
[SOLVED] Cs6264 module 4 assignment: project four 2025


“Good work on that report! The customer was super impressed!”

There seems to be a trend in your boss’ tone of voice versus the amount of work he is about to assign to you…

“They were so impressed, in fact, that they wanted you to create a host-based IDS for them that can monitor the behavior of a program they wrote.”

That doesn’t even seem like part of your job description, you think to yourself.

“Just make sure you can report on the malicious activities it does.”

Your boss also seems pretty fixated on this two-week cycle, you think as you start Googling for more documentation.


VM link:

OneDrive: cs6264_lab4.ova

Google Drive: https://drive.google.com/file/d/1Q8D-ltf24uCkTIEFkteDkp_iWXzOHm1G/view?usp=sharing

md5 checksum:

b92c8108ab2dae20b7ccf2bff63cfefe  cs6264_lab4.ova

Supplementary Materials

Assignment

The purpose of this assignment is to apply the knowledge of IDSs you learned in class to implement your own host-based IDS that detects behaviors malware may exhibit at runtime.

Please implement an IDS on the provided VM that can report on the syscalls being made by the binary. As a hint, you will want to build this on top of syscall hooking.

Deliverables

Rubric


Total Points: 105


CS6264 Project 4 Supplementary Materials

Project 4 Overview
1. Hook 21 System Calls
2. Implement Anomaly Detection
Part 1: System call hooking – Syscall hints

mkdir: You can use printk() to print out the register contents while debugging, to make sure the correct argument values are in the correct registers.

fstatat: fstatat is not in syscalls.h; you may use newfstatat as the kprobe target instead. Note: Always check the man page of the syscall for more information.

wait4: An example can be found in the kernel's kprobe sample. It hooks the do_fork function; you will need to find the address for wait4.
https://elixir.bootlin.com/linux/v5.3/source/samples/kprobes/kprobe_example.c
Part 1: System call hooking – Kprobes

Example from the kernel: https://elixir.bootlin.com/linux/v5.3/source/samples/kprobes/kprobe_example.c
Documentation: https://www.kernel.org/doc/Documentation/kprobes.txt
Tutorial: https://www.kernel.org/doc/ols/2006/slides/kprobes.html
Part 2: Anomaly Detection

How do you design the anomaly detection with what you have learned in Part 1?

Syscall sequence pattern -> normal profile. Use subsets of the syscall sequence as the behavior identifier to define a normal behavioral database.
Example implementation: sliding window. Pick a proper k value; you can choose 6 if you do not want to test the trade-offs between performance and accuracy.
Part 2: Anomaly Detection – Sliding Window

K = 4 example: move one window slot at a time to model the behaviors (forest representation of the sequence of system calls). Note: you can convert the corresponding syscalls to their syscall numbers for an easier representation.
Sample database of normal behavior. Note: in case you want to know more details and the reasoning behind it, refer to the paper:
http://wenke.gtisc.gatech.edu/ids-readings/unix_process_self.pdf
More on IDS: https://www.cs.fsu.edu/~engelen/SnyderThesis.pdf
Example implementation of the sliding window: https://www.geeksforgeeks.org/window-sliding-technique/
Your anomaly detection system could be divided into 2 phases:
1. Training Phase
2. Testing Phase
Part 2: Anomaly Detection – Training Phase

To establish a normal profile, run through about 100 testing runs of all benign behaviors with the given binary, to the point that your IDS does not or rarely alerts on benign syscall sequences. As shown in the plot, the number of new syscall sequences should stop increasing drastically; then you can conclude that the training phase is DONE. We can accept an error rate of up to 8%.
To run with what you have from Part 1:
sudo insmod hooks.ko
./target input (about 100 testing runs)
sudo rmmod hooks.ko
Part 2: Anomaly Detection – Normal DB storage

Where to store the normal database?
1. Store in memory (heap memory)
2. Store in a database (mysql, sqlite, etc.)
3. Store in static files (db.txt)
Part 2: Anomaly Detection – Testing Phase

As mentioned, we accept an 8% error rate for your anomaly detection.
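As an added illustration of the two phases above (this is not code from the course or the VM), the following Python builds the normal DB of k-length syscall windows from benign runs, tracks how many new windows each run contributes so you can tell when training has converged, and then scores a test trace by its mismatch rate against the 8% threshold. The traces are constructed stand-ins for the output of the Part 1 hook module; k is 4 to match the slide example.

```python
"""Sliding-window syscall anomaly detector (training + testing phase)."""

K = 4                 # window length; the slides suggest 6 for real runs
MAX_ERROR = 0.08      # mismatch rate the assignment tolerates

# Constructed benign traces standing in for the Part 1 module's log across
# repeated runs of ./target (hypothetical data, not captured from the VM).
BENIGN_RUNS = [
    ["open", "read", "mmap", "mmap", "read", "write", "close"],
    ["open", "read", "mmap", "read", "write", "close"],
    ["open", "read", "mmap", "mmap", "read", "write", "close"],
]

def windows(trace, k=K):
    """Every length-k subsequence of the trace, sliding one slot at a time."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]

def train(runs, k=K):
    """Training phase: build the normal DB and record how many new windows
    each run added (the growth curve the slides say should flatten)."""
    profile, growth = set(), []
    for trace in runs:
        new = {w for w in windows(trace, k) if w not in profile}
        profile |= new
        growth.append(len(new))
    return profile, growth

def training_converged(growth, quiet_runs=1):
    """Training is done once the last `quiet_runs` runs added no new windows."""
    return len(growth) >= quiet_runs and all(n == 0 for n in growth[-quiet_runs:])

def mismatch_rate(profile, trace, k=K):
    """Testing phase: fraction of the trace's windows absent from the DB.
    A trace shorter than k has no windows and is scored 0.0."""
    ws = windows(trace, k)
    if not ws:
        return 0.0
    return sum(w not in profile for w in ws) / len(ws)

def is_anomalous(profile, trace, k=K, max_error=MAX_ERROR):
    return mismatch_rate(profile, trace, k) > max_error

if __name__ == "__main__":
    db, growth = train(BENIGN_RUNS)
    print("new windows per run:", growth, "converged:", training_converged(growth))
    suspect = ["open", "read", "mmap", "execve", "socket", "connect", "write", "close"]
    for t in (BENIGN_RUNS[0], suspect):
        verdict = "ANOMALY" if is_anomalous(db, t) else "normal"
        print(f"{mismatch_rate(db, t):.2f} {verdict} {t}")
```

Storing `db` as sorted lines of syscall numbers in a text file gives you option 3 from the storage slide without any extra dependencies.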
Bonus: Malicious behavior detection

What is defined as malicious? (Refer to the last section of the tutorial.)

