The first step in the design of the system is to monitor the network traffic. Programs such as “Httpfox”, “Snort” or “Wireshark” can be used to monitor the traffic. This category of program can ‘sniff’ the traffic on a continuous basis, which is ideal for intrusion detection systems. An example of the data received when Wireshark is sniffing the network can be seen in Figure . Included in the data is the Destination IP, the Source IP, the Protocol and different information about each packet. All of these different programs have the ability to save the network packets into a text (.txt) file; this would make it easier for the IDS to read the packets.
Figure - Wireshark Packet Capture
The first step in the design of the IDS was to examine the network packets and have a good understanding of the data provided in each of the packets. Being able to determine the relevant information in the packets would greatly reduce the time spent when finding common sequences within the proxy packets. Therefore Wireshark would initially be used to monitor the network traffic, with the results from the monitoring displayed in a text file, this text file will be key to determine how to detect an anonymous proxy. As the main program being used to ‘sniff’ the network packets was Wireshark, the initial idea was that it could be used in conjunction with the proxy detection script. This however meant that the program would not be standalone, which would not have been ideal. As the IDS’s main purpose is to work on different platforms as a standalone program, a program wrote in Python was used. This program examined all the packets coming into and leaving the network. From this it could be altered to print all the packets to a log file so they could be examined, or run in the background scanning each of the packets as they entered/exited.
5.2 Software used
Python was used as IDS is run on multiple platforms as the network administrator may be using more than Windows. One of the main libraries’ used in the Python script is the Pcapy python library. Pcapy can be defined as follows “Pcapy is a Python extension module that interfaces with the libpcap packet capture library. Pcapy enables python scripts to capture packets on the network”29. The Pcapy library will be used alongside other libraries in the script to produce the IDS. One of the other main libraries is the ‘re’ library30. The ‘re’ library provides support for regular expressions which will be used frequently within the script; these regular expressions will be used to match different key words against words in the network packets.
5.3 System Design
The main flow can be viewed in Figure . The network administrator will start the program running; they can do so by running it on the command line or using a python program such as IDLE31, IDLE is the python IDE, it’s a multi-platform IDE with a multi window text editor, it also has a python shell window, where the network administrator can interact with the program. Once the program is started, a list of all the available network interfaces is presented.
Figure - Network Interfaces
Each of the available network interfaces is listed with a number, so the administrator can select the interface they require, Figure shows the list of interfaces that are available to be selected. Unfortunately the list that is printed to the console is unreadable, and can only be found through the Registry Editor. However as each of the interfaces are listed in order, the administrator can go to ‘Control Panel\Network and Internet\Network Connections’ and view each of the different network interfaces available, the administrator can then count over and find the one that represents the interface they require.
Once the interface is selected, the IDS starts scanning the network packets continuously. When the script has started a new directory is created. This directory stores all the log files that are created when the IDS is in use. Along with a directory being created, a log file is created to store any proxies found when it is running. A new log file is created each time the program is restarted, to differentiate between the logs a date and time is supplied within the log file name. A list of common characteristic strings that each of the different proxies has when the network packets are traversing the network is necessary. Each of the proxies or onion routing applications have their own unique characteristics which make them different from a normal web browsing network packet. As each proxy has its own unique characteristics, this however does not mean if one of the characteristics is found then it is definitely a proxy. Each of the proxies have to match two or more of the characteristics before they are flagged up to the administrator and printed to the log file. As the program is designed to work in large networks, there could be many different proxies or onion routing applications being used at the same time. Matching the different characteristics and printing the result to the log is vital. As the program is running continuously, each packet containing the matched characteristics will be printed to the log, providing the type of proxy, the date and time each packet went through the network and all the different information contained in the packet. This information that is contained in the packet will allow the administrator to track down the computer using the proxy and disable the access or query the usage of the proxy. The time it takes from a proxy entering the network and it being logged should ideally only be a few seconds; this enables the administrator to quickly find the proxy user.
Administrator starts the system
Enters the number of the network interface that they want to scan
System scans the network
No
User presses exit
No
Proxy Found?
Exit System
Is user finished?
Yes
Yes
Print proxy to log
Figure - System Flow
Share with your friends: |