version 0.1

Introduction

Lisys monitors TCP SYN packets to detect network traffic anomalies. The program e-mails a designated user when it detects unusual tcp connections. The user decides if the anomaly is truly a problem or merely an unusual, but valid, connection. The code is in an early stage of development.

What does Lisys do?

Lisys is an immunologically-inspired network traffic anomaly detector. Each computer runs a broadcaster, which broadcasts the source and destination of each tcp SYN packet it sees to other computers running Lisys, and a detection node, which processes the information from the broadcasters.

Each detection node receives data from broadcasters and mails an administrator if it detects a novel tcp connection. A detection node has an array of detectors that as a group determine if a packet is anomalous. The detectors are randomly generated, with each one sensitive to a particular random source and destination address and port as well as near matches to it. If a newly-generated detector sees a packet that matches its template, it is replaced by a new randomly-generated detector. If a detector that is over a week old recognizes a packet, it sends mail to the administrator. By having this week-long "tolerization" period for the new detectors, we can generate detectors randomly and only let the ones that do not send false positives for a week "survive".

When the user receives an alarm signal from a detector, she has two options. If the user does nothing, the detector that flagged the connection as anomalous will disappear and not bother the user any more. If the user chooses to confirm, or "costimulate", the anomaly, the detector that flagged the anomaly will become a permanent part of the program's repertoire and will alert the user whenever this tcp connection is made in the future.

There are a couple of papers that provide more information on Lisys:
  • Architecture for an Artificial Immune System, S. A. Hofmeyr and S. Forrest
  • An Immunological Model of Distributed Detection and its Application to Computer Security, S. A. Hofmeyr

Requirements

  • TCPDump.
  • A Java SDK of 1.2 or greater.
  • All machines must be on the same subnet (i.e. the first three numbers of their ip addresses must be the same).
  • Ability to write to the local drive is recommended.
Download the code

Installation

First unpack the lisys.tar files into a directory on the desired machine. It is advised to use a directory on the machine's local hard drive. Before compiling Lisys, you may want to edit the Makefile:
  • Change the JAVAC variable if your Java compiler can't be run by typing javac.
  • Change the BIN_DIR variable if you want the scripts for running Lisys to be placed in an alternate location.
  • You also may want to change some of the variables in templates/global.properties before installing Lisys. If you want Lisys to store its various files in different places, then you should change the classpath, logpath, pidpath, and statepath variables.
Once you are done editing the Makefile, all you have to do to compile and install Lisys is type "make install".

Configuration

Before running Lisys, you need to edit its configuration files. These files are all conveniently located in /etc/lisys. Note that limited variable substitution is performed when these files are processed. This means that any single-word variable (i.e. no dots) that has been defined earlier in the file can be referenced later by putting the $ character in front of its name. Also, variables defined in the global.properties file can be referenced in the other configuration files.

global.properties:

  • You will want to change the network variable to refer to your local network's subnet (the first three numbers in your ip address). This is used in the filter rules file to keep tcpdump from looking at internal Lisys communications, which take place on port 9090 within your local subnet.
  • You may need to change the java variable if your Java runtime can't be run by typing java.
broadcast.properties:
  • Change the detection.nodes entry to list all of the hosts on which you will be running Lisys. Remember to include the port number 9090 for each address by appending ":9090" to each ip.
detection.properties:
  • Change the costimulation.server entry if you intend to use the mail interface for costimulating detection nodes.
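The substitution rule described above (key = value lines, $name references to single-word names defined earlier, global.properties names visible in the other files) is small enough to implement in a few lines. The following is an added example written for this page, not the loader that ships with Lisys. Two points the README leaves open are treated as assumptions here: an undefined or forward reference is an error, and a name defined in a later file shadows the global of the same name. The syn_filter() function is likewise an illustration of how the network variable can feed a tcpdump expression that skips Lisys's own port-9090 traffic; the project's real filter rules file may differ. The sample property files are constructed.

```python
"""Parser for Lisys-style properties files with $name substitution.

Added example, not the project's own code.  Assumptions not stated in the
README: a reference to a name that is undefined, dotted, or defined only
later in the file is an error, and a file-level definition shadows a global.
"""
import re
from typing import Dict, Optional

# $name, where name is a single word; a dot ends the name, so $network.120
# expands only the "network" part.
REF = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")

GLOBAL_PROPERTIES = """\
# constructed sample modelled on the variable names the README mentions
network = 64.106.21
java = /usr/bin/java
lisysdir = /var/lib/lisys
logpath = $lisysdir/log
pidpath = $lisysdir/run
statepath = $lisysdir/state
"""

BROADCAST_PROPERTIES = """\
# constructed sample: one detection node per host, port 9090 appended
port = 9090
detection.nodes = $network.120:$port $network.121:$port
"""


def parse_properties(text: str, globals_: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Parse key = value lines, expanding $name references as the README describes."""
    scope = dict(globals_ or {})          # names a $reference may resolve to
    result: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key = value, got {line!r}")
        key, value = key.strip(), value.strip()

        def resolve(match: "re.Match[str]") -> str:
            name = match.group(1)
            if name not in scope:         # undefined, dotted, or defined later (assumption: error)
                raise KeyError(f"line {lineno}: ${name} is not defined before use")
            return scope[name]

        value = REF.sub(resolve, value)
        result[key] = value
        if "." not in key:                # only single-word names are referenceable
            scope[key] = value
    return result


def syn_filter(network: str, lisys_port: int = 9090) -> str:
    """Illustrative tcpdump expression: SYN-only packets, minus Lisys's own
    port-9090 traffic inside the local /24 (network is the first three octets)."""
    return (f"tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn"
            f" and not (net {network}.0/24 and port {lisys_port})")


if __name__ == "__main__":
    g = parse_properties(GLOBAL_PROPERTIES)
    b = parse_properties(BROADCAST_PROPERTIES, g)
    print(g["logpath"], b["detection.nodes"], syn_filter(g["network"]), sep="\n")
```

Because dotted keys never enter the scope, a reference like $detection.nodes from another file fails loudly instead of silently expanding to nothing, which is the behaviour you want when a typo in global.properties would otherwise leave tcpdump watching the wrong subnet.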

Running Lisys

In order to run lisys, you need permission to run tcpdump, which is typically only done as root.

After installing and configuring Lisys, you can run the detectors and broadcasters on the desired machines in your network. On a machine that has Lisys installed, simply type "lisys-detection" to start the detectors and "lisys-broadcast" to start the broadcaster. Both programs can also be stopped by calling the command with the "-k" option.

Additionally, you can configure lisys to run at startup using the script init.d/lisys. This script starts lisys-detection and lisys-broadcast. For Debian, all you have to do is copy init.d/lisys to /etc/init.d/lisys and then execute the following command as root:

update-rc.d lisys defaults 90

The 90 makes it so that lisys is one of the last programs started, which means it will be after networking.

After the detectors and broadcasters are running you will want to query and interact with the detectors. The easiest way is to install the cgi scripts provided in the cgi directory to provide a web interface. Place these scripts in your web server's cgi directory and create a hyperlink that calls LisysStat.cgi with the ip addresses of your machines running lisys detectors as arguments, for example:

<a href="/cgi-bin/LisysStat.cgi?64.106.21.120+64.106.21.121">
Click here to check machines 64.106.21.120 and 64.106.21.121</a>


LisysStat will query the machines and display a status summary. If the nodes have detected anomalies, you can click on the number of anomalies for a given machine to get a full list of anomalies. Clicking on a particular anomaly will costimulate the machine.

If you'd rather use the mail interface for costimulating Lisys detectors, execute "lisys-http" on a single machine that will act as a server to process costimulation requests. You need to set the costimulation.server entry in /etc/lisys/detection.properties to be the server machine. Once everything is set up, you should be able to costimulate nodes by following the html anomaly links sent by the lisys detection nodes. The sole purpose of the costimulation server is to accept the http requests from the users clicking on the mailed links and to forward the requests to the appropriate detection nodes.

Detection Node Settings

The default settings for the detection nodes work reasonably well, but you may want to change the following variables in detection.properties before running Lisys:

  • costimulation.mail.delay: The number of packets a detector must receive before sending out mail if there are anomalies. Increasing this value will make mail less frequent.
  • costimulation.delay: The amount of time (in number of packets received) that a user has to costimulate an anomalous packet. After this amount of time elapses, the information about the particular anomalous packet will be overwritten.
  • costimulation.server.port: Port used for the costimulation mail interface.
  • activation.threshold: Number of anomalies a detection node must receive before notifying the user.
  • detectors.number: Number of detectors in a detection node.
  • tolerization.period: Currently not used. The tolerization period is automatically set to the number of packets the node receives in its first week.
  • random.seed: Random number generator seed. The system clock is used for the seed if the value is set to -1.

Testing Lisys Offline

LisysSim is a library of perl files that can be used to simulate the behavior of Lisys. Basically, each simulation is a program written using the various library objects. It is still in the early stages right now, so if you want to use it, please look at the documentation within the files in the LisysSim directory. LisysSim should be modified to suit your needs.

Known Bugs

Lisys does not use any form of encryption or password protection. All communication is done in the clear and anyone can query and costimulate Lisys.