Hybrid Intelligent Systems for Detecting Network Anomalies Lane Thames ECE 8833 Intelligent Systems.

Outline
- Introduce preliminary information about computer attacks and computer networking
- Present the implementation details and test results
- Discuss my future work of incorporating intelligent systems into my network security research

Project Goals
- Develop a hybrid system that uses Bayesian learning in conjunction with the Self-Organizing Map (SOM)
- Analyze the performance of the various systems: Host-Network based features, Network-only based features, Host-Network-SOM based features, and Network-SOM based features

Data Sets
- UCI Knowledge Discovery in Databases (KDD): KDD CUP 1999 Intrusion Detection database

Tool Boxes
- BN Power Constructor
- NeticaJ: Java based Bayesian learning library

Common Types of Attacks: Buffer Overflow Attacks
- Redirects program control flow, which causes the computer to execute carefully injected malicious code
- Code can be crafted to elevate the privileges of a user by obtaining super user privileges

Buffer Overflow

Buffer Overflow: Stack Image
- Overflow buf with *str so that the Return Address (RA) is overwritten
- If carefully designed, the RA is overwritten with the address of the injected code (contained in the *str input: shell code)
[Figure: stack layout, from low to high address: buf | SFP | Return Address | *str | Rest of Stack]

Buffer Overflow: after running the program we get the infamous Microsoft alert; in Linux you get "Segmentation Fault".

Buffer Overflow: Exception Info [screenshot not reproduced]

Buffer Overflow: Stack Trace [screenshot not reproduced]

Common Types of Attacks: Denial of Service (DoS)
- Exhaust a computer's resources: TCP SYN flooding attack
- Consume a computer's available networking bandwidth: ICMP Smurf attack

TCP SYN Flooding Attack [diagram not reproduced]

ICMP Smurf Attack [diagram: Master -> Slaves -> Subnet -> Victim]

TCP/IP Layered Architecture
- Application Layer: HTTP, SMTP, FTP
- Transport Layer: TCP, UDP
- Network Layer: IP, ICMP, IGMP
- Link Layer: Ethernet, PPP

TCP/IP Encapsulation (frame layout, left to right):
Link Header | Net. Header | Trans. Header | App Header | App Data | Link Trailer

TCP Header (each row is one 32-bit word):
SRC Port Addr                          | Dst Port Addr
Sequence Number
Acknowledgment Number
HLEN | Resv | U|A|P|R|S|F              | Window Size
Checksum                               | Urgent Pointer
Options and Padding

Implementation: 2 types of Bayesian structures used
- Network / Host / SOM based features
- Network / SOM based features

SOM Details: original SOM for project 1
- Time series of 200 connections to an isolated web server
- Extract port numbers from the TCP header
- The SOM weight vector was a length-200 vector representing various types of destination port number sequences (after training)

SOM Details: hybrid system
- The SOM input was a vector of length 3 containing the TCP destination port number, the TCP flag value, and the global flag error rate
- The vector represents one connection record (not a time series of connections)
- TCP flags: 6 bits (U, A, P, R, S, F), so 2^6 = 64 possible combinations, but not all values are valid, e.g. S and F are never set simultaneously
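As an added example (not code from the presentation), the following decodes the 20-byte TCP header laid out above, checks the 6-bit flag field for combinations that never occur in a legitimate exchange, and builds the length-3 SOM input vector described on this slide. SYN+FIN is the slide's example of an invalid combination; treating SYN+RST and an all-zero flag field as invalid is an assumption added here, and the sample segments are constructed.

```python
import struct

# Bit positions of the six flags in the TCP header (U, A, P, R, S, F), as on the slide.
FLAG_BITS = {"U": 0x20, "A": 0x10, "P": 0x08, "R": 0x04, "S": 0x02, "F": 0x01}

# Flag combinations treated as invalid. SYN+FIN comes from the slide; SYN+RST is an
# added assumption. A flag field with no bits set is also rejected in flags_valid().
INVALID_COMBOS = ({"S", "F"}, {"S", "R"})


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header (network byte order) into its fields."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "hlen": (off_flags >> 12) * 4,   # data offset, converted to bytes
            "flags": off_flags & 0x3F,        # low 6 bits: U A P R S F
            "window": win, "checksum": csum, "urgent": urg}


def flag_names(flags: int) -> set:
    return {name for name, bit in FLAG_BITS.items() if flags & bit}


def flags_valid(flags: int) -> bool:
    """False for an empty flag field or any combination listed in INVALID_COMBOS."""
    names = flag_names(flags)
    return bool(names) and not any(bad <= names for bad in INVALID_COMBOS)


def som_input_vectors(segments) -> list:
    """One [destination port, raw flag value, global flag error rate] vector per segment.
    The error rate is the share of segments in the batch whose flags are invalid."""
    headers = [parse_tcp_header(s) for s in segments]
    errors = sum(1 for h in headers if not flags_valid(h["flags"]))
    rate = errors / len(headers) if headers else 0.0
    return [[h["dst_port"], h["flags"], rate] for h in headers]


def make_segment(src_port: int, dst_port: int, flags: int) -> bytes:
    """Constructed sample: a bare 20-byte TCP header (data offset 5) with the given flags."""
    return struct.pack("!HHIIHHHH", src_port, dst_port, 1000, 0,
                       (5 << 12) | flags, 65535, 0, 0)


# Constructed batch: a normal SYN, an ACK, and a segment with SYN and FIN set at once.
SAMPLE = [make_segment(43210, 80, FLAG_BITS["S"]),
          make_segment(43211, 80, FLAG_BITS["A"]),
          make_segment(43212, 80, FLAG_BITS["S"] | FLAG_BITS["F"])]

if __name__ == "__main__":
    for vec in som_input_vectors(SAMPLE):
        print(vec)
```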

Hybrid System Architecture (data flow):
Init. Train. Data -> SOM Training -> Modified Data
Modified Data -> Struct. Developer -> Struct. File
Struct. File + Processed Data -> Bayesian Trainer -> Bayesian/SOM Classifier
Test Data -> Bayesian/SOM Classifier -> IDS Classification File (Test Results)

Modified Data Example (numeric columns not legible in the transcript are left blank):
protocol | service | flag | srcB | dstB | cnt | SOMout | serrrate | rerrrate | typeAtck
tcp      | http    | SF   |      |      |     |        |          |          | normal
tcp      | http    | SF   |      |      |     |        |          |          | normal
icmp     | ecr_i   | SF   |      |      |     |        |          |          | smurf
icmp     | ecr_i   | SF   |      |      |     |        |          |          | smurf
tcp      | private | S    |      |      |     |        |          |          | neptune
tcp      | private | S    |      |      |     |        |          |          | neptune
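As an added example (not the project's code), a categorical naive Bayes classifier stands in for the learned Bayesian network and is trained on records in the layout of the table above. The training rows and the SOM output values (assumed to be the index of the winning SOM neuron) are constructed here; the real project used BN Power Constructor and NeticaJ on the KDD CUP 1999 data.

```python
from collections import Counter, defaultdict
from math import log

# Constructed training records: (protocol, service, flag, SOM output, attack type).
# SOM output values are assumed winning-neuron indexes, not values from the slide.
TRAIN = [
    ("tcp", "http", "SF", 0, "normal"),
    ("tcp", "http", "SF", 0, "normal"),
    ("tcp", "http", "SF", 1, "normal"),
    ("icmp", "ecr_i", "SF", 2, "smurf"),
    ("icmp", "ecr_i", "SF", 2, "smurf"),
    ("tcp", "private", "S", 3, "neptune"),
    ("tcp", "private", "S", 3, "neptune"),
]


class NaiveBayesIDS:
    """Categorical naive Bayes with Laplace smoothing; one conditional table per feature."""

    def __init__(self, alpha: float = 1.0):
        self.alpha = alpha
        self.class_counts = Counter()                 # label -> number of records
        self.feature_counts = defaultdict(Counter)    # (feature index, label) -> value counts
        self.values = defaultdict(set)                # feature index -> distinct values seen

    def fit(self, records):
        for *feats, label in records:
            self.class_counts[label] += 1
            for i, v in enumerate(feats):
                self.feature_counts[(i, label)][v] += 1
                self.values[i].add(v)
        return self

    def log_posteriors(self, feats) -> dict:
        """Unnormalised log P(label | feats) for every label seen in training."""
        total = sum(self.class_counts.values())
        out = {}
        for label, n in self.class_counts.items():
            lp = log(n / total)
            for i, v in enumerate(feats):
                k = len(self.values[i]) + 1   # +1 keeps probability mass for unseen values
                lp += log((self.feature_counts[(i, label)][v] + self.alpha) / (n + self.alpha * k))
            out[label] = lp
        return out

    def classify(self, feats) -> str:
        return max(self.log_posteriors(feats).items(), key=lambda kv: kv[1])[0]


MODEL = NaiveBayesIDS().fit(TRAIN)
```

A record such as ("tcp", "private", "S", 3) is classified by calling MODEL.classify on it; the SOM output acts as just another discrete feature in the Bayesian stage.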

Host/Network/SOM Structure [Bayesian network diagram not reproduced]

Host/Network/SOM Test Results
- 65,505 total test cases
- 65,238 correctly classified
- 99.59% classification accuracy

Network/SOM Structure [Bayesian network diagram not reproduced]

Network/SOM Test Results
- 63,297 total cases
- 62,871 correctly classified
- 99.33% classification accuracy

Attack Probabilities for a Single Flow [chart not reproduced]

IDS Output for 30,000 Flows [chart not reproduced]

Table of Results (H = host features, N = network features, S = SOM features; case counts for H/N and N are not legible in the transcript)
                     | H/N     | H/N/S   | N       | N/S
Total Cases          |         | 65,505  |         | 63,297
Correctly Classified |         | 65,238  |         | 62,871
% Accuracy           | 99.26%  | 99.59%  | 96.27%  | 99.33%

Future Work: currently doing research in network security
- NSF funded project
- 3 GT professors
- 3 GT GRAs
- 3 year project

Future Work: currently developing a "Honey Net". A Honey Net is a network consisting of computers and various networking gear that you WANT to be hacked.

Future Work
- Goal: monitor hacker activities in order to build stronger defenses
- Goal: incorporate some of the intelligent system concepts within the Honey Net to assist in processing the large volumes of data that will be collected (via network sniffers, traffic monitors, host-based software such as Tripwire, libpcap programs, etc.)