Who am I?
- Brian E. Lavender
- Computer Science
- Legislative Data Center (work)

SNORT Experience
- Custom rules to identify attacks
- Statistical Packet Anomaly Detection Engine (SPADE) SNORT plugin. Disappeared!!!

MS Project – What to do?
- Network Security
- Artificial Intelligence

- nProbe (Luca Deri)
- Genetic Algorithm paper (Ren Hui Gong)
- NetGA: integration and further development (me!)
How the Genetic Algorithm Works!

Training Data
- DARPA training data source
- Make rules that match only attacks (orange)!

Individual: Chromosome

Individual: Evolution

Individual: Elitism
- Clone the two best of each attack type from the old population into the new population

Individual: Crossover
- Making children

Individual: Mutation
- Only happens on rare occasions
Individuals: Start!
- 00,-1,-1 exec guess Fitness
- ,-1,02 ftp guess Fitness
- ,-1,-1 exec guess Fitness
- ,-1,02 ftp guess Fitness
- ,01,42 ftp rcp Fitness
- ,01,23 rlogin rcp Fitness
- ,01,57 smtp port-scan fitness

Individuals: Finish!
- 00,00,14 rlogin rsh fitness is
- ,00,14 rlogin rsh fitness is
- ,00,04 rlogin port-scan fitness is
- ,-1,23 telnet guess fitness is
- ,-1, port-scan fitness is
- ,-1, port-scan fitness is
- ,-1,23 telnet guess fitness is
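The slides above (chromosome, evolution, elitism, crossover, mutation, and the start/finish populations) describe one generation loop. The following is an added, runnable toy version of that loop written for this page; it is not the NetGA or nProbe code. Everything specific in it is an assumption made for the example: the chromosome layout (three integer fields where -1 is a wildcard, plus a service name and a target attack type), the fitness formula (matched attacks of the targeted type minus twice any other match, so that rules which also match normal traffic score badly), the constructed training records that stand in for DARPA data, and the population and generation sizes.

```python
"""Toy genetic algorithm in the spirit of the NetGA slides (added example).

Evolves rules that match only attack connections in labelled training data:
score everyone, clone the two best of each attack type (elitism), fill the
rest of the population by crossover, and mutate only rarely.
"""
import random

# Constructed training records standing in for labelled DARPA connections:
# (field0, field1, field2, service, label); label is an attack type or "normal".
# The three integer fields are placeholders for connection attributes.
TRAINING = [
    (0, 1, 23, "telnet", "guess"),
    (0, 1, 23, "telnet", "guess"),
    (0, 0, 23, "telnet", "normal"),
    (1, 1, 2, "ftp", "guess"),
    (1, 0, 2, "ftp", "normal"),
    (0, 1, 42, "ftp", "rcp"),
    (0, 0, 42, "ftp", "normal"),
    (0, 0, 14, "rlogin", "rsh"),
    (0, 0, 4, "rlogin", "port-scan"),
    (1, 0, 57, "smtp", "port-scan"),
    (1, 0, 57, "smtp", "normal"),
]
ATTACK_TYPES = sorted({r[4] for r in TRAINING if r[4] != "normal"})
SERVICES = sorted({r[3] for r in TRAINING})
# Candidate field values come from the training data (a simplification).
FIELD_VALUES = [sorted({r[i] for r in TRAINING}) for i in range(3)]
WILDCARD = -1   # a -1 chromosome field matches any value
FP_PENALTY = 2  # matching normal traffic (or another attack) costs twice a hit


class Individual:
    """One rule: three chromosome fields plus the service and attack it targets."""

    def __init__(self, fields, service, attack, fitness=None):
        self.fields = tuple(fields)
        self.service = service
        self.attack = attack
        self.fitness = fitness

    def matches(self, record):
        """Service must agree and every non-wildcard field must equal the record's."""
        if record[3] != self.service:
            return False
        return all(g == WILDCARD or g == v for g, v in zip(self.fields, record[:3]))

    def describe(self):
        """Render like the slides: fields, service, attack, fitness."""
        return "%s %s %s fitness %s" % (",".join(map(str, self.fields)),
                                        self.service, self.attack, self.fitness)


def fitness(ind, records):
    """Reward matches of the targeted attack; penalise every other match."""
    hits = misses = 0
    for rec in records:
        if ind.matches(rec):
            if rec[4] == ind.attack:
                hits += 1
            else:
                misses += 1
    return hits - FP_PENALTY * misses


def random_individual(rng):
    fields = [WILDCARD if rng.random() < 0.5 else rng.choice(v) for v in FIELD_VALUES]
    return Individual(fields, rng.choice(SERVICES), rng.choice(ATTACK_TYPES))


def crossover(a, b, rng):
    """One-point crossover on the fields; the child keeps parent a's service and attack."""
    point = rng.randint(1, len(a.fields) - 1)
    return Individual(a.fields[:point] + b.fields[point:], a.service, a.attack)


def mutate(ind, rng, rate):
    """Rarely replace a field with a wildcard or a fresh candidate value."""
    fields = list(ind.fields)
    for i, vals in enumerate(FIELD_VALUES):
        if rng.random() < rate:
            fields[i] = WILDCARD if rng.random() < 0.5 else rng.choice(vals)
    return Individual(fields, ind.service, ind.attack)


def tournament(pop, rng, k=3):
    return max(rng.sample(pop, min(k, len(pop))), key=lambda i: i.fitness)


def evolve(pop, records, rng=None, mutation_rate=0.02):
    """One generation: score, clone the two best per attack type, breed the rest."""
    rng = random.Random(0) if rng is None else rng
    for ind in pop:
        ind.fitness = fitness(ind, records)
    new_pop = []
    for attack in ATTACK_TYPES:  # elitism: clones carry their score across
        ranked = sorted((i for i in pop if i.attack == attack),
                        key=lambda i: i.fitness, reverse=True)
        new_pop.extend(Individual(i.fields, i.service, i.attack, i.fitness) for i in ranked[:2])
    while len(new_pop) < len(pop):  # crossover then rare mutation
        child = crossover(tournament(pop, rng), tournament(pop, rng), rng)
        new_pop.append(mutate(child, rng, mutation_rate))
    return new_pop


def run(generations=50, population_size=40, seed=1):
    """Evolve and return the best rule found for each attack type."""
    rng = random.Random(seed)
    pop = [random_individual(rng) for _ in range(population_size)]
    for _ in range(generations):
        pop = evolve(pop, TRAINING, rng)
    best = {}
    for ind in pop:
        ind.fitness = fitness(ind, TRAINING)
        if ind.attack not in best or ind.fitness > best[ind.attack].fitness:
            best[ind.attack] = ind
    return best


if __name__ == "__main__":
    for _, ind in sorted(run().items()):
        print(ind.describe())
```

The penalty on non-attack matches is what pushes the population toward rules that "match only attacks": an all-wildcard telnet rule scores 0 here because it also matches the normal telnet record, while a rule that keys on field1 scores 2. Elitism guarantees the best rule seen for each attack type is never lost between generations.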
nProbe Layout
- The NetGA plugin matches against the connection pool in nProbe

nProbe Code Development and Testing
- Dummy interface (the module is named dummy; it creates dummy0):
    # modprobe dummy
    # ifconfig dummy0 up
- TCP replay of a capture onto the dummy interface:
    # tcpreplay -i dummy0 sample_data01.tcpdump
- Run nProbe with the plugin (the option value is not shown on the slide):
    # nprobe -i dummy0 --netGA=
NetGA Isaac Newton