SnIPS Implementation and GUI. Tsung-Hsi Wu, M.S.E., Department of Computing and Information Science, Kansas State University


1

SnIPS Implementation and GUI

Tsung-Hsi Wu, M.S.E.

Department of Computing and Information Science

Kansas State University

2

Outline

Project Overview Prototype Project Requirements Cost Estimation Software Quality Assurance Plan Phase 2 Deliverables Q&A


4

Project Overview

SnIPS Background

- Snort Intrusion Analysis using Proof Strengthening.

- Dr. Simon Ou, Siva Raj Rajagopalan (HP Labs), and Sakthiyuvaraja Sakthivelmurugan

- An Empirical Approach to Modeling Uncertainty in Intrusion Analysis, 25th Annual Computer Security Applications Conference (ACSAC).

- Reason Under Uncertainty.

5

Project Overview

Reasoning Engine (Reason Under Uncertainty)

- Input question: Which machines are “certainly” compromised?

- Output: Answers with evidence

- Observation Correspondence / Internal Model

- Pre-processing -> Datalog tuples, fed from Snort, Netflow filter, and Log analyzer

Snort

- open source network intrusion detection system

- compares the payload of network packets with Snort Rules

- example rule: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES 403 Forbidden"; flow:from_server,established; content:"HTTP/1.1 403"; depth:12; classtype:attempted-recon; sid:1201; rev:7;)
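To make the "compare the payload with Snort Rules" step concrete, here is an added Python example (not code from the presentation or from Snort itself) that parses the slide's rule into its header and options and checks a constructed HTTP payload against the rule's content/depth window. The helper names, the SnortRule dataclass and the sample payloads are assumptions made for this example; the rule text is the one quoted above.

```python
import re
from dataclasses import dataclass

# Constructed input: the Snort rule quoted on the slide (sid 1201, rev 7).
RULE = ('alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any '
        '(msg:"ATTACK-RESPONSES 403 Forbidden"; flow:from_server,established; '
        'content:"HTTP/1.1 403"; depth:12; classtype:attempted-recon; sid:1201; rev:7;)')

@dataclass
class SnortRule:
    action: str
    proto: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: list   # (keyword, value) pairs in rule order; value is None for bare flags

# Rule header: action proto src src_port direction dst dst_port (option body)
HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)

def split_options(body):
    """Split the option body on ';' outside double quotes (backslash escapes honoured)."""
    parts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\':
            cur.append(ch)
            escaped = True
        elif ch == ';' and not in_quote:
            tok = ''.join(cur).strip()
            if tok:
                parts.append(tok)
            cur = []
        else:
            if ch == '"':
                in_quote = not in_quote
            cur.append(ch)
    tok = ''.join(cur).strip()
    if tok:
        parts.append(tok)
    return parts

def parse_rule(text):
    """Parse one Snort rule line into a SnortRule."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError('not a Snort rule header')
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = []
    for opt in split_options(body):
        key, sep, val = opt.partition(':')
        val = val.strip()
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        options.append((key.strip(), val if sep else None))
    return SnortRule(action, proto, src, sport, direction, dst, dport, options)

def content_checks(rule):
    """Collect each content: pattern with the offset/depth/nocase modifiers that follow it."""
    checks = []
    for key, val in rule.options:
        if key == 'content':
            # Hex byte sections (|41 42|) are not handled here; the slide's rule has none.
            checks.append({'pattern': val.encode(), 'offset': 0, 'depth': None, 'nocase': False})
        elif checks and key in ('offset', 'depth'):
            checks[-1][key] = int(val)
        elif checks and key == 'nocase':
            checks[-1]['nocase'] = True
    return checks

def payload_matches(rule, payload):
    """True when every content check finds its pattern inside its offset/depth window."""
    for c in content_checks(rule):
        start = c['offset']
        end = len(payload) if c['depth'] is None else start + c['depth']
        window, pattern = payload[start:end], c['pattern']
        if c['nocase']:
            window, pattern = window.lower(), pattern.lower()
        if pattern not in window:
            return False
    return True

def option(rule, key):
    """First value of the given option keyword, or None."""
    return next((v for k, v in rule.options if k == key), None)

if __name__ == '__main__':
    rule = parse_rule(RULE)
    print(option(rule, 'msg'), 'sid', option(rule, 'sid'))
    # Constructed payloads: a 403 response at the start of the stream matches, the rest do not.
    print(payload_matches(rule, b'HTTP/1.1 403 Forbidden\r\nServer: x\r\n\r\n'))
    print(payload_matches(rule, b'HTTP/1.1 200 OK\r\n'))
```

The depth:12 window is exactly the length of "HTTP/1.1 403", so the rule only fires when the status line opens the payload; a 403 that appears later in the stream is outside the window and does not match, which is the behaviour the depth modifier is meant to enforce.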

6

Project Overview

Pipeline commands (same diagram as the previous slide, annotated with the commands for each stage):

- Snort: sudo snort -c test.conf -i eth4

- Linux Command: python alert translator.py -h

- Linux Command: summarize.sh

- Linux Command: trace.sh

- Reasoning engine query: ?- show_trace(int(compromised(H),c))

GUI

Proof trace shown in the GUI:

int(probeOtherMachine('192.168.10.80',external),c,range(1904834156,0))
  strengthenedPf
int(probeOtherMachine('192.168.10.80',external),l,range(1904834156,0))
  summarizedFact skolem(0)
int(skol(probeOtherMachine('192.168.10.80',external)),p,range(1039206444,1904834156))
  intRule_1f
int(compromised('192.168.10.80'),l,range(1039206444,1039206444))
  summarizedFact skolem(10)

Observations (Datalog tuples produced by pre-processing):

obs(oid_1, snort('1:469', '128.111.49.46', '192.168.10.90', 1039203853)).
obs(oid_2, snort('1:469', '128.111.43.65', '192.168.10.80', 1039203994)).

Internal facts derived by the reasoning engine:

int(probeOtherMachine('192.168.10.80',external),l,skolem(0),range(1039206341,1039207768)).
int(suspicious(external,'192.168.10.90'),p,skolem(9),range(1039205847,1039205847)).
int(compromised('192.168.10.80'),l,skolem(10),range(1039206444,1039206444)).
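The obs/int facts above are what the reasoning engine emits and what the GUI (SR 8, the output web page) has to present. The following Python is an added example, not code from the presentation or from the SnIPS project: it parses such Prolog-style facts into nested Python terms, counts the observations, and reports for each internal condition the strongest mode seen. The SAMPLE text is constructed from the facts listed above; the MODE_RANK ordering (p possible < l likely < c certain), the class and function names are assumptions made for this example.

```python
import re

# Constructed sample: the obs/int facts listed on the slide, one Prolog-style fact per line.
SAMPLE = """
obs(oid_1, snort('1:469', '128.111.49.46', '192.168.10.90', 1039203853)).
obs(oid_2, snort('1:469', '128.111.43.65', '192.168.10.80', 1039203994)).
int(probeOtherMachine('192.168.10.80',external),l,skolem(0),range(1039206341,1039207768)).
int(suspicious(external,'192.168.10.90'),p,skolem(9),range(1039205847,1039205847)).
int(compromised('192.168.10.80'),l,skolem(10),range(1039206444,1039206444)).
"""

# Assumed meaning of the mode letters (possible < likely < certain); not spelled out on the slide.
MODE_RANK = {'p': 0, 'l': 1, 'c': 2}

# Tokens: quoted atom, bare atom, integer, or one of ( ) ,
TOKEN = re.compile(r"\s*(?:('(?:[^'\\]|\\.)*')|([A-Za-z_][A-Za-z0-9_]*)|(\d+)|([(),]))")

def tokenize(text):
    """Yield (kind, value) tokens for one fact."""
    pos = 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f'unexpected input at {pos}: {text[pos:pos + 10]!r}')
        pos = m.end()
        quoted, atom, num, punct = m.groups()
        if quoted is not None:
            yield ('atom', quoted[1:-1])
        elif atom is not None:
            yield ('atom', atom)
        elif num is not None:
            yield ('int', int(num))
        else:
            yield (punct, punct)

class TermParser:
    """Recursive-descent parser for terms: atom, integer, or name(arg, ...)."""
    def __init__(self, text):
        self.toks = list(tokenize(text))
        self.i = 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, want=None):
        kind, val = self.toks[self.i]
        if want is not None and kind != want:
            raise ValueError(f'expected {want}, got {val!r}')
        self.i += 1
        return val
    def term(self):
        if self.peek()[0] == 'int':
            return self.take('int')
        name = self.take('atom')
        if self.peek()[0] != '(':
            return name                     # plain atom such as external
        self.take('(')
        args = [self.term()]
        while self.peek()[0] == ',':
            self.take(',')
            args.append(self.term())
        self.take(')')
        return (name, tuple(args))          # compound term as (functor, args)

def parse_facts(text):
    """Parse every non-empty line 'fact.' into a compound term."""
    facts = []
    for line in text.splitlines():
        line = line.strip().rstrip('.')
        if line:
            p = TermParser(line)
            facts.append(p.term())
            if p.peek()[0] is not None:
                raise ValueError(f'trailing input in {line!r}')
    return facts

def summarize(facts):
    """Count obs/2 facts and keep the strongest mode (with its time range) per int/4 condition."""
    obs_count, strongest = 0, {}
    for name, args in facts:
        if name == 'obs':
            obs_count += 1
        elif name == 'int' and len(args) == 4:
            (pred, pred_args), mode, _skolem, (_, (t0, t1)) = args
            key = (pred, pred_args)
            if key not in strongest or MODE_RANK[mode] > MODE_RANK[strongest[key][0]]:
                strongest[key] = (mode, t0, t1)
    return obs_count, strongest

def compromised_hosts(strongest):
    """Hosts with a compromised/1 condition, strongest mode first (what an output page would list)."""
    rows = [(args[0], mode) for (pred, args), (mode, _, _) in strongest.items()
            if pred == 'compromised']
    return sorted(rows, key=lambda r: (-MODE_RANK[r[1]], r[0]))

if __name__ == '__main__':
    count, strongest = summarize(parse_facts(SAMPLE))
    print(count, 'observations')
    for host, mode in compromised_hosts(strongest):
        print(host, 'compromised, mode', mode)
```

Because the proof trace on the slide strengthens a condition from mode l to mode c, keeping only the strongest mode per condition is what lets a summary page answer the "certainly compromised" question without listing every intermediate derivation.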


7

Project Overview

Motivation

- Need friendly user interface

- What triggers the “Snort Alerts”

Goal

- GUI

- Implementation

-> Backtrack the alerts

-> Payload triggers Snort Rules


9

Prototype Demo

GUI Framework SnIPS Visualized Output

http://people.cis.ksu.edu/~tsuhsiwu/


11

Project Requirements

SnIPS GUI Framework Use Case – SnIPS GUI Component

12

Project Requirements

SnIPS GUI Framework

- SR 1.1: SnIPS GUI must be extendible

-> Object Oriented Design

13

Project Requirements Use Case – SnIPS GUI Component

14

Project Requirements Use Case – SnIPS GUI Component

- SR 2 (critical): Start and Stop Snort

- SR 3 (critical): Fetch alerts from MySQL

- SR 4 (critical): Fetch alerts based on time frame

- SR 5 (critical): Manage Snort Rules

- SR 6 (critical): Specify Configuration & Host Info

- SR 7 (critical): Run Pre-Processing & Reasoning

- SR 8 (critical): Webpage for Reasoning Engine Output

- SR 9 (non-critical): Represent Output in Graphical View


16

Cost Estimation

Work Breakdown Structure (WBS): tree structure diagram

Software Artifact Sets (from Walker Royce):

- Requirement Set

- Design Set

- Implementation Set

- Deployment Set

- Management Set

17

Cost Estimation

Work Breakdown Structure (WBS): artifacts per set

Management Set:

1. SQAP
2. Project Plan 1.0
3. Project Plan 2.0
4. Project Evaluation
5. Test Plan 1.0
6. Testing Evaluation
7. Assessment Evaluation
8. Formal Requirement Specification
9. Formal Technical Inspection
10. Reference
11. Formal Technical Inspection letters

Requirement Set:

1. Vision Document 1.0
2. Vision Document 2.0

Design Set:

1. Architectural Design
2. Component Design

Implementation Set:

1. Prototype 1.0
2. Prototype 2.0
3. Final Project

Deployment Set:

1. User Manual

18

Cost Estimation

Work Breakdown Structure (WBS): SnIPS by phase

- Phase 1: Management Set, Requirement Set, Implementation Set

- Phase 2: Management Set, Requirement Set, Design Set, Implementation Set

- Phase 3: Management Set, Design Set, Implementation Set, Deployment Set

19

Cost Estimation – Phase 1 WBS

Phase 1 artifacts: Management Set (1. Project Plan 1.0, 2. SQAP); Requirement Set (3. Vision Doc. 1.0); Implementation Set (4. Prototype 1.0)

Task: estimated duration (basis); task dependencies

- Project Plan 1.0: 30 hr (10 pages * 3 hrs/page ≒ 30); depends on Vision Document 1.0

- SQAP: 20 hr (7 pages * 3 hrs/page ≒ 30); depends on Vision Document 1.0, Project Plan 1.0

- Vision Document 1.0: 30 hr (10 pages * 3 hrs/page ≒ 30)

- Prototype 1.0: 40 hr (1200 LOC * 30 LOC/HR)

20

Cost Estimation – Phase 2 WBS

Phase 2 artifacts: Management Set (1. Project Plan 2.0, 2. Formal Requirement Specification, 3. Formal Technical Inspection, 4. Test Plan 1.0); Requirement Set (5. Vision Doc. 2.0); Design Set (6. Architectural Design 1.0); Implementation Set (7. Prototype 2.0)

Task: estimated duration (basis); task dependencies

- Project Plan 2.0: 15 hr (10 pages * 1.5 hrs/page ≒ 30); depends on Vision Document 2.0

- Formal Requirement Specification: 15 hr (5 pages * 3 hrs/page ≒ 30); depends on Vision Document 2.0

- Formal Technical Inspection: 2 hr; depends on Formal Requirement Specification

- Test Plan 1.0: 15 hr (5 pages * 3 hrs/page ≒ 30); depends on Architectural Design 1.0

- Vision Document 2.0: 15 hr (10 pages * 1.5 hrs/page ≒ 30)

- Architectural Design 1.0: 45 hr (15 pages * 3 hrs/page ≒ 45); depends on Project Plan 2.0

- Prototype 2.0: 80 hr (40 * 2 ≒ 80)

21

Cost Estimation – Phase 3 WBS

Phase 3 artifacts: Management Set (1. Project Evaluation, 2. Testing Evaluation, 3. Assessment Evaluation, 4. Reference, 5. Formal Technical Inspection Letters); Design Set (6. Component Design); Implementation Set (7. Final Project); Deployment Set (8. User Manual)

Task: estimated duration (basis); task dependencies

- Project Evaluation: 15 hr (5 pages * 3 hrs/page ≒ 15); depends on Testing Evaluation

- Testing Evaluation: 15 hr (5 pages * 3 hrs/page ≒ 15); depends on Final Project

- Assessment Evaluation: 15 hr (5 pages * 3 hrs/page ≒ 15); depends on Testing Evaluation

- Reference: 3 hr (1 page * 3 hrs/page ≒ 3); depends on Project and Assessment Evaluation

- Formal Tech. Inspection Letters: 2 hr; depends on Testing Evaluation

- Component Design: 45 hr (15 pages * 3 hrs/page ≒ 45)

- Final Project: 120 hr (40 * 3 ≒ 120)

- User Manual: 15 hr (5 pages * 3 hrs/page ≒ 15); depends on Testing Evaluation

22

Cost Estimation – Project Timeline


24

Software Quality Assurance Plan

Documentation: http://people.cis.ksu.edu/~tsuhsiwu/

- Standards, Practices, Conventions, and Metrics

- Reviews and Audits

- Testing

- Problem Reporting and Corrective Action

- Tools, Techniques, and Methodologies

- Records Collection, Maintenance, and Retention

25

Phase 2 Deliverables

- Vision Document 2.0

- Project Plan 2.0

- Architectural Design 1.0

- Prototype 2.0

- Test Plan 1.0

- Formal Requirements Specification

- Formal Technical Inspection

26

Questions & Answers

SnIPS Implementation and GUI