Research work done by Ronak Sutaria at SERC

Summary

- Developed modules in C for TCP Reassembly and IP defragmentation for both packets sniffed from the promiscuous NIC as well as from a TCPdump file.

- Used DARPA’s Intrusion Detection Dataset available from the Lincoln Labs for TCP based feature extraction for the anomaly intrusion detection system.

- Feature extraction included TCP connection level features, IP Host specific features and Application level service oriented feature sets.

- Worked extensively with IP Tables based Firewalls and built network test beds using packet generators.


Detailed

I had spent time from September 2001 to April 2003 working under Prof. N. Balakrishnan of the Supercomputer Education and Research Center of the Indian Institute of Science, Bangalore. The initial focus was to build a working Anomaly based Intrusion Detection System. Initially, the first couple of months were spent on doing in-depth literature review as well as on creating a problem definition.

We gradually moved to getting together a system which used open-source signatures (Snort's). I developed an IP De-fragmentation and TCP Reassembly module. It was made to work in two modes - either taking packets from a promiscuous interface card or from the Tcpdump files. A Qt GUI was made to demonstrate the IDS. It provided an interface to update the signatures as well as view the alerts.

For the Anomaly detection module, I was largely impressed by the Lee, Stolfo paper. I spent many months working on extracting the features given there from the MIT LL tcpdump files. I was also simultaneously asked to start building a Neural Net which could be trained with those features. A lab mate working on another topic, gave me the idea of using a Matlab based HMM to evaluate some quick results. I think the only useful programs that came out of that effort were those of feature extraction from the tcpdump files.
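The three feature families named above (connection level, host level, service level), computed over connection records of the kind a TCP reassembly module produces. This is an added illustration, not code from the SERC system; the connection records and the 2-second window are constructed and assumed for the example.

```python
# Added example, not the original system's code: Lee/Stolfo-style feature
# extraction over TCP connection records, as one would derive them after
# TCP reassembly. The records below are constructed sample data, not
# DARPA/MIT LL data. Fields: start_s, duration_s, src, dst, service,
# flag ("SF" = completed normally, "S0" = SYN seen, no reply), src_bytes, dst_bytes.
CONNECTIONS = [
    (0.0, 1.0, "10.0.0.5", "10.0.0.9", "http",   "SF", 230, 1400),
    (0.5, 0.8, "10.0.0.5", "10.0.0.9", "http",   "SF", 210, 1200),
    (1.0, 0.0, "10.0.0.7", "10.0.0.9", "smtp",   "S0",   0,    0),
    (1.2, 0.0, "10.0.0.7", "10.0.0.9", "ftp",    "S0",   0,    0),
    (1.4, 0.0, "10.0.0.7", "10.0.0.9", "telnet", "S0",   0,    0),
    (4.0, 1.1, "10.0.0.5", "10.0.0.9", "http",   "SF", 240, 1300),
]

WINDOW_S = 2.0  # assumed time window for the host- and service-level features


def extract_features(conns, window=WINDOW_S):
    """Return one feature dict per connection (conns must be sorted by start time)."""
    feats = []
    for i, (t, dur, src, dst, svc, flag, sb, db) in enumerate(conns):
        # Connection-level features: intrinsic to this single connection.
        f = {"duration": dur, "service": svc, "flag": flag,
             "src_bytes": sb, "dst_bytes": db}
        # Connections (this one included) that started within the window.
        recent = [c for c in conns[: i + 1] if c[0] >= t - window]
        # Host-level features: recent connections to the same destination host.
        same_host = [c for c in recent if c[3] == dst]
        f["count"] = len(same_host)
        f["serror_rate"] = sum(c[5] == "S0" for c in same_host) / len(same_host)
        f["diff_srv_rate"] = sum(c[4] != svc for c in same_host) / len(same_host)
        # Service-level features: recent connections to the same service.
        same_srv = [c for c in recent if c[4] == svc]
        f["srv_count"] = len(same_srv)
        f["srv_serror_rate"] = sum(c[5] == "S0" for c in same_srv) / len(same_srv)
        feats.append(f)
    return feats


if __name__ == "__main__":
    for f in extract_features(CONNECTIONS):
        print(f)
```

The burst of S0 connections from 10.0.0.7 to several services shows up as a rising serror_rate and diff_srv_rate in the host-level features, which is the kind of signal the anomaly detector is trained on.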

I had also spent more than a month on these two projects: Building a CGI/PL GUI to configure an IPTables based firewall and a Vulnerabilities database. I also learnt how to deploy the firewall. There was also a good amount of time spent on Penetration testing tools, specifically the Nessus Vulnerability Scanner. We also penetration tested a commercial Firewall, using our custom built tools and scripts for intrusive penetration testing.

I also explored the payload based Buffer Overflow detection as discussed in the Toth, Kruegel paper. I presented the idea and the further work possible in it at a CAIR-IISc seminar. I had started working on a module which could provide anomaly based detection to the above technique.

Screen shots of the system developed (images not reproduced here):

- Connection Features: connection features extracted
- Host Features: host specific features
- Service Features: service level features


This page was last updated on December 15, 2005