
Detailed Design Document: PMID (Packet Monitoring & Intrusion Detection)


Presentation Transcript


  1. Detailed Design Document: PMID (Packet Monitoring & Intrusion Detection) 20033327 Yang Dongmin likeba@nds.postech.ac.kr

  2. Contents • Introduction • Detailed Design • References

  3. Introduction (1)
  • One of the TM application areas is intrusion & hacking detection -> IDS
  • N-IDS (Network IDS) -> covers a large number of systems, but is hard to deploy alongside existing network products (switches/routers)
  • H-IDS (Host IDS) -> covers a small number of systems; adds overhead on each server
  • Basic functions of an H-IDS
    • Capture & analyze in/out packets
    • Intrusion detection
    • Packet admission control
  • In this project, the basic functions of an H-IDS are implemented -> PMID (Packet Monitoring & Intrusion Detection)

  4. Introduction (2)
  Fig. 1 Overview of PMID (layered figure; only the labels are recoverable from the slide):
  • User mode: Application, PMID
  • Kernel mode: protocol drivers (TCP/IP, NWLink, AppleTalk) and the PMID Driver, above the NDIS library/wrapper and the NDIS drivers (Network Driver Interface Specification)
  • Device: Network Interface Card

  5. Detailed Design
  (Figure: top-level structure of PMID)
  • User mode: PMID = Visualizer, Collector, Logger, Analyzer, Notifier, Configurator
  • Kernel mode: PMID driver
  • Device: NIC

  6. Detailed Design
  (Figure: Analyzer and its interfaces)
  • Analyzer = Protocol Analyzer, Filter Analyzer, Intrusion Analyzer
  • NIC -> I0 -> Analyzer; Analyzer -> I1, I2, I3 -> Collector; Analyzer -> I4 -> Notifier; Configurator -> I5, I6, I7 -> Analyzer

  7. Detailed Design
  • Interfaces
    • I0 : In/Out packets
    • I1 : Contents of protocol stack
    • I2 : Contents of filtered packet
    • I3 : Contents of intrusion
    • I4 : Notify intrusions
    • I5 : Protocol configuration
    • I6 : Filter configuration
    • I7 : Intrusion configuration
  • Protocol Analyzer
    • Capture packets and analyze the protocol stack
    • Ethernet, TCP, UDP, IP, ICMP, ARP/RARP
    • Ethernet -> MAC addr.
    • TCP/IP, UDP/IP -> five-tuple (Src/Dest IP addr., Src/Dest port number, Protocol ID)
    • ARP/RARP -> type (req./rep.), Src/Dest IP/MAC addr.
    • ICMP/IP -> type, code, IP address, Protocol ID
  • Filter Analyzer
    • Drop/Accept packets based on the filter definition
    • Filter : (src/dest. IP, src/dest. Layer 4 port, Protocol ID)
  • Intrusion Analyzer
    • Analyze packets based on the intrusion definition
    • DoS, Trojan, Virus (worm)
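The Protocol Analyzer and Filter Analyzer on this slide are the parts of PMID that touch raw bytes from the wire, so they are where a length-check mistake becomes a kernel read overrun. The following C is an added example written for this page, not the PMID project's code: it parses an Ethernet II frame into the fields the slide lists (MACs, five-tuple, ICMP type/code, ARP op) with every read bounds-checked, then applies the slide's (src/dest IP, src/dest port, Protocol ID) filter shape. The zero-means-wildcard convention, the accept-by-default policy, the `pkt_info`/`filter_rule` names and the sample SYN frame are all assumptions made for the example; the frame is constructed by hand, not captured.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Wire-format constants (standard values, not taken from the PMID slides). */
#define ETHERTYPE_IP  0x0800
#define ETHERTYPE_ARP 0x0806
#define PROTO_ICMP 1
#define PROTO_TCP  6
#define PROTO_UDP  17

/* Fields the Protocol Analyzer slide lists: MACs, five-tuple, ICMP type/code, ARP op. */
typedef struct {
    uint8_t  src_mac[6], dst_mac[6];
    uint16_t ethertype;
    uint32_t src_ip, dst_ip;      /* host byte order; ARP sender/target for ARP */
    uint8_t  proto;               /* IP protocol ID, 0 when not IP */
    uint16_t src_port, dst_port;  /* TCP/UDP only */
    uint8_t  tcp_flags;           /* TCP only (0x02 = SYN) */
    uint8_t  icmp_type, icmp_code;
    uint16_t arp_op;              /* 1 = request, 2 = reply */
} pkt_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Parse one Ethernet II frame. Returns 0 on success, -1 when the frame is
   truncated or not IPv4/ARP. Every read is bounds-checked against `len`
   first, so a malformed frame can never index past the buffer. */
int parse_frame(const uint8_t *f, size_t len, pkt_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 14) return -1;
    memcpy(out->dst_mac, f, 6);
    memcpy(out->src_mac, f + 6, 6);
    out->ethertype = rd16(f + 12);
    const uint8_t *p = f + 14;
    size_t rem = len - 14;

    if (out->ethertype == ETHERTYPE_ARP) {          /* ARP: op @6, SPA @14, TPA @24 */
        if (rem < 28) return -1;
        out->arp_op = rd16(p + 6);
        out->src_ip = rd32(p + 14);
        out->dst_ip = rd32(p + 24);
        return 0;
    }
    if (out->ethertype != ETHERTYPE_IP) return -1;
    if (rem < 20 || (p[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;         /* header length incl. options */
    if (ihl < 20 || rem < ihl) return -1;
    out->proto  = p[9];
    out->src_ip = rd32(p + 12);
    out->dst_ip = rd32(p + 16);
    const uint8_t *l4 = p + ihl;
    size_t l4len = rem - ihl;

    if (out->proto == PROTO_TCP || out->proto == PROTO_UDP) {
        if (l4len < 4) return -1;
        out->src_port = rd16(l4);
        out->dst_port = rd16(l4 + 2);
        if (out->proto == PROTO_TCP && l4len >= 14) out->tcp_flags = l4[13];
    } else if (out->proto == PROTO_ICMP) {
        if (l4len < 4) return -1;
        out->icmp_type = l4[0];
        out->icmp_code = l4[1];
    }
    return 0;
}

/* Filter definition as the slide states it: (src/dst IP, src/dst L4 port,
   Protocol ID). A zero field is a wildcard (assumed convention). */
typedef struct {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
    int      accept;              /* 1 = accept, 0 = drop */
} filter_rule;

/* First matching rule wins; with no match the packet is accepted (assumed default). */
int filter_decide(const filter_rule *rules, size_t n, const pkt_info *pi)
{
    for (size_t i = 0; i < n; i++) {
        const filter_rule *r = &rules[i];
        if (r->src_ip   && r->src_ip   != pi->src_ip)   continue;
        if (r->dst_ip   && r->dst_ip   != pi->dst_ip)   continue;
        if (r->src_port && r->src_port != pi->src_port) continue;
        if (r->dst_port && r->dst_port != pi->dst_port) continue;
        if (r->proto    && r->proto    != pi->proto)    continue;
        return r->accept;
    }
    return 1;
}

/* Constructed sample frame (not a capture): TCP SYN 192.168.1.10:40000 -> 10.0.0.5:80. */
static const uint8_t SAMPLE_SYN[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0x0a,0x00,0x00,0x05,
    0x9c,0x40,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02,0xff,0xff, 0x00,0x00,0x00,0x00
};

/* Demo: parse the sample, check the extracted five-tuple, then run it through a
   one-rule filter that drops TCP to port 80. Returns 0 if parsing or the tuple
   check fails, 1 if the SYN is accepted, 2 if it is dropped. */
int demo_filter_sample(void)
{
    pkt_info pi;
    if (parse_frame(SAMPLE_SYN, sizeof SAMPLE_SYN, &pi) != 0) return 0;
    if (pi.src_ip != 0xC0A8010Au || pi.dst_ip != 0x0A000005u ||
        pi.src_port != 40000 || pi.dst_port != 80 ||
        pi.proto != PROTO_TCP || pi.tcp_flags != 0x02) return 0;
    filter_rule rules[] = { { 0, 0, 0, 80, PROTO_TCP, 0 } };
    return filter_decide(rules, 1, &pi) ? 1 : 2;
}

/* Demo: a frame cut off inside the IP header must be rejected, not parsed. */
int demo_truncated_rejected(void)
{
    pkt_info pi;
    return parse_frame(SAMPLE_SYN, 30, &pi) == -1;
}
```

The point to carry into a real NDIS driver is the shape of `parse_frame`: the remaining length is recomputed at every layer and the IHL field is validated before it is used as an offset, because on the intermediate-driver path the frame length is whatever the NIC delivered, not what the IP header claims.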

  8. Detailed Design
  (Figure: Collector, Logger and Visualizer) Analyzer -> I1, I2, I3 -> Collector; Collector -> I9 -> Visualizer; Collector -> I10 -> Logger; Logger and Visualizer exchange I11 (logging data) and I12 (logging configuration)

  9. Detailed Design
  • Interfaces
    • I1 : Contents of protocol stack
    • I2 : Contents of filtered packet
    • I3 : Contents of intrusion
    • I9 : Contents from I1, I2, I3
    • I10 : Contents from I1, I2, I3
    • I11 : Logging data
    • I12 : Configuration for logging
  • Collector
    • Collect information of packets
    • #, Timestamp, Src/Dest IP addr., Protocol ID, Src/Dest MAC addr., plus additional status (Filtered/Dropped/Intrusion)
  • Logger
    • Log the collected protocol information
    • Configure log time

  10. Detailed Design
  • Visualizer
    • Show the protocol stack
    • Show logging information
    • Configure the protocol/filter/intrusion definitions
    • Show a pop-up window on intrusion
  • Interfaces
    • I8 : Notify intrusions
    • I9 : Contents from I1, I2, I3
    • I11 : Logging data
    • I12 : Configuration for logging
    • I13 : Configuration for protocol/filter/intrusion

  11. Detailed Design
  (Figure: Configurator) Visualizer -> I13 -> Configurator = Protocol Configurator, Filter Configurator, Intrusion Configurator; Configurator -> I5, I6, I7 -> Analyzer

  12. Detailed Design
  • Interfaces
    • I5 : Protocol configuration
    • I6 : Filter configuration
    • I7 : Intrusion configuration
    • I13 : Configuration information for protocol/filter/intrusion
  • Protocol Configurator
    • Configuration information
    • Ethernet, TCP, UDP, IP, ICMP, ARP/RARP
    • Ethernet -> MAC addr.
    • TCP/IP, UDP/IP -> five-tuple (Src/Dest IP addr., Src/Dest port number, Protocol ID)
    • ARP/RARP -> type (req./rep.), Src/Dest IP/MAC addr.
    • ICMP/IP -> type, code, IP address, Protocol ID
  • Filter Configurator
    • Define filter
    • Filter : (src/dest. IP, src/dest. Layer 4 port, Protocol ID)
  • Intrusion Configurator
    • Define intrusion
    • DoS, Trojan, Virus (worm)
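The Intrusion Configurator here and the Intrusion Analyzer on slide 7 name three intrusion classes but give no rule format. The C below is an added example for this page, not PMID code: it shows the one class the slides make checkable without a payload signature, DoS, as a per-source SYN-rate rule (at most `max_syn` TCP SYNs from one source within `window_s` seconds), which is the kind of definition I7 would carry from Configurator to Analyzer, and the stateful counter the Intrusion Analyzer would keep per source. The rule shape, the fixed-size source table, the `dos_*` names and the replayed SYN sequences are all assumptions; the detector takes (source IP, timestamp, SYN flag) directly so it runs stand-alone, with those fields supplied by whatever protocol analyzer sits in front of it. Trojan and worm definitions are not specified on the slides, so nothing is shown for them.

```c
#include <stdint.h>
#include <string.h>

/* One Intrusion Configurator entry for the DoS case (assumed shape): alert when a
   single source sends more than `max_syn` TCP SYNs within `window_s` seconds. */
typedef struct { uint32_t max_syn; uint32_t window_s; } dos_rule;

/* Per-source counting state; a small fixed table is enough for an example. */
#define MAX_SOURCES 64
typedef struct { uint32_t src_ip; uint32_t count; uint32_t window_start; int used; } src_state;
typedef struct { dos_rule rule; src_state tab[MAX_SOURCES]; } dos_detector;

void dos_init(dos_detector *d, dos_rule rule) { memset(d, 0, sizeof *d); d->rule = rule; }

/* Find or allocate the state slot for a source. Returns NULL when the table is
   full, in which case the packet is counted as nothing rather than alerted on. */
static src_state *dos_lookup(dos_detector *d, uint32_t ip)
{
    src_state *free_slot = NULL;
    for (int i = 0; i < MAX_SOURCES; i++) {
        if (d->tab[i].used && d->tab[i].src_ip == ip) return &d->tab[i];
        if (!d->tab[i].used && !free_slot) free_slot = &d->tab[i];
    }
    if (free_slot) { free_slot->used = 1; free_slot->src_ip = ip; free_slot->count = 0; }
    return free_slot;
}

/* Feed one observed packet (timestamp in whole seconds). Returns 1 when this
   packet pushes its source over the configured SYN rate, i.e. an intrusion
   event to hand to Collector (I3) and Notifier (I4); 0 otherwise. */
int dos_observe(dos_detector *d, uint32_t src_ip, uint32_t ts, int is_syn)
{
    if (!is_syn) return 0;                          /* only SYNs count toward the rule */
    src_state *s = dos_lookup(d, src_ip);
    if (!s) return 0;
    if (s->count == 0 || ts - s->window_start >= d->rule.window_s) {
        s->window_start = ts;                       /* start a fresh counting window */
        s->count = 0;
    }
    s->count++;
    return s->count > d->rule.max_syn;
}

/* Demo 1 (constructed traffic): 15 SYNs from one source in the same second,
   plus 30 non-SYN packets, against a 10-per-5s rule. SYNs 11..15 each alert,
   the non-SYN packets never do, so the expected alert count is 5. */
int demo_burst_alerts(void)
{
    dos_detector d;
    dos_init(&d, (dos_rule){ 10, 5 });
    int alerts = 0;
    for (int i = 0; i < 15; i++) alerts += dos_observe(&d, 0xC0A8010Au, 0, 1);
    for (int i = 0; i < 30; i++) alerts += dos_observe(&d, 0xC0A8010Au, 0, 0);
    return alerts;
}

/* Demo 2 (constructed traffic): 20 SYNs one second apart. The window resets
   every 5 s, so the count never exceeds 5 and no alert is raised. */
int demo_slow_rate_clean(void)
{
    dos_detector d;
    dos_init(&d, (dos_rule){ 10, 5 });
    int alerts = 0;
    for (uint32_t t = 0; t < 20; t++) alerts += dos_observe(&d, 0xC0A8010Au, t, 1);
    return alerts;
}
```

Two practical caveats for an H-IDS: the per-source table must be bounded (as here) or a spoofed-source flood exhausts memory instead of tripping the rule, and a tumbling window like this one can be gamed by a sender that times bursts around the reset; a sliding window or token bucket closes that gap at the cost of more state per source.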

  13. Detailed Design
  (Figure: Analyzer -> I4 -> Notifier -> I8 -> Visualizer)
  • Interfaces
    • I4 : Notify intrusions (Analyzer -> Notifier)
    • I8 : Notify intrusions (Notifier -> Visualizer)
  • Notifier
    • Notify intrusions from the Analyzer to the Visualizer

  14. Detailed Design
  (Figure: complete PMID component and interface diagram) NIC -> I0 -> Analyzer (Protocol Analyzer, Filter Analyzer, Intrusion Analyzer); Analyzer -> I1, I2, I3 -> Collector; Analyzer -> I4 -> Notifier -> I8 -> Visualizer; Collector -> I9 -> Visualizer and -> I10 -> Logger; Logger and Visualizer exchange I11 and I12; Visualizer -> I13 -> Configurator (Protocol Configurator, Filter Configurator, Intrusion Configurator) -> I5, I6, I7 -> Analyzer

  15. References
  • http://www.ndis.com/
  • http://msdn.microsoft.com/
  • http://www.microsoft.com/whdc/ddk/winddk.mspx
