Intrusion Detection System

Bruno MeloDiego da SilvaMatheus FinattiVinicio Meira Advised by Dr. Xiang Fu

Intrusion Detection System

• Monitor system processes– Detect– Analyze– Block

Malicious Activities

System Architecture

CLUSTER IDS

Support Vector Machine - SVM

• Analyze Data • Recognize Patterns• Classify Data

SVM

Training Data

SVM Training

Model

SVM

SVM Predict

Test Data

Model

Classified Data

SVM

Interface

IDSSVM

SVM Interface for IDS

LIBSVM

Cluster Operation Modes

Training mode:$ python clustey.py --train -c <logfolder> -w <function name>

Predict mode:$ python cluster.py --judge -r <modelfile>

* Test data is in the environment variable called “request”

Main Module - Java™ Program

• Generate C++ Wrappers– LD_PRELOAD– LD_LIBRARY_PATH– dlsym()

• Intercept and log Apache library calls• Monitor Apache library calls

• How to generate wrappers?

Configuration File

IDS Operation Modes - Train

Parse Configuration

FileGenerate and

compile wrapper Start Apache

Intercept calls and

generate log files

IDS Operation Modes – Complete Train

Stop Apache Send log files to cluster’s

training mode

IDS Operation Modes – Monitor

Parse configuration

file

Generate and compile wrapper

Start listening server to

communicate with wrapper

Start Apache

Intercept calls and send to listening server Send log

entry to cluster to analyzeIf rejected,

ask user if Apache

should be killed

Send response to

C++ wrapper

Using IDS Modes

• Training mode:– # java –jar ids.jar -c <configfile> -o <outfile> -

mode train [-v|-i]

• Complete train mode:– # java –jar ids.jar –p <logpath> -mode completetrain

• Monitor mode:– # java –jar ids.jar -c <configfile> -o <outfile> -

mode monitor

Demonstration