CSCI862 System Security

Intrusion detection system

You are to implement, in C/C++ or Java, an intrusion detection system in the sense of that described in the lecture notes. We are assuming all activities are associated with the same user. No GUI implementation is required in this assignment. Your code must work on Banshee. Code cannot be compiled or executed may receive a zero mark.

You must provide compilation instructions for your program and the produced program should be named IDSE. It should run with the command

IDSE Events.txt Base-Data.txt Test-Events.txt

where the three files do not need to have those names but will follow the formats given below. A Java program should run with Java in front of the command.

There are some files that you will work from. An example of each and the generic structure of each are provided. Examples of the required output will be demonstrated.

A specific example of the first file, Events.txt is

5

Logins:2:Total time online:1:Emails sent:1:Orders processed:1: Pizza’s ordered online:0.5:

The general format is

Number of monitored events

Event-1:Weight-1:Event-2:Weight-2:Event-3:Weight-3:Event-4:Weight-4: Event-5:Weight-5: ........

Only four events are recorded per line. There will be multiple lines, as many as are necessary to give the details of the specified Number of Monitored Events. Number of Monitored Events will be a positive integer no greater than 20.

The second file, Base-Data.txt contains data based on measuring output associated with the events described in the file Events.txt. Part of a specific example of the second file, associated with the specific example of the first file above, is:

3:290:61:148:2:

2:370:50:173:4:

5:346:87:131:1:.

3:325:60:145:5:

The general format for a single line of the file isMeasure-Event-1:Measure-Event-2:Measure-Event-3:....:Measure-Event-Number of monitored events:

Each line contains the measures from a particular day. Each entry is the value associated with that event on a particular day.

The third file, Test-Events.txt, has the same form as Base-Data.txt, but each line is to be processed and tested against the base profile. Each corresponds to a days activity. These lines are not to be taken

into account in determining the baseline behaviour of the user. A specific example is:

5:387:75:120:2:

1:123:25:50:5:

The general format for a single line of the file is

Measure-Event-1:Measure-Event-2:Measure-Event-3:....:Measure-Event-Number of monitored events:

What do you need to do?

1. Read in the first two files, produce a base profile, and report it, as in the example below. As mentioned earlier, this is all assumed to be for a single user. You have been given the event names and the weights in the first file, Events.txt. You need to calculate the average and standard deviation (stdev) based on the data given in the second file, Base-Data.txt. The average and standard deviation should be listed to two decimal places only.

Your output doesn’t need to follow this exact format but it should be clear.

1. Calculate a threshold for detecting an intrusion. The threshold is 2 (Sums of weights). This should be reported. For the table above we have

Threshold 11

Your output doesn’t need to follow this exact format but it should be clear.