Requesting help on completing project

Description

Hi there,


Thanks for your help as always. I need your help completing the project.

Complete I. Introduction, II. Literature Review and part of III. Proposed Solution.

The introduction is based on the previous work you did (anser_2.docx). It should be 3 pages long.

For the literature review part, please write a 12-page review of related papers.zip.

For the proposed solution, please complete lab7 along with the screenshots, and make a connection with our current project.

Additionally,

Please complete one PowerPoint presentation with the following parts. It should be 25 slides total.

CLASS PRESENTATION (total 15 points)

Introduction to the project: motivation and overview (2.5 points)
Overview (2.5 points)
Problem description: technical details (5 points)
Proposed methods: (even if not completed) (5 points)


Unformatted Attachment Preview

Network IDS Implementation
Student’s name
Institution
Course name: Number
Instructor’s Name
Due date
Table of Contents

Network IDS Implementation
Introduction
Problem Statement
Review of Related Work
    Overview of Work that Has Already Been Done
    Discussions
Project Objective
Description and Methodology
    Project Description
    Proposed Methodological Approaches to Achieving Project
    Resources
Anticipated Contribution
    Knowledge
    Beyond the Previous Work
    Foreseeable Limitations That Might Be Addressed
Work Plan and Schedule
Conclusion
Introduction
As cyber threats grow in number and sophistication, a robust Intrusion Detection System (IDS) has become a necessity for safeguarding network infrastructure. Continuing the research work of the previous semester, the Vancouver Laptop Project aims to evaluate and integrate a network-based intrusion detection system (NIDS) on the firm's premises. A NIDS inspects the traffic on monitored network segments and detects malicious activity that may threaten sensitive information. The proposal considers three NIDS solutions, Snort, Suricata, and Zeek, each with distinctive features and advantages such as multi-threading, cross-platform support, and rich traffic logging. Choosing an appropriate IDS is crucial because it underpins the timely detection of network attacks, including those that exploit newly disclosed vulnerabilities, and supports compliance with several regulations.
This proposal compares these IDS candidates and recommends the one best suited to the company's specific requirements and the dynamic nature of cyber threats. It carries out a full comparison of the three network-based intrusion detection systems to ascertain how well each detects (and, when deployed inline, prevents) cyber threats and which one should be implemented in the company's network infrastructure. The selected IDS is expected to strengthen the company's security posture, ensure that sensitive data is protected, and help the company comply with the relevant regulatory standards.
Problem Statement
The central challenge addressed in this project is selecting and implementing an appropriate Intrusion Detection System (IDS) that reliably detects, and thereby helps mitigate, cybersecurity risks within a corporate network.
Review of Related Work
Overview of Work that Has Already Been Done
Intrusion Detection Systems (IDS) have matured through sustained research aimed at improving them and adapting them to constantly changing cyber threats. Bhosale and Mane (2015) compared three widely used Network Intrusion Detection System (NIDS) tools, Snort, Suricata, and Bro (since renamed Zeek), and established how each operates and which features it offers, all of which are essential for detecting intruders in networks and computer systems. More recently, Serinelli, Collen, and Nijdam (2021) designed an anomaly-based IDS that detects not only known attacks but also zero-day attacks. Their method trains machine learning predictors on datasets such as KDD99, NSL-KDD, and CIC-IDS2018 and validates them on a platform that demonstrates the detection of zero-day anomalies.
This research underlines that the proper selection of datasets and of the data-analysis methodology is the basis for potent IDS solutions. The integration of machine learning techniques into IDS is therefore a vital research area: classifiers trained on statistical network traffic features improve the ability to observe and respond to anomalies, and the performance of open-source IDS under such workloads has been assessed by Isa et al. (2019). These developments have led to more resilient and adaptive solutions that detect not only known but also new threats in near real time.
Intrusion detection systems play a significant role in protecting networked hosts because they can detect network anomalies. Despite their long history, perfect detection is not guaranteed, and their practical value depends heavily on the number of false positives they raise. IDSs nevertheless remain at the centre of the fight, especially as freely available hacking tools expand the risk to online systems. Snort is a mature product that has been an industry-standard open-source solution for more than two decades. Suricata, by contrast, offers signature-based intrusion detection built on current technology, such as multi-threading, to speed up processing. One comparative study evaluated Snort and Suricata, two rule-based open-source NIDS, by running experiments on a multi-core computer and measuring their speed, memory requirements, and detection accuracy.
Intrusion detection systems are an essential element of an organization's security framework and complement other security tools such as anti-virus software, firewalls, and packet sniffers. Where e-business is a significant portion of the business, attacks can cause significant financial losses and loss of consumer confidence, so an IDS belongs in a proper security framework. For many companies, especially smaller ones, the cost of IDS implementation can be prohibitive, which is why evaluations of the open-source options Snort and Suricata aim to give an adequate basis for the selection decision. Intrusion detection systems are categorized into network-based (NIDS) and host-based (HIDS) systems, with detection methods based on anomaly detection or pattern (signature) detection. Anomaly detection builds a profile of normal usage patterns and raises alarms for deviations, while pattern detection discovers intrusions by checking traffic against known attack techniques. Comparing the two rule-based open-source NIDS, Snort and Suricata, helps organizations make a more informed selection.
Discussions
An important trend is the integration of IDS with other security technologies to form a comprehensive defense strategy. Such integration couples the IDS with firewalls, antivirus programs, and Security Information and Event Management (SIEM) systems, giving a complete view of the security situation so that emerging threats are acted on in time and in the right way. In addition, the emergence of cloud computing and the Internet of Things (IoT) has introduced new dimensions into the IDS landscape. The trend toward scalable and flexible security services in cloud computing has produced cloud-based IDS solutions, and it has increased the demand for IDS that fit the idiosyncrasies and constraints of IoT networks.
A further recent trend is the application of machine learning (ML) techniques to the detection of both known and zero-day attacks. Serinelli et al. (2021) extended previous work by generating anomaly-based IDS ML predictors from datasets such as KDD99, NSL-KDD, and CIC-IDS2018, and highlighted the problem of the overwhelming number of attack types to be detected. The authors underline that a correct selection of training datasets and data-analysis methods is a main aspect of constructing an efficient IDS. This is extremely important in the contemporary threat landscape, which pressures IDSs to adjust effectively to new and unanticipated attack patterns and behaviors.
It is this advancement that will be developed in an IDS built on the existing strengths of open-source tools such as Snort and Suricata. A hybrid approach brings together the robustness of signature-based detection and the adaptability of anomaly-based detection to provide a unified defense against known and new threats. By integrating these within a coherent cybersecurity platform, this project aims to create a more resilient and dynamic defense system able to react well to the constantly evolving threat landscape.
Project Objective
The major aim of this project is to design and develop an intelligent Intrusion Detection System (IDS) tailored to the requirements of the Vancouver Laptop Project. The project will undertake a detailed analysis of open-source IDS offerings, namely Snort, Suricata, and Zeek, to determine the system that is most robust in performance, scalability, and security capabilities. The chosen system must integrate easily and compatibly with the existing network set-up, with minimal operational disruption. In addition, the IDS will be customized to best address the organization's security needs, in particular the detection of advanced cyber threats and the protection of classified information.
Central to the project is the use of state-of-the-art machine learning methods to improve the ability of the IDS to handle new and emerging threats. Algorithms will be derived that analyze the behavior of traffic inside the network for patterns and isolated events that might indicate an attack. The project aims to establish a proactive and adaptive defense mechanism that keeps pace with developments in cybersecurity technology and with shifts in the threat landscape. Success in this project will materially enhance the organization's cybersecurity posture and help protect its assets and data from unauthorized access and malicious attacks.
Description and Methodology
Project Description
This project is important because it will enhance the security of the company network by monitoring network traffic for suspicious activity and alerting the system administrators to any potential threat. It compares three IDS, Snort, Suricata, and Zeek, to find the most suitable one to recommend for implementation. Snort can run inline as an intrusion prevention system, and its current major release, Snort 3, adds multi-threaded packet processing, a shared configuration and attribute table for easier configuration, and a plugin architecture for customization.
Suricata has been multi-threaded since its inception, so it can use all the cores of the processor. It offers cross-platform support, a scalable flow engine with packet- and application-layer protocol parsers and decoders, and comprehensive traffic logging and analysis. Zeek takes a different approach: rather than matching packets against signatures, it produces detailed protocol logs and provides a powerful event-driven scripting language that supports many protocols.
Proposed Methodological Approaches to Achieving Project
The methodology for reaching the project's goals is a structured comparison and evaluation of Snort, Suricata, and Zeek. It will analyze in depth the capabilities, performance metrics, and compatibility with the company's network infrastructure of each IDS, combined with real-world test scenarios in which several network attacks are orchestrated to observe the performance and responsiveness of each system. The selection criteria will be detection accuracy, processing speed, scalability, and how well each IDS integrates with existing tools. The selected IDS will then be pilot-implemented, fine-tuned, and improved, ensuring that it is chosen through a methodical and scientific approach that fits the company's security needs before it is acquired for production use.
Resources
Substantial resources are needed to complete the planned project successfully, namely hardware, software, and datasets. Hardware resources include network devices such as routers and switches to mirror network traffic, and servers to host the IDS. Software resources comprise the IDS software, the operating system, and any supporting tools required for configuration and monitoring. The datasets used for testing and evaluating intrusion detection must contain normal network traffic as well as synthetic attack traffic that mimics numerous intrusion scenarios. In addition, network security and system administration competencies must be available to implement and administer the IDS effectively. Ensuring access to these resources is critical to the project's success, as they enable the thorough comparison of the IDS candidates and the implementation of the solution most appropriate to the company's network security requirements.
Anticipated Contribution
Knowledge
The project will add to the knowledge of network security through a detailed comparative analysis of the Intrusion Detection Systems Snort, Suricata, and Zeek. It will shed light on the efficacy of each system in identifying different types of network intrusion, guiding the selection of the best IDS in different organizational contexts. It will also investigate how to integrate such systems into existing network infrastructures and deliver best practices for their deployment and configuration. The performance of these IDS in real-life scenarios will be studied and reported as project outcomes, providing a yardstick for their capabilities and limitations. The research will also examine the scalability and adaptability of these systems against an evolving threat landscape, so that the results can be adopted across a complete organization. They will be useful not only to network administrators and security professionals but also to researchers seeking to improve intrusion detection strategies and protect networks from malicious activity.
Beyond the Previous Work
This project extends the previous work into an innovative cloud-based platform that integrates the seamless provisioning of various cybersecurity tools and services, including multiple Intrusion Detection Systems (IDS) such as Snort, Suricata, and Zeek. The novel element is the creation of a unified security ecosystem that exploits the strengths of each tool, with a focus on interoperability and real-time data sharing between these systems. In addition, machine learning algorithms and other artificial intelligence techniques enhance the platform's ability to predict and respond to emerging threats. This marks a shift from traditional reactive security measures to proactive cybersecurity (Kacha & Shevade, 2012), and the resulting holistic and adaptive security framework sets the pace for future developments in cyber security.
Foreseeable Limitations That Might Be Addressed
A major limitation of this project is that cybersecurity tools are inherently complex to aggregate into one cohesive platform. Such a platform requires seamless interoperability between many independent systems, each with its own protocols and data formats, which is very challenging. In addition, the cloud-based infrastructure on which the project relies presents another attack surface, exposed to sophisticated attackers who exploit weaknesses peculiar to the cloud. Scalability, one of the platform's strong suits, imposes a constraint of its own with respect to resource allocation and management, since the system has to adapt to varying loads without significant performance degradation (Mampage, Karunasekera & Buyya, 2022). The continuously changing nature of cyber threats, and the platform's means of reacting proactively to new ones, are further factors that must be managed. All of these restrictions must be overcome for the proposed cybersecurity platform to be successful and reliable.
Work Plan and Schedule
The work plan and schedule for the project are divided into three stages: initial preparation, detailed implementation, and thorough evaluation. Within each stage, tasks and schedules are organized to advance the project's objectives efficiently and effectively.
Preparation (Weeks 1-4): The first four weeks establish a robust project foundation. The team will conduct an intensive analysis of the organization's current intrusion detection systems, with emphasis on network-based intrusion detection (NIDS), comparing Snort, Suricata, and Zeek on performance metrics, compatibility with the existing infrastructure, and scalability. In parallel, the team will define a project management framework that lays down the project scope, objectives, and key deliverables. A thorough risk assessment will identify possible challenges, after which mitigation strategies will be devised. At the end of this phase, an appropriate IDS for implementation is selected according to the analysis and its alignment with the company's security requirements.
Detailed Implementation Phase (Weeks 5-12): In this core phase, spanning eight weeks, the chosen IDS will be configured, customized, and integrated into the company's existing cybersecurity infrastructure. The team will develop and fine-tune custom rules and signatures that enhance detection of the threats identified in the risk assessment. Regular progress reviews are required to keep the project on track and to deal with any technical or operational problems that arise (Khatib et al., 2022). The team will also coordinate closely with the IT department so that the IDS works smoothly alongside the other security tools and applications, such as firewalls and antivirus, within one strong cybersecurity platform.
Thorough Evaluation Phase (Weeks 13-15): The implemented IDS solution will be assessed over the final three weeks. The assessment will comprise different testing scenarios, up to and including simulated cyberattacks, to test the effectiveness of the system in detecting and responding to threats. It will also include a usability evaluation to ensure that the system is usable and fits the needs of the company's security personnel. Feedback collected in this phase will drive the necessary changes to the system. The project will culminate in a comprehensive report covering the implementation, the evaluation results, and recommendations for future improvements to the company's cybersecurity posture. Throughout all stages, the project team will keep stakeholders informed of its activities to ensure open communication and company-wide visibility of and agreement on the security effort.
Conclusion
This project proposal therefore sets out an advanced Intrusion Detection System (IDS) for the Vancouver Laptop Project. We will research and analyze current open-source IDS, namely Snort, Suricata, and Zeek, to identify the system that best fits our organization's specific security needs and its network infrastructure. We will apply modern machine learning techniques to improve the detection and response capabilities of the IDS against unknown as well as advanced cyber threats, developing algorithms for network traffic analysis and anomaly detection that form a proactive defense mechanism able to adjust dynamically to a changing threat landscape.
Integrating the chosen IDS into the company's current network infrastructure will be vital to its success. The system will be designed to interfere as little as possible with operations while substantially strengthening the cybersecurity posture, and customizing the IDS to the real security challenges being faced will be a major step toward a solution that effectively mitigates the risks. In summary, this proposal is a strategic initiative to strengthen the cybersecurity defenses of the Vancouver Laptop Project. We will deliver a holistic security solution built on an appropriate IDS and complemented with machine learning to detect threats in real time, one that not only secures the organization from existing threats but also prepares it to mitigate future challenges and so ensure the security and integrity of its digital assets.
References
Bhosale, D. A., & Mane, V. M. (2015). Comparative study and analysis of Network Intrusion
Detection Tools. 2015 International Conference on Applied and Theoretical Computing
and Communication Technology (iCATccT).
https://doi.org/10.1109/icatcct.2015.7456901
Isa, F.M., Saad, S., Fadzil, A.F.A., Saidi, R.M. (2019). Comprehensive Performance Assessment
on Open Source Intrusion Detection System. In: Kor, LK., Ahmad, AR., Idrus, Z.,
Mansor, K. (eds) Proceedings of the Third International Conference on Computing,
Mathematics and Statistics (iCMS2017). Springer, Singapore.
https://doi.org/10.1007/978-981-13-7279-7_6
Kacha, C., & Shevade, K. A. (2012). Comparison of Different Intrusion Detection and
Prevention Systems. International Journal of Emerging Technology and Advanced
Engineering, 2(12).
Khatib, M. E., Alhosani, A., Alhosani, I., Matrooshi, O. A., & Salami, M. (2022). Simulation in
project and Program Management: Utilization, challenges and opportunities. American
Journal of Industrial and Business Management, 12(04), 731–749.
https://doi.org/10.4236/ajibm.2022.124037
Mampage, A., Karunasekera, S., & Buyya, R. (2022). A holistic view on resource management
in Serverless Computing Environments: Taxonomy and future directions. ACM
Computing Surveys, 54(11s), 1–36. https://doi.org/10.1145/3510412
Serinelli, B. M., Collen, A., & Nijdam, N. A. (2021). On the analysis of open source datasets:
Validating IDS implementation for well-known and zero day attack detection. Procedia
Computer Science, 191, 192–199. https://doi.org/10.1016/j.procs.2021.07.024
Department of Computer Science and Engineering
CS 315 Computer Security Course
Lab 7: Firewall & Intrusion Detection Systems
Introduction
In this lab students will explore the Snort Intrusion Detection System. Students will
study Snort, a signature-based intrusion detection system used to detect network
attacks. Snort can also be used as a simple packet logger. For the purpose of this lab,
students will use Snort as a packet sniffer and write their own IDS rules.
Software Requirements
All required files are packed and configured in the provided virtual machine image.
- The VMWare Software
  http://apps.eng.wayne.edu/MPStudents/Dreamspark.aspx
- The Ubuntu 14.04 Long Term Support (LTS) Version
  http://www.ubuntu.com/download/desktop
- Snort: A signature-based Intrusion Detection System
  https://www.snort.org/#get-started
Fengwei Zhang – CS 315 Computer Security Course
Starting the Lab 7 Virtual Machine
In this lab, we use Ubuntu as our VM image. Select the VM named "Lab8".
Log in to the Ubuntu image with username student and password [TBA in the class].
Below is the screen snapshot after login.
Installing Snort into the Operating System
In our Lab 7 Ubuntu VM image, Snort has been installed and set up for you. If you
want to use your own image, you need to install Snort into the operating system. To
install the latest version of Snort, follow the installation instructions on the Snort
website; note that the installation instructions vary between OSes. The instructions
below show how to install Snort from source code on Linux. You can find more
information here:
https://www.snort.org/#get-started
While you install Snort, your system may be missing some libraries. You need to install
the required libraries, too.
Configuring and Starting the Snort IDS
After installing Snort, we need to configure it. The Snort configuration file is stored
at /etc/snort/snort.conf. The screenshot below shows the commands to configure
Snort. You need to switch to root to gain permission to read the Snort configuration
file.
After configuring Snort, you need to start it. You can simply type one of the following
commands to start the service.
$ service snort start
or
$ /etc/init.d/snort start
Snort Rules
Snort is a signature-based IDS and uses rules to detect intrusions. All Snort rules are
stored under the /etc/snort/rules directory. The screenshot below shows the files that
contain Snort's rules.
The next screenshot shows real rules from /etc/snort/rules/web-misc.rules. The slides
for Lab 7 have more information about Snort rules, including their syntax and format.
Writing and Adding a Snort Rule
Next, we are going to add a simple Snort rule. You should add your own rules to
/etc/snort/rules/local.rules. Add the following line to the local.rules file:
alert icmp any any -> any any (msg:"ICMP Packet found"; sid:1000001; rev:1;)
Basically, this rule defines that an alert will be logged if an ICMP packet is found. The
ICMP packet can come from any IP address, and the rule ID (SID) is 1000001. Make sure
to pick a SID greater than 1,000,000 for your own rules, since lower values are reserved
for the rules distributed with Snort. The screenshot below shows the contents of the
local.rules file after adding the rule.
To make the rule take effect, you need to restart the Snort service by typing one of the
following commands.
$ service snort restart
or
$ /etc/init.d/snort restart
Triggering an Alert for the New Rule
To trigger an alert for the new rule, you only need to send an ICMP message to the VM
where Snort runs. First, find the IP address of the VM by typing the following
command.
$ ifconfig
For instance, the screenshot shows the result on my VM image, where the IP
address is 172.16.108.242.
Next, open a terminal on your host. If your host is a Windows OS, you can use one of
the following two ways to open a terminal:
1. Press "Win-R", type "cmd" and press "Enter" to open a Command Prompt
session using just your keyboard.
2. Click "Start | Program Files | Accessories | Command Prompt" to open a
Command Prompt session using just your mouse.
Once you have a terminal, type the following command to send ping messages to
the VM.
$ ping 172.16.108.242
After you send the ping messages, the alerts should be triggered and you can find the
log messages in /var/log/snort/snort.log. However, the snort.log file is in binary
(unified2) format. You need to use a tool called u2spewfoo to read it. The screenshot
below shows the result of reading the Snort alerts.
You can see that the SID is 1000001, and the alerts are generated by the ICMP
messages.
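As an added example, not part of the lab handout and not Snort's own code, the following Python script parses rules written in the syntax above and evaluates them against constructed packets. It shows why the lab's ICMP rule fires on a ping from anywhere, and how a rule with a content option and a fixed source address is scoped: it fires only for traffic leaving the VM on the right port with the string in the payload. The second rule, the hostname example.com, the use of the handout's VM address 172.16.108.242 as its source, and the TEST-NET-2 address 198.51.100.10 are assumptions made for the example. Real Snort matches many more option keywords and resolves variables such as $HOME_NET; this script rejects those rather than pretending to handle them.

```python
"""Minimal Snort-rule parser and matcher (added example, not Snort's own code): the rule header
plus the msg, sid, rev, content and nocase options; other keywords are rejected, not ignored."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

LOCAL_SID_MIN = 1_000_000  # SIDs below this are reserved for the rules distributed with Snort
SUPPORTED_OPTS = {"msg", "sid", "rev", "content", "nocase"}
HEADER_RE = re.compile(r"^(?P<action>alert|log|pass|drop|reject)\s+(?P<proto>tcp|udp|icmp)\s+"
                       r"(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+->\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)"
                       r"\s*\((?P<opts>.*)\)\s*$")

@dataclass
class Packet:
    proto: str
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None  # None for ICMP
    dst_port: Optional[int] = None
    payload: bytes = b""

def ip_matches(spec: str, addr: str) -> bool:
    """'any', a single address or a CIDR block; a leading '!' negates."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_matches(spec[1:], addr)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec: str, port: Optional[int]) -> bool:
    """'any', a single port or a low:high range; a leading '!' negates."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if port is None:
        return False
    low, sep, high = spec.partition(":")
    return int(low or 0) <= port <= int(high or 65535) if sep else port == int(spec)

@dataclass
class Rule:
    action: str
    proto: str
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: str
    options: dict = field(default_factory=dict)

    def matches(self, pkt: Packet) -> bool:
        # Header first (protocol, addresses, ports), then the payload content, if the rule has one.
        if self.proto != pkt.proto:
            return False
        if not (ip_matches(self.src_ip, pkt.src_ip) and port_matches(self.src_port, pkt.src_port)
                and ip_matches(self.dst_ip, pkt.dst_ip) and port_matches(self.dst_port, pkt.dst_port)):
            return False
        needle, hay = self.options.get("content", "").encode(), pkt.payload
        if "nocase" in self.options:
            needle, hay = needle.lower(), hay.lower()
        return needle in hay  # an empty needle (no content option) always matches

def parse_local_rule(text: str) -> Rule:
    """Parse one rule destined for local.rules, enforcing the handout's SID convention."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule header: " + text)
    opts = {}
    for item in filter(None, (s.strip() for s in m["opts"].split(";"))):  # no value here contains ';'
        key, _, value = item.partition(":")
        if key not in SUPPORTED_OPTS:
            raise ValueError("unsupported option: " + key)
        opts[key] = value.strip().strip('"')
    if int(opts.get("sid", -1)) < LOCAL_SID_MIN:  # also rejects a rule with no sid at all
        raise ValueError("local rules need sid >= %d" % LOCAL_SID_MIN)
    return Rule(m["action"], m["proto"], m["src_ip"], m["src_port"], m["dst_ip"], m["dst_port"], opts)

def alerts_for(rules, packets):
    """(sid, msg) for every alert rule that fires, in packet order."""
    return [(int(r.options["sid"]), r.options.get("msg", ""))
            for p in packets for r in rules if r.action == "alert" and r.matches(p)]

# The lab's ICMP rule plus an assumed second rule in the same style: outbound HTTP from the lab
# VM (172.16.108.242 in the handout) whose payload carries the hostname example.com.
RULES = [parse_local_rule(r) for r in (
    'alert icmp any any -> any any (msg:"ICMP Packet found"; sid:1000001; rev:1;)',
    'alert tcp 172.16.108.242 any -> any 80 (msg:"Outbound HTTP to example.com"; '
    'content:"example.com"; nocase; sid:1000002; rev:1;)')]

# Constructed packets: a ping to the VM; an HTTP request from the VM to example.com (198.51.100.10
# is a TEST-NET-2 address); a TLS ClientHello the content rule cannot see into; an inbound request.
PACKETS = [
    Packet("icmp", "172.16.108.1", "172.16.108.242"),
    Packet("tcp", "172.16.108.242", "198.51.100.10", 51234, 80,
           b"GET / HTTP/1.1\r\nHost: www.Example.com\r\n\r\n"),
    Packet("tcp", "172.16.108.242", "198.51.100.10", 51235, 443, b"\x16\x03\x01"),
    Packet("tcp", "198.51.100.10", "172.16.108.242", 40000, 80,
           b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")]

if __name__ == "__main__":
    for sid, msg in alerts_for(RULES, PACKETS):
        print(f"[1:{sid}] {msg}")  # gid 1 plus the sid, the pair u2spewfoo prints for an event
```

Running the script prints one line for the ping and one for the plain-HTTP request; the TLS connection on port 443 and the inbound request produce nothing, which is the behaviour to expect from the real rule as well. Two simplifications are deliberate: options are split on ';' (fine for these rules, wrong for a content string containing one), and there is no $HOME_NET support. Before restarting the service with a new local.rules, validate the real file with Snort's own configuration test, `snort -T -c /etc/snort/snort.conf`, which catches syntax errors this script cannot.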
Assignments for Lab 7
1. Read the lab instructions above and finish all the tasks.
2. Answer the questions and justify your answers. A simple yes or no answer will not
get any credit.
a. What is a zero-day attack?
b. Can Snort catch zero-day network attacks? If not, why not? If yes, how?
c. Given a network that has 1 million connections daily, where 0.1% (not
10%) are attacks: if the IDS has a true positive rate of 95%, and the
probability that an alarm is an attack is 95%, what is the false alarm rate?
(You may use the math approach from the slides.)
3. Write a rule that will fire when you browse to craigslist.org or another particular
website from the machine Snort is running on; it should look for any outbound
TCP request to craigslist.org and alert on it.
a. The rule you added (from the rules file)
b. A description of how you triggered the alert
c. The alert itself from the log file (after converting it to readable text)
Extra Credit (3pt): Write and add a Snort rule for detecting VPNs; it should trigger an alert
when a VPN service is running on your machine.
Happy Hacking!
