Drupal Intrusion Detection System (DIDS)


The original proposal can be found here: http://socghop.appspot.com/student_proposal/show/google/gsoc2009/joshuar...

Overview: DIDS provides a system that allows Drupal to detect attacks such as SQL injection, spamming and DoS attacks. It should then provide a way to respond to detected attacks; such responses would include banning users / IPs, limiting page requests, or alerting an administrator.

Description: One of the greatest issues that any site can have is security. Sites are constantly under attack from outside sources. Fortunately, these attacks usually follow some form of pattern, which should allow us to recognize and foil potential attacks. Larger corporations would likely be able to afford dedicated hardware / software platforms to detect most potential attacks. Individuals, however, would most likely not have that luxury. This project aims to provide a way for a Drupal installation to detect attacks, as well as counter them.

To be a success this project must reach the following goals:

* Evaluate existing PHP software for suitability for use. For instance: http://demo.php-ids.org/
* The system must provide a framework for easily defining new attacks.
* The system must recognize at least the following attacks:
      o SQL Injection (especially useful for contrib modules that might not use the Forms API.)
      o Spamming / too many submissions in a period of time
      o Denial-of-Service / Distributed Denial-of-Service
* The system must also provide a framework of optional ways to cope with attacks. This must include at least:
      o A threat level scoring system for usernames or IP addresses.
      o The ability to block new users / IPs using existing code.
      o The ability to warn administrators that an attack may be underway.

If time permits then the following goals will be worked toward:

* The ability to rate limit page requests as a coping mechanism.
* The ability to gradually reduce a personal threat score with time (by not triggering an alert.)
* A method for detecting new attack definition updates.
* Recognizing attempts to access restricted materials.
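The scoring and coping framework described under the required goals, together with the time-based score decay from the optional goals, as an added Python sketch (not code from the proposal or from any Drupal module; a real implementation would be PHP). The windows, weights and thresholds, the `too_many_submissions` spam rule and the `192.0.2.10` scenario are all assumptions made for the illustration:

```python
import time
from collections import defaultdict
# Constructed windows, weights and thresholds; the proposal fixes none of these.
SUBMISSION_WINDOW = 60        # seconds considered by the spam rule
SUBMISSION_LIMIT = 5          # submissions per window before points accrue
DECAY_PER_SECOND = 1.0 / 60   # threat points forgiven per quiet second
WARN_THRESHOLD = 5.0          # warn an administrator at this score
BLOCK_THRESHOLD = 10.0        # block the user / IP at this score

def too_many_submissions(tracker, subject, event):
    """Spam rule: more than SUBMISSION_LIMIT submissions inside the window."""
    if event.get("kind") != "submission":
        return 0.0
    now = tracker.clock()
    recent = [t for t in tracker.submissions[subject] if now - t < SUBMISSION_WINDOW]
    recent.append(now)
    tracker.submissions[subject] = recent
    return 3.0 if len(recent) > SUBMISSION_LIMIT else 0.0

class ThreatTracker:
    """Per-subject (username or IP) threat score fed by pluggable detectors."""
    def __init__(self, detectors, clock=time.time):
        self.detectors = detectors            # fn(tracker, subject, event) -> points
        self.clock = clock                    # injectable so the demo controls time
        self.scores = {}                      # subject -> (score, last_update)
        self.submissions = defaultdict(list)  # subject -> submission timestamps

    def score(self, subject):
        """Current score, reduced by the time the subject has been quiet."""
        s, t = self.scores.get(subject, (0.0, self.clock()))
        return max(0.0, s - (self.clock() - t) * DECAY_PER_SECOND)

    def observe(self, subject, event):
        """Run every detector on the event, then return the coping action."""
        points = sum(d(self, subject, event) for d in self.detectors)
        self.scores[subject] = (self.score(subject) + points, self.clock())
        s = self.score(subject)
        return "block" if s >= BLOCK_THRESHOLD else "warn" if s >= WARN_THRESHOLD else "allow"

def demo():
    """Constructed scenario: one IP submits nine times in nine seconds, then idles."""
    now = [0.0]                               # fake clock so decay is deterministic
    tracker = ThreatTracker([too_many_submissions], clock=lambda: now[0])
    actions = []
    for _ in range(9):
        now[0] += 1                           # one submission per second
        actions.append(tracker.observe("192.0.2.10", {"kind": "submission"}))
    now[0] += 3600                            # an hour of silence decays the score
    actions.append(tracker.observe("192.0.2.10", {"kind": "page_view"}))
    return actions
```

Adding a new attack definition is just adding another detector function to the list; a module-based version would keep the scores in the database rather than in memory so they survive across requests.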

Schedule: Apart from just "bonding with the community," the "Community Bonding" period will also be used to research the different attack attempts common to Drupal installations. The first two weeks after the official start will be used to research the methods that can be used in PHP to detect different forms of attacks. The next few weeks will be used to build the detection and coping frameworks. The following weeks will be used to write extensions that utilize the framework for detection and coping. The last three weeks of the project will be used for bug and accuracy testing (using simulated attacks on my personal server). Should bug and accuracy testing show acceptable results, the remaining time will be used to accomplish the optional goals.

Mentors:

Difficulty: Hard (but worth it!)

Comments

Great Idea


This needs to be done whether for Summer of Code or not.