# Network Intrusion Detection

Network Security Spring 2021
Due

The goals of this assignment are to:

1. Create a network intrusion detection system
2. Gain first-hand insight into dealing with IDS evasion

## NIDS Specification

Using any library of your choice, implement a network intrusion detection system that can process PCAP files. Your NIDS must be able to detect three “attacks” in TCP traffic represented by the following signatures:

1. iOwIVM5mu1Qc5QsUR11iFhgc3aB//ITN8hivvCrfSn8=
2. GtV6G6z3BWTvxqd0Eh4zD81UZlsDtOWQtF1/9kGRBTc=
3. 8DJNxln1Gv65fYpjwat2fYkRTCz023YUT1yKZWCfFWI=

Note that these signatures are shown base64-encoded here, but your NIDS must match against the decoded byte vectors (each signature decodes to 32 bytes), not against the base64 text.
In addition, your NIDS must model how the receiving host handles the traffic, since each of the following can be abused to hide an attack from a detector that simply scans every packet it sees:

• IPv4 and TCP checksum verification (a host silently discards packets whose checksums fail, so such packets must not produce detections)
• IPv4 fragment reassembly using the “Linux” policy for resolving overlapping fragments
• IPv4 fragment reassembly using the first and last policies (graduate only)
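The checksum requirement is the easiest of the three to get subtly wrong (forgetting the TCP pseudo-header, or checksumming Ethernet padding that follows the IP total length). The following Python is an added illustration, not code from the handout: it constructs an IPv4/TCP packet with valid checksums, then verifies both the way a detector should before it scans the payload. The addresses, ports, payload and function names are hypothetical.

```python
import socket
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words.

    An odd trailing byte is zero-padded. Returns the complemented, folded sum,
    so a buffer whose checksum field is already correct yields 0.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4/TCP packet with valid checksums (test input, not captured traffic)."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp_len = 20 + len(payload)
    # version/IHL, TOS, total length, ID, DF flag, TTL 64, protocol TCP, checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    # ports, seq 1, ack 0, data offset 5 words, PSH|ACK, window, checksum 0, urgent 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    # TCP checksum covers a pseudo-header (src, dst, zero, protocol, TCP length) too
    pseudo = struct.pack("!4s4sBBH", s, d, 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp + payload)) + tcp[18:]
    return ip + tcp + payload


def verify_ipv4_tcp(pkt: bytes) -> tuple:
    """Return (ip_ok, tcp_ok) for a raw IPv4 packet.

    Non-TCP or truncated packets report tcp_ok=False: a segment that cannot be
    validated must not be scanned as if the endpoint had accepted it.
    """
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    ip_ok = inet_checksum(pkt[:ihl]) == 0
    if pkt[9] != 6 or len(pkt) < total_len or total_len < ihl + 20:
        return ip_ok, False
    segment = pkt[ihl:total_len]  # stop at total length: link-layer padding is not covered
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, 6, len(segment))
    return ip_ok, inet_checksum(pseudo + segment) == 0


def tcp_payload(pkt: bytes) -> bytes:
    """Bytes the endpoint hands to the application; only meaningful if both checks pass."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    data_off = (pkt[ihl + 12] >> 4) * 4
    return pkt[ihl + data_off:total_len]


if __name__ == "__main__":
    good = build_ipv4_tcp("10.0.0.1", "10.0.0.2", 34567, 1234, b"GET / HTTP/1.1\r\n")
    decoy = bytearray(good)
    decoy[-1] ^= 0xFF  # payload altered after the checksum was computed, as an inserted decoy would be
    print(verify_ipv4_tcp(good), verify_ipv4_tcp(bytes(decoy)))
```

Run it and the constructed packet verifies as `(True, True)` while the altered copy verifies as `(True, False)`: the decoy carries a valid IP header, so it travels end to end, but the target's TCP stack drops it, and a detector that scanned its payload anyway could be fed arbitrary bytes that the target never sees.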

Your detector must take a single parameter representing the path to a PCAP file. Detections must be printed to stdout as JSON objects. The format of a single detection is as follows:

```
{
  "timestamp": 1600890293,   # UNIX timestamp
  "source": {
    "tcp_port": 34567        # Source TCP port
  },
  "target": {
    "tcp_port": 1234         # Target TCP port
  },
  "attack": 1                # Signature index (1-3)
}
```

The `#` comments above are explanatory only; JSON has no comment syntax, and your output must be plain JSON objects.

Whitespace formatting doesn’t matter, but do ensure that no other data is written to stdout aside from a stream of detection messages. Feel free to write whatever you like to stderr.
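The fragment-reassembly requirement above is where the choice of policy changes what your detector sees: when fragments overlap, different hosts keep different bytes, and a signature assembled one way may be absent another way. The Python below is an added example, not part of the handout, and implements all three policies over constructed fragments. The "linux" policy mirrors the classic insertion rules of the kernel's `ip_frag_queue()` as described by Shankar and Paxson and used in Snort's frag3 (an earlier-queued fragment with a strictly lower offset keeps its bytes; fragments at an equal or higher offset are trimmed or dropped by a newcomer). Note as a caveat that Linux kernels since 4.19 discard datagrams with overlapping fragments outright, so the policy modelled here is the historical one this assignment names. The `Fragment` type, the function names and the sample fragments are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Fragment:
    offset: int     # byte offset into the datagram (header fragment-offset field * 8)
    payload: bytes  # this fragment's slice of the IP payload
    more: bool      # IPv4 MF flag; False marks the final fragment


def _linux_chain(frags: List[Fragment]) -> List[tuple]:
    """Replay the classic Linux ip_frag_queue() insertion rules in arrival order.

    The queue is kept sorted and non-overlapping. A queued fragment with a
    strictly lower offset keeps the bytes it already holds (the newcomer's head
    is trimmed, or the newcomer is dropped if fully covered). Queued fragments
    at an equal or higher offset lose whatever the newcomer covers.
    """
    chain: List[tuple] = []  # (offset, data), sorted by offset
    for f in frags:
        off, data = f.offset, f.payload
        end = off + len(data)
        idx = 0
        while idx < len(chain) and chain[idx][0] < off:
            idx += 1
        if idx > 0:  # overlap with the preceding (lower-offset) fragment
            prev_off, prev_data = chain[idx - 1]
            overlap = prev_off + len(prev_data) - off
            if overlap > 0:
                if end <= off + overlap:
                    continue  # entirely inside an earlier, lower fragment: dropped
                off, data = off + overlap, data[overlap:]
        while idx < len(chain) and chain[idx][0] < end:  # overlap with following fragments
            nxt_off, nxt_data = chain[idx]
            overlap = end - nxt_off
            if overlap < len(nxt_data):
                chain[idx] = (nxt_off + overlap, nxt_data[overlap:])  # eat its head
                break
            del chain[idx]  # completely overridden by the newcomer
        chain.insert(idx, (off, data))
    return chain


def reassemble(frags: List[Fragment], policy: str) -> Optional[bytes]:
    """Reassemble one datagram (same src, dst, ID, protocol) under a policy.

    policy is "first" (earliest-arriving bytes win), "last" (latest-arriving
    bytes win) or "linux". Returns None while the datagram is incomplete.
    """
    if policy == "linux":
        pieces = _linux_chain(frags)  # already non-overlapping
    else:
        pieces = [(f.offset, f.payload) for f in frags]
    bytemap: Dict[int, int] = {}
    for off, data in pieces:
        for i, b in enumerate(data):
            if policy == "last" or (off + i) not in bytemap:
                bytemap[off + i] = b
    finals = [f for f in frags if not f.more]
    if not finals:
        return None
    total = finals[-1].offset + len(finals[-1].payload)
    if any(pos not in bytemap for pos in range(total)):
        return None
    return bytes(bytemap[pos] for pos in range(total))


# Constructed arrival sequence for one datagram (not taken from any real capture).
ARRIVALS = [
    Fragment(0, b"A" * 16, True),    # original, covers bytes 0..15
    Fragment(8, b"D" * 8, True),     # later, higher offset: Linux keeps A's bytes
    Fragment(0, b"E" * 8, True),     # later, equal offset: Linux lets E override A
    Fragment(16, b"C" * 8, False),   # final fragment, no overlap
]


def policy_views() -> Dict[str, Optional[bytes]]:
    """What a host following each policy ends up processing for ARRIVALS."""
    return {p: reassemble(ARRIVALS, p) for p in ("first", "last", "linux")}


if __name__ == "__main__":
    for policy, view in policy_views().items():
        print(policy, view)
```

The three policies produce three different datagrams from the same four fragments, so a signature has to be matched against the bytes reassembled the way the target host would reassemble them, not against individual fragments. Keep reassembly keyed on (source, destination, ID, protocol), and do not scan a datagram until the final fragment has arrived and the byte range is fully covered.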

## Submission Instructions

Package your solution as a gzipped TAR archive. Your solution should have the following basic structure:

```
$ tree -F nids
nids
├── Dockerfile
└── src/
```

The root directory must be named nids, and the source code to your NIDS should be contained in src/. Your Dockerfile should produce an image that runs your solution on a PCAP file, which you can assume has been mounted into your running container; the image's entry point therefore has to accept the PCAP path as its single argument. For instance, given a PCAP file at eval.pcap in the current working directory, your solution must execute on this input when the container is run as follows:

```
$ docker run -it -v $(pwd)/eval.pcap:/eval.pcap:ro ${image_name} /eval.pcap
```

Submit the solution archive to Canvas.