Hybrid Intelligent Systems for Detecting Network Anomalies Lane Thames ECE 8833 Intelligent Systems
Outline • Introduce Preliminary Information about computer attacks and computer networking • Present the Implementation details and test results • Discuss my future work of incorporating intelligent systems into my network security research
Project Goals • Develop a hybrid system that uses Bayesian Learning in conjunction with the Self-Organizing Map • Analyze the performance of the various systems: Host-Network based features, Network only based features, Host-Network-SOM based features, and Network-SOM based features
Data Sets • UCI Knowledge Discovery in Databases (KDD) • KDD CUP 1999 for Intrusion Detection Database
Tool Boxes • BN Power Constructor • NeticaJ Java based Bayesian Learning Library
Common Types of Attacks • Buffer Overflow Attacks • Redirects program control flow which causes the computer to execute carefully injected malicious code • Code can be crafted to elevate the privileges of a user by obtaining super user privileges
Buffer Overflow: Stack Image • Overflow buf with *str so that the Return Address (RA) is overwritten • If carefully designed, the RA is overwritten with the address of the injected code (the shell code contained in the *str input) • [Figure: stack layout showing buf, SFP, Return Address, *str, Rest of Stack]
Buffer Overflow • After running the program we get the infamous Microsoft alert • In Linux you get “Segmentation Fault”
Common Types of Attacks • Denial of Service (DoS) • Exhaust a computer’s resources: TCP SYN flooding attack • Consume a computer’s available networking bandwidth: ICMP Smurf Attack
ICMP Smurf Attack • [Figure: diagram labeled Victim, Subnet, Slaves, Master]
TCP/IP Layered Architecture • Application Layer: (HTTP, SMTP, FTP) • Transport Layer: (TCP, UDP) • Network Layer: (IP, ICMP, IGMP) • Link Layer: (Ethernet, PPP)
TCP/IP Encapsulation • Link Header | Net. Header | Trans. Header | App Header | App Data | Link Trailer
TCP Header • SRC Port Addr | Dst Port Addr • Sequence Number • Acknowledgment Number • HLEN | Resv | U|A|P|R|S|F | Window Size • Checksum | Urgent Pointer • Options and Padding
Implementation • 2 Types of Bayesian Structures Used • Network / Host / SOM Based Features • Network / SOM Based Features
SOM Details • Original SOM for project 1: • Time series of 200 connections to an isolated web server • Extract port numbers from TCP Header • SOM Weight vector was a length 200 vector representing various types of destination port number sequences (after training)
SOM Details • Hybrid System: the SOM was a vector of length 3 that contains the values of the TCP destination port number, the TCP flag value, and the global flag error rate • The vector represents one connection record (not a time series of connections) • TCP flags: 6 bits (U,A,P,R,S,F) give 2^6=64 possible combinations, and not all values are valid, e.g. S and F are never set simultaneously
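Added example (not part of the original slides or the project's code): extracting the destination port and 6-bit flag value from a TCP header and checking the flag combination, as described on the slide above. The sample headers are constructed, the validity rules beyond S+F are an assumed rule set, and the "flag error rate" computed here (fraction of records with an invalid combination) is an assumed definition, since the slides do not define it.

```python
import struct

# Bit masks of the six TCP flags named on the slide (U,A,P,R,S,F).
FLAGS = {"U": 0x20, "A": 0x10, "P": 0x08, "R": 0x04, "S": 0x02, "F": 0x01}

def parse_tcp_header(raw):
    """Return (dst_port, flag_value) from the fixed 20-byte TCP header."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    _src, dst, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", raw[:20])
    return dst, off_flags & 0x3F  # low 6 bits hold U A P R S F

def flag_names(value):
    """Render a flag value as letters, e.g. 0x12 -> 'AS'."""
    return "".join(name for name, bit in FLAGS.items() if value & bit)

def is_valid_flags(value):
    """Assumed rule set: combinations a conforming TCP stack does not emit."""
    if value == 0:                        # no flag set at all
        return False
    syn = value & FLAGS["S"]
    if syn and value & (FLAGS["F"] | FLAGS["R"]):
        return False                      # S+F (the slide's example) or S+R
    return True

def feature_vectors(headers):
    """One (dst_port, flag_value, flag_error_rate) vector per header.

    Assumption: the error rate is the share of invalid flag values
    across the whole batch of records.
    """
    parsed = [parse_tcp_header(h) for h in headers]
    bad = sum(not is_valid_flags(flags) for _, flags in parsed)
    rate = bad / len(parsed) if parsed else 0.0
    return [(port, flags, rate) for port, flags in parsed]

def make_header(dst_port, flags, src_port=40000):
    """Build a constructed 20-byte header (data offset 5, no options)."""
    return struct.pack("!HHIIHHHH", src_port, dst_port, 1, 0,
                       (5 << 12) | flags, 8192, 0, 0)

# Constructed sample: SYN, PSH+ACK, SYN+FIN (invalid), no flags (invalid).
SAMPLE = [make_header(80, 0x02), make_header(80, 0x18),
          make_header(22, 0x03), make_header(443, 0x00)]

if __name__ == "__main__":
    for port, flags, rate in feature_vectors(SAMPLE):
        print(port, flag_names(flags) or "-", is_valid_flags(flags), rate)
```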
Hybrid System Architecture • [Figure: block diagram with components Init. Train. Data, Bayesian/SOM Classifier, Test Data, SOM Training, Modified Data, IDS Classification File (Test Results), Struct. Developer, Struct. File, Processed Data, Bayesian Trainer]
Host/Network/SOM Test Results • 65,505 Total Test Cases • 65,238 Correctly Classified • 99.59% Classification Accuracy
Network/SOM Test Results • 63,297 Total Cases • 62,871 Correctly Classified • 99.33% Classification Accuracy
Future Work • Currently doing research in Network Security • NSF Funded project: • 3 GT Professors • 3 GT GRAs • 3 Year project
Future Work • Currently Developing a “Honey Net” • Honey Net: A network consisting of computers and various networking gear that you “WANT” to be hacked!
Future Work • Goal: Monitor hacker activities in order to build stronger defenses • Goal: Incorporate some of the Intelligent system concepts within the Honey Net to assist in processing the large volumes of data that will be collected (via network sniffers, traffic monitors, host-based software such as tripwire, libpcap programs, etc)