Who am I? Brian E. Lavender Computer Science Legislative Data Center (Work)

Custom rules to identify attacks SNORT Experience

Statistical Packet Anomaly Detection Engine SNORT Plugin. Disappeared!!!

MS Project – What to do? Network Security Artificial Inteligence

Nprobe (Luca Deri) Genetic Algorithm Paper (Ren Hui Gong) NetGA Integration and further development (Me!)

How the Genetic Algorithm Works! Training Data

Training Data

DARPA Training Data Source

Make Rules that Match only attacks (Orange)! Training Data

Individual Chromosome

Individual Evolution

Individual Elitism New Popluation Old Popluation Clone Two best of each attack Type

Individual Crossover. Making Children

Individual Mutation Only happens on rare occasions

00,-1,-1 exec guess Fitness ,-1,02 ftp guess Fitness ,-1,-1 exec guess Fitness ,-1,02 ftp guess Fitness ,01,42 ftp rcp Fitness ,01,23 rlogin rcp Fitness ,01,57 smtp port-scan fitness Individuals Start!

00,00,14 rlogin rsh fitness is ,00,14 rlogin rsh fitness is ,00,04 rlogin port-scan fitness is ,-1,23 telnet guess fitness is ,-1, port-scan fitness is ,-1, port-scan fitness is ,-1,23 telnet guess fitness is Individuals Finish!

NetGA Plugin matches connection pool In nProbe. nProbe Layout

nProbe code Development and Testing Dummy Interface # modprobe dummy0 # ifconfig dummy TCP Replay # tcpreplay -i dummy0 sample_data01.tcpdump Run nProbe # nprobe -i dummy0 –netGA=

NetGA Isaac Newton