In my previous post I discussed how I used Wireshark to sniff traffic between a server-client model running on my machine. I raised questions about not having much idea as to which features of the network traffic I should consider to train my neural network. After researching it on the internet I came across an amazing research article (https://link.springer.com/article/10.1007/s10994-014-5473-9#Tab6) where the authors explain which features are used by existing IDS systems, describe each feature, and point out that leaving out a subset of the features can save resources and the time taken for detection without degrading the performance of the detector.
The article lists 41 features: some are basic and can be retrieved by simply looking at the packet headers, some are complex and require examining the packet contents, and some are statistical, for example past connections to the same IP address and port.
The purpose of the article was to build an anomaly-based detection tool using machine learning, and the features listed can be used to build an IDS that detects multiple types of attack. At this stage of the project, where I am trying to detect UDP flood attacks, the number of features I think I will use is quite small. For example, features such as flags that tell us about the status of a connection apply to TCP connections and hence will not be used at this stage. The features that require examination of packet content, such as looking for the number of failed logins, root access, or program execution, will also be excluded, as in my opinion attackers performing DoS attacks aren't aiming to gain access to the system (in some cases DoS attacks are used as a distraction and the attackers are able to gain access to the system).
The article also mentions two protocols that can be used to get flow information: NetFlow (introduced by Cisco) and IPFIX. Python has a netflow library that can be used, and hence I might go ahead with it, but this is something I still have to research.
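To make the distinction between basic header features, flow-level aggregates and the statistical "same host / same service" counts concrete, here is an added example that is not part of the original post or of the article it cites. It works from a constructed list of packet records (timestamp, source, destination, destination port, protocol, byte count) standing in for what a sniffer or a NetFlow/IPFIX exporter would hand over; the record layout, the two-second window and the threshold of ten packets are my own assumptions, not values from the article or the netflow library.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Packet:
    """Minimal header-level record; an assumed layout, not a NetFlow/IPFIX field set."""
    ts: float      # capture time in seconds
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination port
    proto: str     # "udp" or "tcp"
    nbytes: int    # bytes on the wire


# Constructed sample traffic: a few DNS queries to 10.0.0.53, then a burst of
# 20 large UDP packets from one source to 10.0.0.7:9999 inside 0.4 seconds.
SAMPLE_PACKETS = [
    Packet(0.0, "10.0.0.5", "10.0.0.53", 53, "udp", 60),
    Packet(1.0, "10.0.0.5", "10.0.0.53", 53, "udp", 60),
    Packet(2.0, "10.0.0.5", "10.0.0.53", 53, "udp", 60),
    Packet(3.0, "10.0.0.6", "10.0.0.53", 53, "udp", 64),
] + [Packet(5.0 + i * 0.02, "192.0.2.10", "10.0.0.7", 9999, "udp", 1400) for i in range(20)]


def flow_key(p: Packet):
    """Flow identity as a flow exporter would see it: (src, dst, dst port, proto)."""
    return (p.src, p.dst, p.dport, p.proto)


def aggregate_flows(packets):
    """Flow-level aggregates: packet count, byte count, duration and packet rate per flow."""
    flows = {}
    for p in sorted(packets, key=lambda p: p.ts):
        f = flows.setdefault(flow_key(p), {"packets": 0, "bytes": 0, "first": p.ts, "last": p.ts})
        f["packets"] += 1
        f["bytes"] += p.nbytes
        f["last"] = p.ts
    for f in flows.values():
        dur = f["last"] - f["first"]
        f["duration"] = dur
        # A single-packet flow has zero duration; report its count rather than dividing by zero.
        f["pkt_rate"] = f["packets"] / dur if dur > 0 else float(f["packets"])
    return flows


def windowed_features(packets, window=2.0):
    """Statistical features in the style of the article's 'same host' / 'same service'
    counts: for each packet, how many packets in the preceding `window` seconds
    (the current one included) went to the same destination host, and how many to
    the same destination host, port and protocol. Sliding deques keep this O(n)."""
    by_host = defaultdict(deque)
    by_service = defaultdict(deque)
    out = []
    for p in sorted(packets, key=lambda p: p.ts):
        hq = by_host[p.dst]
        sq = by_service[(p.dst, p.dport, p.proto)]
        for dq in (hq, sq):
            while dq and p.ts - dq[0] > window:   # expire timestamps outside the window
                dq.popleft()
            dq.append(p.ts)
        out.append({
            "ts": p.ts, "src": p.src, "dst": p.dst, "dport": p.dport, "proto": p.proto,
            "same_host_count": len(hq), "same_service_count": len(sq),
        })
    return out


def flag_udp_flood(features, threshold=10):
    """Simple threshold detector on the windowed feature: report (src, dst, dport) triples
    whose same-service count reaches `threshold` within the window over UDP. In the
    project this feature vector would be fed to the classifier instead."""
    hits = set()
    for f in features:
        if f["proto"] == "udp" and f["same_service_count"] >= threshold:
            hits.add((f["src"], f["dst"], f["dport"]))
    return sorted(hits)


if __name__ == "__main__":
    for key, f in aggregate_flows(SAMPLE_PACKETS).items():
        print(key, f)
    print("flagged:", flag_udp_flood(windowed_features(SAMPLE_PACKETS)))
```

The DNS traffic never exceeds three packets to the same service inside the window, while the burst reaches twenty, so only the 192.0.2.10 flow is flagged. With real captures the same feature extractor can be pointed at the output of a sniffer or a flow exporter, and the window length and threshold become parameters to tune against the traffic on the network being protected.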
My next task is to research more about network traffic features and look into how exactly I can use network analyzers and sniffers to get information about the network flow.