The Lightweight-Intrusion-Detection System (LIDS) is a software product that meets the needs of the DAC cyber analysts at the DEVCOM Analysis Center for conducting Cyber Vulnerability Assessments (CVAs). The customer requested the development of LIDS because publicly available intrusion detection system software products require heavy use of a device’s resources. Therefore, the main objective of this project is to create a lightweight intrusion detection system in terms of required resources, number of dependencies, and total lines of code. As required by the customer, LIDS includes three sub-systems, called agents from now on LIDS agent, Lightweight Network Intrusion Detection System (LNIDS) agent, and Lightweight Intrusion Detection System Distributed (LIDS-D) agent. Collectively, the three agents compose and work as an intrusion detection system that detects and sends alerts (LIDS agents and LNIDS agents) based on parameters given by the DAC cyber analysts, stores network traffic (LNIDS), and stores alerts generated from several instances of LIDS agents and one LNIDS agent on a single instance of a LIDS-D agent. An overview of each agent (sub-system) follows.
Lightweight Intrusion Detection System (LIDS) Agent
- The LIDS agent detects alerts (malicious network interactions) and is meant to be lightweight on resource consumption, and terminal and graphic interfaces. This is a detection system that monitors network traffic on the DAC cyber analyst’s computer and produces alerts when malicious network packets are detected. The LIDS agent stores both malicious network packets and alerts in the DAC cyber analyst’s computer. The LIDS agent sends alerts to the LIDS-D agent. The LIDS agent makes use of a configuration file to identify whitelist nodes and server connection information. The LIDS agent has a graphical interface and a Command Line Interface. The LIDS system may have several instances of LIDS agents.
Lightweight Network Intrusion Detection System (LNIDS) Agent
- The LNIDS agent detects alerts (malicious network interactions) and is meant to be lightweight on resource consumption and placed on the network SPAN port. The LNIDS agent stores the network traffic in external storage and sends alerts to the LIDS-D agent. The LNIDS agent makes use of a configuration file to identify whitelist nodes and server connection information. The LIDS system has one LNIDS agent.
Lightweight Intrusion Detection System Distributed (LIDS-D) Agent
- The LIDS-D agent accepts connection requests from all LIDS agents and the LNIDS agent on a network. The LIDS-D agent stores the alerts received from LIDS agents and the LNIDS agent. The LIDS-D agent notifies the DAC cyber analysts of alerts as received and allows analysts to review all the alerts at any moment, display the list of nodes, save alerts to external storage, and export alerts. The LIDS-D agent has a terminal interface and a graphic interface. The LIDS system has one LIDS-D agent.
- Ms. Diana RamĂrez 
- Ms. Herandy Vázquez
- Mr. Sebastián Quiñones 
- Dr. Gurijala
- Darinka Carrasco-Cardona
- Carlos Cepeda 
- Courtney Woods 
- Christian Gomez 
- Christopher Porras 
- Sergio Velasco 
- David Gonzalez 
- Tony Alanis
- Installation
- Troubleshooting
- LIDS GUI Information
- CLI Information
- Available Scripts
- Testing
- Contact Information
- Release Date
-
Linux Lite 6.6:
- Download Linux Lite 6.6 from official website.
- Follow the installation instructions provided on the website.
-
VMware:
- Download and install VMware from the official website.
- Follow the installation instructions for your operating system.
-
Python v3.10.12:
- Download and install Python v3.10.12 from the official Python website.
- Follow the installation instructions for your operating system.
-
JavaScript v12.22.09:
- JavaScript is typically included in web browsers. Ensure you have a web browser that supports JavaScript.
