🀟 WIA Standards
WIA-SEC-016 β€Ί Simulator

🚨 Intrusion Detection Simulator

Interactive demonstration of IDS/IPS, anomaly detection, and network monitoring

Data Format
Detection Algorithms
IDS/IPS Protocol
SIEM Integration
QR & VC
Network Traffic Data Formats
πŸ“¦
Packet Capture
Raw network packets in PCAP/PCAPNG format. Contains full packet headers and payload data.
Normal Traffic
🌊
NetFlow/IPFIX
Flow-based network telemetry. Aggregated traffic statistics including src/dst IP, ports, protocol, bytes.
Normal Traffic
πŸ“
Syslog Events
System and application logs in CEF/LEEF format. Authentication events, firewall logs, system errors.
⚠️ Auth Failure
🚨
Alert Events
IDS/IPS alerts with signature ID, severity, source/destination, and matched rule details.
πŸ”΄ SQL Injection

PCAP Packet Structure

Ethernet
Header
IP
Header
TCP/UDP
Header
Application
Payload
// IDS Alert Format (JSON) { "timestamp": "2025-12-25T10:30:15Z", "signature_id": 2100498, "signature": "ET EXPLOIT SQL Injection Attempt", "severity": "HIGH", "source_ip": "203.0.113.45", "dest_ip": "192.168.1.100", "dest_port": 3306, "protocol": "TCP", "payload": "' OR 1=1--" }
Intrusion Detection Algorithms
Signature-Based Detection
Matches network traffic against known attack signatures (rules). Fast and accurate for known threats. Uses Snort/Suricata rule syntax.
99.5%
Accuracy
0.1%
False Positive
<1ms
Latency
Anomaly-Based Detection
Detects deviations from normal behavior baseline using statistical analysis or ML. Can identify zero-day attacks.
85%
Detection Rate
5-10%
False Positive
10-50ms
Latency
Protocol Analysis
Deep packet inspection to validate protocol compliance (HTTP, DNS, TLS). Detects protocol anomalies and evasion techniques.
95%
Coverage
1-2%
False Positive
5ms
Latency
// Anomaly Detection Algorithm (Simplified) function detectAnomaly(traffic) { const baseline = calculateBaseline(historicalData); const currentMetric = { packetsPerSec: traffic.count / traffic.duration, avgPacketSize: traffic.totalBytes / traffic.count, uniqueIPs: new Set(traffic.srcIPs).size }; const deviation = calculateDeviation(currentMetric, baseline); if (deviation > THRESHOLD) { return { alert: true, severity: classifySeverity(deviation), description: "Abnormal traffic pattern detected" }; } return { alert: false }; }
IDS/IPS Detection & Response Protocol
1️⃣ Traffic
Capture
β†’
2️⃣ Packet
Analysis
β†’
3️⃣ Signature
Match
β†’
4️⃣ Alert
Generation
β†’
5️⃣ Response
Action

Detection Pipeline Steps

Step 1: Traffic Capture

Network tap or SPAN port captures all packets. Supports 1Gbps-100Gbps throughput with hardware acceleration.

Step 2: Packet Analysis

Decodes packet headers (L2-L7). Reassembles TCP streams and defragments IP packets for full payload inspection.

Step 3: Signature Matching

Applies 100,000+ signatures using Aho-Corasick multi-pattern matching. Checks both header fields and payload content.

Step 4: Alert Generation

Creates structured alert with signature ID, severity, source/dest, timestamp. Enriches with GeoIP and threat intelligence.

Step 5: Response Action (IPS Mode)

Drop malicious packets, reset TCP connections, block IPs via firewall, send SNMP trap to NOC.

// Snort Rule Example alert tcp any any -> $HOME_NET 80 ( msg:"ET EXPLOIT SQL Injection SELECT FROM"; flow:to_server,established; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; distance:0; classtype:web-application-attack; sid:2100498; rev:3; ) // IPS Response Action if (alert.severity >= "HIGH") { dropPacket(packet); blockIP(alert.source_ip, duration: "1h"); sendAlert(alert, channels: ["email", "siem"]); }
SIEM Integration & Correlation
1,247
Events/sec
23
Active Alerts
5
High Severity
847GB
Data Indexed

Supported SIEM Platforms

πŸ”·
Splunk
TCP/UDP syslog, HTTP Event Collector (HEC), Splunk Forwarder integration with custom dashboards.
πŸ”Ά
Elastic SIEM
Elasticsearch REST API, Beats agents (Filebeat, Packetbeat). Real-time indexing with ECS schema.
πŸ”΅
IBM QRadar
Syslog, LEEF format support. QRadar DSM for normalized event parsing and correlation rules.
🟒
Microsoft Sentinel
Azure Monitor Agent, CEF over Syslog. KQL queries for hunting and automated playbooks.
// SIEM Integration - Splunk HEC const sendToSplunk = async (alert) => { const event = { time: Date.now() / 1000, source: "wia-ids", sourcetype: "ids:alert", event: { signature_id: alert.signature_id, signature: alert.signature, severity: alert.severity, src_ip: alert.source_ip, dst_ip: alert.dest_ip, protocol: alert.protocol } }; await fetch("https://splunk:8088/services/collector", { method: "POST", headers: { "Authorization": `Splunk ${HEC_TOKEN}` }, body: JSON.stringify(event) }); }; // Correlation Rule Example if ( countEvents("failed_login", source_ip, window: "5m") > 5 && countEvents("port_scan", source_ip, window: "10m") > 1 ) { raiseCorrelatedAlert({ type: "Brute Force + Recon Attack", severity: "CRITICAL" }); }
QR Codes & Verifiable Credentials

IDS Configuration QR Code

Scan QR code to quickly configure IDS sensor settings, import signature rules, and establish SIEM connection parameters.

🚨
wia://sec-016/ids-config/v1

Verifiable Credential - IDS Certification

Security Analyst Certification

W3C Verifiable Credential proving proficiency in intrusion detection, incident response, and SIEM analysis.

Credential Type: IDS Security Analyst
Issuer: WIA (did:wia:sec)
Validity: 2 years
Skills Verified: Signature Analysis, Anomaly Detection, SIEM, Incident Response
// Verifiable Credential Structure { "@context": ["https://www.w3.org/2018/credentials/v1"], "type": ["VerifiableCredential", "IDSSecurityAnalystCertificate"], "issuer": "did:wia:sec:016", "issuanceDate": "2025-12-25T00:00:00Z", "expirationDate": "2027-12-25T00:00:00Z", "credentialSubject": { "id": "did:example:analyst123", "skills": [ "Signature-based Detection", "Anomaly Detection", "SIEM Administration", "Incident Response", "Network Traffic Analysis" ], "certificationLevel": "Professional" }, "proof": { "type": "Ed25519Signature2020", "created": "2025-12-25T00:00:00Z", "proofPurpose": "assertionMethod", "verificationMethod": "did:wia:sec:016#key-1" } }