
Page 1: Hybrid Intelligent Systems for Detecting Network Anomalies

Lane Thames

ECE 8833 Intelligent Systems

Page 2: Outline

Introduce preliminary information about computer attacks and computer networking

Present the implementation details and test results

Discuss my future work of incorporating intelligent systems into my network security research

Page 3: Project Goals

Develop a hybrid system that uses Bayesian learning in conjunction with the Self-Organizing Map (SOM)

Analyze the performance of the various systems: Host-Network based features, Network only based features, Host-Network-SOM based features, and Network-SOM based features

Page 4: Data Sets

UCI Knowledge Discovery in Databases (KDD)

KDD CUP 1999 for Intrusion Detection database

Page 5: Tool Boxes

BN Power Constructor

NeticaJ: Java based Bayesian learning library

Page 6: Common Types of Attacks

Buffer Overflow Attacks

Redirects program control flow, which causes the computer to execute carefully injected malicious code

Code can be crafted to elevate the privileges of a user by obtaining super user privileges

Page 7: Buffer Overflow

(figure only)

Page 8: Buffer Overflow: Stack Image

Overflow buf with *str so that the Return Address (RA) is overwritten

If carefully designed, the RA is overwritten with the address of the injected code (contained in the *str input: shell code)

Stack image (figure labels, in order): buf | SFP | Return Address | *str | Rest of Stack

Page 9: Buffer Overflow

After running the program we get the infamous Microsoft alert

In Linux you get "Segmentation Fault"

Page 10: Buffer Overflow: Exception Info

(figure only)

Page 11: Buffer Overflow: Stack Trace

(figure only)

Page 12: Common Types of Attacks

Denial of Service (DoS)

Exhaust a computer's resources: TCP SYN flooding attack

Consume a computer's available networking bandwidth: ICMP Smurf attack

Page 13: TCP SYN Flooding Attack

(figure only)

Page 14: ICMP Smurf Attack

Figure labels: Master, Subnet Slaves, Victim

Page 15: TCP/IP Layered Architecture

Application Layer: (HTTP, SMTP, FTP)

Transport Layer: (TCP,UDP)

Network Layer: (IP,ICMP,IGMP)

Link Layer: (Ethernet, PPP)

Page 16: TCP/IP Encapsulation

Link Header | Net. Header | Trans. Header | App Header | App Data | Link Trailer

Page 17: TCP Header

Fields in wire order (one row per 32-bit word):

SRC Port Addr | Dst Port Addr
Sequence Number
Acknowledgment Number
HLEN | Resv | U|A|P|R|S|F | Window Size
Checksum | Urgent Pointer
Options and Padding

Page 18: Implementation

2 types of Bayesian structures used:

Network / Host / SOM based features

Network / SOM based features

Page 19: SOM Details

Original SOM for project 1:

Time series of 200 connections to an isolated web server

Extract port numbers from the TCP header

The SOM weight vector was a length 200 vector representing various types of destination port number sequences (after training)

Page 20: SOM Details

Hybrid system: the SOM input was a vector of length 3 containing the values of the TCP destination port number, the TCP flag value, and the global flag error rate

The vector represents one connection record (not a time series of connections)

TCP flags: 6 bits (U,A,P,R,S,F), so 2^6 = 64 possible combinations, and not all values are valid, e.g. S and F are never set simultaneously
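The TCP header layout of Page 17 and the flag-validity remark above, as an added Python example that is not part of the original deck. It parses the fixed 20-byte header with the standard struct module, renders the six flag bits as the U/A/P/R/S/F letters, and applies a small rule set to decide which flag values a feature extractor should treat as invalid. The rule set (no flags at all, SYN with FIN, SYN with RST, FIN without ACK) and the sample header bytes are assumptions constructed for this example; the deck itself only gives SYN+FIN.

```python
import struct

# TCP flag bits in the header's low byte (RFC 793 order, high to low: U A P R S F)
FLAG_BITS = {"U": 0x20, "A": 0x10, "P": 0x08, "R": 0x04, "S": 0x02, "F": 0x01}


def parse_tcp_header(raw):
    """Parse the fixed 20-byte TCP header (options are left undecoded).

    Field order follows the Page 17 layout: ports, sequence number,
    acknowledgment number, HLEN/reserved/flags + window, checksum + urgent pointer.
    """
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes for a TCP header")
    (src_port, dst_port, seq, ack, off_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", raw[:20])
    hlen = (off_flags >> 12) * 4        # data offset is counted in 32-bit words
    flags = off_flags & 0x3F            # the six flag bits U A P R S F
    if hlen < 20 or hlen > len(raw):
        raise ValueError("bad HLEN %d" % hlen)
    return {
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
        "hlen": hlen, "flags": flags, "window": window,
        "checksum": checksum, "urgent": urgent,
    }


def flag_string(flags):
    """Render a flag value as the deck's letters, e.g. 0x12 -> 'AS'."""
    return "".join(name for name in "UAPRSF" if flags & FLAG_BITS[name])


def flags_valid(flags):
    """Assumed rule set for combinations a well-formed TCP segment never carries."""
    s, f, r, a = (bool(flags & FLAG_BITS[n]) for n in "SFRA")
    if flags == 0:          # no flags at all ("null" segment)
        return False
    if s and f:             # the deck's own example: SYN and FIN together
        return False
    if s and r:             # SYN and RST together
        return False
    if f and not a:         # FIN only appears on an established connection, with ACK
        return False
    return True


def count_valid_flag_values():
    """How many of the 2^6 = 64 flag values pass the rule set."""
    return sum(1 for v in range(64) if flags_valid(v))


def build_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Constructed 20-byte header (HLEN = 5 words, checksum left at zero)."""
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       (5 << 12) | flags, window, 0, 0)


def check_segment(raw):
    """Parse a header and report destination port, flag letters and flag sanity."""
    hdr = parse_tcp_header(raw)
    return hdr["dst_port"], flag_string(hdr["flags"]), flags_valid(hdr["flags"])


if __name__ == "__main__":
    syn = build_header(40000, 80, 1, 0, FLAG_BITS["S"])
    syn_fin = build_header(40000, 80, 1, 0, FLAG_BITS["S"] | FLAG_BITS["F"])
    print(check_segment(syn))          # (80, 'S', True)
    print(check_segment(syn_fin))      # (80, 'SF', False)
    print(count_valid_flag_values())   # 31
```

Under this rule set 33 of the 64 flag values are rejected and 31 survive, which is the kind of reduction that makes the flag value a usable categorical input for the SOM rather than a 64-way symbol.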

Page 21: Hybrid System Architecture

Figure blocks (in extracted order): Init. Train. Data; SOM Training; Modified Data; Struct. Developer; Struct. File; Processed Data; Bayesian Trainer; Bayesian/SOM Classifier; Test Data; IDS Classification File (Test Results)

Page 22: Modified Data Example

protocol  service  flag  srcB  dstB  cnt  SOMout  serrrate  rerrrate  typeAtck
tcp       http     SF     235  1337    8       0         0         0  normal.
tcp       http     SF     219  1337    6       0         0         0  normal.
icmp      ecr_i    SF    1032     0  511       1         0         0  smurf.
icmp      ecr_i    SF    1032     0  511       1         0         0  smurf.
tcp       private  S0       0     0  103       1         1         0  neptune.
tcp       private  S0       0     0  112       1         1         0  neptune.
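The Page 21 pipeline run end to end over records in this layout, as an added Python example that is not the project's own code (the project used NeticaJ and BN Power Constructor to learn a Bayesian network structure; this block substitutes a hand-written one-dimensional SOM and a naive Bayes classifier so it runs stand-alone). The training and test records are constructed, with a dst_port column added so the SOM sees the deck's three inputs (destination port, flag value, flag error rate); FLAG_CODE and the three-unit map are assumptions. The SOM's best-matching-unit index becomes the SOMout column the Bayesian stage consumes, and the classifier's normalised posteriors are the per-flow attack probabilities of Page 27.

```python
import math

# Constructed connection records in the deck's "Modified Data" layout, with a
# dst_port column added for the SOM input and SOMout left out because the SOM
# produces it. Fields: protocol, service, flag, dst_port, cnt, serror_rate, label.
# The values are made up for illustration, not taken from KDD CUP 1999.
TRAIN = [
    ("tcp", "http", "SF", 80, 8, 0.0, "normal."),
    ("tcp", "http", "SF", 80, 6, 0.0, "normal."),
    ("tcp", "http", "SF", 8080, 5, 0.0, "normal."),
    ("icmp", "ecr_i", "SF", 0, 511, 0.0, "smurf."),
    ("icmp", "ecr_i", "SF", 0, 509, 0.0, "smurf."),
    ("tcp", "private", "S0", 0, 103, 1.0, "neptune."),
    ("tcp", "private", "S0", 0, 112, 1.0, "neptune."),
    ("tcp", "private", "S0", 0, 98, 1.0, "neptune."),
]

# Numeric code per KDD flag string, scaled to [0, 1] (an assumed encoding).
FLAG_CODE = {"SF": 0.0, "S0": 0.5, "REJ": 1.0}


def som_vector(rec):
    """The deck's length-3 SOM input: destination port, flag value, flag error rate."""
    return [rec[3] / 65535.0, FLAG_CODE[rec[2]], rec[5]]


def dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def bmu(weights, x):
    """Index of the best-matching unit (closest weight vector)."""
    return min(range(len(weights)), key=lambda i: dist2(weights[i], x))


def train_som(vectors, units=3, epochs=60):
    """One-dimensional SOM: units start at evenly spaced inputs; learning rate
    and Gaussian neighbourhood width decay linearly over the epochs."""
    n = len(vectors)
    weights = [list(vectors[(i * n) // units]) for i in range(units)]
    for epoch in range(epochs):
        frac = epoch / float(epochs)
        lr = 0.5 * (1.0 - frac) + 0.01
        sigma = max(0.1, (units / 2.0) * (1.0 - frac))
        for x in vectors:
            b = bmu(weights, x)
            for i, w in enumerate(weights):
                h = math.exp(-((i - b) ** 2) / (2.0 * sigma * sigma))
                for d in range(len(w)):
                    w[d] += lr * h * (x[d] - w[d])
    return weights


def discrete_features(rec, weights):
    """Categorical features for the Bayesian stage; SOMout is the BMU index."""
    return (rec[0], rec[1], rec[2], "som%d" % bmu(weights, som_vector(rec)))


def train_bayes(records, weights):
    """Naive Bayes with a per-feature vocabulary and Laplace smoothing."""
    class_counts, feat_counts, vocab = {}, {}, [set() for _ in range(4)]
    for rec in records:
        label = rec[-1]
        class_counts[label] = class_counts.get(label, 0) + 1
        for pos, val in enumerate(discrete_features(rec, weights)):
            vocab[pos].add(val)
            feat_counts[(label, pos, val)] = feat_counts.get((label, pos, val), 0) + 1
    return {"classes": class_counts, "feats": feat_counts, "vocab": vocab, "n": len(records)}


def classify(model, rec, weights):
    """Return (best label, posterior per attack type) for one connection record."""
    feats = discrete_features(rec, weights)
    log_scores = {}
    for label, c in model["classes"].items():
        logp = math.log(c / float(model["n"]))
        for pos, val in enumerate(feats):
            num = model["feats"].get((label, pos, val), 0) + 1   # Laplace smoothing
            den = c + len(model["vocab"][pos])
            logp += math.log(num / float(den))
        log_scores[label] = logp
    m = max(log_scores.values())                   # log-sum-exp normalisation
    z = sum(math.exp(s - m) for s in log_scores.values())
    probs = {k: math.exp(s - m) / z for k, s in log_scores.items()}
    return max(probs, key=probs.get), probs


def run_pipeline(train, tests):
    """SOM training -> SOMout feature -> Bayesian trainer -> classifier (Page 21)."""
    weights = train_som([som_vector(r) for r in train])
    model = train_bayes(train, weights)
    return [classify(model, r, weights)[0] for r in tests]


TEST = [  # constructed held-out records, label unknown
    ("tcp", "http", "SF", 80, 7, 0.0, None),
    ("icmp", "ecr_i", "SF", 0, 500, 0.0, None),
    ("tcp", "private", "S0", 0, 120, 1.0, None),
]

if __name__ == "__main__":
    print(run_pipeline(TRAIN, TEST))   # ['normal.', 'smurf.', 'neptune.']
```

Because the SOM input carries no protocol or service, the smurf and normal records sit almost on top of each other in the map (ports near zero, no flag errors) and can share a unit; the categorical protocol and service features in the Bayesian stage are what separate them, which is the point of feeding SOMout in as one feature among several rather than using it alone.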

Page 23: Host/Network/SOM Structure

(figure only)

Page 24: Host/Network/SOM Test Results

65,505 total test cases

65,238 correctly classified

99.59% classification accuracy

Page 25: Network/SOM Structure

(figure only)

Page 26: Network/SOM Test Results

63,297 total cases

62,871 correctly classified

99.33% classification accuracy

Page 27: Attack Probabilities for a Single Flow

Figure: Probabilities of Various Attacks (Hybrid-Net Only) for Normal Flow. X axis: Attack Types (Enumerated), 0 to 18. Y axis: Prob(attackType), log scale from 1.00E-12 to 1.00E+01.

Page 28: IDS Output for 30,000 Flows

Figure: IDS (Net only) Output, 95/5. X axis: Time Epoch, 0 to 35000. Y axis: Output, 0 to 2.5.

Page 29: Table of Results

                       H/N      H/N/S    N        N/S
Total Cases            65505    65505    62047    62047
Correctly Classified   65019    65328    59734    61631
% Accuracy             99.26%   99.59%   96.27%   99.33%

Page 30: Future Work

Currently doing research in network security

NSF funded project: 3 GT professors, 3 GT GRAs, 3 year project

Page 31: Future Work

Currently developing a "Honey Net"

Honey Net: a network consisting of computers and various networking gear that you "WANT" to be hacked!

Page 32: Future Work

Goal: Monitor hacker activities in order to build stronger defenses

Goal: Incorporate some of the intelligent system concepts within the Honey Net to assist in processing the large volumes of data that will be collected (via network sniffers, traffic monitors, host-based software such as tripwire, libpcap programs, etc.)