-
React v18.2.0:
- Install React using npm:
npm install -g react@18.2.0
- Install React using npm:
-
Flask v2.0.1:
- Install Flask using pip:
pip install Flask==2.0.1
- Install Flask using pip:
-
Pyshark v3.1.2:
- Install pyshark using pip:
pip install pyshark==3.1.2
- Install pyshark using pip:
-
JSON v3.10.12
- No need of using pip isntall. Just have the following line of code:
import json
- No need of using pip isntall. Just have the following line of code:
-
Collection v3.10.12
- No need of using pip isntall. Just have the following line of code:
from collections
- XML v3.10.12
- No need of using pip isntall. Just have the following line of code:
import xml
- Scapy v2.5.0
- Install scapy using pip:
pip install scapy
- Cryptography v41.0.7
- Install cryptography using pip:
pip install cryptography
- Socket v3.10.12
- No need of using pip isntall. Just have the following line of code:
import socket
- Netifaces v2.0.0.19
- Install netifaces using pip:
pip install netifaces
- Threading v3.10.12
- No need of using pip isntall. Just have the following line of code:
import threading
- Tabulate v0.9.0
- Install tabulate using pip:
pip install tabulate
- Defusedxml v0.7.1
- Install defusedxml using pip:
pip install defusedxml
If you encounter any issues during the installation process, consider the following:
-
Linux Lite Installation Issues: If you are facing problems with Linux Lite installation:
- Check the official Linux Lite documentation for comprehensive installation guidance.
- Visit the Linux Lite Community Forums to seek assistance from the community.
-
VMware Installation Issues:
- Ensure your system meets VMware's requirements. Refer to the official VMware Compatibility Guide for hardware compatibility.
- Check the VMware Documentation for troubleshooting steps.
-
Python Installation Issues:
- Double-check that you downloaded the correct version from the official Python website.
- Refer to the Python Installation Guide for troubleshooting steps.
- Upgrade pip using:
pip install --upgrade pip
-
React Installation Issues:
- Ensure you have Node.js and npm installed. You can install them using:
sudo apt-get install nodejs sudo apt-get install npm
- Ensure you have Node.js and npm installed. You can install them using:
-
Flask Installation Issues:
- Confirm that Python and pip are correctly installed. You can upgrade pip using:
pip install --upgrade pip
- Confirm that Python and pip are correctly installed. You can upgrade pip using:
-
Pyshark Installation Issues:
- Verify independencies.
- Confirm that Python and pip are correctly installed. Upgrade pip using:
pip install --upgrade pip
- Refer to the Pyshark Documentation for troubleshooting guidance.
- Ensure that dependencies, such as the wireshark library, are installed. On Linux, you can use:
sudo apt-get install libwireshark-dev
-
JSON Import Issues:
- Unable to import json.
- Ensure your Python environment is correctly set up.
- Confirm that the Python version is 3.10.12 or compatible.
- Verify that there are no typos or syntax errors in your import statement.
-
Collections Import Issues
- Unable to import collections.
- Double-check your Python environment.
- Confirm that the Python version is 3.10.12 or compatible.
- Verify the correct import statement (from collections import ...).
-
XML Import Issues
- Unable to import xml.
- Ensure Python environment correctness.
- Confirm Python version is 3.10.12 or compatible.
- Check the correct import statement (import xml).
-
Scapy Import Issues
- Unable to import or use scapy.
- Install scapy using pip install scapy.
- Confirm the scapy version is 2.5.0 or compatible.
- Check for any error messages during installation.
-
Cryptography Import Issues
- Unable to import or use cryptography.
- Install cryptography using pip install cryptography.
- Confirm the cryptography version is 41.0.7 or compatible.
- Check for any error messages during installation.
-
Socket Import Issues
- Unable to import socket.
- Confirm Python version is 3.10.12 or compatible.
- Verify the correct import statement (import socket).
-
Netifaces Installation Issues
- Unable to import or use netifaces.
- Install netifaces using pip install netifaces.
- Confirm the netifaces version is 2.0.0.19 or compatible.
- Check for any error messages during installation.
- Unable to import threading.
- Confirm Python version is 3.10.12 or compatible.
- Verify the correct import statement (import threading).
-
Tabulate Installation Issues
- Unable to import or use tabulate.
- Install tabulate using pip install tabulate.
- Confirm the tabulate version is 0.9.0 or compatible.
- Check for any error messages during installation.
-
Threading Import Issues
- Unable to import threading.
- Confirm Python version is 3.10.12 or compatible.
- Verify the correct import statement (import threading).
