Hybrid Intelligent Systems for Detecting Network Anomalies

Lane Thames, ECE 8833 Intelligent Systems

Post on 18-Jan-2016



Outline

Introduce preliminary information about computer attacks and computer networking

Present the implementation details and test results

Discuss my future work of incorporating intelligent systems into my network security research

Project Goals

Develop a hybrid system that uses Bayesian learning in conjunction with the Self-Organizing Map (SOM)

Analyze the performance of the various systems: Host-Network based features, Network only based features, Host-Network-SOM based features, and Network-SOM based features

Data Sets

UCI Knowledge Discovery in Databases (KDD)

KDD CUP 1999 for Intrusion Detection Database

Tool Boxes

BN Power Constructor

NeticaJ: Java based Bayesian learning library

Common Types of Attacks

Buffer Overflow Attacks: redirect program control flow, which causes the computer to execute carefully injected malicious code

Code can be crafted to elevate the privileges of a user by obtaining super user privileges

Buffer Overflow

Buffer Overflow - Stack Image (figure: buf | SFP | Return Address | *str | Rest of Stack)

Overflow buf with *str so that the Return Address (RA) is overwritten

If carefully designed, the RA is overwritten with the address of the injected code (contained in the *str input: shell code)

Buffer Overflow

After running the program we get the infamous Microsoft alert

In Linux you get “Segmentation Fault”

Buffer Overflow—Exception Info (screenshot)

Buffer Overflow—Stack Trace (screenshot)

Common Types of Attacks

Denial of Service (DoS)

Exhaust a computer’s resources: TCP SYN flooding attack

Consume a computer’s available networking bandwidth: ICMP Smurf attack

TCP SYN Flooding Attack (diagram)

ICMP Smurf Attack (diagram: Master, Subnet Slaves, Victim)

TCP/IP Layered Architecture

Application Layer: (HTTP, SMTP, FTP)

Transport Layer: (TCP, UDP)

Network Layer: (IP, ICMP, IGMP)

Link Layer: (Ethernet, PPP)

TCP/IP Encapsulation

Link Header | Net. Header | Trans. Header | App Header | App Data | Link Trailer

TCP Header (figure, fields in header order)

SRC Port Addr | Dst Port Addr

Sequence Number

Acknowledgment Number

HLEN | Resv | U|A|P|R|S|F | Window Size

Checksum | Urgent Pointer

Options and Padding
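The header layout above is what the SOM stage later reads its destination port and flag value from. As an added example (not code from the deck, which used Java tooling; written in Python here), the following parses the fixed 20-byte header from raw bytes and verifies the checksum over the IPv4 pseudo-header, so that a malformed or corrupted segment is rejected before its fields are used as features. The sample segment, the RFC 5737 documentation addresses and every function name are my own constructions.

```python
import struct

# Bit values of the six TCP flag bits in the header word, in the deck's order: U A P R S F.
FLAG_BITS = {"U": 0x20, "A": 0x10, "P": 0x08, "R": 0x04, "S": 0x02, "F": 0x01}

# Constructed endpoints from the RFC 5737 documentation range (not real hosts).
SRC_IP = bytes([192, 0, 2, 10])
DST_IP = bytes([192, 0, 2, 80])

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry, as the TCP checksum requires."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd length with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, zero, protocol 6, length) plus the segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF

def checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """A segment whose checksum field is correct sums to all ones, so the complement is zero."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0

def parse_tcp_header(segment: bytes) -> dict:
    """Split the fixed 20-byte TCP header into the fields drawn on the slide."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum TCP header")
    (src_port, dst_port, seq, ack, off_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    hlen = (off_flags >> 12) * 4              # HLEN counts 32-bit words
    flags = off_flags & 0x3F                  # low six bits: U A P R S F
    if hlen < 20 or hlen > len(segment):
        raise ValueError("bad header length %d" % hlen)
    return {
        "src_port": src_port, "dst_port": dst_port,
        "seq": seq, "ack": ack, "hlen": hlen,
        "flags": flags,
        "flag_names": [n for n, bit in FLAG_BITS.items() if flags & bit],
        "window": window, "checksum": checksum, "urgent": urgent,
        "options": segment[20:hlen],
    }

def build_segment(src_port, dst_port, seq, ack, flags, window, payload=b""):
    """Constructed sample input: a header with no options and a correct checksum."""
    hdr = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                      (5 << 12) | flags, window, 0, 0)
    csum = tcp_checksum(SRC_IP, DST_IP, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def extract_som_features(segment: bytes):
    """The two header-derived values the deck feeds to the SOM: destination port and flag value."""
    hdr = parse_tcp_header(segment)
    return hdr["dst_port"], hdr["flags"]

if __name__ == "__main__":
    seg = build_segment(40000, 80, 1000, 0, FLAG_BITS["S"], 65535)
    print(parse_tcp_header(seg))
    print("checksum ok:", checksum_ok(SRC_IP, DST_IP, seg))
```

The checksum check matters for a feature extractor: a sensor that silently accepts segments whose header bytes are corrupted will feed garbage port and flag values into the classifier.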

Implementation

2 types of Bayesian structures used:

Network / Host / SOM based features

Network / SOM based features

SOM Details

Original SOM for project 1: time series of 200 connections to an isolated web server

Extract port numbers from TCP header

SOM weight vector was a length 200 vector representing various types of destination port number sequences (after training)

SOM Details

Hybrid system: the SOM input was a vector of length 3 containing the values of the TCP destination port number, the TCP flag value, and the global flag error rate

The vector represents one connection record (not a time series of connections)

TCP flags: 6 bits (U, A, P, R, S, F), so 2^6 = 64 possible combinations, and not all values are valid, e.g. S and F are never set simultaneously

Hybrid System Architecture (diagram; components in the order they appear): Init. Train. Data, SOM Training, Modified Data, Struct. Developer, Struct. File, Processed Data, Bayesian Trainer, Bayesian/SOM Classifier, Test Data, IDS Classification File (Test Results)

Modified Data Example

protocol service flag srcB dstB cnt SOMout serrrate rerrrate typeAtck
tcp      http    SF   235  1337 8   0      0        0        normal.
tcp      http    SF   219  1337 6   0      0        0        normal.
icmp     ecr_i   SF   1032 0    511 1      0        0        smurf.
icmp     ecr_i   SF   1032 0    511 1      0        0        smurf.
tcp      private S0   0    0    103 1      1        0        neptune.
tcp      private S0   0    0    112 1      1        0        neptune.
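As an added example (not the deck's NeticaJ / BN Power Constructor pipeline), the following parses records in the Modified Data format above and trains a plain categorical naive Bayes classifier on the six rows shown, rather than the learned Bayesian network structure the deck used. It reports total cases, correctly classified and accuracy in the form of the results slides, and returns a per-flow posterior over attack types, the kind of distribution the later "Attack Probabilities for a single flow" slide plots. The held-out rows, the order-of-magnitude bucketing of the count fields and all function names are my assumptions.

```python
import math
from collections import Counter, defaultdict

COLUMNS = ["protocol", "service", "flag", "srcB", "dstB", "cnt",
           "SOMout", "serrrate", "rerrrate", "typeAtck"]
COUNT_FIELDS = {"srcB", "dstB", "cnt"}          # byte and connection counts, bucketed below

# The six records from the deck's Modified Data Example, used here as a toy training set.
TRAIN_RECORDS = """\
tcp http SF 235 1337 8 0 0 0 normal.
tcp http SF 219 1337 6 0 0 0 normal.
icmp ecr_i SF 1032 0 511 1 0 0 smurf.
icmp ecr_i SF 1032 0 511 1 0 0 smurf.
tcp private S0 0 0 103 1 1 0 neptune.
tcp private S0 0 0 112 1 1 0 neptune.
"""

# Constructed held-out records in the same format (not from the deck or from KDD).
TEST_RECORDS = """\
tcp http SF 200 1500 5 0 0 0 normal.
icmp ecr_i SF 1032 0 500 1 0 0 smurf.
tcp private S0 0 0 99 1 1 0 neptune.
"""

def parse_records(text):
    """Split whitespace-separated records into dicts keyed by COLUMNS."""
    rows = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) != len(COLUMNS):
            raise ValueError("malformed record: %r" % line)
        rec = dict(zip(COLUMNS, fields))
        rec["typeAtck"] = rec["typeAtck"].rstrip(".")   # KDD labels carry a trailing dot
        rows.append(rec)
    return rows

def bucket(value):
    """Order-of-magnitude bucket so that a count field becomes a discrete symbol."""
    n = int(float(value))
    return "0" if n == 0 else "1e%d" % (len(str(n)) - 1)

def featurize(rec):
    return {c: (bucket(rec[c]) if c in COUNT_FIELDS else rec[c]) for c in COLUMNS[:-1]}

class NaiveBayesIDS:
    """Categorical naive Bayes with add-one smoothing over the featurized record."""
    def __init__(self, rows):
        self.n = len(rows)
        self.class_counts = Counter(r["typeAtck"] for r in rows)
        self.feat_counts = defaultdict(Counter)   # (class, feature) -> Counter of values
        self.values = defaultdict(set)            # feature -> values seen in training
        for r in rows:
            for name, v in featurize(r).items():
                self.feat_counts[(r["typeAtck"], name)][v] += 1
                self.values[name].add(v)

    def posteriors(self, rec):
        """P(attack type | record), normalised over the classes seen in training."""
        feats = featurize(rec)
        logp = {}
        for c, cc in self.class_counts.items():
            lp = math.log(cc / self.n)
            for name, v in feats.items():
                count = self.feat_counts[(c, name)][v]
                lp += math.log((count + 1) / (cc + len(self.values[name])))
            logp[c] = lp
        m = max(logp.values())                     # subtract the max before exp for stability
        z = sum(math.exp(v - m) for v in logp.values())
        return {c: math.exp(v - m) / z for c, v in logp.items()}

    def classify(self, rec):
        post = self.posteriors(rec)
        return max(post, key=post.get)

def evaluate(model, rows):
    """Total cases, correctly classified and accuracy, as in the deck's results slides."""
    correct = sum(model.classify(r) == r["typeAtck"] for r in rows)
    return correct, len(rows), correct / len(rows)

def run():
    """Train on the deck's rows, score the constructed held-out rows."""
    model = NaiveBayesIDS(parse_records(TRAIN_RECORDS))
    return model, evaluate(model, parse_records(TEST_RECORDS))

if __name__ == "__main__":
    model, (correct, total, acc) = run()
    print("%d of %d correct (%.2f%%)" % (correct, total, 100 * acc))
    for r in parse_records(TEST_RECORDS):
        print(r["typeAtck"], model.posteriors(r))
```

The unseen cnt bucket in the third held-out row shows why the smoothing is there: without add-one counts a single value never observed for a class would zero out that class's probability, whatever the other eight features say.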

Host/Network/SOM Structure (diagram)

Host/Network/SOM Test Results

65,505 total test cases

65,238 correctly classified

99.59% classification accuracy

Network/SOM Structure (diagram)

Network/SOM Test Results

63,297 total cases

62,871 correctly classified

99.33% classification accuracy

Attack Probabilities for a single flow (figure): Probabilities of Various Attacks (Hybrid-Net Only) for Normal Flow; x axis: Attack Types (Enumerated), 0 to 18; y axis: Prob(attackType), log scale from 1.00E-12 to 1.00E+01

IDS Output for 30,000 Flows (figure): IDS (Net only) Output, 95/5; x axis: Time Epoch, 0 to 35000; y axis: Output, 0 to 2.5

Table of Results

                      H/N      H/N/S    N        N/S
Total Cases           65505    65505    62047    62047
Correctly Classified  65019    65328    59734    61631
% Accuracy            99.26%   99.59%   96.27%   99.33%

Future Work

Currently doing research in network security

NSF funded project: 3 GT professors, 3 GT GRAs, 3 year project

Future Work

Currently developing a “Honey Net”

Honey Net: a network consisting of computers and various networking gear that you “WANT” to be hacked!

Future Work

Goal: monitor hacker activities in order to build stronger defenses

Goal: incorporate some of the intelligent system concepts within the Honey Net to assist in processing the large volumes of data that will be collected (via network sniffers, traffic monitors, host-based software such as tripwire, libpcap programs, etc.)
