A computer network can be attacked in a number of ways. The security-related threats have become not only numerous but also diverse, and they may also come in the form of blended attacks. It becomes difficult for any security system to block all types of attacks. This gives rise to the need for an incidence handling capability, which is necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited and restoring the computing services. Incidence response has always been an important aspect of information security, but it is often overlooked by security administrators. In this paper, we propose an automated system which will handle the security threats and make the computer network capable enough to withstand any kind of attack. We also present the state-of-the-art technology in computer, network and software which is required to build such a system.
Deep Dive into Incidence Handling and Response System.
(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 2, No. 1, 2009
Incidence Handling and Response System
(make the computer network more secure and capable enough to withstand any kind of attack.)
Prof. Dhananjay R. Kalbande
Asst. Professor, Dept. of Computer Engg.
Sardar Patel Institute of Technology (SPIT),
Mumbai, India.
E-mail: k_dhananjay@yahoo.com
Mr. Manish Singh
Student
Sardar Patel Institute of Technology (SPIT),
Mumbai, India.
E-mail: manishspit@yahoo.co.in
Prof. Dr. G. T. Thampi
Principal
Pillai’s Institute of Information Technology (PIIT),
New Panvel, India
E-mail: gtthampi@yahoo.com
Abstract- A computer network can be attacked in a number of ways. The security-related threats have become not only numerous but also diverse, and they may also come in the form of blended attacks. It becomes difficult for any security system to block all types of attacks. This gives rise to the need for an incidence handling capability, which is necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited and restoring the computing services. Incidence response has always been an important aspect of information security, but it is often overlooked by security administrators. In this paper, we propose an automated system which will handle the security threats and make the computer network capable enough to withstand any kind of attack. We also present the state-of-the-art technology in computer, network and software which is required to build such a system.
Key Words- Incidence, Incidence Handling, Computer Security, Information Security, Disaster Recovery, Blocking The Attacks
I. INTRODUCTION
In an organization, thousands of possible signs of incidents may occur each day. The organizations that are attacked typically call a Computer Security and Incident Response Team (CSIRT) to handle the incident. However, CSIRTs are not accessible to all. A system can be built which utilizes the services of host-based and network-based IDPSs, firewalls, antivirus and other tools to detect incidents; uses auditing and forensic tools to gather evidence of the incident; implements event correlation and centralized logging to intelligently analyze and classify incidents; and mitigates incidents and restores the system to a stable state. We aim at developing such an automated system.
We make use of the required software and tools to build the system in the following way:
• We convert Snort, which is a network IDS, into an adaptive IDS/IPS.
• We make use of a host-based IDS, i.e. Tripwire, to ensure the integrity of critical system files and directories by identifying all changes made to them.
• We use The Sleuth Kit to examine the file system and the layout of disks and other media of the suspected computer.
• We install the Clam AntiVirus toolkit to scan files and e-mails from the command line.
• We make use of the SSH protocol to establish a secure connection between two systems.
• We use Tcpdump to sniff packets over the network.
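The integrity-checking idea behind the Tripwire bullet above, as an added example that is not the paper's or Tripwire's code: hash every file under a monitored tree into a baseline, take a later snapshot, and report the files that were added, removed or modified. The monitored tree and the changes made to it are constructed in a temporary directory; the paths and contents are made up for the demonstration.

```python
"""Added example: a Tripwire-style file integrity baseline and comparison.
Illustrative code written for this page, not Tripwire's implementation."""
import hashlib
import os
import tempfile
from typing import Dict, Set


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every file under root (path relative to root, '/' separators) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Classify the differences between the stored baseline and a fresh snapshot."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": cur_keys - base_keys,
        "removed": base_keys - cur_keys,
        "modified": {p for p in base_keys & cur_keys if baseline[p] != current[p]},
    }


def demo() -> Dict[str, Set[str]]:
    """Constructed scenario: baseline three files, then change the tree and re-check."""
    with tempfile.TemporaryDirectory() as root:
        sample = {
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "bin/ls": b"ELF-ls-original",
            "etc/hosts": b"127.0.0.1 localhost\n",
        }
        for rel, data in sample.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        baseline = build_baseline(root)

        # Constructed changes: one binary altered, one file added, one removed.
        with open(os.path.join(root, "bin/ls"), "wb") as fh:
            fh.write(b"ELF-ls-altered")
        with open(os.path.join(root, "bin/unexpected"), "wb") as fh:
            fh.write(b"new content")
        os.remove(os.path.join(root, "etc/hosts"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {sorted(paths)}")
```

In a real deployment the baseline itself must live somewhere an intruder on the monitored host cannot rewrite (read-only media or a separate host), otherwise a modified binary and a re-hashed baseline look identical to a clean system.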
Figure 1. System Context Diagram Of Incidence Handling And Response System
II. SOFTWARES AND TOOLS TO BE USED
A. Network Intrusion Detection System (NIDS)
NIDS are intrusion detection systems that capture data packets traveling on the network media (cables, wireless) and match them to a database of signatures.
Figure 2. Architecture Of Network Intrusion Detection System
Depending upon whether a packet is matched with an intruder signature, an alert is generated or the packet is logged to a file or database.
Packet Capture Library: Supports raw packet capture (packet sniffing).
Packet Decoder: Once captured, packets are passed to a packet decoder so that they can be translated into the IDS’s internal data structure, which provides a uniform basis for packet analysis.
Preprocessor: Preprocessors are very important for any IDS; they prepare data packets to be analyzed against the rules in the detection engine.
The Detection Engine: The detection engine is the most important part of an IDS. Its responsibility is to detect whether any intrusion activity exists in a packet.
Output Plug-in: If suspicious activity is identified by the detection engine, output plug-ins are called to generate administrative alerts.
In this project, we configure Snort and run it in IDS mode so that the packets or alerts are logged into a file, say alerts.ids, in the /var/log/snort directory.
We make use of classification.config, located in /etc/snort, to filter the log file alerts.ids and separate the IP addresses from which attacks such as a portscan or an ICMP flooding attack were launched. We perform the above operation by writing a shell script which will block
…(Full text truncated)…
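The filtering step described above (classification.config matched against alerts.ids, then a block list of the attacking addresses), as an added Python example rather than the authors' shell script: the classification.config excerpt and the alert lines are constructed samples written in the real file formats, the alert classes of interest are assumed to be attempted-recon and attempted-dos, and the iptables commands are rendered as strings for an operator to review rather than executed. The allow list is an assumption introduced here.

```python
"""Added example: extract attacker source addresses from a Snort fast-format
alert log using classification.config, then render a block list.
Not the paper's script; the config excerpt and alert lines are constructed."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed excerpt in the classification.config syntax:
#   config classification: <shortname>,<description>,<priority>
CLASSIFICATION_CONFIG = """\
config classification: attempted-recon,Attempted Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: misc-activity,Misc activity,3
config classification: web-application-attack,Web Application Attack,1
"""

# Constructed alerts.ids lines in the fast alert layout (addresses are made up).
ALERTS_IDS = """\
03/15-10:22:31.118245  [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 10.0.0.5 -> 10.0.0.1
03/15-10:22:40.003311  [**] [1:1000001:1] WEB-MISC /etc/passwd access attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.7:51000 -> 10.0.0.1:80
03/15-10:23:02.552190  [**] [1:1000002:1] ICMP echo flood [**] [Classification: Attempted Denial of Service] [Priority: 2] {ICMP} 10.0.0.9 -> 10.0.0.1
03/15-10:23:05.000001  [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 192.168.1.20 -> 10.0.0.1
03/15-10:23:07.120000  [**] [122:1:1] (portscan) TCP Portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 10.0.0.5 -> 10.0.0.2
"""

CONFIG_RE = re.compile(r"^config classification:\s*([^,]+),([^,]+),(\d+)")
ALERT_RE = re.compile(
    r"\[Classification: (?P<desc>[^\]]+)\].*?\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_classifications(text: str) -> Dict[str, str]:
    """Map each classification description (as printed in alerts) back to its short name."""
    desc_to_short = {}
    for line in text.splitlines():
        m = CONFIG_RE.match(line.strip())
        if m:
            short, desc, _priority = (g.strip() for g in m.groups())
            desc_to_short[desc] = short
    return desc_to_short


def attacker_sources(alerts: str, desc_to_short: Dict[str, str],
                     wanted: Iterable[str]) -> Dict[str, Set[str]]:
    """Return {classtype: {source IPs}} for the alert classes listed in `wanted`."""
    wanted = set(wanted)
    hits = defaultdict(set)
    for line in alerts.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not a fast-format alert line; skip silently
        short = desc_to_short.get(m.group("desc"))
        if short in wanted:
            hits[short].add(m.group("src"))
    return dict(hits)


def block_commands(sources: Dict[str, Set[str]], allow: Set[str]) -> List[str]:
    """Render iptables DROP rules as strings (never executed here), skipping
    addresses on the operator-maintained allow list (e.g. an authorised scanner)."""
    ips = sorted({ip for ipset in sources.values() for ip in ipset} - allow)
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


def demo() -> Tuple[Dict[str, Set[str]], List[str]]:
    """Run the constructed log through the filter; 192.168.1.20 is an assumed allowed host."""
    classes = parse_classifications(CLASSIFICATION_CONFIG)
    sources = attacker_sources(ALERTS_IDS, classes, ["attempted-recon", "attempted-dos"])
    return sources, block_commands(sources, allow={"192.168.1.20"})


if __name__ == "__main__":
    found, commands = demo()
    for classtype, ips in found.items():
        print(f"{classtype}: {sorted(ips)}")
    print("\n".join(commands))
```

Two cautions apply before such output is fed to a firewall automatically. Source addresses in SYN scans and ICMP floods are trivially spoofable, so blocking on these classes alone can be turned into a way to cut off legitimate addresses; an allow list of monitoring hosts, gateways and authorised scanners, plus an expiry on each inserted rule, is the usual safeguard. The alert classes that drive blocking should also be kept narrow: the web-application-attack line above is deliberately excluded here because a single content match is weaker evidence than repeated scanning behaviour.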