Tuesday, March 27, 2018

DAY 1
For the past few days I have been researching the detection of DoS attacks using artificial intelligence tools. What I have understood after hours of research is that current detection tools use something called signature-based or anomaly-based detection techniques. If you are familiar with how a firewall works, these techniques are similar to those used in a firewall or an antivirus.
In signature-based detection, the software has something like a rule book: a set of signatures describing known attacks. A signature can cover packet contents, the rate at which packets arrive, the source IP address, and so on. All traffic entering the network is matched against the rule book to check for attacks.
Anomaly-based techniques work in a way similar to neural networks (in my opinion): the system learns what the usual flow of traffic looks like and raises an alert when the behaviour of the traffic is unusual or deviates from that baseline.
Both detection methods have their own pros and cons. Signature-based detection cannot catch new attacks that are not yet recorded in the rule book, and anomaly-based detection can be evaded by an attacker who shapes the traffic so that it stays close to the usual flow (and, because "unusual" is a statistical judgement, it also tends to produce false positives on legitimate but unfamiliar traffic).

I am a computer science student majoring in cyber security and I don't have much of an idea about artificial intelligence. I do have theoretical knowledge of the way a neural network works thanks to a course I am enrolled in on Udemy, but I don't have practical knowledge. On the security side it is the same, but it is something I have been learning about for the past 4 years and I am really interested in it. So my aim for this project and subsequent projects is to improve my skills in cyber security and experiment with making it better by using artificial intelligence tools.

DoS detection using neural networks is a topic that has been researched previously by various people. My goal is to make a small working model of this tool. Hence, on Day 1, my first task was to collect data to train my neural network.

As per my research there are different types of DoS attacks, such as UDP flood, TCP SYN flood and ping of death. The first step of my project is to build a neural network that can detect a UDP flood against my server-client model.

For the above reason I programmed a small Python program that acts as a server and receives UDP requests from clients.

The following is the simple code for the server and client.
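The author's own server and client listings are not reproduced on this page. The block below is an added example, not the post's code, showing what such a UDP echo server and client look like in Python. It assumes loopback (127.0.0.1) and, for local testing, lets the operating system pick a free port instead of fixing 6789; the `ack:` reply prefix is an arbitrary choice. The comments point out the UDP property that makes the later flood work: there is no handshake, so the server accepts any datagram that reaches the port, whatever source address it claims.

```python
import socket
import threading

PORT = 6789  # the port the post floods; run_exchange() below uses port 0 (ephemeral) for local tests


def make_server(host="127.0.0.1", port=PORT):
    """Bind a UDP socket. UDP has no handshake, so any datagram that arrives on
    this port is accepted, whatever source address it claims. That is exactly
    what lets hping3 --rand-source spoof a different source per packet."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock


def serve(sock, max_datagrams):
    """Echo up to max_datagrams datagrams back to their (claimed) sender.
    Returns the (addr, payload) pairs seen. For a spoofed flood the replies
    go to hosts that never asked, and this list is the raw material a detector
    would count packets and distinct sources from."""
    seen = []
    while len(seen) < max_datagrams:
        data, addr = sock.recvfrom(2048)
        seen.append((addr, data))
        sock.sendto(b"ack:" + data, addr)
    return seen


def client_request(payload, host, port, timeout=2.0):
    """Send one datagram and wait for the echo. The timeout matters: a client
    talking to a flooded server may simply never hear back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
        client.settimeout(timeout)
        client.sendto(payload, (host, port))
        reply, _ = client.recvfrom(2048)
    return reply


def run_exchange(payloads, host="127.0.0.1"):
    """Start the server on an ephemeral loopback port, send each payload from a
    fresh client socket, and return the replies in order."""
    server = make_server(host, port=0)
    port = server.getsockname()[1]
    worker = threading.Thread(target=serve, args=(server, len(payloads)), daemon=True)
    worker.start()
    replies = []
    try:
        for payload in payloads:
            replies.append(client_request(payload, host, port))
    finally:
        worker.join(timeout=2.0)
        server.close()
    return replies


if __name__ == "__main__":
    print(run_exchange([b"hello", b"ping"]))
```

To reproduce the post's setup, call `make_server("0.0.0.0", PORT)` and `serve(...)` on the host and point a client (or hping3) at the host's address and port 6789.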



The way I was planning to go about this was to run this server on my Mac and run Kali in a virtual machine. The Kali virtual machine (attacker) would attack the server by flooding it on port 6789, then try to connect to the server using a client to check whether the attack was successful, and I would also collect the traffic data using Wireshark on my Mac (server). When I tried to do this, Wireshark was not able to sniff the traffic going from the virtual guest to the host. After looking up the problem on Google, I realized this was due to the way networking is handled at the OS level and not at the hardware level. To solve the issue I tried running Wireshark on Kali and voilà! I was able to sniff the traffic between server and client. Now it was time to flood the server with UDP requests using the hping3 tool in Kali.


Before attack 


After attack

As you can see above, the source IP addresses are randomized and all the flood traffic is targeted at port number 6789. Doing this slowed down my laptop, and this was the first time I was happy about that, because it was a sign of a successful attack.

My next task will be to collect this data and, at the same time, collect genuine data coming from genuine clients. The data I collect here will definitely not be suitable for training a neural network, for various reasons: for example, the neural network would simply train itself to differentiate the IP addresses (as my server and client are both on the same network while the attack comes from random IP addresses).
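The two detection styles described earlier (a fixed rule versus a learned baseline) and the data problem raised in the previous paragraph can be made concrete with a small feature-extraction exercise. The block below is an added example, not code from the post. The traffic is constructed inline, not captured: one genuine client sending a few packets per second to port 6789, followed by a flood of 100 packets per second with a fresh spoofed source on every packet, the pattern hping3's random-source mode produces. The features deliberately count source addresses without keeping their values, and the last function shows the shortcut the post warns about: on this data a rule that merely checks whether the source is in the local subnet scores perfectly, which is why a model trained on raw addresses learns nothing about floods. The thresholds (50 packets per second, three standard deviations, a one-packet-per-second floor on the spread) are illustrative choices.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

TARGET_PORT = 6789  # the port the post's server listens on

# Constructed sample traffic, not a real capture. Each record is
# (timestamp_seconds, src_ip, dst_port, payload_len).
# Genuine client: one host, 2-4 packets per second for 10 seconds.
BENIGN_RATES = [2, 3, 2, 4, 3, 2, 3, 2, 4, 3]
BENIGN = [(w + k / n, "192.168.1.10", TARGET_PORT, 64)
          for w, n in enumerate(BENIGN_RATES) for k in range(n)]
# Flood: 100 packets per second for the next 10 seconds, every packet from a
# different spoofed source (integer arithmetic keeps window boundaries exact).
FLOOD = [(10 + i // 100 + (i % 100) / 100,
          f"10.{i % 251}.{(i // 251) % 256}.{i % 256}", TARGET_PORT, 0)
         for i in range(1000)]
CAPTURE = BENIGN + FLOOD


def window_features(packets, dst_port=TARGET_PORT, window=1.0):
    """Bucket packets aimed at dst_port into fixed windows and summarise each one.

    Source addresses are only counted, never kept as feature values, so a model
    trained on these features cannot memorise 'this IP is the good client'."""
    buckets = defaultdict(list)
    for ts, src, port, size in packets:
        if port == dst_port:
            buckets[int(ts // window)].append((src, size))
    features = []
    for idx in sorted(buckets):
        pkts = buckets[idx]
        distinct = len(Counter(src for src, _ in pkts))
        features.append({
            "window": idx,
            "pkts_per_s": len(pkts) / window,
            "distinct_src": distinct,
            "src_ratio": distinct / len(pkts),  # 1.0 when every packet has a fresh source
            "mean_len": mean(size for _, size in pkts),
        })
    return features


def signature_detect(features, rate_threshold):
    """Signature-style rule: flag windows whose packet rate exceeds a fixed threshold.
    Simple and cheap, but a flood kept just under the threshold is never seen."""
    return [f["window"] for f in features if f["pkts_per_s"] > rate_threshold]


def anomaly_detect(features, baseline_windows, key="pkts_per_s", k=3.0, min_sigma=1.0):
    """Anomaly-style rule: learn mean and spread of `key` from the first
    baseline_windows windows (assumed clean), then flag windows more than k
    standard deviations above the mean. min_sigma stops a perfectly steady
    baseline from turning every tiny wobble into an alert."""
    base = [f[key] for f in features[:baseline_windows]]
    mu, sigma = mean(base), max(pstdev(base), min_sigma)
    return [f["window"] for f in features if (f[key] - mu) / sigma > k]


def ip_shortcut_accuracy(benign, flood, trusted_prefix):
    """The shortcut the post warns about: 'attack = source not in my subnet'.
    It scores perfectly on this capture, and a network trained on raw addresses
    would find the same shortcut, while learning nothing about floods."""
    correct = sum(src.startswith(trusted_prefix) for _, src, _, _ in benign)
    correct += sum(not src.startswith(trusted_prefix) for _, src, _, _ in flood)
    return correct / (len(benign) + len(flood))


if __name__ == "__main__":
    feats = window_features(CAPTURE)
    for f in feats:
        print(f)
    print("signature:", signature_detect(feats, rate_threshold=50))
    print("anomaly:  ", anomaly_detect(feats, baseline_windows=10))
    print("ip shortcut accuracy:", ip_shortcut_accuracy(BENIGN, FLOOD, "192.168.1."))
```

Both detectors flag the same ten flood windows here because the rate jump is enormous; the difference shows up when an attacker sends just under the fixed threshold (the signature rule goes quiet, the anomaly rule still fires if the baseline was calm) or when legitimate traffic has a busy hour (the anomaly rule fires, the signature rule does not). Features such as `src_ratio` are what a training set for the neural network should contain instead of the addresses themselves.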

There are more problems related to the data because of the way I am executing my server and client, and this is something I will have to think about. But for now this is just a learning step. My final plan is to develop a tool to which individuals and businesses can add their own data set, and which is automated to train the neural network and detect attacks. For now this is a project through which I want to learn about DoS attacks, networking protocols, packet sniffing, artificial intelligence, etc.