Using CLIPS to Detect Network Intrusions - (CLIPNIDS) Phase I MSE Project Sripriya Marry Committee Members Dr. David Gustafson (Major Professor) Dr. Rodney Howell Dr. Mitchell Nielsen


Page 1: Overview

Using CLIPS to Detect Network Intrusions - (CLIPNIDS)

Phase I MSE Project

Sripriya Marry

Committee Members
Dr. David Gustafson (Major Professor)
Dr. Rodney Howell
Dr. Mitchell Nielsen

Page 2: Overview

Overview

• Problem Statement
• Purpose and Motivation
• Background
• Project phases
• Project Requirements
• User Interface
• Cost Estimation
• Effort Distribution

Page 3: Overview

Problem Statement

Objective

To update Clipnids with the signatures of the latest network attacks so as to detect and notify network administrators about any unauthorized access to the network resources by intruders.

Page 4: Overview

Purpose and Motivation

To excel in the Linux, C and GNU Programming.

Inspired by SNORT.

Page 5: Overview

Background

• Intrusion detection: Process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusion.

• Types of Intrusion Detection Systems:
  Network-based IDS
  Host-based IDS
  Application-based IDS

Page 6: Overview

• Types of Analysis:
  Misuse Detection
  Anomaly Detection

• Types of Response:
  Passive measure
  Active measure

• Conclusion: CLIPNIDS is a Network-based IDS that uses the “Misuse Detection” analysis technique for detecting intrusions and uses “Passive Measure” to respond to intrusions.

Page 7: Overview

Project phases

• Inception Phase
• Elaboration Phase
• Production Phase

Page 8: Overview

Inception Phase

Vision Document 1.0

Project Plan 1.0

Software Quality Assurance Plan

Prototype

Page 9: Overview

Project Requirements

• Actors identified for Clipnids.
• Use-Case diagram.
• Tasks required to achieve the objective of the project.

Page 10: Overview

• Actors identified for Clipnids:
  Network
  Clipnids
  System Administrator

Page 11: Overview

• Use-Case diagram.

Page 12: Overview

• Tasks required to achieve the objective of the project:

Strong knowledge of Linux, C, GNU Programming and the Bash scripting language.

Strong knowledge of the GDB tool for debugging.

Migration of the CLIPNIDS source code from PCAP to DAQ to capture packets.

Page 13: Overview

Integrating the latest versions of the decoders and pre-processors from SNORT into CLIPNIDS.

Identifying the version of SNORT with which the CLIPNIDS decoder and pre-processors were built.

Obtaining the latest version of SNORT.

Good understanding of how the CLIPS expert system works.

Good understanding of how CLIPNIDS works and of its architecture.

Good understanding of how SNORT works and of its architecture.

Page 14: Overview

Modifying the “conf.clp” file to alter configuration settings for CLIPNIDS based on the latest pre-processors.

Adding new CLIPS files to incorporate the latest intrusion signatures into the pattern database of CLIPNIDS.

Page 15: Overview

User Interface

Page 16: Overview
Page 17: Overview

Cost Estimation

• The COCOMO model is used for cost estimation of CLIPNIDS:

Effort (person-months) = C1 * EAF * (Size in KLOC)^P1

Time (months) = C2 * (Effort)^P2

Organic Mode

• C1 = 3.2
• C2 = 2.5
• P1 = 1.05
• P2 = 0.38

Page 18: Overview

Effort adjustment factors (cost drivers) chosen for CLIPNIDS, with the allowed range of each:

Parameter  Effort Adjustment Factor       Value  Level    Value Range
RELY       Required Reliability           1.00   Nominal  0.75-1.40
DATA       Database Size                  1.08   High     0.94-1.16
CPLX       Product Complexity             1.15   High     0.70-1.65
TIME       Execution Time Constraint      1.11   High     1.00-1.66
STOR       Main Storage Constraint        1.06   High     1.00-1.56
VIRT       Virtual Machine Volatility     0.87   Low      0.87-1.30
TURN       Computer Turnaround Time       1.00   Nominal  0.87-1.15
ACAP       Analyst Capability             0.86   High     0.71-1.46
AEXP       Applications Experience        1.00   Nominal  0.82-1.29
PCAP       Programmer Capability          0.86   High     0.70-1.42
VEXP       Virtual Machine Experience     1.10   Low      0.90-1.21
LEXP       Language Experience            0.95   High     0.95-1.14
MODP       Use of Modern Practices        1.00   Nominal  0.82-1.24
TOOL       Use of Software Tools          1.00   Nominal  0.83-1.24
SCED       Required Development Schedule  1.00   Nominal  1.10-1.23
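The COCOMO estimate carried through with the cost-driver values from the slides, as an added example that is not part of the original presentation: it computes EAF as the product of the fifteen multipliers, applies the organic-mode Effort and Time formulas, and checks each chosen value against the range the slides give. The project size (10 KLOC) is an assumption; the slides do not state it.

```python
# Added worked example (not from the CLIPNIDS slides): Intermediate COCOMO,
# organic mode, with the effort multipliers and ranges listed on the slides.

# parameter -> (value chosen on the slides, (low, high) range from the slides)
COST_DRIVERS = {
    "RELY": (1.00, (0.75, 1.40)),
    "DATA": (1.08, (0.94, 1.16)),
    "CPLX": (1.15, (0.70, 1.65)),
    "TIME": (1.11, (1.00, 1.66)),
    "STOR": (1.06, (1.00, 1.56)),
    "VIRT": (0.87, (0.87, 1.30)),
    "TURN": (1.00, (0.87, 1.15)),
    "ACAP": (0.86, (0.71, 1.46)),
    "AEXP": (1.00, (0.82, 1.29)),
    "PCAP": (0.86, (0.70, 1.42)),
    "VEXP": (1.10, (0.90, 1.21)),
    "LEXP": (0.95, (0.95, 1.14)),
    "MODP": (1.00, (0.82, 1.24)),
    "TOOL": (1.00, (0.83, 1.24)),
    "SCED": (1.00, (1.10, 1.23)),
}

# Organic-mode constants from the slides.
ORGANIC = {"C1": 3.2, "P1": 1.05, "C2": 2.5, "P2": 0.38}


def effort_adjustment_factor(drivers=COST_DRIVERS):
    """EAF is the product of all cost-driver multipliers."""
    eaf = 1.0
    for value, _ in drivers.values():
        eaf *= value
    return eaf


def out_of_range(drivers=COST_DRIVERS):
    """Names of drivers whose chosen value lies outside the stated range."""
    return [name for name, (v, (lo, hi)) in drivers.items() if not lo <= v <= hi]


def cocomo_effort(size_kloc, mode=ORGANIC, drivers=COST_DRIVERS):
    """Effort in person-months: C1 * EAF * Size^P1."""
    return mode["C1"] * effort_adjustment_factor(drivers) * size_kloc ** mode["P1"]


def cocomo_time(effort_pm, mode=ORGANIC):
    """Development time in months: C2 * Effort^P2."""
    return mode["C2"] * effort_pm ** mode["P2"]


if __name__ == "__main__":
    size = 10.0  # assumed size in KLOC; not given on the slides
    effort = cocomo_effort(size)
    print(f"EAF = {effort_adjustment_factor():.4f}")
    print(f"Effort for {size} KLOC = {effort:.2f} person-months")
    print(f"Schedule = {cocomo_time(effort):.2f} months")
    print("Drivers outside their stated range:", out_of_range())
```

The range check flags SCED: its chosen value of 1.00 lies outside the 1.10-1.23 range the slide lists for it, so one of the two numbers on the slide should be re-checked before the estimate is relied on.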

Page 19: Overview

Effort Estimation – Gantt chart

Inception Phase: Vision Document 1.0, Project Plan 1.0, SQA Plan, Prototype, Presentation 1

Elaboration Phase: Vision Document 2.0, Project Plan 2.0, Formal Specification, Architectural Design, Test Plan, Inspection checklist, Inspection, Prototype, Presentation 2

Production Phase: Component Design, Develop code, Testing, Documentation, User Manual, Project Evaluation, Presentation 3

(Gantt chart not reproduced; its time axis runs weekly from 1/23/14 to 4/17/14, with Start Date and Duration bars for each task.)