Project Report: Bachelor of Engineering
On
Project Course
BACHELOR OF ENGINEERING
This is to certify that the work embodied in this Project Report entitled “Intrusion Detection System”, being submitted by “Harshraj Singh”, UID “19BCS2089”, 4th Semester, for partial fulfilment of the requirement for the degree of “Bachelor of Engineering in Computer Science & Engineering” discipline in “Chandigarh University” during the academic session July-Dec 2019, is a record of a bona fide piece of work carried out by the student under my supervision and guidance in the “Department of Computer Science & Engineering”, Chandigarh University.
An Intrusion Detection System (IDS) is software or a device that monitors a network for suspicious activity, or for activity that violates its policy. IDSs are widely used to protect networks from different types of attacks. Any intrusion or violation is reported to the administrator, or the information can be collected centrally in a system called a SIEM (Security Information and Event Management), which collects and combines information from different sources and applies alarm filtering techniques. The two most common types of IDS are the Network-based Intrusion Detection System (NIDS) and the Host-based Intrusion Detection System (HIDS). A HIDS monitors important operating system files, while a NIDS analyses incoming network traffic. An IDS works as follows: placed at a strategic point or points within a network so that it sees traffic to and from all devices on the network, it analyses the passing traffic and matches the traffic passed on the subnets against a library of known attacks. Once an attack is identified, or abnormal behaviour is sensed, an alert can be sent to the administrator. Modern networked business environments require a high level of security to ensure safe and trusted communication of information between organizations. An intrusion detection system acts as an adaptable safeguard technology for system security after traditional technologies fail. Cyber-attacks will only become more sophisticated, so it is important that protection technologies adapt along with their threats.
TABLE OF CONTENT
Contributions
Acknowledgements
List of Figures
List of Tables
Glossary
1. Introduction
2. Background
2.1 IDS
2.2 How Was It Invented?
2.3 Advantages
2.4 Motivation
2.5 Goals and Specifications
2.6 Summary
3. System Design
3.1 Project Overview
3.1.1 The Research Stage
3.1.2 Project Layout Stage
3.1.3 Network Devices and Connection Stage
3.2 Software and Hardware Requirements
3.2.1 Cisco Packet Tracer
3.2.2 Command Line Interface
3.3 Project Implementation
3.3.1 Configuring the Network
3.3.2 Testing the Network
3.3.3 Implementation of NIDS using CLI
3.3.4 Commands for Implementing IDS
3.4 IDS Enabled & Protected Network
3.5 Summary
5. Conclusions
6. Bibliography
Glossary
Intrusion Detection System (IDS), network-based: IDSs which detect attacks by capturing and analyzing network packets. (Source: CNSSI 4009-2015 under intrusion detection systems (IDS), (network-based); NIST SP 800-36)
Source: NIST SP 800-12 Rev. 1 under Intrusion Detection System (IDS); NIST SP 800-94
Intrusion Detection System (IDS): A security service that monitors and analyses network or system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner. (Source: NIST SP 800-82 Rev. 2 under Intrusion Detection System (IDS); RFC 4949)
Carrier: Data does not travel by itself inside the network; it needs a carrier that takes that data to its destination.
Source: CNSSI 4009-2015 under intrusion detection system (IDS), (host-based); NIST SP 800-36
IP address: IP addresses are the logical addresses used to identify the destination. The IP versions are IPv4 and IPv6.
MAC address: A MAC address is the physical address built into the NIC of each machine, and it is unique.
PROJECT DESCRIPTION
1. Introduction
An IDS is basically software or a device, and it is commonly divided into two parts: Network Intrusion Detection (NID) and Host Intrusion Detection (HID). The work of NID and HID is the same, but they operate at different levels. More precisely, IDSs are categorised into 5 types: NIDS, HIDS, PIDS, Hybrid IDS and APIDS. Their work is the same, namely to detect intrusions, but they are used at different levels.
Fig 1.1
Fig 1.1 makes clear where HIDSs are used and where NIDSs are used.
A layout of the network should be made prior to the implementation of the IDS, since I am implementing a NIDS. There are various parameters which have to be kept in mind while designing the network and configuring the IDS. Here are some ‘can’s and ‘cannot’s about the IDS.
2.0 Background
2.1 IDS
By the 1960s, financial systems began to introduce audit practice into their processes to
inspect data and check for fraud or errors in systems. However, some questions have arisen:
what should be detected, how to analyse what has been discovered and how to protect the
various levels of security clearance on the same network without compromising security?
Between 1984 and 1986, Dorothy Denning and Peter Neumann developed the first model of an IDS, a prototype named the Intrusion Detection Expert System (IDES).
The IDES model is based on the hypothesis that the behaviour pattern of an intruder differs enough from that of a legitimate user to be detected by analysing usage statistics. The model therefore tries to build a pattern of behaviour for users in relation to programs, files and devices, both in the short and the long term, to perform the detection, in addition to feeding the system with rules that represent known violations. By the end of the 1980s, many other systems had been developed, based on an approach combining statistical and expert systems.
However, we must differentiate between an IDS and an IPS (Intrusion Prevention System). The first is software that automates the process of intrusion detection; the latter is intrusion prevention software, which aims to prevent possible attacks. An IDS therefore works in a reactive and informative way, while an IPS reduces the risk of compromising an environment.
2.2 How Was It Invented?
The IDS journey started thirty years ago, when increasing enterprise network access spawned a new challenge: the need for user access control and user monitoring. As day-to-day operations grew increasingly dependent upon shared use of information systems, levels of access to these systems and clear visibility into user activity were required to operate safely and securely.
Much of the initial headway on IDS was made within the U.S. Air Force. In 1980, James P.
Anderson, a pioneer in information security and member of the Defence Science Board Task
Force on Computer Security at the U.S. Air Force, produced “Computer Security Threat
Monitoring and Surveillance,” a report that is often credited with introducing automated IDS.
Soon after this report was released, the first model was built, born out of the same methods
used by anti-virus applications: rule-based systems that constantly scanned and compared
network traffic against a list of known threats.
2.3 Advantages
- It monitors the working of routers, firewalls, key servers and files. Using its extensive attack signature database, it raises an alarm and sends appropriate notifications on detecting a breach.
- By using the signature database, an IDS ensures quick and effective detection of known anomalies with a low risk of raising false alarms.
- It analyses different types of attacks, identifies patterns of malicious content and helps administrators to tune, organize and implement effective controls.
- It helps the company maintain regulatory compliance and meet security regulations, as it provides greater visibility across the entire network.
2.4 Motivation
When we had all individually registered for this project, none of us were quite sure what to implement for the IDS, how to implement it, or what planning should be done to complete the project. But we all knew we wanted to do something interesting and, most importantly, something fun. We had seen some networking projects, but all of those were of a basic level; we already knew the basics of networking and had worked on some basic projects, so we decided to do something of intermediate level. IDS offers many possible projects, including an expert mode where some high-level commands are used, but since we were all new to network security we started from basic IDS security: how it works and how it secures the network. Anyone can understand this project; it is easy to understand and fun to implement. Whenever anyone does anything, it is important that he/she has a strong motive and encouragement to do that task.
2.5 Goals and Specifications
The goal of this project is to design, implement and test a stable and secure IDS that can be used to secure any type of network. It also has the ability to immediately inform the administrator about an intrusion or any suspicious activity. It delivers the different protocol and traffic information directly to the admin of the network; once the admin has been informed, the work of the IDS is complete, and the admin then decides what to do with this traffic, whether to allow it to continue or to block it.
After all the configurations, the final IDS design should meet the following specifications:
1. The IDS must be capable of detecting the type of traffic which the admin assigned to it.
2. The IDS must be capable of informing the admin about any suspicious activity related to the signatures assigned by the admin.
3. The IDS should create a log report on the server which is specifically meant for logging these activities.
4. The IDS must be capable of scanning the traffic which is entering the network.
2.6 Summary
The aim of this project was to build a security technique to secure a network against malicious activity. This project was a great learning opportunity for all of us, as we came to know some new things which we did not know before. There were many difficulties for us during the whole process, but we did not lose hope and tried to complete it as soon as possible. In Section 2.0 you read about the IDS, its history and the advantages of having it in the network.
3.0 System Design
In this section you will find all the explanations about this project and how it was approached. All the software components and commands used for implementing this project will be discussed here. Problems encountered during the course of this project will also be discussed in this section.
3.1 Project Overview
The ultimate goal of this project is to log all the suspicious activity entering the network. This is made possible with specialised software called an IDS.
3.1.1 The Research Stage
The research stage was a critical stage that provided our team with the knowledge necessary to complete the other stages of our project. This stage was an ongoing process throughout the project until it was completed. During the development stage we learnt many new things by researching on the web. Our research encompassed a wide range of sources, including studies done at different universities and hobbyist sources. Our research also covered the different signatures used to activate detection against different types of traffic protocols.
3.1.2 Project Layout Stage
The network layout stage produces the whole network blueprint, i.e. the type of network on which our IDS will be implemented. We are using 3 different networks, each with some hosts and servers inside it.
The First Network uses IPv4 addressing, with IP addresses in the range 192.168.1.2 – 192.168.1.7. The default gateway for this network is 192.168.1.1.
The Second Network uses IPv4 addressing, with IP addresses in the range 192.168.10.2 – 192.168.10.8. The default gateway for this network is 192.168.10.1.
The Third Network uses IPv4 addressing, with IP addresses in the range 192.168.30.2 – 192.168.30.4. The default gateway for this network is 192.168.30.1.
3.1.3 Network Devices and Connection Stage
Three Cisco 1941 routers are used to connect these 3 LANs together. Dynamic routing is used to route traffic across all 3 networks.
Two different servers are placed across the networks to perform additional functions such as web access and file transfer. These servers are HTTP and FTP.
HTTP is used for web traffic: if we want to access any website, the HTTP protocol or server comes into play.
FTP is used for file transfer: if we want to store some files on the server or download some files from a server, the FTP protocol or server comes into play.
For a proper connection, IP addresses are very important for communication across the network. The IPs used in this network are Class A and Class C. A large number of the IPs are from Class C because it has the most hosts compared with the other classes such as A and B.
3.2 Software and Hardware Requirements
To implement this project we have to meet some software and hardware requirements.
3.2.1 Cisco Packet Tracer
Packet Tracer is a cross-platform visual simulation tool designed by Cisco Systems that allows users to create network topologies and imitate modern computer networks. The software allows users to simulate the configuration of Cisco routers and switches using a simulated command line interface. Packet Tracer makes use of a drag-and-drop user interface, allowing users to add and remove simulated network devices as they see fit. The software is mainly aimed at Cisco Certified Network Associate (CCNA) Academy students as an educational tool for helping them learn fundamental CCNA concepts. Previously, students enrolled in a CCNA Academy program could download and use the tool free of charge for educational use.
Packet Tracer can be run on Linux, Microsoft Windows, and macOS. Similar Android and
iOS apps are also available. Packet Tracer allows users to create simulated network
topologies by dragging and dropping routers, switches and various other types of network
devices. A physical connection between devices is represented by a 'cable' item. Packet
Tracer supports an array of simulated Application Layer protocols, as well as basic routing
with RIP, OSPF, EIGRP, BGP, to the extents required by the current CCNA curriculum. As
of version 5.3, Packet Tracer also supports the Border Gateway Protocol.
In addition to simulating certain aspects of computer networks, Packet Tracer can also be
used for collaboration. As of Packet Tracer 5.0, Packet Tracer supports a multi-user system
that enables multiple users to connect multiple topologies together over a computer network.
Packet Tracer also allows instructors to create activities that students have to complete.
Packet Tracer is often used in educational settings as a learning aid. Cisco Systems claims
that Packet Tracer is useful for network experimentation.
Packet Tracer allows students to design complex and large networks, which is often not feasible with physical hardware due to cost. Packet Tracer is commonly used by CCNA Academy students, since it is available to them for free. However, due to functional limitations, it is intended by Cisco to be used only as a learning aid, not as a replacement for Cisco routers and switches. The application itself has only a small subset of the features found in actual hardware running a current Cisco IOS version. Thus, Packet Tracer is unsuitable for modelling production networks. It has a limited command set, meaning it is not possible to practise all of the IOS commands that might be required. Packet Tracer can be useful for understanding abstract networking concepts, such as the Enhanced Interior Gateway Routing Protocol, by animating these elements in a visual form. Packet Tracer is also useful in education by providing additional components, including an authoring system, network protocol simulation and an assessment system.
3.2.2 Command Line Interface
To configure any device in Packet Tracer you are required to open or access its CLI. You can do this by clicking any device and then navigating to the CLI tab. Once you are at the CLI you can run all Cisco commands there.
A Cisco IOS router command line interface can be accessed through a console connection, a modem connection, or a telnet/ssh session.
Regardless of which connection method is used, access to the IOS command line interface is generally referred to as an EXEC session, as shown in Fig 3.4.
As a security feature, Cisco IOS separates EXEC sessions into two different access levels: the user level and the privileged EXEC level.
User EXEC level allows a person to access only a limited set of basic monitoring commands.
Privileged EXEC level allows a person to access all of the router’s commands (e.g. configuration and management) and can be password protected so that only authorized users are able to configure or maintain the router.
Once an EXEC session is established, commands within Cisco IOS are hierarchically structured. In order to be able to configure the router, it is important to understand this hierarchy.
3.3 Project Implementation
In this section we go through all the steps taken to implement the IDS successfully.
3.3.1 Configuring the Network
Placing the devices and connecting them with cables is not enough! We have to do far more than this. After connecting the cables, the first task is to assign IP addresses. As discussed above, Class A and Class C IPv4 addresses are used. After assigning an IP address to each interface in the network, the next step is to check connectivity from one PC to another. But at this point connectivity only works inside a network; our network is still not capable of communicating with PCs outside it, as you can see in Fig 3.5, 3.6 & 3.7.
Let’s take another test: sending an ICMP packet from PC3 to PC7 (in another network) and checking whether it successfully reached its destination.
As you can see in Fig 3.5 & 3.6, it did not reach its destination.
Fig 3.6 ICMP Packet Sent from PC3 to PC7
This failure occurs because we have not told the router where it should send a packet that arrives at it.
This is where the concept of routing comes in. There are two types of routing:
- Static Routing
- Dynamic Routing
For our project we have used dynamic routing because it is easier to use.
Another task in configuring this network was the configuration of the servers, i.e. Syslog, HTTP and FTP. On the Syslog server I turned off all the services except the logging service called ‘SYSLOG’, so that it focuses only on logging the information coming from the IDS.
For configuring HTTP, the same concept applies as for Syslog. Here I made a custom webpage which can be accessed from any host in any network by the IP address 100.50.0.2.
For configuring FTP, the same concept applies. Here I made a user called ‘harsh’ with the password ‘123’.
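The report describes the addressing and dynamic-routing step but does not show the router commands. The following is an added example of how that step looks in the Packet Tracer CLI for Router0, the router in front of Network 1; it is not the report’s own transcript. The report names no routing protocol and gives no router-to-router link addresses, so RIPv2, the GigabitEthernet 0/1 uplink and the 10.0.0.0/30 link address are assumptions chosen for illustration (10.0.0.0 is a Class A address, consistent with the report’s use of Class A and Class C). The same pattern is repeated on the other two 1941 routers with their own LAN (192.168.10.0/24, 192.168.30.0/24) and link addresses.

```cisco
! Added example, not from the report: addressing + RIPv2 on Router0.
! Assumed: uplink on Gig0/1, link address 10.0.0.1/30.
Router0> enable
Router0# configure terminal

! LAN side: the default gateway of Network 1 as given in the report
Router0(config)# interface gigabitEthernet 0/0
Router0(config-if)# ip address 192.168.1.1 255.255.255.0
Router0(config-if)# no shutdown
Router0(config-if)# exit

! Link towards the other routers (assumed addressing)
Router0(config)# interface gigabitEthernet 0/1
Router0(config-if)# ip address 10.0.0.1 255.255.255.252
Router0(config-if)# no shutdown
Router0(config-if)# exit

! Dynamic routing: advertise the directly connected networks so the other
! routers learn the path to 192.168.1.0/24 and Router0 learns theirs.
Router0(config)# router rip
Router0(config-router)# version 2
Router0(config-router)# no auto-summary
Router0(config-router)# network 192.168.1.0
Router0(config-router)# network 10.0.0.0
! Do not send routing updates into the LAN; hosts never need them.
Router0(config-router)# passive-interface gigabitEthernet 0/0
Router0(config-router)# end
Router0# write memory

! Verification: routes learned from the other routers show with an "R" flag,
! and the PC3 -> PC7 ping that failed earlier now succeeds.
Router0# show ip route
Router0# ping 192.168.10.2
```

The `passive-interface` line is the one setting a security-minded engineer adds even in a lab: it keeps RIP updates (and the internal topology they describe) off the host segment that the IDS is about to monitor.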
3.3.2 Testing the Network
Before moving on to the implementation of the IDS, it is important to test the connectivity of the entire network.
In this test a packet is sent from PC1 to PC7, the acknowledgement of that packet is received back at PC1, and the whole process completes successfully.
3.3.3 Implementation of NIDS using CLI
Now we have reached the main task: applying the IDS to this network to secure it.
Our IDS is implemented on Router0 on the interface GigabitEthernet 0/0. It scans all the ICMP traffic coming into Network 1 through this interface. For that we have used IPS signature 2004.
We also have a list of different signatures made for different types of data traffic. Some signatures are:
3.3.4 Commands for Implementing IDS
There are different commands used for implementing and enabling the IDS on that specific interface.
Commands and their descriptions:
- enable: Enters privileged EXEC mode on the networking device.
- config t: Enters the device’s global configuration mode.
- show version: Shows the router’s IOS version with other details, including the security and data technology packages.
- license boot module c1900 technology-package securityk9: Activates the securityk9 package on the router, which is required for the IDS implementation.
- do reload: Reloads the router (needed for the license change to take effect).
- mkdir (directory_name): Makes a directory on the router’s flash.
- ip ips config location (directory_name): Assigns the location where IPS signature files are stored.
- ip ips name (name): Creates an IPS rule with the given name.
- ip ips signature-category: Enters the IPS signature category configuration.
- category all: Selects all the IPS signature categories.
- retired true: Retires the selected category.
- retired false: Unretires the selected category.
- category (name) basic: Enters the basic subset of the named category (in Cisco IOS the category name is ios_ips) so that its signatures can be unretired with retired false.
- int (interface_name): Enters interface configuration mode.
- ip ips (rule_name) out: Applies the IPS rule to the interface in the outbound direction; on the interface facing Network 1 this inspects the traffic heading into that network.
- logging on: Turns on the logging capability of the router.
- logging host (ip_address): Assigns the syslog server that receives the log messages.
- service timestamps log datetime msec: Stamps every log message with the system clock’s date and time, with millisecond precision.
- ip ips signature-definition: Enters a specific signature so that its definition can be changed.
- signature 2004 0: 2004 is the signature ID and 0 is the SubID of the IPS signature used in our system.
- status: Enters the status settings of this signature.
- enabled: Enables this signature (entered as enabled true).
- engine: Enters the engine settings, where the action of the signature (inform or block) is changed.
- event-action: The action of the signature is configured in the event-action section.
- produce-alert: Alerts the admin by logging to the syslog server.
- deny-packet-inline: Blocks every packet that matches the configured signature. THIS IS NOT USED, AS THIS IS ONLY AN IDS, NOT AN IPS.
- do show: Shows the IDS configuration implemented on that router interface (e.g. do show ip ips all).
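The table lists the commands one by one; the following is an added example, not the report’s own transcript, that puts them together in the order Cisco IOS expects, for the Router0 / GigabitEthernet 0/0 / signature 2004 setup the report describes. The rule name iosips, the directory name ipsdir and the syslog server address 192.168.1.2 are assumptions (the report gives the Network 1 range but not the Syslog server’s address). The category name ios_ips is the real IOS keyword, not a placeholder.

```cisco
! Added example, not from the report: Cisco IOS IPS configured as a
! signature-based NIDS (alert only) on Router0.
! Assumed names/addresses: iosips, ipsdir, syslog server 192.168.1.2.

Router0> enable
Router0# show version                       ! check whether securityk9 is already active
Router0# configure terminal
Router0(config)# license boot module c1900 technology-package securityk9
Router0(config)# end
Router0# write memory
Router0# reload                             ! the package only activates after a reboot

! --- after the reload: signature storage, rule name, category selection ---
Router0> enable
Router0# mkdir ipsdir
Router0# configure terminal
Router0(config)# ip ips config location flash:ipsdir
Router0(config)# ip ips name iosips
Router0(config)# ip ips notify log          ! deliver IPS events through syslog
Router0(config)# ip ips signature-category
Router0(config-ips-category)# category all
Router0(config-ips-category-action)# retired true    ! retire everything first
Router0(config-ips-category-action)# exit
Router0(config-ips-category)# category ios_ips basic
Router0(config-ips-category-action)# retired false   ! then unretire only the basic set
Router0(config-ips-category-action)# exit
Router0(config-ips-category)# exit
! IOS asks "Do you want to accept these changes? [confirm]" - press Enter

! --- logging to the Syslog server in Network 1 ---
Router0(config)# logging on
Router0(config)# logging host 192.168.1.2
Router0(config)# service timestamps log datetime msec

! --- signature 2004/0 (ICMP Echo Request): enable it, alert only ---
Router0(config)# ip ips signature-definition
Router0(config-sigdef)# signature 2004 0
Router0(config-sigdef-sig)# status
Router0(config-sigdef-sig-status)# enabled true
Router0(config-sigdef-sig-status)# retired false
Router0(config-sigdef-sig-status)# exit
Router0(config-sigdef-sig)# engine
! produce-alert keeps this an IDS; deny-packet-inline would make it an IPS
Router0(config-sigdef-sig-engine)# event-action produce-alert
Router0(config-sigdef-sig-engine)# exit
Router0(config-sigdef-sig)# exit
Router0(config-sigdef)# exit
! confirm the "accept these changes" prompt again

! --- apply the rule on the interface facing Network 1, outbound (into the LAN) ---
Router0(config)# interface gigabitEthernet 0/0
Router0(config-if)# ip ips iosips out
Router0(config-if)# end
Router0# write memory
Router0# show ip ips all                    ! verify rule name, interface and direction
```

To check the result, ping a Network 1 host from a PC in another network and watch the Syslog server: each echo request that passes GigabitEthernet 0/0 outbound produces a %IPS-4-SIGNATURE message for Sig 2004 Subsig 0, while the ping itself still succeeds because the action is alert only. Two caveats for anyone moving this off the simulator: Packet Tracer ships the signature set built in, whereas a physical router also needs the Cisco IOS IPS public key and a signature package loaded before ip ips signature-definition has anything to enable; and the direction keyword must match the topology, so confirm with show ip ips all that the rule sits on the interface whose outbound side is the LAN you mean to watch.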
3.5 Summary
An IDS is basically software or a device, commonly divided into two parts: Network Intrusion Detection (NID) and Host Intrusion Detection (HID). In this project I have implemented an Intrusion Detection System by creating 3 different networks, as in Fig 1.2. Implementing the IDS is a very challenging task, as it requires the implementer to have proper prior knowledge of some common and special network devices and ethernet cables.
Here are some ‘can’s and ‘cannot’s about the IDS.
Devices in the First Network (192.168.1.2 – 192.168.1.7, default gateway 192.168.1.1):
- 4 different PCs
- 1 SYSLOG server
- 1 printer
4.2.1 Difficulties
4.2.2 Future Work
For future work we need to develop a honeypot system, and to implement an Intrusion Prevention System alongside the Intrusion Detection System.
4.3 Summary
In this phase of the project we dealt with the difficulties that arose from testing and improving the IDS system; we also learnt how to use the command line and Cisco features such as Syslog and ping monitoring.
5.0 Conclusion
In this project of implementing an Intrusion Detection System using Cisco Packet Tracer, we created a network using different components like PCs, routers, switches, servers, connecting wires, hubs, etc.
After connecting the network, we accessed the networks and allotted different protocols to different components (FTP, HTTP etc. to the servers, IPs to all the devices in the network), and sent ICMP packets through the network to ensure that it worked flawlessly.
Then we fed and flooded the network with pings and monitored the ping, the type of message and the connection status. This was done to test the NIDS and implement the IDS.