ongoing related research in the acl lab...pratik satam ongoing related research in the acl lab •...

Post on 28-May-2020

4 Views

Category:

Documents

0 Downloads

Preview:

Click to see full reader

TRANSCRIPT

Pratik Satam

Ongoing related research in

the ACL Lab

• Anomaly Behavior Analysis Intrusion Detection System

to secure Wi-Fi protocol

• FCTaaS: Federated Cyber Security Testbed as a

Service

• TCIS: Tactical Cyber Immune System

Overview

Anomaly Behavior Analysis

Intrusion Detection System

to secure Wi-Fi protocol

• 1052% growth in thesize of the internetsince 2000.

• Growth of cloudcomputing andincrease in theusage of mobilecomputing devices.

• Dawn of the age ofIoT devices.

The growth of the internet

Increasing attack sophistication

• Attackers execute more

sophisticated attacks with

lesser knowledge.

• Botnets can be purchased

as a service

• Current attacks take a few

minutes to target their

victims.

• Future attacks will target

our infrastructure in

seconds

Signature based IDS vs Anomaly

based IDS

• Signature based IDS use

attack signatures to

detect attacks

• Anomaly based IDS use

their understanding of

the normal behavior to

detect attacks

Anomaly Behavior Analysis (ABA-

analysis)

• Understanding of the normal behavior is used to identify the attacks

• Any behavior outside the norm can be detected

• For networking protocols behavior outside the norm is caused by attacks

t ss ss

t

t

t

ss

dz dz

dz

dz

steady-state

behaviour

transient

behaviour

safe operating zone

anomalous operating

zone

decision

AppFlow

= f ( SysCall)

Time

AppFlow

= f ( Cpu, Mem, IO, Net)

AB-IDS design methodology• Perform threat modelling

analysis of the protocol

• Feature selection and

protocol footprinting to

characterize the behavior

of the protocol

• Use the selected set of

features to develop

machine learning models

that characterize the

normal behavior

• Also known as IEEE 802.11, is a MAC and Physical

layer protocol.

• Generally operates in the frequency range of 2.4Ghz

and 5Ghz.

• Different releases of the standard use different

frequency bands, bandwidth, modulation type and data

rates.

Wi-Fi Protocol

Wi-Fi Protocol

IEEE 802.11 Frame Header• Preamble, header and

data constitutes the

802.11 frame header.

• Major frame types are

Management frames,

Control frames and

Data frames.

• Only the data in the

frame can be

encrypted(optional).

Wi-Fi Protocol

Wi-Fi Protocol State Machine• Has 3 states.

• Management frames

of the protocol cause

the state transitions.

• Assumptions made-

Any state transition

that is outside the

state machine is

considered to be

Abnormal.

Threat modeling Wi-Fi Protocol

Architecture of the Wi-Fi IDS

• Sniffer Module:

Collects Wi-Fi frames

from the network

• Analysis Module:

Performs the behavior

analysis for the Wi-Fi

protocol

Wi-Fi IDS Architecture

List of attacks on Wi-Fi ProtocolSr. No Availability Attacks

1. Deauthentication Attack

2. Disassociation Attack

3. Fake Authentication Attack

4. Deauthentication Broadcast

Attack

5. Disassociation Broadcast Attack

6. Fake power saving Attack

7. CTS Flooding Attack

8. RTS Flooding Attack

9. Probe request flooding Attack

10. Probe response flooding Attack

11. Man in the middle Attack

12. Beacon flooding Attack

13. Modified deauthentication attack

Sr. No Encryption Attacks

1. Chopchop Attack

2. Fragmentation Attack

3. Café Latte Attack

4. Hirte Attack

5. FMS Attack

6. KoreK family of Attacks

7. PTW Attack

8. ARP injection attack

9. Dictionary attack

Performance of the machine

learning models

Experimental Analysis

• For the Isolation forest, a

dataset with 100,000

normal datapoints was

used

• For the classification

algorithms, a dataset with

30000 entries with 15

abnormal entries of

deauthentication protocol

from the attack dataset

were used

FCTaaS: Federated Cyber

Security Testbed as a

Service

Motivation

Experimental Analysis

• Growth of IoT

• Increasingly

sophisticated cyber

attacks

• Hard to gain

expertise in

individual systems

and their securityTestb

ed

Man

ag

er

Testb

ed

Man

ag

er

Federated Cyber Security Testbed

as a Service

Experimental Analysis

• Build a federated

testbed composing of

multiple cybersecurity

testbeds

• FCTaaS will be a

cloud service

• Data will be shared

between the testbeds

syntactically and

semantically

Experimental Analysis

FCTaaS Case Study: UDM smart

car connected to CLaaS• Federated Testbed

Exercise Manager

(FTEM): Manages

the experiment

setup

• Local Testbed

Manager helps

manage the testbed

interact with

FCTaaS

Tactical Cyber Immune

System (TCIS)

• Increasing attack

sophistication with a

smaller attack development

and propagation time

• Growth of IoT and Cloud

computing has increased

the attack surfaces devices

are exposed to

Motivation

• Human immune

system has different

immune system cells

to counter threats that

attack human body

• Our goal: Is to develop

a system inspired from

human biology to

secure computing

environment

TCIS: Architectural Overview

SRF (Computer) Features

SRF (User) Features (sample)Name Description

Timestamp Time record was obtained.

