SnIPS Implementation and GUI
Tsung-Hsi Wu, M.S.E., Department of Computing and Information Science, Kansas State University

Dec 18, 2015

Transcript
Page 1

SnIPS Implementation and GUI

Tsung-Hsi Wu, M.S.E.

Department of Computing and Information Science

Kansas State University

Page 2

Outline

- Project Overview
- Prototype
- Project Requirements
- Cost Estimation
- Software Quality Assurance Plan
- Phase 2 Deliverables
- Q&A


Page 4

Project Overview

SnIPS Background

- Snort Intrusion Analysis using Proof Strengthening.
- Dr. Simon Ou, Siva Raj Rajagopalan (HP Labs), and Sakthiyuvaraja Sakthivelmurugan.
- An Empirical Approach to Modeling Uncertainty in Intrusion Analysis, 25th Annual Computer Security Applications Conference (ACSAC).
- Reason Under Uncertainty.

Page 5

Project Overview

SnIPS pipeline (slide diagram):

Snort, Netflow filter, Log analyzer
  -> Pre-Processing -> Datalog tuples
  -> Reasoning Engine (Observation Correspondence + Internal Model; reasons under uncertainty)
  -> Answers with evidence: which machines are "certainly" compromised?

Snort

- open source network intrusion detection system
- compares the payload of network packets with Snort Rules, e.g.:
  alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES 403 Forbidden"; flow:from_server,established; content:"HTTP/1.1 403"; depth:12; classtype:attempted-recon; sid:1201; rev:7;)
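The rule above, worked through as an added example (this is illustrative code written for this page, not code from Snort or SnIPS): a small parser for a one-line Snort rule and a payload matcher that applies content together with its depth/offset/nocase modifiers. It shows why depth:12 makes the 12-byte pattern effectively anchored at the start of the server response. The sample payloads are constructed; the $HTTP_SERVERS-style variables and the flow option are parsed but not evaluated, because they need network configuration and TCP state that a lone payload does not carry.

```python
"""Parse one Snort rule and apply its content matching to raw payloads (added example).

Written for this page; not code from Snort or SnIPS. Handles the rule header
and the content/depth/offset/nocase modifiers plus msg/sid/rev/gid. The flow
option and the $HTTP_SERVERS-style variables are parsed but not evaluated:
they need TCP state and network configuration a lone payload does not carry.
Hex content (|41 42|) and ';' inside quoted strings are not handled.
"""

RULE = ('alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any '
        '(msg:"ATTACK-RESPONSES 403 Forbidden"; flow:from_server,established; '
        'content:"HTTP/1.1 403"; depth:12; classtype:attempted-recon; sid:1201; rev:7;)')

# Constructed payloads: a real 403 response, a 200 response, and a 403 whose
# status line starts one byte late (e.g. a stray newline in front of it).
PAYLOADS = {
    "forbidden": b"HTTP/1.1 403 Forbidden\r\nServer: Apache\r\n\r\n",
    "ok":        b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
    "shifted":   b"\nHTTP/1.1 403 Forbidden\r\n",
}


def parse_rule(text):
    """Split 'action proto src sport -> dst dport (opt:val; ...)' into a dict."""
    header, _, body = text.partition("(")
    action, proto, src, sport, _arrow, dst, dport = header.split()
    body = body.strip()
    if body.endswith(")"):
        body = body[:-1]
    options = []                      # ordered: modifiers apply to the preceding content
    for item in body.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(":")
        options.append((key.strip(), value.strip()))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}


def content_checks(options):
    """Group each content: option with the depth/offset/nocase that follow it."""
    checks = []
    for key, value in options:
        if key == "content":
            checks.append({"pattern": value.strip('"').encode(),
                           "depth": None, "offset": 0, "nocase": False})
        elif checks and key in ("depth", "offset"):
            checks[-1][key] = int(value)
        elif checks and key == "nocase":
            checks[-1]["nocase"] = True
    return checks


def matches(rule, payload):
    """True when every content check finds its pattern inside its search window.
    Snort's depth counts bytes from offset, so the pattern must lie entirely
    within payload[offset:offset+depth]."""
    for chk in content_checks(rule["options"]):
        window = payload[chk["offset"]:]
        if chk["depth"] is not None:
            window = window[:chk["depth"]]
        needle = chk["pattern"]
        if chk["nocase"]:
            needle, window = needle.lower(), window.lower()
        if needle not in window:
            return False
    return True


def alert_for(rule, payload):
    """gid:sid:rev and msg as Snort would report them, or None when the rule is silent."""
    if not matches(rule, payload):
        return None
    opts = dict(rule["options"])      # only the single-valued keys are read here
    return {"id": f"{opts.get('gid', '1')}:{opts['sid']}:{opts['rev']}",
            "msg": opts["msg"].strip('"')}


def run_demo():
    """Apply the slide's rule to each constructed payload."""
    rule = parse_rule(RULE)
    return {name: alert_for(rule, data) for name, data in PAYLOADS.items()}


if __name__ == "__main__":
    for name, hit in run_demo().items():
        print(f"{name:10s} -> {hit}")
```

Only the first payload fires: the 200 response lacks the pattern, and the shifted 403 contains it but not within the first 12 bytes, so depth:12 silences the rule even though the string is present. That is the kind of detail the "what triggers the Snort alerts" backtracking in the GUI has to surface.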

Page 6

Project Overview


Pipeline steps and the command run at each:

- Snort / Netflow filter / Log analyzer. Linux command: sudo snort -c test.conf -i eth4
- Pre-processing (alert translation). Linux command: python alert translator.py -h
- Summarization. Linux command: summarize.sh
- Trace. Linux command: trace.sh
- Reasoning engine query: ?- show_trace(int(compromised(H),c))

GUI (wraps the steps above)

Datalog tuples produced by pre-processing (observations):

obs(oid_1, snort('1:469', '128.111.49.46', '192.168.10.90', 1039203853)).
obs(oid_2, snort('1:469', '128.111.43.65', '192.168.10.80', 1039203994)).

Summarized internal facts (mode c = certain, l = likely, p = possible):

int(probeOtherMachine('192.168.10.80',external),l,skolem(0),range(1039206341,1039207768)).
int(suspicious(external,'192.168.10.90'),p,skolem(9),range(1039205847,1039205847)).
int(compromised('192.168.10.80'),l,skolem(10),range(1039206444,1039206444)).

Proof trace (show_trace output, one step per line):

int(probeOtherMachine('192.168.10.80',external),c,range(1904834156,0))
strengthenedPf
int(probeOtherMachine('192.168.10.80',external),l,range(1904834156,0))
summarizedFact skolem(0)
int(skol(probeOtherMachine('192.168.10.80',external)),p,range(1039206444,1904834156))
intRule_1f
int(compromised('192.168.10.80'),l,range(1039206444,1039206444))
summarizedFact skolem(10)
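The pre-processing step shown above (Snort alerts -> obs tuples -> summarized int facts), as an added example. This is illustrative code written for this page, not the SnIPS alert translator or summarize.sh. The input is three constructed alert lines in Snort's alert_fast output format; the observation-correspondence table, the HOME_NET prefix, the year used to complete Snort's year-less timestamps and the skolem numbering are all assumptions made for the example.

```python
"""Snort alert_fast lines -> SnIPS-style Datalog tuples (added example).

Illustrative code for this page, not the SnIPS project's alert translator or
summarize.sh. Assumptions (not on the slides): the CORRESPONDENCE table, the
HOME_NET prefix, the year passed to parse_alerts, and the skolem numbering.
"""
import calendar
import re
from collections import defaultdict

# One alert_fast line:
# "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]"
FAST_ALERT = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.\d+\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:[^\]]*\])?(?:\s+\[Priority:\s*\d+\])?\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# Constructed sample alerts (sid 469 is Snort's "ICMP PING NMAP" signature);
# the last line stands in for the non-alert text Snort writes to the same file.
ALERTS = """\
12/06-19:44:13.000000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 128.111.49.46 -> 192.168.10.90
12/06-19:46:34.000000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 128.111.43.65 -> 192.168.10.80
12/06-20:25:41.000000  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 128.111.43.65 -> 192.168.10.80
Run time for packet processing was 12.0 seconds
"""

# Observation correspondence (assumed mapping): "gid:sid" -> (internal condition, mode).
# Modes as on the slide: c = certain, l = likely, p = possible.
CORRESPONDENCE = {"1:469": ("probeOtherMachine", "l")}
HOME_NET = "192.168.10."  # assumed monitored prefix; other addresses are 'external'


def parse_alerts(text, year):
    """One record per well-formed alert line; timestamps become UTC epoch seconds."""
    records = []
    for line in text.splitlines():
        m = FAST_ALERT.match(line)
        if not m:
            continue  # banners, statistics and other non-alert lines are skipped
        ts = calendar.timegm((year, int(m["mon"]), int(m["day"]),
                              int(m["h"]), int(m["m"]), int(m["s"]), 0, 0, 0))
        records.append({"sig": f"{m['gid']}:{m['sid']}", "src": m["src"],
                        "dst": m["dst"], "ts": ts})
    return records


def obs_facts(records):
    """obs(oid_N, snort(sig, src, dst, ts)). tuples in the syntax the slide shows."""
    return [f"obs(oid_{i}, snort('{r['sig']}', '{r['src']}', '{r['dst']}', {r['ts']}))."
            for i, r in enumerate(records, 1)]


def zone(ip):
    """Coarse location used as the second argument of probeOtherMachine."""
    return "internal" if ip.startswith(HOME_NET) else "external"


def summarize(records):
    """Collapse repeated observations of one internal condition into a single
    int(...) fact whose range() spans the first and last supporting alert,
    in the form the summarized facts on the slide take."""
    groups = defaultdict(list)
    for r in records:
        if r["sig"] not in CORRESPONDENCE:
            continue  # a signature with no correspondence yields no internal fact
        cond, mode = CORRESPONDENCE[r["sig"]]
        groups[(cond, r["dst"], zone(r["src"]), mode)].append(r["ts"])
    facts = []
    for k, key in enumerate(sorted(groups)):
        cond, host, z, mode = key
        stamps = groups[key]
        facts.append(f"int({cond}('{host}',{z}),{mode},skolem({k}),"
                     f"range({min(stamps)},{max(stamps)})).")
    return facts


if __name__ == "__main__":
    recs = parse_alerts(ALERTS, 2002)
    print("\n".join(obs_facts(recs)))
    print("\n".join(summarize(recs)))
```

The two pings against 192.168.10.80 collapse into one likely probeOtherMachine fact whose range covers both alerts, while the single ping against .90 becomes a one-point range; the reasoning engine then works on these int facts rather than on the raw alert stream.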

Page 7

Project Overview

Motivation

- Need a friendly user interface
- What triggers the "Snort Alerts"?

Goal

- GUI
- Implementation
  -> Backtrack the alerts
  -> Payload that triggers Snort Rules


Page 9

Prototype Demo

- GUI Framework
- SnIPS Visualized Output

http://people.cis.ksu.edu/~tsuhsiwu/


Page 11

Project Requirements

- SnIPS GUI Framework
- Use Case – SnIPS GUI Component

Page 12

Project Requirements

SnIPS GUI Framework

- SR 1.1: SnIPS GUI must be extensible
  -> Object Oriented Design

Page 13

Project Requirements

Use Case – SnIPS GUI Component

Page 14

Project Requirements

Use Case – SnIPS GUI Component

- SR 2 (critical): Start and Stop Snort
- SR 3 (critical): Fetch alerts from MySQL
- SR 4 (critical): Fetch alerts based on time frame
- SR 5 (critical): Manage Snort Rules
- SR 6 (critical): Specify Configuration & Host Info
- SR 7 (critical): Run Pre-Processing & Reasoning
- SR 8 (critical): Webpage for Reasoning Engine Output
- SR 9 (non-critical): Represent Output in Graphical View
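For SR 3 and SR 4, an added example (not the project's own code) of fetching alerts by time frame with a parameterised query. It uses an in-memory SQLite database standing in for MySQL, with tables and column names modelled on Snort's database output plugin schema (event, signature, iphdr); treat those names and the constructed rows as assumptions, and note that MySQL client libraries use %s placeholders and CONCAT() where SQLite uses ? and ||. The unsafe variant is included only to show how a time-frame string taken straight from the GUI widens the query to every alert in the table.

```python
"""Time-framed alert fetch from a Snort-style alert database (added example).

Illustrative code for this page, not the SnIPS GUI's own. SQLite stands in
for MySQL; the three tables mirror a subset of the Snort database output
plugin's schema (column names assumed); the rows are constructed.
"""
import ipaddress
import sqlite3

SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT,
                        sig_gid INTEGER, sig_sid INTEGER, sig_rev INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                    PRIMARY KEY (sid, cid));
"""


def ip2int(dotted):
    """Snort stores addresses as unsigned 32-bit integers."""
    return int(ipaddress.IPv4Address(dotted))


def int2ip(n):
    return str(ipaddress.IPv4Address(n))


def build_sample_db():
    """In-memory stand-in for the MySQL alert database, loaded with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO signature VALUES (1, 'ICMP PING NMAP', 1, 469, 3)")
    rows = [(1, "2002-12-06 19:44:13", "128.111.49.46", "192.168.10.90"),
            (2, "2002-12-06 19:46:34", "128.111.43.65", "192.168.10.80"),
            (3, "2002-12-07 03:10:00", "128.111.43.65", "192.168.10.80")]
    for cid, ts, src, dst in rows:   # sensor id (sid) 1 throughout
        conn.execute("INSERT INTO event VALUES (1, ?, 1, ?)", (cid, ts))
        conn.execute("INSERT INTO iphdr VALUES (1, ?, ?, ?)", (cid, ip2int(src), ip2int(dst)))
    conn.commit()
    return conn


SELECT = """
SELECT s.sig_gid || ':' || s.sig_sid, i.ip_src, i.ip_dst, e.timestamp
FROM event e
JOIN signature s ON s.sig_id = e.signature
JOIN iphdr i ON i.sid = e.sid AND i.cid = e.cid
"""


def fetch_alerts(conn, start, end):
    """Alerts with start <= timestamp < end; the window is bound as parameters,
    so whatever the GUI sends is compared as a string, never parsed as SQL."""
    sql = SELECT + "WHERE e.timestamp >= ? AND e.timestamp < ? ORDER BY e.timestamp, e.cid"
    return [(sig, int2ip(src), int2ip(dst), ts)
            for sig, src, dst, ts in conn.execute(sql, (start, end))]


def fetch_alerts_unsafe(conn, start, end):
    """Same query with the window spliced into the SQL text. An end value such as
    "0' OR '1'='1" turns the WHERE clause into 'all rows'. Shown for contrast only."""
    sql = SELECT + (f"WHERE e.timestamp >= '{start}' AND e.timestamp < '{end}' "
                    "ORDER BY e.timestamp, e.cid")
    return [(sig, int2ip(src), int2ip(dst), ts)
            for sig, src, dst, ts in conn.execute(sql)]


if __name__ == "__main__":
    db = build_sample_db()
    for row in fetch_alerts(db, "2002-12-06 00:00:00", "2002-12-07 00:00:00"):
        print(row)
```

The rows come back in the same shape the pre-processing step needs (signature id, source, destination, timestamp), so the GUI can hand them to the translator without touching the raw Snort output files.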


Page 16

Cost Estimation

Work Breakdown Structure (WBS): tree structure diagram

Software Artifact Sets (from Walker Royce):

- Requirement Set
- Design Set
- Implementation Set
- Deployment Set
- Management Set

Page 17

Cost Estimation

Work Breakdown Structure (WBS): artifacts by set

Management Set
1. SQAP
2. Project Plan 1.0
3. Project Plan 2.0
4. Project Evaluation
5. Test Plan 1.0
6. Testing Evaluation
7. Assessment Evaluation
8. Formal Requirement Specification
9. Formal Technical Inspection
10. Reference
11. Formal Technical Inspection letters

Requirement Set
1. Vision Document 1.0
2. Vision Document 2.0

Design Set
1. Architectural Design
2. Component Design

Implementation Set
1. Prototype 1.0
2. Prototype 2.0
3. Final Project

Deployment Set
1. User Manual

Page 18

Cost Estimation

Work Breakdown Structure (WBS): artifact sets per phase

SnIPS
- Phase 1: Management Set, Requirement Set, Implementation Set
- Phase 2: Management Set, Requirement Set, Design Set, Implementation Set
- Phase 3: Management Set, Design Set, Implementation Set, Deployment Set

Page 19

Cost Estimation – Phase 1 WBS

Phase 1
- Management Set: 1. Project Plan 1.0, 2. SQAP
- Requirement Set: 3. Vision Doc. 1.0
- Implementation Set: 4. Prototype 1.0

Task                  Estimated duration of task              Task dependencies
Project Plan 1.0      30 hr (10 pages * 3 hrs/page ≒ 30)      Vision Document 1.0
SQAP                  20 hr (7 pages * 3 hrs/page ≒ 20)       Vision Document 1.0, Project Plan 1.0
Vision Document 1.0   30 hr (10 pages * 3 hrs/page ≒ 30)      none
Prototype 1.0         40 hr (1200 LOC / 30 LOC/hr ≒ 40)       none

Page 20

Cost Estimation – Phase 2 WBS

Phase 2
- Management Set: 1. Project Plan 2.0, 2. Formal Requirement Specification, 3. Formal Technical Inspection, 4. Test Plan 1.0
- Requirement Set: 5. Vision Doc. 2.0
- Design Set: 6. Architectural Design 1.0
- Implementation Set: 7. Prototype 2.0

Task                              Estimated duration of task               Task dependencies
Project Plan 2.0                  15 hr (10 pages * 1.5 hrs/page ≒ 15)     Vision Document 2.0
Formal Requirement Specification  15 hr (5 pages * 3 hrs/page ≒ 15)        Vision Document 2.0
Formal Technical Inspection       2 hr                                     Formal Requirement Specification
Test Plan 1.0                     15 hr (5 pages * 3 hrs/page ≒ 15)        Architectural Design 1.0
Vision Document 2.0               15 hr (10 pages * 1.5 hrs/page ≒ 15)     none
Architectural Design 1.0          45 hr (15 pages * 3 hrs/page ≒ 45)       Project Plan 2.0
Prototype 2.0                     80 hr (40 hr * 2 ≒ 80)                   none

Page 21

Cost Estimation – Phase 3 WBS

Phase 3
- Management Set: 1. Project Evaluation, 2. Testing Evaluation, 3. Assessment Evaluation, 4. Reference, 5. Formal Technical Inspection Letters
- Design Set: 6. Component Design
- Implementation Set: 7. Final Project
- Deployment Set: 8. User Manual

Task                              Estimated duration of task           Task dependencies
Project Evaluation                15 hr (5 pages * 3 hrs/page ≒ 15)    Testing Evaluation
Testing Evaluation                15 hr (5 pages * 3 hrs/page ≒ 15)    Final Project
Assessment Evaluation             15 hr (5 pages * 3 hrs/page ≒ 15)    Testing Evaluation
Reference                         3 hr (1 page * 3 hrs/page ≒ 3)       Project and Assessment Evaluation
Formal Tech. Inspection Letters   2 hr                                 Testing Evaluation
Component Design                  45 hr (15 pages * 3 hrs/page ≒ 45)   none
Final Project                     120 hr (40 hr * 3 ≒ 120)             none
User Manual                       15 hr (5 pages * 3 hrs/page ≒ 15)    Testing Evaluation

Page 22

Cost Estimation – Project Timeline


Page 24

Software Quality Assurance Plan

Documentation: http://people.cis.ksu.edu/~tsuhsiwu/

- Standards, Practices, Conventions, and Metrics
- Reviews and Audits
- Testing
- Problem Reporting and Corrective Action
- Tools, Techniques, and Methodologies
- Records Collection, Maintenance, and Retention

Page 25

Phase 2 Deliverables

- Vision Document 2.0
- Project Plan 2.0
- Architectural Design 1.0
- Prototype 2.0
- Test Plan 1.0
- Formal Requirements Specification
- Formal Technical Inspection

Page 26

Questions & Answers

SnIPS Implementation and GUI