Introduction

This project is designed to discover anomalous behaviour of a computer network. In many cases, this anomalous behaviour may be malicious, but this may not always be the case. This project is at its most general an attempt to discover information about a computer network from the incomplete information available to an end machine. It is this attempt to discover information from an unprivileged position on the network (but with administrative access to the local machine) in an unobtrusive way that makes this project interesting.

Note here: "an unprivileged position"! Intrusion detection systems (IDSs) already exist that are designed to run in the core of a network - but few systems exist that are designed to detect malicious operation of the network from the perspective of a normal user's machine, and even fewer that are prepared to use active techniques to investigate the network. It is also important to note that not all anomalies are outright malicious, although clearly some are. They may be as innocuous as control traffic that was not anticipated, or simply be the result of incorrect configuration. Indeed, many anomalies have been discovered during the development of the system that were entirely benign.

Towards the end of the production of the initial release of this project, Virgin Media (who provide my home Internet connection) were ordered by a UK court to blocked access to The Pirate Bay. This served as a good real world example of my project in action. This interception was detected first time without any modification to the system.

The current version of Hyperion is: 2012070101. Hyperion Source and Documentation