_attack(): boolean
+ isUDP_attack(): boolean
+ printAlert(String, InetAddress, byte[], long, int, int)
+ printMac(byte[]): String
+ run()
+ main(String[])

Page 12: Software Architecture

Design 2 - Mapping

Class                        Component
PacketHandler                Packet Handler
PortScanDetector (Thread)    Port Scan Detector
PortScanDetector (Thread)    SYN Detection
PortScanDetector (Thread)    FIN Detection
PortScanDetector (Thread)    Maimon Detection
PortScanDetector (Thread)    UDP Detection
PortScanDetector (Thread)    IP Detection

Page 13: Software Architecture

Pros and Cons

Object-Oriented

Pros                                  Cons
No additional network overhead        Single machine – load not distributed
Single machine – speed                Limited to the network(s) the machine is on
Faster to implement

Client/Server

Pros                                  Cons
Separation of components              Overhead to transfer data
More computing power (multi-server)   Slower packet transfer for reading
Read packets faster (multi-client)
Can run clients on many networks

Page 14: Software Architecture

Rationale for Implementation

Object Oriented

Java: cross platform (Windows/Linux)

Threading: used because of the large number of packets on the network

Efficiency: memory management

Reduces network overhead

Page 15: Software Architecture

Compilation

Page 16: Software Architecture

Screen Shots

Page 17: Software Architecture

Screen Shot - SYN

Page 18: Software Architecture

Screen Shot - FIN

Page 19: Software Architecture

Screen Shot - Maimon

Page 20: Software Architecture

Screen Shot - UDP

Page 21: Software Architecture

Screen Shot - IP