Software System Engineering

CmpE 202 Practice Problems

Practice Problem (13)

Network Intrusion Detection System

_________________________________________________________________________ Read the following problem statement and perform the following: 1. Use Case Diagrams and Use Cases. Use one or more diagrams to describe all the actors in
design session problem and how they will interact with the Use Cases of your system. Provide Flow of Events for all of your Use Cases. Use associations, aggregations, and generalization in the use case diagram(s) and dont forget to use multiplicities. Use case diagram(s) textual description is a must. Use the following template to document your use cases. 1. Use Case Id. 2. Use Case Title 3. Actors & Corresponding Roles 4. Corresponding Classes 5. Corresponding Attributes 6. Corresponding Interfaces (7. Class Classification: EBTs, Business Objects, and Industrial Objects for software stability model) 8. Use Case Description 9. Alternatives

Evaluation: Use the model essentials to evaluate the use case models.
2. Document all the CRC cards for all the (classes) classes in the design session problems (CRC stands for Class Responsibility and Collaborations) Class Name (Role) Collaborations Responsibility Clients Servers

Evaluation: Use the model essentials to evaluate the CRC cards.

3. Class diagram (Traditional Model). Create a class diagram of the design session problems based on the Traditional Model. Class diagram should include all attributes and methods for the class. All class relationships (associations, aggregations, dependencies, and specializations) should be included in the class diagram. Association classes, interface classes, constraints, interfaces, tagged values and/or stereotypes, and notes must be included in the class diagram. Evaluation: Use the model essentials to evaluate the class diagram (Traditional). 4. Sequence diagrams. Sequence diagrams will be used to "realize" Use Cases. All Use cases should be described through sequence diagrams. The sequence diagrams can describe the same Use Cases that a flow of events was created for in the Use Case portion of the assignment. Evaluation: Use the model essentials to evaluate the sequence diagrams. 5. Activity Diagram. Activity diagram is similar to procedural flow charts except that all activities are uniquely associated with objects. Activity diagrams support the description of parallel activities. Activity diagrams: (a) Describes how activities are coordinated; (b) Is particularly useful when you know that an operation has to achieve a number of different things, and you want to model what the essential dependencies between them are, before you decide in what order to do them; (c) Records the dependencies between activities, such as which things can happen in parallel and what must be finished before something else can start; and (4) Represents the workflow of the process. Activities, transitions, decision diamond, constraints, synchronization and splitting bars, boundaries, and start & stop markers must be included in the class diagram. Evaluation: Use the model essentials to evaluate the Activity diagrams.

Iterate: Redo 1, 2, 5, and 6 with stability in mind where:

Class diagram (Stability Model). Create a new Class diagram of the design session problems based on the EBTs, BOs, and IOs. Class model should include all attributes and methods for the class. All class relationships (associations, aggregations, dependencies, and specializations) should be included in the Class diagram. Association classes, interface classes, constraints, interfaces, tagged values and/or stereotypes, and notes must be included in the class diagram. Evaluation: Use the model essentials to evaluate the class diagram (Stability Model). _________________________________________________________________________

Network Intrusion Detection System Abstract

The system detects any intrusion in the network by constantly monitoring the network traffic. Network intrusion is a method in which a person exploits the software features and bugs to gain unauthorized access to the system. In the extreme case, he/she may access well-known ports and services to infect the system with viruses and worms bringing down the network performance. Various sensors, like operating system sensors and network sensors, are installed at strategic locations through out the enterprise network to monitor network performance.

Domain
In our system IDS is installed on the server side, which serves local hosts and users over internet as shown in figure.1. There are four actors in the system namely monitor, user, network and system administrator. User sends request to the server over the internet or LAN and IDS will analyze the packets received by the server. This IDS detects both internal and external intrusions. If it detects any intrusion then it alerts system administrator.
System Administrator Server IDS User App1 User App2 Router Host1 Host2 Hostn Internet . User Appn

System Description
Network Intrusion Detection system (NIDS) is a system which monitors network intrusion. Intrusion may be detected by techniques like anomaly detection, signature pattern matching etc. Anomaly detection is a method in which normal network behavior is captured and any abnormality in the network is detected such as a sudden increase in network traffic rate (number of IP packets per second). Signature pattern matching is a method in which network data is compared with the known attack techniques that are saved in a database. For example an IDS that watches web servers might be programmed to look for string phf as an indicator for a CGI program attack. Intrusion is detected and system administrator is alerted about the kind of intrusion when any one of the following events takes place: 1. If a foreign entity has been detected in a log entry. 2. If user tries to access information which is beyond his/her access.

3. Baseline for critical system resources is measured such as cpu utilization, file entries, disk activity, user logins etc. Then the system can trigger when there is a deviation from this baseline.

Use Cases
Actors: 1) User User sends request to server and server responds by providing the requested service. 2) Network Network carries the IP packets from source to destination. 3) IDS IDS takes the packets from the network, analyses the packets. 4) System Administrator System Administrator is alerted by the IDS of any suspicious activity or whenever intrusion is detected.

Use Case Description

1) IP Packets Network gives the IP Packets to IDS which does further processing of these packets. 2) Anomaly Detection If IDS Detects any abnormality in the network traffic, then it triggers the alert system 3) Signature recognition IDS examines the traffic looking for well-known patterns of attack, which are saved in pattern database and triggers the alert system, if a match is found. 4) Alert System Whenever triggered by anomaly detection or signature recognition, it alerts the system administrator.

Use Case Diagram

Network IDS IP Packets

Login

Pattern Database

User Anomaly detection Alert

Admin

Signature Recognition