Intrusion Prevention and Automated Response in Sachet Intrusion Detection System

[srijitkamath]

Intrusion Prevention and Automated Response in Sachet Intrusion Detection System

An Intrusion Detection System (IDS) monitors computer systems and network traffic, analyzes the traffic to identify possible security breaches, and raises alerts. It is difficult for human users to analyze the alerts and take swift appropriate actions which gives the attacker enough opportunity to continue to carry out further attacks. It is therefore important to take some automated actions to stop the attack. Unlike intrusion detection system, which passively monitors and reports, an Intrusion Prevention System (IPS) sits inline between the attacker and the system, monitors the traffic and stops the attacker to carry out attacks rather than just reporting them.

In this thesis, we describe the design and implementation of automated response module for Sachet - A distributed, real-time, network-based IDS developed at IIT Kanpur. The aim of automated response is to take immediate action in response to alerts generated by IDS to protect the system from further attacks. We are able to achieve a response time of less than one second.

We also describe the design and implementation of Intrusion Prevention System (which works independent of Sachet). Our intrusion prevention system detects signature-based attacks using INTEL IXP2400 Network Processor. It drops the packets containing predefined alert signature patterns thereby preventing these packets to reach the system. We tested our IPS on DARPA dataset and are able to achieve a speed of 24 Mbps without packet loss.

[zubair]

[attachment=15194]
An Intrusion Detection System (IDS) monitors computer systems and network traffic, analyzes the traffic to identify possible security breaches, and raises alerts. It is difficult for human users to analyze the alerts and take swift appropriate actions which gives the attacker enough opportunity to continue to carry out further attacks. It is therefore important to take some automated actions to stop the attack. Unlike intrusion detection system, which passively monitors and reports, an Intrusion Prevention System (IPS) sits inline between the attacker and the system, monitors the traffic and stops the attacker to carry out attacks rather than just reporting them.
In this thesis, we describe the design and implementation of automated response module for Sachet - A distributed, real-time, network-based IDS developed at IIT Kanpur. The aim of automated response is to take immediate action in response to alerts generated by IDS to protect the system from further attacks. We are able to achieve a response time of less than one second.
We also describe the design and implementation of Intrusion Prevention System (which works independent of Sachet). Our intrusion prevention system detects signature-based attacks using INTEL IXP2400 Network Processor. It drops the packets containing predefined alert signature patterns thereby preventing these packets to reach the system. We tested our IPS on DARPA dataset and are able to achieve a speed of 24 Mbps without packet loss.