Analysis of attacks and development of filters for an Intrusion Detection System based on NFR

Trainee Erwan Lemonnier Compagny Defcom Apelbergsgatan 66, Stockholm, Sweden   www.defcom-sec.com Time 15-01-2001 to 30-06-2001

Master thesis project registered at KTH-Electrum (Kista), and supervised by Mads Dam (SICS) and Olav Bandman (SICS). The supervisors at Defcom are Aigars Grins and Lovisa Haraldsson.

Project's Definition

This degree project consists of writing parts of a network Intrusion Detection System (IDS).
The aim is to develop filters for network protocols (from network layer to application layer) in order to monitor a network in real time and report any suspect activity. These filters will be written in N-Code (a language close to C and Perl) and used in Network Flight Recorder, a network monitoring framework commonly used to build IDS.

Writting of filters include the following steps:

• Detailed analysis of a protocol (definition, use...)
• Known security threats related to this protocol
• Definition of rules to detect threatening uses of the protocol. Such rules should detect not only known attacks signatures, but also non standard use of the protocol (anomaly detection).
• Implementation of the rules as NFR filters, and testing. Repeat the 2 last steps until the threats are efficiently handled.

Filters should work in cooperation with other parts of the system, and be designed to evolve easily, as well as be easily configured. The work include the search and analysis of information about the protocols. This will be done alone or in a team.

Here is a list of the protocols for which filters will be written: IP, ARP/RARP, ICMP, UDP, TCP, DHCP, DNS, SNMP, Telnet, FTP, NFS, RPC, SMB/CIFS, SMTP, POP, IMAP, HTTP, ASDF, IRC.

Schedule