Username Username of the user whose record was obtained.

SSID Unique identifier for the user.

Domain Domain for the user. Usually is the computer’s

hostname unless the user is in an active directory

domain.

Hostname Hostname of the machine the user is using.

IP Address IP address of the machine the user is using.

MAC Address MAC Address of the machine the user is using.

Operating System Operating system running on the machine the user is

using. At the moment this is either a version of Windows

or Ubuntu.

CPU Load Percent of CPU capacity used by the user.

Memory Load Amount of memory used by the user in bytes.

SRF (Application) FeaturesName Description

Timestamp Time record was obtained.

Process ID Process ID assigned by the operating system to the

process. A unique identifier for the life of the process.

Name The name of the process executable.

CPU Load Percent of CPU capacity used by the user.

Memory Load Amount of memory used by the user in bytes.

Username Username of the user executing the process.

SSID Unique identifier for the user executing the process.

Domain Domain for the user executing the process. Usually is

the computer’s hostname unless the user is in an active

directory domain.

Hostname Hostname of the machine where the process is being

executed.

IP Address IP address of the machine where the process is being

executed.

Name Description

MAC Address MAC Address of the machine where the process is being

executed.

Operating System Operating system running on the machine where the process is

being executed. At the moment this is either a version of

Windows or Ubuntu.

Read I/O Operations Number of read operations performed by the process.

Write I/O Operations Number of write operations performed by the process.

Data I/O Operations Number of read and write operations performed by the process.

Read Bytes/Sec Rate at which the process is reading data in bytes per second.

Write Bytes/Sec Rate at which the process is writing data in bytes per second.

Data Bytes/Sec Aggregate rate at which the process reads and writes data in

bytes per second.

Start Time The date and time the application started execution.

Handle Count Number of handles application has obtained to files, resources,

message queues, and other operating system objects.

SRF (Application) Features

Samples of User Monitored Data Time User

Name

SSID Domai

n

Host

name

Ip

Addres

s

Mac

Addres

s

OS CPU

Load

Memor

y Load,

etc

Samples of Application and Host Monitored

Data Time Proces

Name

PID CPU

Load

Memor

y-IO

Disk

Networ

k Load

UserNa

me

SSID Domai

n

Host,

IP,

MacAd

ress,

OS,

etc.

Time Host IP

Addres

s

MAC

Addres

s

OS TCP

Conne

ctions

Update

d

Enable

d

Firewal

l Active

Shred

Folders

Public

addres,

etc.

Experimental Results and Validation

Self-Recognition Agent

Detection Results

Self Entity Modeled Non-self Entity

Compared to

Non-self detection

accuracy

Computer 7 Computer 12 97.55713 %

Computer 7 Computer 19 95.4023 %

Computer 7 Computer 25 98.08429 %

Computer 7 Computer 26 100 %

Computer 7 Computer 4 99.53775 %

Self-Recognition Agent

Detection Results

30

Self Entity Modeled Non-self Entity

Compared to

Non-self detection

accuracy

Computer 25 Computer 12 77.0686 %

Computer 25 Computer 19 98.27586 %

Computer 25 Computer 26 100 %

Computer 25 Computer 4 100 %

Self-Recognition Agent

Detection Results

Self Entity Modeled Non-self Entity

Compared to

Non-self detection

accuracy

User 253 User 127 98.98683 %

User 253 User 209 99.763407 %

User 253 User 216 100 %

User 253 User 242 94.76744 %

User 253 User 247 100 %

User 253 User 249 98.08429 %

Self-Recognition Agent

Detection Results

Self Entity Modeled Non-self Entity

Compared to

Non-self detection

accuracy

User 242 User 127 100 %

User 242 User 209 94.40063 %

User 242 User 216 100 %

User 242 User 247 100 %

User 242 User 249 73.7548 %

User 242 User 253 100%

User and Computer Attacks

Modeled and Tested• HeavyLoad – HeavyLoad was run on the computers in order to

simulate an attack / malicious program that maximizes theusage of the computer’s resources.

• HTTP Flood – Using a program called LOIC (Low Orbit IonCannon) we flooded each of the computers with thousands ofHTTP packets simulating a denial of service attack.

• Slow HTTP attack – The Slowloris attack is an applicationlayer denial of service attack that opens as many connectionsto a web server as possible and keeps them open as long aspossible.

