Page 1
Using Bayesian Networks for Detecting Network Anomalies
Lane Thames
ECE 8833 Intelligent Systems
Page 2
Goals for this Project
To see how well a Bayesian Learning Network performs at predicting attacks within a computer network
How do the predictions change when using pure network data versus a combination of network and host data
Page 3
Common Types of Attacks
Buffer Overflow Attacks
Redirects program control flow, which causes the computer to execute carefully injected malicious code
Code can be crafted to elevate the privileges of a user by obtaining super user (root) privileges
Page 4
Common Types of Attacks
Denial of Service
Exhaust a computer's resources: TCP SYN Flooding Attack
Consume a computer's available networking bandwidth: ICMP Smurf Attack
Page 5
Data Sets
UCI Knowledge Discovery in Databases (KDD) archive
KDD Cup 1999 for Intrusion Detection Database
A subset of data generated by MIT Lincoln Labs that simulated a military networking environment (4 weeks @ 22 hrs/day of data)
Page 6
Data Sets
Contained data for training and separate, labeled data for testing
The test data contained noise because it contained attack data that was not included in the training data
Page 7
Data Sets
22 total attack types were generated and were interlaced with normal traffic flows
Types of Attacks within the data
Denial of Service
Unauthorized remote access
Local user to super user access
Probing: Reconnaissance and network mapping
Page 8
Data Sets
41 Features that could be used as Random Variables within a Bayesian Network
Host Based Features
Network Based Features
Page 9
Feature Set Snippet
protocol  service  flag  srcB  dstB  cnt  srvcnt  serrrate  rerrrate  typeAtck
tcp       http     SF     235  1337    8       8         0         0  normal.
tcp       http     SF     219  1337    6       6         0         0  normal.
icmp      ecr_i    SF    1032     0  511     511         0         0  smurf.
icmp      ecr_i    SF    1032     0  511     511         0         0  smurf.
tcp       private  S0       0     0  103       1         1         0  neptune.
tcp       private  S0       0     0  112      10         1         0  neptune.
Page 10
Tool Boxes Used for the Project
BN Power Constructor
Developed by J. Cheng at the University of Alberta in Canada
Tool for generating possible network structures given a set of training data
Exports the structure in DNE Bayesian network file format
Page 11
Tool Boxes Used for the Project
NeticaJ by Norsys
Java based development library
Used to build the Bayesian network codebase for this project
Imports structure in DNE file format
Contains functions for doing inference and learning CPTs given a set of training data
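As an added illustration (not the project's own code, which used BN Power Constructor and NeticaJ): a Python version of the learn-CPTs-then-infer step on the six flows from the Feature Set Snippet slide, using the simplest structure, attack type as the parent of every feature. The bin edges for the numeric features and the Laplace smoothing are assumptions of this example.

```python
from collections import Counter, defaultdict
from math import log, exp

# Constructed six-row sample copied from the deck's "Feature Set Snippet" slide.
FEATURES = ["protocol", "service", "flag", "srcB", "dstB",
            "cnt", "srvcnt", "serrrate", "rerrrate"]
TRAIN = [
    ("tcp", "http", "SF", 235, 1337, 8, 8, 0, 0, "normal"),
    ("tcp", "http", "SF", 219, 1337, 6, 6, 0, 0, "normal"),
    ("icmp", "ecr_i", "SF", 1032, 0, 511, 511, 0, 0, "smurf"),
    ("icmp", "ecr_i", "SF", 1032, 0, 511, 511, 0, 0, "smurf"),
    ("tcp", "private", "S0", 0, 0, 103, 1, 1, 0, "neptune"),
    ("tcp", "private", "S0", 0, 0, 112, 10, 1, 0, "neptune"),
]

def discretize(flow):
    """Bin numeric columns so every node is a discrete random variable.
    The bin edges are an assumption of this example, not from the deck."""
    proto, svc, flag, sb, db, cnt, srv, serr, rerr = flow[:9]
    bins = lambda v, edges: sum(v >= e for e in edges)   # state index 0..len(edges)
    return (proto, svc, flag,
            bins(sb, (1, 1000)), bins(db, (1, 1000)),    # zero / small / large
            bins(cnt, (50,)), bins(srv, (50,)),           # low / high
            bins(serr, (0.5,)), bins(rerr, (0.5,)))       # ~0 / >0

def learn_cpts(rows, alpha=1.0):
    """Count P(type) and P(feature | type) for a type -> feature structure.
    Laplace smoothing keeps values unseen for a class (noisy test data) from zeroing the posterior."""
    prior, cpt, values = Counter(), defaultdict(Counter), defaultdict(set)
    for row in rows:
        prior[row[-1]] += 1
        for f, v in zip(FEATURES, discretize(row)):
            cpt[(row[-1], f)][v] += 1
            values[f].add(v)
    return {"prior": prior, "cpt": cpt, "values": values, "alpha": alpha}

def posterior(model, flow):
    """P(type | observed features) for one flow, in log space: the per-attack-type probabilities the deck plots."""
    prior, cpt, a = model["prior"], model["cpt"], model["alpha"]
    n, ev, lp = sum(prior.values()), discretize(flow), {}
    for label, c in prior.items():
        s = log((c + a) / (n + a * len(prior)))
        for f, v in zip(FEATURES, ev):
            k = len(model["values"][f]) + 1          # one extra slot for unseen values
            s += log((cpt[(label, f)][v] + a) / (c + a * k))
        lp[label] = s
    z = max(lp.values())
    norm = sum(exp(s - z) for s in lp.values())
    return {label: exp(s - z) / norm for label, s in lp.items()}
```

With the real KDD data the structure would come from BN Power Constructor rather than being fixed to a single parent, but the counting and inference steps are the same.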
Page 12
Implementation
2 types of structures used
Combination of network and host based features
Only network based features
Page 13
Host/Network Structure
Page 14
Host/Network Test Results
Using the Noisy Test Data
65,505 Total Test Cases
65,019 Correctly Classified
99.26% Classification Accuracy
Page 15
Probabilities for a Single Flow
[Chart: Attack Probabilities for a Normal Flow; x-axis Attack Type, y-axis Probability (log scale, 1.00E-13 to 1.00E+01)]
Page 16
Probabilities for a Smurf Flow
[Chart: Attack Probability during a SMURF attack; x-axis Attack Type, y-axis Probability (log scale, 1.00E-18 to 1.00E+01)]
Page 17
Time Series of Normal Probabilities
[Chart: Time Series Normal Classifications; x-axis Time Epoch (0 to 450), y-axis Probability (0 to 1.2)]
Page 18
Network Features Structure
Page 19
Network Variables Test Results
62,047 Total Noisy Test Cases
59,734 Correctly Classified
96.27% Classification Accuracy
Page 20
Conclusion
The Bayesian Network produced very impressive results
The reduced structure only relied on network data, and only suffered from a small decrease in accuracy
Term project will extend this to incorporate a SOM variable