Saturday, March 31, 2018

DAY 2

In my previous post i discussed how i used wireshark to sniff traffic between a server client model running on my machine. I raised questioned about not having much idea as to what features of the network traffic should i consider to train my neural network. After researching about it on the internet i came across an amazing research article (https://link.springer.com/article/10.1007/s10994-014-5473-9#Tab6) where the authors have explained which features are used by existing IDS systems, has described each of the feature and also pointed out that not using a subset of the features can save up resources and time take for detection and at the same time not degrade the performance of the detector.

The article has listed 41 features, some of them are basic which can be retrieved by simply looking at the packet headers, some are complex which require examining the packet contents and some are statistical for example past connections to the same ip address and port.

The purpose of the article was to built an anomaly based detection tool using machine learning and the features listed out can be used to build an IDS to detect multiple types of attack. At this stage of the project, where i am trying to detect UDP flood attack the number of features that i think i will use is quite small. For example features such as flags that tells us about the status of connection is used for TCP connections and hence will not be used at this stage. The features that require examination of packet content such as looking for number of failed logins , root access, program execution will also be excluded as in my opinion attackers performing DOS attacks aren't aiming to gain access to the system (in some cases DOS attacks are used as a distraction and the attackers are able to gain access to the system).

The article also mentions about two protocols that can be used to get the flow information such as netflow (introduced by cisco) and IPFIX. Python has a netflow library that can be used and hence I might go ahead with it but this is something i have to still research about.

My next task is to research more about network traffic features and look into how exactly can I use network analyzers and sniffers to get information about the network flow.


Tuesday, March 27, 2018

DAY 1



For past few days I have been researching about detection of DOS attacks using artificial intelligent tools. From what i have understood after hours of research is that current detection tools use something called signature based or anomaly based detection techniques. If you are familiar about how a firewall works , these techniques are similar to the techniques used in a firewall or an antivirus.
In signature based detection , the software has something like a rule book or a signature log that has the signatures of different kind of attacks. This could include the packet contents , the rate at which the packets are received, the source ip address etc. So all the traffic coming into the network is matched against the rule book to check for attacks.
Anomaly based techniques works similar to the neural networks ( as per my opinion ), it detects when the behavior of the traffic is unusual or is deviated from the usual flow of the traffic.
Both these detection methods has its own pros and cons. For signature based , the new attacks (not recorded in the rule book) might not be detected and for anomaly based, attackers can make sure to mask the traffic to avoid detection.

I am a computer science student majoring in cyber security and i don't have much idea artificial intelligence. I do have theoretical knowledge about the way neural network works due to a course that i am enrolled in on udemy but i don't have practical knowledge. As on the security side, it is the same but it's something i have been learning about for the past 4 years and i am really interested in it. So my aim for this project and subsequent projects is to improve my skills in cyber security and experiment to make it better by using artificially intelligent tools.

DOS detection using neural networks is a topic that has been researched about previously by various people. My goal is to make a small working model of this tool. Hence on Day 1, my first task was to collect data to train my neural network.

As per my research there are different types of DOS attacks such UDP flood, TCP SYN and ping of death. The first step of my project is to build a neural network that can detect UDP flood for my server-client model.

For the above reason i programmed a small python code that can act as a server and receive UDP requests from clients.

The following is the simple code for server and client.



The way I was planning to go about this was to run this server on my mac and run kali on virtual machine. The Kali virtual machine(attacker) will attack the server by flooding it on port 6789 and then try to connect to the server using a client and check if the attack was successful and also collect the traffic data using wireshark on my mac(server). When I tried to do this , wireshark was not able to sniff the traffic going from the virtual guest to the host. After looking up the problem on google, i realized this was due to the way networking was handles on an OS level and not on the hardware level. To solve the issue I tried to run wireshark on kali and voila!! I was able to sniff the traffic between server and client . Now it was time to flood the server with UDP requests using hping3 tool in KALI


Before attack 


After attack

As you can see above the source ip addresses is randomized and all the flood is targeted towards port number 6789. Doing this slowed down my laptop and this was the first time that I was happy about it because this was a sign of a successful attack. 

My next task will be to collect this data and at the same time collect genuine data coming from genuine clients. The data i will collect here will definitely not be suitable for a neural network training because of various reasons such as the neural network will simply train itself to differentiate the ip addresses (as my server and client both are on the same network while the attack is coming from random ip addresses). 

There are more problems related to data because the way I am executing my server and client and this is something i will have to think about. But for now this is just a learning step. My final plan is to develop tool to which individuals and businesses can add their own data set and the program is automated to train the neural network and detect attacks. For now this is a project through which i want to learn about dos attacks, networking protocols, packet sniffing, artificial intelligence etc.