• T50 – Using the T50 tool in Kali Linux, a version of Linux thatcontains multiple attack tools: TCP, UDP, ICMP, IGMPv2,IGMPv3, EGP, DCCP, RSVP, RIPv1, RIPv2, GRE, ESP, AH,EIGRP and OSPF.

Application Attacks Modeled

and Tested• Infinite JavaScript loop – A JavaScript script that runs

an infinite loop. This has the effect of making the process

running the script hang.

• JavaScript Fork Bomb - A JavaScript script that runs a

function that calls itself twice causing death by recursion.

• Heap of Death – This script infinitely expands an array in

memory greatly increasing the process’s memory usage

until it runs out of allocated memory.

Normal vs Malicious

Comparison• Computer Data before and after HeavyLoad

Fan speed has

increased

GPU temperature

has increased

CPU Utilization is

now maximum

Normal vs Malicious

Comparison• Computer Data before and after DoS attack

36

Dramatic increase in

active TCP

connections

Computer SRA

0 1

Target Class

0

1

Ou

tpu

t C

las

s

Confusion Matrix

13858

94.8%

0

0.0%

100%

0.0%

0

0.0%

755

5.2%

100%

0.0%

100%

0.0%

100%

0.0%

100%

0.0%

Normal

Malicious

Malicious Normal• Classifier Performance

• Accuracy: 100

• Sensitivity: 100

• Specificity: 100

Computer SRA – Threat Identification

38

0 1 2 4

Target Class

0

1

2

4

Ou

tpu

t C

las

s

Confusion Matrix

13849

94.8%

0

0.0%

4

0.0%

5

0.0%

99.9%

0.1%

1

0.0%

694

4.7%

0

0.0%

0

0.0%

99.9%

0.1%

10

0.1%

0

0.0%

30

0.2%

0

0.0%

75.0%

25.0%

3

0.0%

0

0.0%

0

0.0%

17

0.1%

85.0%

15.0%

99.9%

0.1%

100%

0.0%

88.2%

11.8%

77.3%

22.7%

99.8%

0.2%

Normal vs Malicious

Comparison• User Data before and after HeavyLoad

CPU Utilization is

now near the max

User SRA

0 1

Target Class

0

1

Ou

tpu

t C

las

s

Confusion Matrix

13131

93.9%

1

0.0%

100.0%

0.0%

4

0.0%

844

6.0%

99.5%

0.5%

100.0%

0.0%

99.9%

0.1%

100.0%

0.0%

Normal

Malicious

Normal Malicious

• Classifier Performance

• Accuracy: 99.9642

• Sensitivity:

99.7603

• Specificity:

99.7603

User SRA – Threat Identification

0 1 2 3 4

Target Class

0

1

2

3

4

Ou

tpu

t C

las

s

Confusion Matrix

13122

93.9%

2

0.0%

0

0.0%

0

0.0%

8

0.1%

99.9%

0.1%

3

0.0%

693

5.0%

0

0.0%

0

0.0%

0

0.0%

99.6%

0.4%

39

0.3%

0

0.0%

0

0.0%

0

0.0%

0

0.0%

0.0%

100%

31

0.2%

0

0.0%

0

0.0%

0

0.0%

0

0.0%

0.0%

100%

80

0.6%

0

0.0%

0

0.0%

0

0.0%

2

0.0%

2.4%

97.6%

98.8%

1.2%

99.7%

0.3%

NaN%

NaN%

NaN%

NaN%

20.0%

80.0%

98.8%

1.2%

Normal vs Malicious

Comparison

Increased CPU

activity

Increased memory

usage

• Microsoft Edge Data before and after attempting to load page with

malicious JS

Application SRA

43

• Classifier Performance

• Accuracy: 99.5335

• Sensitivity: 94.9187

• Specificity: 94.9187

0 1

Target Class

0

1

Ou

tpu

t C

las

s

Confusion Matrix

5113

95.4%

0

0.0%

100%

0.0%

25

0.5%

221

4.1%

89.8%

10.2%

99.5%

0.5%

100%

0.0%

99.5%

0.5%

Normal

Malicious

Normal Malicious

Application SRA – Threat Identification

0 1 2 3

Target Class

0

1

2

3

Ou

tpu

t C

las

s

Confusion Matrix

5112

95.4%

0

0.0%

1

0.0%

0

0.0%

100.0%

0.0%

2

0.0%

112

2.1%

0

0.0%

0

0.0%

98.2%

1.8%

2

0.0%

0

0.0%

23

0.4%

0

0.0%

92.0%

8.0%

0

0.0%

0

0.0%

0

0.0%

107

2.0%

100%

0.0%

99.9%

0.1%

100%

0.0%

95.8%

4.2%

100%

0.0%

99.9%

0.1%

top related