Presentation is loading. Please wait.

Presentation is loading. Please wait.

Using CLIPS to Detect Network Intrusions - (CLIPNIDS) Phase III MSE Project Sripriya Marry Committee Members Dr. David Gustafson (Major Professor) Dr.

Published byAudrey Lily Rogers Modified over 8 years ago

Similar presentations

Presentation on theme: "Using CLIPS to Detect Network Intrusions - (CLIPNIDS) Phase III MSE Project Sripriya Marry Committee Members Dr. David Gustafson (Major Professor) Dr."— Presentation transcript:

1 Using CLIPS to Detect Network Intrusions - (CLIPNIDS) Phase III MSE Project Sripriya Marry Committee Members Dr. David Gustafson (Major Professor) Dr. Rodney Howell Dr. Mitchell Nielsen

2 Phase Deliverables  Action Items  Assessment Evaluation  Project Evaluation  User Manual

3 Network Data Model Action Items

4 Packet Data Model

5 OCL for CLIPNIDS Context Packet def: syn: Boolean = self.tcp.syn = true and self.tcp.ack = false def: synAck: Boolean = self.tcp.syn = true and self.tcp.ack = true def: oppositeIPFlow( p: Packet):Boolean = self.ip.sourceAddr = p.ip.destAddr and self.ip.destAddr = p.ip.sourceAddr def: oppositeTCPFlow( p: Packet):Boolean = self.oppositeIPFlow(p) and self.tcp.sourcePort = p.tcp.destPort and self.tcp.destPort = p.tcp.sourcePort def: occuredWithin( t: Integer, p:Packet):Boolean = self.timeStamp > p.timestamp and ((self.timeStamp – p.timeStamp) < t)

6 Context Packet Inv OpenPort: Packet.allInstances->forAll(p1, p2 | ( p1.syn and p2.synAck and p1.oppositeTCPFlow(p2) and p2.occuredWithin(2000,p1)) implies IPStack.allInstances->exists( i | i.ipAddr = p2.ip.sourceAddr and i.ports->exists( po : Port | po.state = PortState::Open and po.type = PortType::TCP and po.number = p2.tcp.sourcePort))) and Alarm.allInstances->exists(a | a. exploit->exists(e : Exploit | e.description = “Open Port Present”)) Context Session Inv Suspect: self. Packets.allInstances-> forAll( p: Packet | p.ip.sourceAddr = “210.233.108.255” and p.ip.destAddr = “78.89.242.182” implies self. alarm->exists( a: Alarm | a. exploit->exists(e : Exploit | e.description = “Packet from suspected host”))

7 Phase I

8 Phase II

9 Phase III

10 Lessons Learnt  Networking Domain Knowledge Packet, Protocols.  APIs used in Networking DAQ, pcap files  Linux, C, Bash Scripting, GDB  CLIPS expert system CLIPS rules and facts

11 Technical challenges  Compiling Errors  Debugging  Schedule

12 Execution and Testing  Specifying Source IP address of suspected machine in Clip  Display of alarm

13 Thank you!

Download ppt "Using CLIPS to Detect Network Intrusions - (CLIPNIDS) Phase III MSE Project Sripriya Marry Committee Members Dr. David Gustafson (Major Professor) Dr."

Similar presentations

Automating Software Module Testing for FAA Certification Usha Santhanam The Boeing Company.

Automating Software Module Testing for FAA Certification Usha Santhanam The Boeing Company.
Airline Reservation System

Airline Reservation System
Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions April 14, 2015 DRAFT1.

Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions April 14, 2015 DRAFT1.
CONTEXT-BASED INTRUSION DETECTION USING SNORT, NESSUS AND BUGTRAQ DATABASES Presented by Frédéric Massicotte Communications Research Centre Canada Department.

CONTEXT-BASED INTRUSION DETECTION USING SNORT, NESSUS AND BUGTRAQ DATABASES Presented by Frédéric Massicotte Communications Research Centre Canada Department.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
IDPS (Intrusion Detection & Prevention System )

IDPS (Intrusion Detection & Prevention System )
Firewalls : usage Data encryption Access control : usage restriction on some protocols/ports/services Authentication : only authorized users and hosts.

Firewalls : usage Data encryption Access control : usage restriction on some protocols/ports/services Authentication : only authorized users and hosts.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
Students:Gilad Goldman Lior Kamran Supervisor:Mony Orbach Mid-Semester Presentation Spring 2005 Network Sniffer.

Students:Gilad Goldman Lior Kamran Supervisor:Mony Orbach Mid-Semester Presentation Spring 2005 Network Sniffer.
Client Server Model The client machine (or the client process) makes the request for some resource or service, and the server machine (the server process)

Client Server Model The client machine (or the client process) makes the request for some resource or service, and the server machine (the server process)
Vocabulary URL = uniform resource locator: web address protocol –set of rules that networked computers follow in order to share data and coordinate communications.

Vocabulary URL = uniform resource locator: web address protocol –set of rules that networked computers follow in order to share data and coordinate communications.
Bro: A System for Detecting Network Intruders in Real-Time Presented by Zachary Schneirov CS 395-0 Professor Yan Chen.

Bro: A System for Detecting Network Intruders in Real-Time Presented by Zachary Schneirov CS Professor Yan Chen.
Custom DE Domain Block - uEngine Other Script Languages or C/C++ lack Block Level integration, or similar abstraction with the Modeling Environment.

Custom DE Domain Block - uEngine Other Script Languages or C/C++ lack Block Level integration, or similar abstraction with the Modeling Environment.
1 GFI LANguard Network Security Scanner. 2 Contents Introduction Features Source & Installation Testing environment Results Conclusion.

1 GFI LANguard Network Security Scanner. 2 Contents Introduction Features Source & Installation Testing environment Results Conclusion.
Using CLIPS to Detect Network Intrusions - (CLIPNIDS) Phase I MSE Project Sripriya Marry Committee Members Dr. David Gustafson (Major Professor) Dr. Rodney.

Using CLIPS to Detect Network Intrusions - (CLIPNIDS) Phase I MSE Project Sripriya Marry Committee Members Dr. David Gustafson (Major Professor) Dr. Rodney.
Data Mining for Intrusion Detection: A Critical Review Klaus Julisch From: Applications of data Mining in Computer Security (Eds. D. Barabara and S. Jajodia)

Data Mining for Intrusion Detection: A Critical Review Klaus Julisch From: Applications of data Mining in Computer Security (Eds. D. Barabara and S. Jajodia)
TCP/IP Networking sections 13.2,3,4,5 Road map: TCP, provide connection-oriented service IP, route data packets from one machine to another (RFC 791) ICMP,

TCP/IP Networking sections 13.2,3,4,5 Road map: TCP, provide connection-oriented service IP, route data packets from one machine to another (RFC 791) ICMP,
BRUE Behavioral Reverse Engineering in UML as Eclipse Plugin MSE Presentation 1 Sri Raguraman.

BRUE Behavioral Reverse Engineering in UML as Eclipse Plugin MSE Presentation 1 Sri Raguraman.
Unit 4, Lesson 11 How Data Travels the Internet

Unit 4, Lesson 11 How Data Travels the Internet

Similar presentations

Ads by Google