Network Intrusion Detection

Network Security Spring 2021

The goals of this assignment are to:

  1. Create a network intrusion detection system
  2. Gain first-hand insight into dealing with IDS evasion

NIDS Specification

Using any library of your choice, implement a network intrusion detection system that can process PCAP files. Your NIDS must be able to detect three “attacks” in TCP traffic represented by the following signatures:

  1. iOwIVM5mu1Qc5QsUR11iFhgc3aB//ITN8hivvCrfSn8=
  2. GtV6G6z3BWTvxqd0Eh4zD81UZlsDtOWQtF1/9kGRBTc=
  3. 8DJNxln1Gv65fYpjwat2fYkRTCz023YUT1yKZWCfFWI=

Note that these signatures are base64-encoded here, but your NIDS should match against the decoded byte vectors.

Your NIDS should support:

  • IPv4 and TCP checksum verification
  • IPv4 fragment reassembly using the “Linux” policy
  • IPv4 fragment reassembly using the first and last policies (graduate only)

Your detector must take a single parameter representing the path to PCAP file. Detections must be printed to stdout as JSON objects. The format of a single detection is as follows:

    "timestamp": 1600890293,                    # UNIX timestamp
    "source": {
        "mac_address": "00:11:22:33:44:55",     # Source MAC address
        "ipv4_address": "",             # Source IPv4 address
        "tcp_port": 34567                       # Source TCP port
    "target": {
        "mac_address": "66:77:88:99:aa:bb",     # Target MAC address
        "ipv4_address": "",             # Target IPv4 address
        "tcp_port": 1234                        # Target TCP port
    "attack": 1                                 # Signature index (1-3)

Whitespace formatting doesn’t matter, but do ensure that no other data is written to stdout aside from a stream of detection messages. Feel free to write whatever you like to stderr.

Submission Instructions

Package your solution as a gzipped TAR archive. Your solution should have the following basic structure:

$ tree -F nids
├── Dockerfile
└── src/

The root directory must be named nids, and the source code to your NIDS should be contained in src/. Your Dockerfile should produce an image that runs your solution on a PCAP file, which you can assume has been mounted into your running container. For instance, given a PCAP file at eval.pcap in the current working directory, your solution must execute on this input when executed as follows:

$ docker run -it -v $(pwd)/eval.pcap:/eval.pcap:ro ${image_name} /eval.pcap

Submit the solution archive to Canvas.