Network Intrusion Analysis - Part 3: NIDS Prototype(potd)
Developing a network intrusion detection system (NIDS) prototype that utilizes data manipulation techniques to analyze network traffic and identify potential security threats
Developing a network intrusion detection system (NIDS) prototype that utilizes data manipulation techniques to analyze network traffic and identify potential security threats
A Network Intrusion Detection System (NIDS) monitors network traffic to detect suspicious activities or security policy violations. Think of it as a digital security guard that watches data packets flowing through the network, looking for signs of potential threats like attacks or unauthorized access.
For our prototype, we’ll focus on demonstrating this concept with a simple, yet functional system.
Our task is to:
We’ll build the NIDS prototype in Python
using the Scapy
library, which is perfect for capturing, parsing, and analyzing network packets programmatically. The prototype will focus on detecting two common types of attacks using signature-based detection (looking for known malicious patterns):
Here’s how we’ll tackle it:
sniff
function to capture TCP packets in real-time.lo
) so anyone can demo it on their own machine without needing a live network.First, ensure we have pip
installed. Let's run:
sudo apt -y update && sudo apt -y upgrade && sudo apt install -y python3-pip
Next, below is the complete Python script for our NIDS prototype. Copy paste and save it as nids_prototype.py
and run it with sudo
(since packet sniffing often requires elevated privileges).
from scapy.all import *
import time
# Configuration
TIME_WINDOW = 60 # Time window in seconds
PORT_THRESHOLD = 10 # Max unique ports before flagging a port scan
SYN_THRESHOLD = 100 # Max SYN packets before flagging a SYN flood
# Data structures to track traffic
scan_attempts = {} # Key: (src_ip, dst_ip), Value: list of (port, timestamp)
syn_counts = {} # Key: (dst_ip, dst_port), Value: list of timestamps
def packet_handler(packet):
"""
Process each captured packet to detect port scans and SYN floods.
"""
if packet.haslayer(TCP) and packet.haslayer(IP):
src_ip = packet[IP].src
dst_ip = packet[IP].dst
dst_port = packet[TCP].dport
current_time = time.time()
# --- Port Scan Detection ---
key = (src_ip, dst_ip)
if key not in scan_attempts:
scan_attempts[key] = []
# Add current port with timestamp
scan_attempts[key].append((dst_port, current_time))
# Remove entries older than TIME_WINDOW
scan_attempts[key] = [entry for entry in scan_attempts[key]
if current_time - entry[1] <= TIME_WINDOW]
# Count unique ports in the window
unique_ports = set(entry[0] for entry in scan_attempts[key])
if len(unique_ports) > PORT_THRESHOLD:
print(f"Potential port scan from {src_ip} to {dst_ip}: "
f"{len(unique_ports)} ports scanned")
scan_attempts[key] = [] # Reset after alert
# --- SYN Flood Detection ---
if packet[TCP].flags == 'S': # Check for SYN flag
syn_key = (dst_ip, dst_port)
if syn_key not in syn_counts:
syn_counts[syn_key] = []
# Add SYN packet timestamp
syn_counts[syn_key].append(current_time)
# Remove old timestamps
syn_counts[syn_key] = [ts for ts in syn_counts[syn_key]
if current_time - ts <= TIME_WINDOW]
if len(syn_counts[syn_key]) > SYN_THRESHOLD:
print(f"Potential SYN flood to {dst_ip}:{dst_port}: "
f"{len(syn_counts[syn_key])} SYN packets")
syn_counts[syn_key] = [] # Reset after alert
# Start capturing packets on the loopback interface
print("Starting NIDS prototype... Press Ctrl+C to stop.")
sniff(iface="lo", filter="tcp", prn=packet_handler)
sudo python3 -m pip install scapy
in the terminal.sudo python3 nids_prototype.py
because sniffing requires root access. On Windows, it might be needed to adjust permissions or use a tool like npcap
.To make our prototype up and running, we'll need to generate some “malicious” traffic. Here are two simple scripts to simulate the attacks. Run them in separate terminal windows while the NIDS is active.
Save this as port_scan.py
and run with sudo python3 port_scan.py
. It sends SYN packets to ports 1–14 on 127.0.0.1
, triggering the port scan alert after 11 packets (since the threshold is 10).
from scapy.all import *
import time
target_ip = "127.0.0.1"
for port in range(1, 15):
send(IP(dst=target_ip)/TCP(dport=port, flags="S"), verbose=0)
time.sleep(0.1) # Small delay to avoid overwhelming
print("Port scan simulation complete.")
Save this as syn_flood.py
and run with sudo python3 syn_flood.py
. It sends 150 SYN packets to port 80 on 127.0.0.1
, triggering the SYN flood alert after 101 packets (since the threshold is 100).
from scapy.all import *
import time
target_ip = "127.0.0.1"
target_port = 80
for i in range(150):
send(IP(dst=target_ip)/TCP(dport=target_port, flags="S"), verbose=0)
time.sleep(0.01) # Small delay
print("SYN flood simulation complete.")
sudo python3 nids_prototype.py
sudo python3 port_scan.py
sudo python3 syn_flood.py
Through this experimentation, we successfully demonstrated the application of data manipulation techniques to analyze network traffic and identify potential security threats. By providing a foundation for further development, this prototype can be expanded to include more advanced detection methods and features.