Nebula is a distributed system, fed by honeypots, that automates the generation of IDS signatures to detect and identify attacks. The goals for the next three months are to improve nebula so that the quality of generated signatures gets better. Also, more and different types of sensors should be able to contribute to a distributed signature generation setup. All in all, there are three work packages:
Primary Mentor: Felix Leder
Secondary Mentor: Jamie Riden
Student: Tillmann Werner
WP1: Nebula's clustering algorithm is one of the two critical components (the other important one is the signature generation engine). In the current implementation, clusters are built following a relatively easy strategy. In particular, cluster density is not considered. The classifiaction results can be improved by replacing the clustering algorithm with a density aware alternative. Another improvement would be to save classification states to files so that the nebula daemon can be interrupted in its execution (expectedly or unexpectedly) and resume from the latest state after a restart.
WP2: Sources that want to submit data to a nebula daemon must implement a proprietary protocol which was designed especially for secure and efficient attack submissions. To date, a submission module exists for honeytrap only. A command line client is available for manual submission of files. In this work packages, a libnebula C library will be developed for easy integration of nebula client functionality into other applications (e.g., nepenthes, snort).
WP3: Intrusion detection systems such as snort can also be used to submit detected attacks to nebula. Although this might at first seem pointless, it is not: Classical intrusion detection signatures often trigger on very simple features. Nebula could be used to generate more complex signatures for the corresponding attacks - not to be used for detection, but for a better understanding of an attack's properties. Signatures computed by nebula extract structural commonalities and are thus very helpful for understanding an attack class's anatomy. In work package 3, a snort plugin will be written based on the library developed in WP2. Snort is the best application around for UDP and TCP stream reassembly which is necessary to reconstruct complete attack strings prior to submission to nebula. As it might perform better to unlink intrusion detection from stream reassembly, a different application will be implemented based on libnids and libnebula. It might even be possible to let this application interact with snort.
Besides these three working package, several experiments with nebula's signature generation engine will be performed and some minor improvements will be added, e.g., a more sophisticated feature selection strategies that could result in even better signatures (the current strategy is a greedy algorithm).
Each work package will be assigned one month of development. The official timeline provides a bit less than that for coding because of administrative work before and after the development phase. The following milestones are set:
2009-05-15 - Starting to code
2009-06-15 - WP1 due
2009-07-15 - WP2 due
2009-08-15 - WP3 due
One project mentored by the Honeynet Project during GSoC aims at improving nebula, an automated intrusion signature generator. There are two critical components in the signature generator: A clustering engine that groups similar attacks into classes, and a signature assembler that extracts common features and selects some of them for the actual signature.