1 / 32

Hybrid Intelligent Systems for Detecting Network Anomalies

Hybrid Intelligent Systems for Detecting Network Anomalies. Lane Thames ECE 8833 Intelligent Systems. Outline. Introduce Preliminary Information about computer attacks and computer networking Present the Implementation details and test results

brenna
Télécharger la présentation

Hybrid Intelligent Systems for Detecting Network Anomalies

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Hybrid Intelligent Systems for Detecting Network Anomalies Lane Thames ECE 8833 Intelligent Systems

  2. Outline • Introduce Preliminary Information about computer attacks and computer networking • Present the Implementation details and test results • Discuss my future work of incorporating intelligent systems into my network security research

  3. Project Goals • Develop a hybrid system that uses Bayesian Learning in conjunction with the Self-Organizing Map • Analyze the performance of the various systems: Host-Network based features, Network only based features, Host-Network-SOM based features, and Network-SOM based features

  4. Data Sets • UCI Knowledge Discovery in Databases (KDD) • KDD CUP 1999 for Intrusion Detection Database

  5. Tool Boxes • BN Power Constructor • NeticaJ Java based Bayesian Learning Library

  6. Common Types of Attacks • Buffer Overflow Attacks • Redirects program control flow which causes the computer to execute carefully injected malicious code • Code can be crafted to elevate the privileges of a user by obtaining super user privileges

  7. Buffer Overflow

  8. Buffer Overflow-Stack Image • Overflow buf with *str so that the Return Address (RA) is overwritten • If carefully designed, the RA is overwritten with the address of the injected code (contained in the *str input—shell code) buf SFP Return Address * str Rest of Stack

  9. Buffer Overflow • After running the program we get the infamous Microsoft alert • In Linux you get “Segmentation Fault”

  10. Buffer Overflow—Exception Info

  11. Buffer Overflow—Stack Trace

  12. Common Types of Attacks • Denial of Service (DoS) • Exhaust a computer’s resources: TCP SYN flooding attack • Consume a computer’s available networking bandwidth: ICMP Smurf Attack

  13. TCP SYN Flooding Attack

  14. ICMP Smurf Attack Victim Subnet Slaves Master

  15. TCP/IP Layered Architecture Application Layer: (HTTP, SMTP, FTP) Transport Layer: (TCP,UDP) Network Layer: (IP,ICMP,IGMP) Link Layer: (Ethernet, PPP)

  16. TCP/IP Encapsulation Link Header Net. Header Trans. Header App Header App Data Link Trailer

  17. TCP Header SRC Port Addr Dst Port Addr Sequence Number Acknowledgment Number HLEN|Resv|U|A|P|R|S|F Window Size Checksum Urgent Pointer Options and Padding

  18. Implementation • 2 Types of Bayesian Structures Used • Network / Host / SOM Based Features • Network / SOM Based Features

  19. SOM Details • Original SOM for project 1: • Time series of 200 connections to an isolated web server • Extract port numbers from TCP Header • SOM Weight vector was a length 200 vector representing various types of destination port number sequences (after training)

  20. SOM Details • Hybrid System: the SOM was a vector of length 3 and contains the values of the TCP destination port number, the TCP flag value, and the global flag error rate • The vector represents one connection record (not a time series of connections) • TCP flags: 6 bits (U,A,P,R,S,F) and 2^6=64 possible combinations and not all values are valid, i.e. never have an S and F set simultaneously

  21. Hybrid System Architecture Init. Train. Data Bayesian/SOM Classifier Test Data SOM Training Modified Data IDS Classification File (Test Results) Struct. Developer Struct. File Processed Data Bayesian Trainer

  22. Modified Data Example

  23. Host/Network/SOM Structure

  24. Host/Network/SOM Test Results • 65,505 Total Test Cases • 65,238 Correctly Classified • 99.59% Classification Accuracy

  25. Network/SOM Structure

  26. Network/SOM Test Results • 63,297 Total Cases • 62,871 Correctly Classified • 99.33% Classification Accuracy

  27. Attack Probabilities for a single flow

  28. IDS Output for 30,000 Flows

  29. Table of Results

  30. Future Work • Currently doing research in Network Security • NSF Funded project: • 3 GT Professors • 3 GT GRAs • 3 Year project

  31. Future Work • Currently Developing a “Honey Net” • Honey Net: A network consisting of computers and various networking gear that you “WANT” to be hacked!

  32. Future Work • Goal: Monitor hacker activities in order to build stronger defenses • Goal: Incorporate some of the Intelligent system concepts within the Honey Net to assist in processing the large volumes of data that will be collected (via network sniffers, traffic monitors, host-based software such as tripwire, libpcap programs, etc)

More Related