-
Defusedxml Installation Issues
- Unable to import or use defusedxml.
- Install defusedxml using pip install defusedxml.
- Confirm the defusedxml version is 0.7.1 or compatible.
- Check for any error messages during installation.
- Remember to replace ... in the import statements with the specific components you are importing from each library or module. Always ensure that your Python environment is correctly set up, and the versions of the installed libraries match the expected versions.
The LIDS (Log-based Intrusion Detection System) GUI provides users with a user-friendly interface for managing system alerts. Here's an overview of the key features and functionalities:
On the first page of the LIDS GUI, users can upload a configuration file for the system to read.
Once the configuration file is successfully processed, the LIDS GUI transfers to the second screen, where alerts are organized into data tables with the following information:
- Ranges from Low (least important) to High (most important).
- Order can be customized from lowest to highest or highest to lowest.
- Represents the time it took to catch the alert.
- Can be reordered from shortest to longest and vice versa.
- Displays the IP addresses of the connecting device.
- Shows the port numbers used by the connecting device.
- Can be reordered from smallest to largest.
- Provides a description of the actions being taken by the connecting device.
- Highlights any notifications being sent to LIDS.
- Lists any errors encountered by LIDS during its operation.
- Ranges from Low (least important) to High (most important).
- Order can be customized from lowest to highest or highest to lowest.
- Represents the time it took to catch the alert.
- Can be reordered from shortest to longest and vice versa.
- Displays the IP addresses of the connecting device.
- Shows the port numbers used by the connecting device.
- Can be reordered from smallest to largest.
- Provides a description of the actions being taken by the connecting device.
- A table that provides a list of all known devices that are connected in real time to the network. The table provides information such as id, user, protocol, operating system, date, and time.
- A table that provides a list of all unknown devices that are connected in real time to the network. The table provides information such as id, user, protocol, operating system, date, and time.
- Button that allows the user to provide or change the current configuration file. Once the configuration file was changed, the server will be restarted.
- Button that provides a summary of the relevant information from the server to the user. Relevant information such as number of malicious packets, number of known/unknown devices, number of alerts, and the current configuration file.
- A table that provides a list of current detected alerts in the network.
- A page that provides multiple settings for the LIDS device.
- A button that allows the user to disconnect or turn off the LIDS device.
The CLI or Command Line Interface is mainly to start the program from the command line or terminal. Once the script is ran, it will open up the LIDS program where you will begin to detect.
A Command Line Interface (CLI) is a text-based interface that enables users to interact with a computer or software application by entering commands into a terminal or command prompt. Unlike graphical user interfaces (GUIs), which rely on visual elements, CLIs operate solely through text-based commands.
-
Commands: Users communicate with the system by typing specific commands, usually followed by optional arguments and parameters. These commands instruct the computer to perform various tasks or operations.
-
Prompt: The CLI displays a prompt, such as a dollar sign ('$') or a greater-than sign ('>'), indicating that the system is ready to receive a command.
-
Text Output: The results of executed commands are displayed as text output in the same terminal. This output provides information about the success or failure of the command and any relevant data.
Runs the app in the development mode. Opens http://localhost:3000 to view it in your browser.
The page will reload when you make changes. You may also see any lint errors in the console.
Installs the necessary files so t hat you are able to run the app in developement mode.
python3 main_dev.py [tag][filename]
Tag used for running the Command User Interface (CLI)
Tag for running the GUI
the file path of where your current configuration file resides.
For testing we use a Docker container encapsulating an operating system serves as a "mini network," executing the Docker file for config_file.xml to construct a mini network with a subnet of 10.0.0./24, featuring IP addresses aligning with the configuration file. Additional Docker containers include an analyst container equipped with lids, a server container, and a final container simulating an attacker transmitting data to the lids.
Builds Run Background
sudo docker -compose up-dAnalyst
sudo docker exec -it my_att /bin/bashLIDS Agent
python3 LIDS_demo.py -c 'config_file.xml'This project is licensed under the terms of the license provided by The University of Texas at El Paso.
November 13, 2023, 9:30 AM