Serverus is a behavior-based intrusion detection and prevention system (IDPS) for Linux-based servers. It uses a deep learning model to identify attacks as anomalous behavior in the server's network traffic and blocks their sources.
The name "Serverus" is inspired by Cerberus from Greek mythology. Cerberus (often called the hound of Hades) is a multi-headed dog that guards the gates of the Underworld. Since the product's main goal is defending servers from attack, we found the comparison fitting.
Created by Ofir Shapira and Omri Zaiman as a final project of Magshimim, the Israeli national cyber program.
First, register on our website here. It will provide you with the project files together with a unique identifier generated especially for you.
Make sure you have the following technologies installed on your machine:
It is also possible to install the Python modules using the requirements.txt file:

```bash
sudo pip3 install -r requirements.txt
```
For compiling there are two main options:
- using the `build.sh` script, which compiles and executes the project for you (on us, free of charge)
- compiling by yourself:

```bash
mkdir build
cmake -B build   # generate the Makefile in build/
cd build
make             # compile the project
sudo ./idps      # run the IDPS (root is needed for iptables)
```
The sniffing unit is a sniffer-like Python program. It uses the Scapy module to capture packets and hands them to the model through a message queue.
The model component (implemented in C++) is based on an ensemble of autoencoders. It analyzes packet metadata (jitter and packet size) and determines whether each packet is an anomaly with respect to the server's normal behavior. The model outputs a score in the range [0-4], where 0 means normal behavior.
The feature extractor (FE) generates a vector of statistics for each arriving packet: weight, mean, standard deviation, magnitude, radius, covariance, and correlation. The FE computes them as damped incremental statistics, so old packets fade out gradually instead of being dropped at a hard window boundary, and each packet is processed in constant time.
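The following is an added example, not code from the Serverus project, showing how damped incremental statistics turn a stream of (timestamp, source, size) tuples, as the sniffing unit would deliver them, into the feature vector described above. Keying streams by source IP, the single decay factor `lam`, and the use of a damped product sum for the covariance (a simplification of Kitsune's residual-product estimator) are assumptions of this example; the sample packets are constructed.

```python
import math


class DampedStat:
    """Damped incremental statistics of one feature: the (weight, linear sum, squared sum)
    tuple is scaled by 2^(-lam * dt) between updates, so old packets fade out instead of
    falling off a hard window edge. lam = 1.0 halves a sample's weight every second."""

    def __init__(self, lam):
        self.lam = lam
        self.w = 0.0      # damped number of samples
        self.ls = 0.0     # damped sum of x
        self.ss = 0.0     # damped sum of x*x
        self.t_last = None

    def decay(self, t):
        if self.t_last is None:
            self.t_last = t
            return
        if t > self.t_last:
            g = 2.0 ** (-self.lam * (t - self.t_last))
            self.w *= g
            self.ls *= g
            self.ss *= g
            self.t_last = t
        # a packet with t < t_last (out of order) is folded in without extra decay

    def insert(self, x, t):
        self.decay(t)
        self.w += 1.0
        self.ls += x
        self.ss += x * x

    def mean(self):
        return self.ls / self.w

    def var(self):
        # abs() guards against tiny negative values caused by floating-point cancellation
        return abs(self.ss / self.w - self.mean() ** 2)

    def std(self):
        return math.sqrt(self.var())


class DampedStat2D:
    """Joint damped statistics of two features observed together on every packet
    (here: packet size and jitter). Assumption: covariance from a damped product sum."""

    def __init__(self, lam):
        self.lam = lam
        self.x = DampedStat(lam)
        self.y = DampedStat(lam)
        self.sp = 0.0     # damped sum of x*y
        self.t_last = None

    def insert(self, x, y, t):
        if self.t_last is not None and t > self.t_last:
            self.sp *= 2.0 ** (-self.lam * (t - self.t_last))
        self.t_last = t if self.t_last is None else max(self.t_last, t)
        self.x.insert(x, t)
        self.y.insert(y, t)
        self.sp += x * y

    def cov(self):
        return self.sp / self.x.w - self.x.mean() * self.y.mean()

    def corr(self):
        d = self.x.std() * self.y.std()
        return self.cov() / d if d > 0 else 0.0   # undefined while a feature is constant

    def vector(self):
        return {
            "weight": self.x.w,
            "mean_size": self.x.mean(), "std_size": self.x.std(),
            "mean_jitter": self.y.mean(), "std_jitter": self.y.std(),
            "magnitude": math.hypot(self.x.mean(), self.y.mean()),  # distance of the mean point from the origin
            "radius": math.sqrt(self.x.var() + self.y.var()),        # combined spread of both features
            "cov": self.cov(),
            "corr": self.corr(),
        }


class FeatureExtractor:
    """One DampedStat2D per source host (assumed stream key) turning each packet into a vector."""

    def __init__(self, lam=1.0):
        self.lam = lam
        self.streams = {}
        self.last_seen = {}

    def update(self, src, t, size):
        jitter = t - self.last_seen.get(src, t)   # 0.0 for the first packet from a host
        self.last_seen[src] = t
        stream = self.streams.setdefault(src, DampedStat2D(self.lam))
        stream.insert(float(size), jitter, t)
        return stream.vector()


if __name__ == "__main__":
    # Constructed sample of (timestamp, src, size) as the sniffing unit would hand over.
    packets = [(0.0, "10.0.0.5", 100), (1.0, "10.0.0.5", 300),
               (2.0, "10.0.0.5", 500), (2.0, "10.0.0.9", 60)]
    fe = FeatureExtractor(lam=1.0)
    for t, src, size in packets:
        print(src, {k: round(v, 3) for k, v in fe.update(src, t, size).items()})
```

Running several extractors with different `lam` values (Kitsune uses a handful, from fractions of a second up to minutes) and concatenating their vectors is what gives the model both short-term and long-term views of the same host.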
The anomaly detector is the part built on an ensemble of autoencoders. It is composed of two layers:
- 1st --> the ensemble: each autoencoder receives one cluster of features from the feature mapper and produces an RMSE (root mean squared error) for its reconstruction.
- 2nd --> the output layer: it receives the first layer's RMSEs and produces a single anomaly score for the given packet.
Then the anomaly score is mapped to a number in the range [0-4], which is the blocking level applied to the packet's sender.
The defending component communicates with the model and with the server. It blocks hostile entities according to the anomaly level the model provided:
- Closing the socket.
- Blocking the entity temporarily.
- Blocking the entity permanently.
- Informing other machines (which use Serverus) about the hostile entity.
The blocking is done with Linux iptables and therefore requires root permission.
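As an added example (not the project's defender code), the block below maps an anomaly score to a blocking level and carries out the actions listed above. Two things are assumptions of this example rather than facts from the README: the score is normalized against the largest score seen on benign traffic during training, with thresholds of 1x, 2x, 4x and 8x for levels 1 to 4; and level 1 closes sockets, 2 blocks temporarily, 3 blocks permanently, 4 blocks permanently and returns a report for the server to broadcast. Sockets are closed with `ss -K` (needs a kernel built with CONFIG_INET_DIAG_DESTROY), rules are added with iptables, and commands are passed as argv lists after the address has been validated, so nothing unparsed reaches a root-level command.

```python
import ipaddress
import subprocess

# Assumed level semantics (the README lists the actions but not the exact mapping).
LEVEL_ACTIONS = {0: "none", 1: "close_socket", 2: "temp_block",
                 3: "perm_block", 4: "perm_block_and_report"}


def blocking_level(score, benign_max):
    """Map the model's anomaly score to a level 0..4.
    Assumed thresholds: multiples of the largest score seen on benign training traffic."""
    if benign_max <= 0:
        raise ValueError("benign_max must be positive")
    ratio = score / benign_max
    for level, bound in ((0, 1.0), (1, 2.0), (2, 4.0), (3, 8.0)):
        if ratio < bound:
            return level
    return 4


class Defender:
    def __init__(self, allowlist=(), temp_seconds=600, dry_run=True):
        # allowlist: networks that must never be blocked (management hosts, peers);
        # a spoofed source address could otherwise make Serverus block a legitimate client.
        self.allowlist = [ipaddress.ip_network(a) for a in allowlist]
        self.temp_seconds = temp_seconds
        self.dry_run = dry_run
        self.temp_expiry = {}   # ip -> time at which its DROP rule is removed
        self.permanent = set()
        self.executed = []      # every argv run (or that would run), for audit

    def _run(self, argv):
        self.executed.append(argv)
        if not self.dry_run:
            subprocess.run(argv, check=True)   # argv list, never a shell string

    @staticmethod
    def _drop_rule(ip, add=True):
        return ["iptables", "-I" if add else "-D", "INPUT", "-s", ip, "-j", "DROP"]

    def handle(self, src_ip, level, now):
        """Apply the action for `level` to `src_ip`; returns a summary, or None if nothing was done."""
        addr = ipaddress.ip_address(src_ip)   # raises ValueError on anything that is not an IP
        if level == 0 or any(addr in net for net in self.allowlist):
            return None
        ip = str(addr)
        if ip in self.permanent:
            return None                       # already dropped at the firewall
        self._run(["ss", "-K", "dst", ip])    # close live sockets with that peer
        if level == 2:
            if ip not in self.temp_expiry:
                self._run(self._drop_rule(ip))
            self.temp_expiry[ip] = now + self.temp_seconds   # (re)start the timer
        elif level >= 3:
            if ip in self.temp_expiry:
                del self.temp_expiry[ip]      # rule already present; it just never expires now
            else:
                self._run(self._drop_rule(ip))
            self.permanent.add(ip)
        report = {"src": ip, "level": level, "time": now} if level == 4 else None
        return {"ip": ip, "action": LEVEL_ACTIONS[level], "report": report}

    def expire(self, now):
        """Remove temporary DROP rules whose time is up; call this periodically."""
        for ip in [ip for ip, t in self.temp_expiry.items() if t <= now]:
            self._run(self._drop_rule(ip, add=False))
            del self.temp_expiry[ip]


if __name__ == "__main__":
    d = Defender(allowlist=["192.168.1.0/24"], temp_seconds=60, dry_run=True)
    print(d.handle("203.0.113.9", blocking_level(3.0, benign_max=1.0), now=0.0))
    d.expire(now=60.0)
    print(d.handle("203.0.113.9", blocking_level(50.0, benign_max=1.0), now=70.0))
    print(*d.executed, sep="\n")
```

With `dry_run=True` the commands are only recorded, which is how to exercise the policy on a workstation without root; the `report` returned for level 4 is what the defender would send to the Serverus server so other machines can be warned.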
The server component is responsible for supplying data to the database (all data that is not related to the web application). The defender on each machine sends the server a description of the events that machine has encountered (events the model considered attacks), and the server records them in the database.
Moreover, the server is responsible for informing every defending unit about level 4 events that other defenders have reported.
Our web application here was built with the Flask module in Python. It runs behind Nginx and Gunicorn in production.
The app was developed with several tools to make the website accessible, such as Chart.js, Bootstrap, etc.
In order to use our services, one has to sign up on the website. As a registered user, a zip file containing the product's files becomes available.
We would like to thank:
- Our Mentor Shlomo Yona.
- Our team leader Arad Kotzer.
- Yisroel Mirsky for his algorithm "KitNET".