150 likes | 257 Views
Detailed Design Document: PMID (Packet Monitoring & Intrusion Detection). 20033327 Yang Dongmin likeba@nds.postech.ac.kr. Contents. Introduction Detailed Design References. Introduction (1). One of TM application areas is intrusion & hacking detection. IDS
E N D
Detailed Design Document:PMID (Packet Monitoring & Intrusion Detection) 20033327 Yang Dongmin likeba@nds.postech.ac.kr
Contents • Introduction • Detailed Design • References
Introduction (1) • One of TM application areas is intrusion & hacking detection. IDS • N-IDS(Network IDS) large # of systems, hard to deploy with products[switch/router] • H-IDS(Host IDS) small # of systems, overhead on each server • Basic functions of H-IDS • Capture & analyze in/out packets • Intrusion detection • Packet admission control • In this project, implement basic functions of H-IDS. PMID (Packet Monitoring & Intrusion Detection)
Application PMID User mode TCP/IP NWLink PMID Driver AppleTalk Kernel mode NDIS library/wrapper NDIS drivers (Network Driver Interface Specification) Device Network Interface Card Fig. 1 Overview of PMID Introduction (2) (a) (B) (C) (A) (b) (D) (E) (F)
Detailed Design User mode : PMID Visualizer Collector Logger Analyzer Notifier Configurator NIC Kernel mode : PMID driver
Detailed Design Analyzer Collector I1 I2 I3 Protocol Analyzer Filter Analyzer Intrusion Analyzer NIC Notifier I4 I0 I5 I6 I7 Configurator
Detailed Design • Interfaces • I0 : In/Out packets • I1 : Contents of protocol stack • I2 : Contents of filtered packet • I3 : Contents of intrusion • I4 : Notify intrusions • I5 : Protocol configuration • I6 : Filter configuration • I7 : Intrusion configuration • Protocol Analyzer • Capture packets and analyze protocol stack • Ethernet, TCP, UDP, IP, ICMP, ARP/RARP • Ethernet MAC addr. • TCP/IP, UDP/IP Five tuples(Src/Dest IP addr., Src/Dest port Number, Protocol ID) • ARP/RARP type(req./rep.), Src/Dest IP/MAC addr. • ICMP/IP type, code, IP address, Protocol ID • Filter Analyzer • Drop/Accept packets based on filter definition • Filter : (src/dest. IP, src/dest. Layer 4 port, Protocol ID) • Intrusion Analyzer • Analyze packets based on intrusion definition • DoS, Troy, Virus(worm)
Detailed Design Visualizer I9 I11 I12 Collector Logger I10 I1 I2 I3 Analyzer
Detailed Design • Interfaces • I1 : Contents of protocol stack • I2 : Contents of filtered packet • I3 : Contents of intrusion • I9 : Contents from I1, I2, I3 • I10 : Contents from I1, I2, I3 • I11 : Logging data • I12 : Configuration for logging • Collector • Collect information of packets • #, Timestamp, Src/Dest IP addr., Protocol ID, Src/Dest MAC addr. Additional information.(Filtered/Dropped/Intrusion) • Logger • Collect protocol information • Configure Log time
Detailed Design • Visualizer • Show the protocol stack • Show Logging information • Configure the protocol/filter/intrusion • Show Pop up window on intrusion • Interfaces • I8 : Notify intrusions • I9 : Contents from I1, I2, I3 • I11 : Logging data • I12 : Configuration for logging • I13 : Configuration for protocol/filter/intrusion
Detailed Design Analyzer Configurator I5 I6 I7 Protocol Configurator Filter Configurator Intrusion Configurator I13 Visualizer
Detailed Design • Interfaces • I5 : Protocol configuration • I6 : Filter configuration • I7 : Intrusion configuration • I13 : Configuration information for protocol/filter/intrusion • Protocol Configurator • Configuration information • Ethernet, TCP, UDP, IP, ICMP, ARP/RARP • Ethernet MAC addr. • TCP/IP, UDP/IP Five tuples(Src/Dest IP addr., Src/Dest port Number, Protocol ID) • ARP/RARP type(req./rep.), Src/Dest IP/MAC addr. • ICMP/IP type, code, IP address, Protocol ID • Filter Configurator • Define filter • Filter : (src/dest. IP, src/dest. Layer 4 port, Protocol ID) • Intrusion Configurator • Define intrusion • DoS, Troy, Virus(worm)
Detailed Design Visualizer • Interfaces • I4 : Notify Intrusions • I8 : Notify Intrusions • Protocol Configurator • Notify intrusions from analyzer I8 Notifier I4 Analyzer
Detailed Design Visualizer I13 I9 I11 I12 I10 Collector Logger I8 I1 I2 I3 Analyzer Notifier I4 Protocol Analyzer Filter Analyzer Intrusion Analyzer I0 I5 I6 I7 Configurator Protocol Configurator Filter Configurator Intrusion Configurator
References • http://www.ndis.com/ • http://msdn.microsoft.com/ • http://www.microsoft.com/whdc/ddk/winddk.mspx