Slide 1: Hybrid Intelligent Systems for Detecting Network Anomalies. Lane Thames, ECE 8833 Intelligent Systems.
Slide 2: Outline
- Introduce preliminary information about computer attacks and computer networking
- Present the implementation details and test results
- Discuss my future work of incorporating intelligent systems into my network security research
Slide 3: Project Goals
- Develop a hybrid system that uses Bayesian learning in conjunction with the Self-Organizing Map (SOM)
- Analyze the performance of the various systems: Host-Network based features, Network-only based features, Host-Network-SOM based features, and Network-SOM based features
Slide 4: Data Sets
- UCI Knowledge Discovery in Databases (KDD): KDD Cup 1999 intrusion detection database
Slide 5: Tool Boxes
- BN Power Constructor
- NeticaJ, a Java-based Bayesian learning library
Slide 6: Common Types of Attacks: Buffer Overflow Attacks
- Redirects program control flow, which causes the computer to execute carefully injected malicious code
- Code can be crafted to elevate the privileges of a user by obtaining super-user privileges
Slide 7: Buffer Overflow (figure)
Slide 8: Buffer Overflow, Stack Image
- Overflow buf with *str so that the Return Address (RA) is overwritten
- If carefully designed, the RA is overwritten with the address of the injected code (contained in the *str input, i.e. shell code)
- Stack layout (figure): buf, SFP, Return Address, *str, Rest of Stack
Slide 9: Buffer Overflow
- After running the program we get the infamous Microsoft alert; in Linux you get "Segmentation Fault"
Slide 10: Buffer Overflow, Exception Info (figure)
Slide 11: Buffer Overflow, Stack Trace (figure)
Slide 12: Common Types of Attacks: Denial of Service (DoS)
- Exhaust a computer's resources: TCP SYN flooding attack
- Consume a computer's available networking bandwidth: ICMP Smurf attack
Slide 13: TCP SYN Flooding Attack (figure)
Slide 14: ICMP Smurf Attack (figure: Master, Slaves, Victim Subnet)
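The two DoS patterns on slides 12 to 14 leave distinctive traces in connection records, and those traces are exactly what the KDD-style features used later in this project capture: a SYN flood shows up as many half-open TCP connections (KDD flag S0, the basis of the serror_rate feature) to one destination, and a Smurf attack as a burst of ICMP echo replies (KDD service ecr_i) arriving at one victim from many sources. The following is an added example, not code from the presentation; the record layout (protocol, service, source, destination, flag), the IP addresses and the thresholds are all constructed for the illustration.

```python
from collections import Counter, defaultdict

# Constructed connection records: (protocol, service, src_ip, dst_ip, flag).
# Flags follow the KDD convention: S0 = SYN seen but the handshake never completed,
# SF = connection opened and closed normally.  Services likewise: ecr_i = ICMP echo reply.
RECORDS = (
    # 20 half-open connections from 20 different sources to one web server (SYN-flood pattern)
    [("tcp", "http", f"198.51.100.{i}", "10.0.0.5", "S0") for i in range(1, 21)]
    + [("tcp", "http", "203.0.113.4", "10.0.0.5", "SF")]
    # ordinary completed HTTPS connections to another host
    + [("tcp", "https", f"203.0.113.{i}", "10.0.0.9", "SF") for i in range(1, 11)]
    # echo replies from 30 distinct hosts to one victim (Smurf pattern: the victim never sent the echo requests)
    + [("icmp", "ecr_i", f"192.0.2.{i}", "10.0.0.7", "SF") for i in range(1, 31)]
    + [("icmp", "ecr_i", "192.0.2.1", "10.0.0.9", "SF")]
)


def serror_rate(records):
    """Per destination, the fraction of TCP connections whose flag is S0 (the KDD serror_rate idea)."""
    totals, errors = defaultdict(int), defaultdict(int)
    for proto, _service, _src, dst, flag in records:
        if proto != "tcp":
            continue
        totals[dst] += 1
        if flag == "S0":
            errors[dst] += 1
    return {dst: errors[dst] / totals[dst] for dst in totals}


def syn_flood_suspects(records, min_conns=10, min_rate=0.8):
    """Destinations with enough TCP connections and a high half-open ratio (constructed thresholds)."""
    counts = Counter(dst for proto, _s, _src, dst, _f in records if proto == "tcp")
    rates = serror_rate(records)
    return sorted(dst for dst, rate in rates.items()
                  if counts[dst] >= min_conns and rate >= min_rate)


def smurf_suspects(records, min_sources=10):
    """Destinations receiving ICMP echo replies from many distinct sources (constructed threshold)."""
    sources = defaultdict(set)
    for proto, service, src, dst, _flag in records:
        if proto == "icmp" and service == "ecr_i":
            sources[dst].add(src)
    return sorted(dst for dst, srcs in sources.items() if len(srcs) >= min_sources)


if __name__ == "__main__":
    print("serror_rate:", serror_rate(RECORDS))
    print("SYN-flood suspects:", syn_flood_suspects(RECORDS))
    print("Smurf suspects:", smurf_suspects(RECORDS))
```

Both heuristics work on per-destination aggregates rather than single packets, which is why the presentation's later classifier can use a handful of connection-level features (flag, service, error rate) instead of raw traffic.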
Slide 15: TCP/IP Layered Architecture
- Application Layer: HTTP, SMTP, FTP
- Transport Layer: TCP, UDP
- Network Layer: IP, ICMP, IGMP
- Link Layer: Ethernet, PPP
Slide 16: TCP/IP Encapsulation
- Link Header | Net. Header | Trans. Header | App Header | App Data | Link Trailer
Slide 17: TCP Header
- Src Port Addr | Dst Port Addr
- Sequence Number
- Acknowledgment Number
- HLEN | Resv | U | A | P | R | S | F | Window Size
- Checksum | Urgent Pointer
- Options and Padding
Slide 18: Implementation
- 2 types of Bayesian structures used:
- Network / Host / SOM based features
- Network / SOM based features
Slide 19: SOM Details
- Original SOM for project 1: time series of 200 connections to an isolated web server
- Extract port numbers from the TCP header
- SOM weight vector was a length-200 vector representing various types of destination port number sequences (after training)
Slide 20: SOM Details
- Hybrid system: the SOM input was a vector of length 3 containing the TCP destination port number, the TCP flag value, and the global flag error rate
- The vector represents one connection record (not a time series of connections)
- TCP flags: 6 bits (U, A, P, R, S, F), so 2^6 = 64 possible combinations, and not all values are valid, e.g. S and F are never set simultaneously
Slide 21: Hybrid System Architecture (figure)
- Init. Train. Data -> SOM Training -> Modified Data
- Struct. Developer -> Struct. File
- Processed Data -> Bayesian Trainer -> Bayesian/SOM Classifier
- Test Data -> Bayesian/SOM Classifier -> IDS Classification File (Test Results)
Slide 22: Modified Data Example

protocol  service  flag  srcB  dstB  cnt  SOMout  serrrate  rerrrate  typeAtck
tcp       http     SF    235   1337  8    0       0         0         normal
tcp       http     SF    219   1337  6    0       0         0         normal
icmp      ecr_i    SF    1032  0     511  1       0         0         smurf
icmp      ecr_i    SF    1032  0     511  1       0         0         smurf
tcp       private  S0    0     0     103  1       1         0         neptune
tcp       private  S0    0     0     112  1       1         0         neptune
Slide 23: Host/Network/SOM Structure (figure)
Slide 24: Host/Network/SOM Test Results
- 65,505 total test cases
- 65,238 correctly classified
- 99.59% classification accuracy
Slide 25: Network/SOM Structure (figure)
Slide 26: Network/SOM Test Results
- 63,297 total cases
- 62,871 correctly classified
- 99.33% classification accuracy
Slide 27: Attack Probabilities for a Single Flow (figure)
Slide 28: IDS Output for 30,000 Flows (figure)
Slide 29: Table of Results

                      H/N      H/N/S    N        N/S
Total Cases           65505    65505    62047    62047
Correctly Classified  65019    65328    59734    61631
% Accuracy            99.26%   99.59%   96.27%   99.33%
Slide 30: Future Work
- Currently doing research in network security
- NSF-funded project: 3 GT professors, 3 GT GRAs, 3-year project
Slide 31: Future Work
- Currently developing a "Honey Net"
- Honey Net: a network consisting of computers and various networking gear that you "WANT" to be hacked!
Slide 32: Future Work
- Goal: monitor hacker activities in order to build stronger defenses
- Goal: incorporate some of the intelligent system concepts within the Honey Net to assist in processing the large volumes of data that will be collected (via network sniffers, traffic monitors, host-based software such as Tripwire, libpcap programs, etc.)