TCP Stream Re-assembly and Web-based GUI for Sachet IDS

Palak Agarwal, Roll Number: Y4111033, February 2007

Supervisor: Dr. Dheeraj Sanghi

Sachet is a Network based Intrusion Detection System developed at IIT Kanpur. It monitors the network traffic to detect any unwanted attempts to compromise the security of the network by malicious users. Recently an Intrusion Prevention functionality was also added to it. IPS monitors network traffic inline and prevent intrusions by dropping the malicious packets before they reach the actual host. In this thesis, we are adding two functionalities needed to enhance the utility of the system.

One of the major techniques to prevent an IDS/IPS from detecting an attack is through splitting the signature into two packets of a TCP Connection. As the IDS/IPS checks for signature in each packet individually it would not be able to detect this attack. However, on the host machine these packets would be re-assembled and a stream of data is available to the application. Hence, it would get compromised. We are adding a TCP Re-assembly module to our IPS so that it can detect those attacks which would have went though undetected.

We are also adding a Web based Graphical User Interface to the system so that a network administrator can monitor the IDS from a remote machine. Currently, the information about the alerts (and the status of network and nodes) can be monitored only from the server machine.

Download Thesis in PDF

Back to the list of MTech theses

Palak Agarwal can be reached at palak.agarwal[AT]