http://brie.com/brian/netga/
Who am I?
Brian E. Lavender
Computer Science
Legislative Data Center (Work)
Custom rules to identify attacks
SNORT Experience
Statistical Packet Anomaly Detection Engine
SNORT Plugin. Disappeared!!!
MS Project – What to do?
Network Security
Artificial Intelligence
nProbe (Luca Deri)
Genetic Algorithm Paper (Ren Hui Gong)
NetGA http://brie.com/brian/netga/
Integration and further development (Me!)
How the Genetic Algorithm Works! Training Data
Training Data
DARPA
http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/1998data.html
Training Data Source

Duration   Protocol  SRC PORT  DST PRT  SRC IP            DST IP            Attack Type
H  M  S                                 0   1   2   3     0   1   2   3
0  0  11   ftp       1892      21       192 168 1   30    192 168 0   20    -
0  0  0    smtp      1900      25       192 168 1   30    192 168 0   20    -
0  0  2    rsh       1023      1021     192 168 1   30    192 168 0   20    rcp
0  0  23   telnet    1906      23       192 168 1   30    192 168 0   20    guess
0  0  14   rlogin    1022      513      192 168 1   30    192 168 0   20    rlogin
0  0  2    rsh       1022      1021     192 168 1   30    192 168 0   20    rsh
0  0  15   ftp       43549     21       192 168 0   40    192 168 0   20    -
0  0  40   telnet    1914      23       192 168 1   30    192 168 0   20    guess
0  1  24   telnet    43560     23       192 168 0   40    192 168 0   20    -
0  0  13   ftp       43566     21       192 168 0   40    192 168 0   20    -
Make rules that match only the attacks (the rows highlighted in orange on the slide: rcp, guess, rlogin, rsh)!
Training Data

Feature Name      Format   Number of Genes
Duration          h:m:s    3
Protocol          Int      1
Source_port       Int      1
Destination_port  Int      1
Source_IP         a.b.c.d  4
Destination_IP    a.b.c.d  4
Attack_name       Int      1
Individual Chromosome
Individual Evolution
Individual Elitism
New Population / Old Population
Clone the two best of each attack type
Individual Crossover: Making Children

Duration   Protocol  SRC PORT  DST PRT  SRC IP            DST IP            Attack Type
H  M  S                                 0   1   2   3     0   1   2   3
-1 0  -1   rsh       -1        1021     192 168 -1  -1    192 168 0   -1    rsh      Parent 1
0  0  2    rsh       -1        1021     192 168 1   30    192 168 0   20    guess    Parent 2

Midsection Crossover (the SRC IP genes are swapped between the parents)

-1 0  -1   rsh       -1        1021     192 168 1   30    192 168 0   -1    rsh      New Child 1
0  0  2    rsh       -1        1021     192 168 -1  -1    192 168 0   20    guess    New Child 2
Individual Mutation

Duration   Protocol  SRC PORT  DST PRT  SRC IP            DST IP            Attack Type
H  M  S                                 0   1   2   3     0   1   2   3
0  0  2    rsh       -1        1021     192 168 -1  30    192 168 0   -1    rsh
Mutation: a single gene is overwritten with -1
Only happens on rare occasions
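The chromosome layout, midsection crossover and mutation described on the preceding slides, as an added Python example (not code from NetGA or nProbe). It assumes that a -1 gene is a wildcard that matches any value, and the fitness function is a stand-in of my own (matches on the rule's own attack type count for it, matches on normal rows or other attacks count against it), not NetGA's formula; the training rows are copied from the slide's table.

```python
import random

# Gene layout of one rule chromosome, from the slide's feature table:
# duration h,m,s (3) | protocol (1) | src_port (1) | dst_port (1) |
# src_ip a.b.c.d (4) | dst_ip a.b.c.d (4) | attack_name (1) = 15 genes
N_GENES = 15
WILD = -1  # assumption: a -1 gene matches any value ("don't care")

def parse_row(text):
    """Parse one record in the slide's column order; numeric fields become ints."""
    genes = [int(p) if p.lstrip("-").isdigit() else p for p in text.split()]
    assert len(genes) == N_GENES, "expected %d genes" % N_GENES
    return genes

def matches(rule, record):
    """A rule fires when every non-wildcard gene (attack name excluded) equals the record."""
    return all(r == WILD or r == x for r, x in zip(rule[:-1], record[:-1]))

def midsection_crossover(p1, p2, lo=6, hi=10):
    """Midsection crossover: swap the source-IP genes (positions lo..hi-1) between parents."""
    return p1[:lo] + p2[lo:hi] + p1[hi:], p2[:lo] + p1[lo:hi] + p2[hi:]

def mutate(rule, rate=0.02, rng=random):
    """Rarely overwrite one matching gene (never the attack name) with the wildcard."""
    out = list(rule)
    if rng.random() < rate:
        out[rng.randrange(N_GENES - 1)] = WILD
    return out

# Training rows copied from the slide's table ("-" marks a normal connection).
TRAINING = [parse_row(r) for r in """
0 0 11 ftp 1892 21 192 168 1 30 192 168 0 20 -
0 0 0 smtp 1900 25 192 168 1 30 192 168 0 20 -
0 0 2 rsh 1023 1021 192 168 1 30 192 168 0 20 rcp
0 0 23 telnet 1906 23 192 168 1 30 192 168 0 20 guess
0 0 14 rlogin 1022 513 192 168 1 30 192 168 0 20 rlogin
0 0 2 rsh 1022 1021 192 168 1 30 192 168 0 20 rsh
0 0 15 ftp 43549 21 192 168 0 40 192 168 0 20 -
0 0 40 telnet 1914 23 192 168 1 30 192 168 0 20 guess
0 1 24 telnet 43560 23 192 168 0 40 192 168 0 20 -
0 0 13 ftp 43566 21 192 168 0 40 192 168 0 20 -
""".strip().splitlines()]

def fitness(rule, rows=TRAINING):
    """Assumed score (not NetGA's own formula): +1 per matched row of the rule's
    attack type, -1 per matched normal row or other attack, scaled to [0, 1]."""
    score = sum((1 if rec[-1] == rule[-1] else -1) for rec in rows if matches(rule, rec))
    return max(score, 0) / (sum(rec[-1] == rule[-1] for rec in rows) or 1)
```

Running the crossover on the slide's two parents reproduces New Child 1 and New Child 2 exactly; a telnet/port-23 rule with a wildcard source IP scores only 0.5 because it also fires on the normal telnet connection from 192.168.0.40.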
00,-1,-1 exec   00043517 00000079 192.168.001.040 010.168.000.020 guess      Fitness 0.0000
00,-1,02 ftp    00001847 00001021 192.168.001.030 192.168.000.020 guess      Fitness 0.0000
00,-1,-1 exec   00043517 00000079 192.168.001.040 010.168.000.020 guess      Fitness 0.0000
00,-1,02 ftp    00001847 00001021 192.168.001.030 192.168.000.020 guess      Fitness 0.0000
00,01,42 ftp    00043538 00000513 192.168.000.030 010.168.000.020 rcp        Fitness 0.0000
00,01,23 rlogin 00001769 00000512 192.168.000.040 010.168.000.020 rcp        Fitness 0.0000
00,01,57 smtp   -0000001 00000512 192.-01.000.030 010.168.000.-01 port-scan  fitness 0.0000
Individuals Start!
00,00,14 rlogin -0000001 00000513 192.168.001.030 192.168.000.020 rsh        fitness is 0.8031
00,00,14 rlogin -0000001 00000513 192.168.001.030 192.168.000.020 rsh        fitness is 0.8031
00,00,04 rlogin -0000001 -0000001 192.168.001.030 192.168.000.020 port-scan  fitness is 0.8031
00,-1,23 telnet -0000001 00000023 192.168.001.030 192.168.000.020 guess      fitness is 0.8063
00,-1,05 -0001  -0000001 -0000001 192.168.001.030 192.168.000.020 port-scan  fitness is 0.8063
-1,-1,05 -0001  -0000001 -0000001 192.168.001.030 192.168.000.020 port-scan  fitness is 0.8063
00,-1,23 telnet -0000001 00000023 192.168.001.030 192.168.000.020 guess      fitness is 0.8063
Individuals Finish!
The NetGA plugin matches its rules against the connection pool in nProbe.
nProbe Layout
nProbe code Development and Testing
Dummy Interface
# modprobe dummy0
# ifconfig dummy0 0.0.0.0
TCP Replay
# tcpreplay -i dummy0 sample_data01.tcpdump
Run nProbe
# nprobe -i dummy0 --netGA=<netga.conf> <other options>
NetGA
http://brie.com/brian/netga/
Isaac Newton