i | P a g e

Tool for Secure File Transfer and Intrusion Detection in a Network

GRADUATE PROJECT REPORT

Submitted to the Faculty of

The School of Engineering & Computing Sciences Texas A&M University-Corpus Christi

Corpus Christi, TX

In Partial Fulfillment of the Requirements for the Degree of Master of Science in Computer Science

By Nithisha Repaka
Summer 2012

Committee Members
Dr. Mario Garcia, Committee Chairperson
Dr. Ajay Katangur, Committee Member
Dr. John Fernandez, Committee Member

ABSTRACT

The need for intrusion detection in combating cyber crime has been a crucial issue for decades, and the scope and frequency of research in this area of computer science has grown rapidly. The main motive behind these studies is to safeguard sensitive information and protect it from malicious attackers. Most of the existing strategies in this field are based on network-based intrusion detection system (NIDS) and host-based intrusion detection system (HIDS) techniques, together with misuse detection and anomaly detection methodologies. The common goal of these techniques is a secure way to transmit data from one terminal to another.

In this paper, a hybrid tool is proposed for client-server networks (CSN). The tool supports a flexible NIDS component that takes live network traffic as input and checks whether the connecting client's IP address belongs to the server's network. If the client's IP does not share the server's network address, the client is identified as an attacker and recorded in a Hit-List, and a log file in text format is generated with the attempt's properties (time, date, IP and login details). For a valid client, file transfer is protected by encryption: the Blowfish algorithm is used to encrypt and decrypt the file, so only a user holding the valid key can decrypt and read it. Combining the IP check with encryption therefore raises the level of security both outside and inside the network.


TABLE OF CONTENTS

Abstract ... ii

Table of Contents ... iii

List of Figures ... vi

1. Introduction ...1

1.1 Intrusion Detection System (IDS) ...1

1.1.1 Host Based IDS (HIDS) ...1

1.1.2 Network Based IDS (NIDS) ...1

1.1.3 Protocol Based IDS (PIDS) ...2

1.1.4 Application protocol Based IDS (APIDS) ...2

1.1.5 Misuse Detection ...2

1.1.6. Anomaly Detection ...2

1.2 Why is IDS important? ...3

2. Background and Rationale ...5

2.1 A Distributed Autonomous Intrusion Detection Framework ...5

2.2 Evaluating Files to Audit for Detecting Intrusions in File System Data ...8

2.3 Intrusion Detection System Intended for Multi gigabit Networks ...9

2.4 Network-based intrusion detection using Adaboost algorithm ...10

2.5 A Collaborative Intrusion Detection System Using Log Server and Neural Networks ...11

2.6. Existing System ...13

2.6.1. Drawbacks ...13

2.7. Proposed System ...14

2.7.1. Advantages ...14

3. Proposed System ...15

3.1. System Architecture ...15

3.1.1. Input ...15

3.1.2. Client Server Architecture ...16

3.1.2.1. Server: Listens IP ...16

3.1.2.2. Client: Connects to Server and Enters Login Credentials ...16

3.1.2.3. Server: Allows client to view its Resources ...16

3.1.2.4. Client: Decrypt Resources ...16

3.1.2.5. Server: Trigger an Event (“Hacker is present”) ...16


3.1.3. Output ...17

3.2. Data Encryption / Decryption ...17

3.2.1. Encryption ...18

3.2.2. Decryption...21

4. Test Scenarios ...20

4.1. Scenario 1: IP ...20

4.2. Scenario 2: Login ...23

4.3. Scenario 3: Allow to Access Resources ...24

4.4. Scenario 4: Decrypting the Resource ...27

4.5. Scenario 5: Hit-List Checking ...29

4.7. Other Useful Screenshots ...30

5. Conclusion ...35

6. Future Work ...35


LIST OF FIGURES

Figure 1: Architecture of A2D2 Framework ...6

Figure 2: mEngine designed for A2D2 ...7

Figure 3: Architecture of IDS system using COMBO6X card ...9

Figure 4: Framework of NIDS with Adaboost Algorithm ...10

Figure 5: System Architecture (Left) and System Extension Architecture (Right) ...12

Figure 6: Data Sharing between Multiple Domains ...14

Figure 7: Proposed System Architecture ...15

Figure 8: Interface diagram (main page) ...20

Figure 9: Master is monitoring ...20

Figure 10: Viewing the content in both IP ADDRESS and RESOURCES sections...21

Figure 11: Entering the IP address as input ...21

Figure 12: Client credential details for login ...23

Figure 13: No access if user enters invalid login credentials ...23

Figure 14: Resource access window for client ...25

Figure 15: Monitoring unauthorized client actions ...25

Figure 16: Do enter Key ...27

Figure 17: Valid-user-invalid-key...27

Figure 18: Hit-List ...29

Figure 23: Selecting the ‘BLOWFISH’ encryption ...30

Figure 24: Encrypted file ...31


Figure 26: IDS information ...33

Figure 27: Content of the password log file ...34


1. INTRODUCTION

1.1. Intrusion Detection System (IDS)

An intrusion detection system (IDS) is a tool or application used to detect attacks that attempt to compromise or break a system or network, typically by an unauthorized user from outside the network. It does this by tracking suspicious patterns and activities in both the incoming and outgoing traffic of the network. An IDS generally records the details of the events it examines and later generates reports, which are sent to a management station for further action. Once the details of the malicious user have been obtained from these records, actions such as blocking the user can be taken. Note that an IDS can also monitor suspicious users inside the network.

IDSs are commonly classified in two ways: by what they monitor (HIDS, NIDS, PIDS and APIDS) and by how they detect (misuse detection and anomaly detection).

First classification: HIDS, NIDS and PIDS

1.1.1. Host-Based IDS (HIDS):

A host-based IDS (HIDS) runs on an individual host in the network and observes events that indicate suspicious activity on that host, such as a change in a file's contents or the replacement of a file by another [1]. It works from audit data recorded by the kernel and in the log files of the host on which it runs. The advantage of this approach is that complete and detailed file information is available for later reference.

1.1.2. Network-Based IDS (NIDS):

A network-based intrusion detection system (NIDS), as its name suggests, monitors network traffic and validates IP addresses and the packets being transmitted. Detection is based on inspecting packet attributes [2]. The traffic is collected from network hardware such as switches and routers, so the information available about each packet is less comprehensive than what a HIDS sees on a host. The advantage of this approach is that a NIDS can be deployed at a few points in a distributed environment, whereas a HIDS has to be installed on each and every host.

1.1.3. Protocol-Based IDS (PIDS):

A protocol-based IDS (PIDS) checks the dynamic behavior and state of a protocol. A PIDS is typically installed in front of a web server [3], where an agent monitors and controls the protocol traffic to and from the server and protects it from attacks.

1.1.4. Application Protocol-Based IDS (APIDS)

An application protocol-based IDS (APIDS) is a special type of IDS that observes only one particular application-layer protocol used by the system.

Second classification: Misuse and Anomaly Detection

1.1.5. Misuse Detection/ Signature Detection:

Here the detection of threats is based entirely on signatures and rules. New activity is compared against a large database of signatures of already known threats to check whether it matches one of them [4]. This is similar to how signature-based anti-virus software detects malware. The technique is widely used and is highly accurate, but only when the attack is a known one rather than a novel one. Comparing every event against a large database can also introduce processing delays.

1.1.6. Anomaly Detection:

Every system has its own normal behavior, and a system administrator should maintain a baseline of this behavior for all systems in the network [5]. Any behavior that deviates from the baseline indicates that something may be going wrong on the network, and this is the principle followed by anomaly detection. Anomalies may take the form of a high traffic load, a breakdown, a protocol mismatch or a change in the standard packet size. The network traffic is continuously compared with the baseline behavior of the system to find such anomalies.

Deploying an IDS generally raises related questions such as the following [6]:

Which type of firewall is needed (hardware or software)?
Will cookies compromise the security level?
How should a system avoid being spammed?
How can a wireless network be secured?
What are the different security challenges for cloud computing?

1.2. Why is IDS important?

Now that IDS systems and their classifications have been described, an important question arises: why is intrusion detection important? Its importance is discussed here with some examples.

Intrusion detection is important for managing the security of any system in a network. Detection is generally the first step by which a weakness in the system can be found and removed; detecting an intrusion and then following a procedure to remove it is the basic process in any system designed to maintain security.


Cybercrime has become more prevalent than ever and with each day it is becoming more challenging to avoid and to defend against. Protecting networks from intrusions and malware attempts has become a critical effort for network management professionals.

Attacks take different forms (passive or active): data-driven attacks such as Trojans, trapdoors and viruses; denial-of-service attacks; password-based attacks; data modification attacks; identity spoofing; eavesdropping; man-in-the-middle attacks; compromised-key attacks; sniffer attacks; application-layer attacks; and botnet attacks [7]. These may lead to the modification, interception, interruption, destruction or fabrication of the confidential information stored in the system. Each attack has its own characteristics, but the common motive is to compromise a system in the network, use it as a host and cause further damage.

To remove such malware, the specific attack first has to be detected, and this is what an intrusion detection system is used for.

A wave of cyber attacks has likely stolen at least $80 million from bank accounts in Europe, the United States and elsewhere, a security report said Tuesday. [19]

USDA DC headquarters – June 2006 – The Department of Agriculture was subject to a cyber attack where the names, social security numbers, and photographs of 26,000 employees were stolen. [20]


2. BACKGROUND AND RATIONALE

The financial situation of the organization, the time available and the capabilities of the team should be assessed properly before a tool is developed. Once these factors are known, the tools, operating system and programming language needed for development can be chosen. Support from external resources is also important during the development phase; these may include senior program analysts, websites, books and magazines. Any system in its building stage has to account for the above constraints, and the proposed system must include the properties described in the following sections.

2.1. A Distributed Autonomous Intrusion Detection Framework

This approach concentrates mainly on intrusion detection in a distributed environment. The paper proposes a flexible and novel intrusion detection framework built from autonomous agents that are dynamically distributed (A2D2) in the network. These agents are capable of dynamically downloading and installing policies, signatures and files from a central server, based on the attack attributes and requirements. A key management system is implemented for secure, flexible communication and response between the agents in the distributed network. An event analysis engine and a domain-independent, object-oriented language have also been designed to enable data fusion in the environment.

These independently running autonomous agents (AAs) make decisions locally, which increases the adaptive nature of the environment and also improves the manageability and controllability of the distributed network. The key features of A2D2 are:


 A2D2 is the backbone of the system, designed as a flexible and novel intrusion detection framework using AAs. The AAs become active and hibernate according to the needs of the network.

 A2D2 has a modular structure that makes it an open framework. Because the AAs download and install updates dynamically and independently, the problem of manual maintenance and management is alleviated.

 A2D2 has a well-defined hierarchical structure that enables scalability through multiple layers of data-fusion AAs. A key management system is available for secure communication between the AAs.

Figure 1 shows the architecture of A2D2 for a distributed network, where the network is divided into three autonomous zones based on subnets [11]. As shown in the figure, six different kinds of AAs and three different central servers are used. They are:

 Active Intrusion Detection AAs
 Hibernative Intrusion Detection AAs
 Mobile Intrusion Detection AAs
 Auxiliary Intrusion Detection AAs
 Control Intrusion Detection AAs
 Data Fusion Intrusion Detection AAs

 Central Data Fusion Server
 Central Control Server
 Central Update Server


Figure 2 shows the design of mEngine, the engine built on A2D2 for detecting intrusions. In mEngine, the AAs detect intrusions by following the four steps illustrated in the figure:

Data Processing --> Information Analysis --> Knowledge Analysis --> Assessment

These are the main steps followed by an AA to detect intrusions in mEngine.

2.2. Evaluating Files to Audit for Detecting Intrusions in File System Data

In this approach, intrusions are detected by monitoring the file system data of a host. If a system is attacked, there is a definite change in its file system data: files may be modified, deleted entirely, or created without permission by a malicious entity. Auditing quantitative file system data of an attacked system is therefore a good way to detect an intrusion [12]. It should be noted that not every file's data provides information about attack activity, so the files that can reveal malicious activity must be carefully selected.

The paper mainly discusses three types of attack: reconnaissance, modifying passwords and downloading malware. For each type of attack, data from the affected files is recorded and compared with data from a compromised system to detect the intrusion. By concentrating on the activity of each file on the attacked system, the collected data gives a probabilistic measure of the evidence for each of the three types of attack, and metrics are then used to rank the files for auditing.

Since this approach concentrates on the file system of a target host, it is an example of a host-based intrusion detection system (HIDS).


2.3. Intrusion Detection System Intended for Multi-gigabit Networks

This paper contributes the idea of using a hardware-based IDS instead of a software-based IDS to keep up with the speed of multi-gigabit network links, and it is an example of a network-based IDS (NIDS). The approach relies on a field-programmable gate array (FPGA), which speeds up packet classification and pattern matching.

Snort is an open-source NIDS driven by a rule language, with a database of signatures and rules for known attacks as well as anomaly-based and protocol-based methods. Snort spends 80% or more of its CPU time on string matching, which is what motivates hardware acceleration of that task.

In this methodology, network packets are pre-filtered by a hardware acceleration card built around the FPGA [14]. Packets that are compared with the defined IDS rules and found not suspicious are passed through the card to the host system. The performance gain depends on the card filtering the traffic before it reaches the host. For efficiency, prefix-sharing and pattern-truncation techniques are also implemented in the hardware.

Figure 3 shows the architecture of the IDS with the COMBO6X hardware card, which gives a throughput of 6.4 Gbps. A classification unit and a pattern-match unit are included in the architecture.

2.4. Network-based intrusion detection using Adaboost algorithm

This is another NIDS framework, this time based on algorithmic analysis. Here the AdaBoost algorithm, a popular machine-learning algorithm, is used to detect intrusions in the network [16]. Its complexity is low compared with other algorithms previously implemented for NIDS.

Figure 4: Framework of NIDS with Adaboost Algorithm [15]

Figure 4 describes the NIDS architecture, which has four sections. Each section is discussed briefly here:

 Feature Extraction:

Three major groups of characteristics are used in detecting intrusions. They are:

 General features of TCP connections.
 Content features of the connection, recommended by domain knowledge.
 Traffic features and their characteristics.

 Data labeling:

The training data set must be labeled when applying this algorithm to network traffic: +1 represents normal samples and -1 represents attack samples. This algorithm follows neither misuse detection nor anomaly detection but a novel, supervised-learning approach.

 Weak classifiers design:

A group of weak classifiers, built in the early stages, is essential for applying this algorithm. Weak (or basic) classifiers are those with low accuracy on their own, only somewhat better than random guessing.

 Strong classifier constructed using this algorithm:

Using the algorithm, a strong classifier is generated as a weighted combination of the group of weak classifiers, following the boosting rules.

The whole idea of the algorithm is to strengthen classification by selecting and combining weak classifiers.

2.5. A Collaborative Intrusion Detection System Using Log Server and Neural Networks

This is another new approach, in which a Remote Login Server (RLS) technique with a KIT-1 implementation is proposed. The RLS mechanism is used mainly to keep a backup of log files on a server, and neural networks are also used in this IDS approach.

The motivation behind the RLS technique is to prevent an intruder who has compromised the monitored system from altering the log files of an IDS installed locally on it. There is a channel between client and server, and if that channel is intruded upon, the stored backup is worthless, since it would only yield wrong and false information [18].

The SSL capability of Java is included in the framework to encrypt the channel between client and server.

Figure 5: System Architecture (Left) and System Extension Architecture (Right) [17]

The system architecture shown in Figure 5 has two modules:

Transfer Module: Used to transfer the client's log files to the server periodically, at specific intervals.

Neural Networks (NN) Module: Analyzes the data of the log files received from clients. If any suspicious activity is sensed, this module informs the administrator to take care of the issue.


2.6. Existing System

 Classical techniques provide good defensive structures for protecting very important resources from being attacked. These include firewalls, various encryption techniques, steganography methods, etc.

 These defensive mechanisms are very effective tools, but mostly work well only against already known attacks.

 There is also no complete hybrid architecture that combines intrusion detection with file sharing.

 Moreover, these systems can each only execute on a single system.

2.6.1. Drawbacks

 It is costly to implement AAs on each host in a distributed network.

 Using hacking techniques, file audit data can also be altered.

 A software implementation is generally more feasible than a hardware implementation.

 Applying classification algorithms is a classic method and may not be very effective.

2.7. Proposed System

 The proposed system can record the IP addresses of hackers and identify what type of file they try to access and what password and key they use to access the file.

 The system is based on both HIDS and NIDS, which increases the scope of the IDS. It also combines the features of an IDS with encryption to raise the level of security.


Figure 6: Data Sharing between Multiple Domains [8]

Figure 6 describes data sharing between three different domains A, B and C with key-based security.

2.7.1. Advantages

 The IP check is performed using a NIDS strategy.

 A client is not eliminated immediately after the IP check; it is allowed to proceed until it attempts a file download.

 A text file is generated when an invalid user tries to access the server's resources.

 The server encrypts its resources, so a client that fails to enter the decryption key cannot complete the task.

 A client has to log in before it can view the server's resources; a client that fails to enter valid credentials is denied access.


3. PROPOSED SYSTEM

3.1. SYSTEM ARCHITECTURE

Figure 7: Proposed System Architecture

Figure 7 describes the proposed architecture of the tool for intrusion detection.

3.1.1. Input:

Live network traffic is the input to the proposed system. The server analyzes this traffic as soon as a client establishes a connection with it. The resources to be shared between clients are added manually by the administrator. The traffic is taken in the form of IP addresses: the server obtains the client's IP address as soon as the client requests a connection.

3.1.2. Client Server Architecture:

3.1.2.1. Server: Listens IP

The server listens for and records the IP of each client as soon as the client establishes a connection with it. In this stage, the server stores all the clients' IP addresses.

3.1.2.2. Client: Connects to Server and Enters Login Credentials

After the client requests a connection with the server, it is prompted to enter its login credentials. If the credentials match those present in the server's database, it is treated as a valid client; if they do not match, it is considered invalid and is discarded.

3.1.2.3. Server: Allows client to view its Resources

Only after the server approves the login credentials is the client allowed to view the resources the server provides for sharing. The client can download a desired resource by selecting it. At this stage, when the client tries to download a resource, the server decides whether the client is valid or an intrusion attempt by checking the client's IP: for a client to be in the server's network, its IP must have the same network address as the server's. Note that this check distinguishes hosts only by network address: a host inside the server's network passes it whatever its intent, and a host outside it is flagged even with valid credentials, so the login step and the decryption key remain the only controls on what an in-network host can read.

3.1.2.4. Client: Decrypt Resources

In the case of a valid client, the file is released only after the client enters the correct key to decrypt it. After decryption, the client can save the resource on its local disk.


3.1.2.5. Server: Trigger an Event ("Hacker is present")

In the case of an invalid client (an intrusion), an event is triggered with the message "Hacker is present". On this event, a text file with the intrusion's properties is generated as output.

3.1.2.6. Stores Hacker's IP in Hit-List

The hacker's IP is entered into the Hit-List, where it remains available for future reference.

Hit-list checking

Hit-list checking, in general, means gathering the IP addresses that are live, i.e. that respond readily, as a liveness measurement. Performing this check well requires sophisticated tools, and it results in the same addresses being scanned again and again. This module should therefore help in differentiating and tracking 'live' addresses from 'dark' addresses.

3.1.3. Output:

As soon as the intrusion detection event is triggered, a text file is generated on the server. That text file holds the information about the hacker or intrusion: the date and time of the detection event, the login credentials used by the hacker and the hacker's IP address, which are also stored in the Hit-List for future reference.

For a valid client, the selected resource can be downloaded and saved to its local disk.
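The steps in 3.1.2 and 3.1.3 above, as an added example that is not part of the original project: a small Python model of the server-side checks, written for this page rather than taken from the tool. It assumes a server address and prefix length (192.168.1.10/24 here), a constructed set of client attempts, and its own names (FileShareServer, request_download, and so on). It follows the design in deferring the IP check until a download is attempted, and departs from it in one labelled place: the log records the username but not the password, since writing the credentials an intruder typed into a plaintext file puts a secret on disk.

```python
import hashlib
import hmac
import ipaddress
import os
from collections import Counter
from datetime import datetime, timezone


class FileShareServer:
    """Server-side checks of the proposed design, in the order the text gives them:
    credential check at login, network-address check at download time, and a
    Hit-List plus text log for any client that fails the download-time check.
    Class and method names are this example's own, not the project's."""

    def __init__(self, server_ip, prefix_len):
        # The server's network, derived from its own address (e.g. 192.168.1.10/24).
        self.network = ipaddress.ip_network(f"{server_ip}/{prefix_len}", strict=False)
        self.users = {}            # username -> (salt, sha256(salt || password))
        self.hit_list = Counter()  # ip -> number of detections ("hacker hits")
        self.log_lines = []        # contents of the .txt log the design generates

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, hashlib.sha256(salt + password.encode()).digest())

    def login(self, username, password):
        """Scenario 2: unknown users and wrong passwords are refused. The salted
        hash is compared in constant time so timing does not leak which part failed."""
        if username not in self.users:
            return False
        salt, stored = self.users[username]
        return hmac.compare_digest(stored, hashlib.sha256(salt + password.encode()).digest())

    def in_server_network(self, client_ip):
        """Scenarios 1 and 3: a client is 'in the network' if its address falls in
        the server's subnet, which is all the IP check can establish."""
        return ipaddress.ip_address(client_ip) in self.network

    def request_download(self, client_ip, username, resource, when=None):
        """Scenario 3: the IP check is enforced only when a download is attempted.
        Returns (allowed, message); a failing client is logged and hit-listed."""
        when = when or datetime.now(timezone.utc)
        if self.in_server_network(client_ip):
            return True, f"{resource} released to {username}@{client_ip}"
        self.hit_list[client_ip] += 1
        # Record the username but not the password: the original design stores the
        # credentials the intruder used, which would put a secret into a plaintext file.
        self.log_lines.append(
            f"{when:%Y-%m-%d %H:%M:%S} HACKER-PRESENT ip={client_ip} user={username} "
            f"resource={resource} hits={self.hit_list[client_ip]}"
        )
        return False, "Hacker is present"

    def previously_flagged(self, client_ip):
        """Scenario 5: consult the Hit-List before trusting a returning address."""
        return self.hit_list[client_ip] > 0

    def log_text(self):
        """The text-file output of section 3.1.3, as one string."""
        return "".join(line + "\n" for line in self.log_lines)


def demo():
    """Constructed session (sample data, not captured traffic): one in-network
    client, one outsider with a valid login, and one outsider with a bad login."""
    srv = FileShareServer("192.168.1.10", 24)
    srv.add_user("alice", "correct horse")
    ts = datetime(2012, 7, 1, 9, 30, tzinfo=timezone.utc)
    attempts = [
        ("192.168.1.25", "alice", "correct horse", "report.txt"),
        ("10.0.0.5", "alice", "correct horse", "report.txt"),  # valid login, wrong network
        ("10.0.0.5", "bob", "guess", "secrets.txt"),           # refused before download
    ]
    results = []
    for ip, user, password, resource in attempts:
        if not srv.login(user, password):
            results.append((ip, user, "login refused"))
            continue
        allowed, message = srv.request_download(ip, user, resource, when=ts)
        results.append((ip, user, message))
    return srv, results


if __name__ == "__main__":
    server, outcome = demo()
    for entry in outcome:
        print(entry)
    print(server.log_text(), end="")
```

Running the module prints the three outcomes and the single log line for the outsider who logged in correctly; the second outsider never reaches the download step, which is why the design's Hit-List only ever holds addresses that passed the login check.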

3.2. Data Encryption / Decryption

Blowfish is a symmetric block cipher: the same secret key is used to encrypt and to decrypt, it operates on 64-bit blocks, and it accepts a variable-length key of 32 to 448 bits. Each block is transformed through 16 rounds of a Feistel network using key-dependent subkeys and S-boxes, as described below.


3.2.1. Encryption

Blowfish is a Feistel network consisting of 16 rounds. The input is a 64-bit data element, x. The subkeys are the 18 32-bit entries of the P-array, P1 ... P18, and four S-boxes S1 ... S4 of 256 32-bit entries each, all derived from the key.

Divide x into two 32-bit halves: xL, xR
For i = 1 to 16:
    xL = xL XOR Pi
    xR = F(xL) XOR xR
    Swap xL and xR
Swap xL and xR (undo the last swap)
xR = xR XOR P17
xL = xL XOR P18
Recombine xL and xR

Function F (illustrated in [9]):
Divide xL into four eight-bit quarters: a, b, c, and d
F(xL) = ((S1,a + S2,b mod 2^32) XOR S3,c) + S4,d mod 2^32

Referenced from [9].

3.2.2. Decryption

Decryption follows exactly the same procedure as encryption, except that the subkeys P1, P2, ..., P18 are used in reverse order.

In this tool, the algorithm first encrypts the entire resource that is to be sent to the user. At the other end, the user decrypts the received resource using the secret key k, which is a shared symmetric key, since Blowfish uses the same key for encryption and decryption. The important point is that only legitimate users possess this secret key, so decryption can be performed only by users who were issued the key for the encrypted resource.
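The encryption and decryption steps above, as an added example that is neither the project's code nor a reference Blowfish implementation: a Python class with the same 16-round Feistel structure, F function and key schedule, a decryption routine that runs the same network with the P-array reversed, and CBC mode around it for a whole file. Two assumptions are labelled in the code. First, the initial P-array and S-boxes are expanded from SHA-256 of a fixed label rather than from the hexadecimal digits of pi (the real tables are about 4 KB of constants), so the cipher is not interoperable with real Blowfish. Second, the file format adds an HMAC-SHA256 tag over the IV and ciphertext, which is what lets a tool report "Enter valid key" instead of handing back garbage, since a block cipher by itself cannot tell a wrong key from a right one. Class and function names are this example's own.

```python
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF
BLOCK = 8  # Blowfish encrypts 64-bit blocks


def _initial_tables():
    """Stand-in for the pi-derived initial P-array (18 words) and four 256-word
    S-boxes. Real Blowfish fills these from the hex digits of pi; expanding SHA-256
    of a label instead (an assumption) keeps the structure but breaks interoperability."""
    words = []
    for counter in range((18 + 4 * 256) // 8 + 1):
        digest = hashlib.sha256(b"example-tables" + counter.to_bytes(4, "big")).digest()
        words.extend(struct.unpack(">8I", digest))
    return words[:18], [words[18 + i * 256:18 + (i + 1) * 256] for i in range(4)]


class BlowfishLike:
    """16-round Feistel network with Blowfish's F function and key schedule."""

    def __init__(self, key):
        if not 4 <= len(key) <= 56:
            raise ValueError("key must be 32..448 bits")
        self.P, self.S = _initial_tables()
        cycled = (key * (72 // len(key) + 1))[:72]          # key repeated to 18 words
        for i, word in enumerate(struct.unpack(">18I", cycled)):
            self.P[i] ^= word                                # step 1: XOR key into P
        l = r = 0                                            # step 2: overwrite P and S
        for i in range(0, 18, 2):                            # with successive encryptions
            l, r = self.encrypt_block(l, r)                  # of the all-zero block
            self.P[i], self.P[i + 1] = l, r
        for box in self.S:
            for i in range(0, 256, 2):
                l, r = self.encrypt_block(l, r)
                box[i], box[i + 1] = l, r

    def _f(self, x):
        """F(xL) = ((S1,a + S2,b) XOR S3,c) + S4,d with additions mod 2^32."""
        a, b, c, d = x >> 24, (x >> 16) & 0xFF, (x >> 8) & 0xFF, x & 0xFF
        mixed = ((self.S[0][a] + self.S[1][b]) & MASK32) ^ self.S[2][c]
        return (mixed + self.S[3][d]) & MASK32

    def encrypt_block(self, xl, xr):
        for i in range(16):
            xl ^= self.P[i]
            xr ^= self._f(xl)
            xl, xr = xr, xl
        xl, xr = xr, xl                                      # undo the last swap
        return xl ^ self.P[17], xr ^ self.P[16]

    def decrypt_block(self, xl, xr):
        """Same network with the P-array used in reverse order (P18 first, P1 last)."""
        for i in range(17, 1, -1):
            xl ^= self.P[i]
            xr ^= self._f(xl)
            xl, xr = xr, xl
        xl, xr = xr, xl
        return xl ^ self.P[0], xr ^ self.P[1]


def _subkeys(user_key):
    """Separate cipher and MAC keys derived from the key the server issued."""
    return tuple(hmac.new(user_key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))


def encrypt_file(user_key, plaintext, iv=None):
    """CBC mode with PKCS#7 padding; returns iv || ciphertext || HMAC-SHA256 tag."""
    enc_key, mac_key = _subkeys(user_key)
    cipher, iv = BlowfishLike(enc_key), iv or os.urandom(BLOCK)
    pad = BLOCK - len(plaintext) % BLOCK
    data, out = plaintext + bytes([pad]) * pad, bytearray()
    prev_l, prev_r = struct.unpack(">II", iv)
    for i in range(0, len(data), BLOCK):
        l, r = struct.unpack(">II", data[i:i + BLOCK])
        prev_l, prev_r = cipher.encrypt_block(l ^ prev_l, r ^ prev_r)
        out += struct.pack(">II", prev_l, prev_r)
    body = iv + bytes(out)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def decrypt_file(user_key, blob):
    """Raises ValueError for a wrong key or a modified file; the tag check is what
    makes an 'Enter valid key' message possible, since the cipher alone would not."""
    enc_key, mac_key = _subkeys(user_key)
    body, tag = blob[:-32], blob[-32:]
    if len(body) < 2 * BLOCK or not hmac.compare_digest(
            hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        raise ValueError("Enter valid key")
    cipher, out = BlowfishLike(enc_key), bytearray()
    prev_l, prev_r = struct.unpack(">II", body[:BLOCK])
    for i in range(BLOCK, len(body), BLOCK):
        cl, cr = struct.unpack(">II", body[i:i + BLOCK])
        l, r = cipher.decrypt_block(cl, cr)
        out += struct.pack(">II", l ^ prev_l, r ^ prev_r)
        prev_l, prev_r = cl, cr
    pad = out[-1]
    if not 1 <= pad <= BLOCK or out[-pad:] != bytes([pad]) * pad:
        raise ValueError("Enter valid key")
    return bytes(out[:-pad])
```

For a real deployment the table generator would be replaced by the standard constants (or the whole cipher by a vetted library), but the authenticate-then-decrypt order is the part worth keeping: the tag is verified before any block is decrypted, so the padding check never runs on unauthenticated data and a wrong key is reported rather than silently producing a corrupt file.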


4. TEST SCENARIOS:

4.1. Scenario 1: IP

Figure 8: Interface diagram (main page)


Figure 10: Viewing the content in both IP ADDRESS and RESOURCES sections


The main window of the Master/Server is shown in Figure 8. This is the Master GUI, the server-side application from which the server monitors the clients or peers. The server window has an IP Addresses section and a Resources section. All the live traffic is recorded in the IP Addresses section, and the resources (text files) are stored in the other section; together these act as input to the proposed system.

Starting the Master to monitor all the clients is shown in Figure 9. The tool uses a client-server architecture, and the first task is to start the server listening. Only after the server starts listening can it see any client asking to establish a connection. Clicking the "Monitor" button starts the server listening and opens a dialog stating "Master is monitoring"; no other information is shown.

When the "View" button in the IP Addresses section is clicked, all the traffic already seen on the network is listed; note that the tool accepts this traffic dynamically. When the "View" button in the Resources section is clicked, the files registered in the database for sharing among clients appear. This is shown in Figure 10.

The client enters the server's IP address to establish a connection with the server, as shown in Figure 11. To access the server's resources, the client has to connect to the server. The server then receives the client's request and retrieves the client's IP. Using this IP, the server checks whether the client is on its network; if it is not, the server does not yet report that the client is invalid but waits. So in this first test scenario the server only listens for the IP and checks it, without reporting the result. This step uses the NIDS strategy.


4.2. Scenario 2: Login

Figure 12: Client credential details for login


Figure 12 shows the window that pops up asking the client to enter his or her login credentials. It appears immediately after the client enters the server's IP address to establish a connection, adding a step that increases security. The client has to provide the login details, which already exist in the database on the server side. The database record is checked against the entered credentials, and the server allows the client to view and access the resources only if they match.

Figure 13 shows the error message a client receives on entering invalid login credentials. Since the server compares the client's login details with its database, this can be considered another test scenario, in which a second level of filtering is performed: clients without valid login credentials who try to access the server's resources are treated as invalid and filtered out at this stage.

This scenario uses an anomaly detection strategy: an access attempt made without valid login credentials is treated as suspicious activity, and such anomalies are detected and filtered at this stage.


4.3. Scenario 3: Allowing access to resources

Figure 14: Resource access window for client


Above Figure 14, is a resource access window the client opened after it had successfully logged into the system. This window has an interface which shows all of the resources available on the server, at the ‘Resources Available’ section. The client has privileges to access only the files provided by the server. The download, decrypt and save buttons are used to perform their respective operations.

The client first tries to access its desired resource, by clicking on the ‘Download’ button. The server watches the client’s activity and gives access to the requested resource, only if the client’s IP address matches with its network’s IP address.

 For a valid client, after getting access to the desired resource, it has to enter the key (which has been issued by the server) value and press the ‘Decrypt’ button to decrypt the file decrypted, and then it can save the file to its Local Disk.

 For an invalid client, a message window pops up stating that, “Hacker is Present” and therefore the bug is detected.

Figure 15 is about how a server monitors an unauthorized client. If the user is unauthorized to access the resources, then immediately an alert dialog box will appear at the server regarding the hacker. Also at that time, the date and IP address are stored in a log on the server side for the IDS information purposes.

The log file is generated at the moment the server traces the hacker. The log (.txt) file records the date and time of the intrusion detection, the hacker's IP address and the login credentials the hacker used to enter the tool and view the server's resources.

This is the major test scenario, in which the largest number of intrusions are detected and filtered. It uses a combination of the HIDS and NIDS approaches to detect intrusions.

4.4. Scenario 4: Decrypting the Resource

Figure 16: Do enter Key

Figure 16 shows the case in which no decryption key is entered. After the resource to decrypt has been selected, if the client does not provide a key, an error message such as "Enter the Key First" appears in a pop-up window.

Figure 17 shows the case in which a valid user enters an invalid key. If a valid user enters a wrong key, the error message "Enter valid key" appears.

These two cases illustrate how the tool behaves with respect to the decryption key. The tool uses the Blowfish algorithm to encrypt and decrypt the resource, which adds a further level of security to the IDS tool. A client that has not been issued a key cannot access the files and must contact the server's administrator.

At this stage, clients who do not have a decryption key are filtered, so this may be considered another test strategy.

4.5. Scenario 5: Hit-List Checking

Figure 18: Hit-List

Figure 18 shows a window with the message "IP Address entered in Hit-List". After a hacker is detected, its IP address is stored in the Hit-List, which holds the IP addresses of all intrusions the tool has detected, together with the number of hits from each, for future reference. If a packet later arrives from one of these IP addresses, the server can be cautious about accepting it, since the IP is already in the server's Hit-List database.
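The server-side checks of Scenarios 2, 3 and 5 (login comparison, IP-network match, the text log line and the Hit-List), written out as an added Python example. This is not the report's code: the class and method names, the log line format, the hit threshold and all sample addresses, users and timestamps are assumptions made for the example. The log lines it produces are of the kind the IDS Information window later displays.

```python
# Added example, not the report's code: the server-side checks of Scenarios 2, 3
# and 5 (login check, IP-network match, intrusion log line, Hit-List).  Class and
# field names, the log line format and all sample data below are assumptions.
import hashlib
import hmac
import ipaddress
from datetime import datetime

SAMPLE_TIME = datetime(2012, 7, 1, 10, 30, 0)   # constructed timestamp for the demo

def hash_password(password):
    """Store password digests, not the passwords, in the server's user table."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

class IntrusionMonitor:
    """Filters clients in the order the report describes: network address first,
    then login; every rejection is appended to the .txt log and to the Hit-List."""

    def __init__(self, server_ip, prefix_len, users, log_path=None, max_hits=3):
        # "Client's network address matches the server's": the client IP must lie
        # inside the server's subnet.  strict=False accepts the host address itself.
        self.network = ipaddress.ip_network(f"{server_ip}/{prefix_len}", strict=False)
        self.users = users            # username -> sha256 hex digest
        self.log_path = log_path      # optional path of the intrusion log (.txt)
        self.log_lines = []           # the same records, kept in memory
        self.hit_list = {}            # IP -> number of detected intrusions
        self.max_hits = max_hits      # after this many hits the IP is refused outright

    def _valid_login(self, username, password):
        stored = self.users.get(username)
        return stored is not None and hmac.compare_digest(stored, hash_password(password))

    def _record(self, when, client_ip, username, reason):
        # Date, time, IP and login name, as in the report's log; the password the
        # intruder typed is deliberately not logged (it is often a real user's).
        line = f"{when:%Y-%m-%d %H:%M:%S} {client_ip} {username} {reason}"
        self.log_lines.append(line)
        if self.log_path:
            with open(self.log_path, "a", encoding="utf-8") as fh:
                fh.write(line + "\n")
        self.hit_list[client_ip] = self.hit_list.get(client_ip, 0) + 1

    def check_access(self, client_ip, username, password, when=None):
        """Return 'allowed' or 'denied'.  Denials are logged and Hit-Listed."""
        when = when or datetime.now()
        if self.hit_list.get(client_ip, 0) >= self.max_hits:
            reason = "hit-listed"             # Scenario 5: known intruder
        elif ipaddress.ip_address(client_ip) not in self.network:
            reason = "ip-outside-network"     # Scenario 3: "Hacker is Present"
        elif not self._valid_login(username, password):
            reason = "bad-login"              # Scenario 2: invalid credentials
        else:
            return "allowed"
        self._record(when, client_ip, username, reason)
        return "denied"

    def hits(self, client_ip):
        return self.hit_list.get(client_ip, 0)

def parse_log_line(line):
    """Split one log line back into the fields the IDS Information window shows."""
    date, time, ip, user, reason = line.split(" ", 4)
    return {"date": date, "time": time, "ip": ip, "login": user, "reason": reason}

def demo():
    """Constructed walk-through: one valid client, one outsider, one bad login."""
    users = {"alice": hash_password("s3cret")}
    mon = IntrusionMonitor("192.168.1.10", 24, users)
    results = [
        mon.check_access("192.168.1.25", "alice", "s3cret", SAMPLE_TIME),
        mon.check_access("10.0.0.7", "alice", "s3cret", SAMPLE_TIME),
        mon.check_access("192.168.1.25", "alice", "guess", SAMPLE_TIME),
    ]
    return results, mon

if __name__ == "__main__":
    results, mon = demo()
    print(results)
    for line in mon.log_lines:
        print(parse_log_line(line))
```

Two practical caveats apply to this design as much as to the tool. A source IP address is trivially spoofed, so "same subnet as the server" is a coarse filter rather than an authentication; the login check is what actually identifies the client. And because a single wrong password from a legitimate host adds that host to the Hit-List, the example only refuses an address after a threshold of hits, otherwise one mistyped password (or one attacker spoofing a colleague's address) would lock a valid client out.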

OTHER USEFUL SCREEN SHOTS

Figure 23: Selecting the ‘BLOWFISH’ encryption

Figure 23 shows the menu options under the Blowfish tab. Blowfish encryption is used to encrypt the resources. When the Blowfish menu is selected from the Master's window, it drops down two options, one to encrypt and the other to decrypt a file.

After the Encryption item is selected from the Blowfish menu, a window appears containing an "Encrypt" button and an "Ok" button. When "Encrypt" is clicked, a file selection window appears for choosing the file (resource) to encrypt from the local hard disk on the server side.

Figure 24: Encrypted file

Clicking the Encrypt button opens a new window listing a group of files, from which the one to be encrypted may be selected.

Figure 24 shows a file encrypted with the Blowfish algorithm. Once a resource is selected for encryption, it appears with its encrypted content in the content area of the Encrypt window. Encryption starts as soon as the resource is selected; no other option needs to be chosen, since the file selection itself triggers the encryption.

Figure 25: Decrypted Resource

After the Decryption item is selected from the Blowfish menu, a new pop-up window for opening a file to decrypt is shown. This window has two buttons, "Decrypt" and "Ok", and a text field in which the key for decrypting the resource is entered.

When "Decrypt" is clicked, a file selection window appears showing the resources on the server's local hard disk. Figure 25 shows the decrypted resource in a new window: after decryption, the content of the resource appears in the Decrypt window, and the application then prompts the user to save the decrypted file to secondary storage.
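The Blowfish encryption and decryption used in Scenario 4 and in the Encrypt and Decrypt windows above, as an added Python example that is not the report's code. It builds the cipher from Schneier's description (the initial P-array and S-boxes are the hexadecimal digits of pi, so the example computes them instead of embedding a 1042-word table) and adds what the report's "Enter valid key" check needs in practice: Blowfish alone turns a wrong key into garbage rather than into an error, so the resource is wrapped in a CBC container carrying an HMAC-SHA256 tag that is verified before decryption. The container layout, the MAC-key derivation, the key string and the sample resource are assumptions made for the example.

```python
# Added example, not the report's code: Blowfish implemented from Schneier's
# description, plus a CBC file container carrying an HMAC-SHA256 tag so that a
# wrong key is rejected ("Enter valid key") rather than producing garbage.  The
# container layout, MAC key derivation and sample data are assumptions.
import hashlib
import hmac
import os

SAMPLE_RESOURCE = b"constructed sample resource: quarterly report, not a real file\n"

def pi_fraction_words(n_words):
    """First n_words 32-bit words of pi's hexadecimal fraction (Machin's formula).
    Blowfish's initial P-array and S-boxes are exactly these digits."""
    guard = 128
    one = 1 << (32 * n_words + guard)

    def arctan_inv(x):  # fixed-point arctan(1/x) by its Taylor series
        total, power, k, sign = 0, one // x, 1, 1
        while power:
            total += sign * (power // k)
            power, k, sign = power // (x * x), k + 2, -sign
        return total

    frac = (16 * arctan_inv(5) - 4 * arctan_inv(239) - 3 * one) >> guard
    return [(frac >> (32 * (n_words - 1 - i))) & 0xFFFFFFFF for i in range(n_words)]

PI_WORDS = pi_fraction_words(18 + 4 * 256)   # 18 P entries + four 256-entry S-boxes

class Blowfish:
    """64-bit block cipher; blocks are handled as two 32-bit halves (l, r)."""

    def __init__(self, key):
        self.P = list(PI_WORDS[:18])
        self.S = [list(PI_WORDS[18 + 256 * i:18 + 256 * (i + 1)]) for i in range(4)]
        for i in range(18):  # key schedule: XOR the key cyclically into P ...
            word = 0
            for j in range(4):
                word = (word << 8) | key[(4 * i + j) % len(key)]
            self.P[i] ^= word
        l = r = 0            # ... then overwrite P and S with successive cipher output
        for i in range(0, 18, 2):
            l, r = self.encrypt_block(l, r)
            self.P[i], self.P[i + 1] = l, r
        for box in self.S:
            for i in range(0, 256, 2):
                l, r = self.encrypt_block(l, r)
                box[i], box[i + 1] = l, r

    def _f(self, x):
        s = self.S
        h = (s[0][x >> 24] + s[1][(x >> 16) & 0xFF]) & 0xFFFFFFFF
        return ((h ^ s[2][(x >> 8) & 0xFF]) + s[3][x & 0xFF]) & 0xFFFFFFFF

    def encrypt_block(self, l, r):  # 16 Feistel rounds, then the output whitening
        for i in range(16):
            l, r = r ^ self._f(l ^ self.P[i]), l ^ self.P[i]
        return r ^ self.P[17], l ^ self.P[16]

    def decrypt_block(self, l, r):  # same network with the P-array reversed
        for i in range(17, 1, -1):
            l, r = r ^ self._f(l ^ self.P[i]), l ^ self.P[i]
        return r ^ self.P[0], l ^ self.P[1]

def _mac_key(key):  # assumed: a separate MAC key derived from the user's key
    return hmac.new(key, b"blowfish-file-mac", hashlib.sha256).digest()

def _cbc(bf, data, iv, encrypt):
    out, prev = [], int.from_bytes(iv, "big")
    for i in range(0, len(data), 8):
        x = int.from_bytes(data[i:i + 8], "big")
        if encrypt:
            l, r = bf.encrypt_block((x ^ prev) >> 32, (x ^ prev) & 0xFFFFFFFF)
            prev = (l << 32) | r
            out.append(prev.to_bytes(8, "big"))
        else:
            l, r = bf.decrypt_block(x >> 32, x & 0xFFFFFFFF)
            out.append((((l << 32) | r) ^ prev).to_bytes(8, "big"))
            prev = x
    return b"".join(out)

def encrypt_resource(key, plaintext, iv=None):
    """Container: iv(8) || Blowfish-CBC of PKCS#7-padded plaintext || HMAC tag(32)."""
    iv = iv or os.urandom(8)
    n = 8 - len(plaintext) % 8
    body = iv + _cbc(Blowfish(key), plaintext + bytes([n]) * n, iv, True)
    return body + hmac.new(_mac_key(key), body, hashlib.sha256).digest()

def decrypt_resource(key, container):
    """Return the plaintext, or None when the key does not verify the tag (the
    point at which the tool's 'Enter valid key' message belongs)."""
    body, tag = container[:-32], container[-32:]
    if not hmac.compare_digest(hmac.new(_mac_key(key), body, hashlib.sha256).digest(), tag):
        return None
    padded = _cbc(Blowfish(key), body[8:], body[:8], False)
    n = padded[-1]
    if not 1 <= n <= 8 or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return padded[:-n]
```

The block cipher is checked against the published Blowfish test vectors (all-zero key and block, all-ones key and block) rather than only against itself, which is how a practitioner should validate any hand-written cipher before trusting it. Verifying the tag before decrypting (encrypt-then-MAC) is what makes a wrong key a clean rejection; it also rejects a tampered file, which the report's key check alone would not. Blowfish's 64-bit block is a further caveat: the number of blocks encrypted under one key in CBC mode must stay far below 2^32, so the scheme suits small resources, not bulk transfer.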

Figure 26: IDS information

The application has an "IDS" menu that gives access to the text files created when an intrusion is detected. This is shown in Figure 26.

Selecting the "IDS Information" item from the "IDS" menu opens an IDS information window, which consists of a file selection button and a content area.

Clicking the "Browse" button opens a file selection window, in which the password log file for the required date is selected.

Figure 27: Content of the password log file

Figure 27 shows the IDS window displaying the content of a password log file. After the password log file is selected, the log report appears in the content area. The report gives the date and time at which the intrusion detection event was triggered, the IP address from which the hacker tried to access the resources, and the login credentials (login name and password) the hacker used to enter the tool and view the server's resources.

5. CONCLUSION

In this project, a hybrid intrusion detection tool has been developed that detects intrusions in dynamic network traffic and also provides secure file transfer. As cyber crime increases rapidly, it is very important to protect networks and systems from attacks and intrusions. The strategy used here is based on both network-based IDS and host-based IDS: the tool detects intrusions in network traffic by checking network IP addresses. Secure file transfer is achieved through multiple levels that combine the IDS and encryption strategies.

The proposed tool uses a client-server architecture. The server listens to the network traffic, records the IP addresses it sees, and treats a client as valid only if the client's network address matches the server's. Whenever a malicious or invalid client tries to access the resources the server provides, an event is triggered immediately and a text file is written with all the client's properties (time, date, IP address and login credentials). The hacker's IP address is then stored in a Hit-List for future reference. All operations are performed through a user-friendly interface.

6. FUTURE WORK

• Advanced features and further levels of security can be added so that the system works more efficiently.

• The proposed tool only works in a client-server architecture; it could also be implemented in a distributed environment.

• The scope of the project can be extended to defend against every type of attack in the work environment by combining the features of a protocol-based IDS (PIDS).
