Artificial Intelligence in Intrusion Detection / Prevention Systems - Reduction of False Positives
Guide - Prof Bernard L Menezes, IIT Bombay
Course - Network Security and Cryptography-II (CS 724)
By - Sriharsa Mohapatra (10405004)
Outline

Why do Firewalls have False Positives?
How can Artificial Intelligence help?
What is Genetic Algorithm?
Genetic Algorithm to Evaluate Goodness
Observation on the Evaluation
False Positive by Client Side Firewall
Configure Firewall as per goodness value
Why do Firewalls have False Positives?
●   All firewall implementations are maintained by direct human effort
●   They are changed as threats change
●   Network security personnel have to put in more restrictive rules than are actually needed
●   This leads to false positives (benign packets are dropped)
How can Artificial Intelligence help?
●   False positives hinder business
●   Filter rules should no longer outright drop non-conformant packets
●   If a non-conformant packet has a high goodness value, allow it; else drop it
●   A very lightweight Genetic Algorithm continuously maintains a list of packets' goodness values
What is Genetic Algorithm?
●   Each solution (packet) is an individual
●   An individual is coded as a chromosome
●   A chromosome is a binary string
●   In our case, a chromosome is concatenation(source_IP, goodness)
●   A population is a set of chromosomes
●   Cross-over and mutation operate on selected chromosomes to generate new ones
Genetic Algorithm to Evaluate Goodness
Observation on the Evaluation
●   The goodness value is relative
●   Goodness implies sustained traffic
●   A higher traffic rate implies only a marginal increase in goodness
●   A very high traffic rate or no traffic implies a graceful decrement: to deter flooding / to remove inactive connections
●   Responds to changes in traffic quickly
False Positive by Client Side Firewall
●   iptables -N LOGDROP
●   iptables -A LOGDROP -p tcp -m limit --limit 3/second --limit-burst 7 -j LOG --log-prefix '** HACKERS **' --log-level 4
●   iptables -A LOGDROP -p tcp -j DROP
●   iptables -A INPUT -p tcp -j LOGDROP
●   Beyond an initial burst of 7 packets, apply a limit of 3 packets/second
●   Slows down or stops browsing of different pages (benign traffic is dropped: a false positive)
Configure Firewall as per goodness value
●   Login as root using "su -" (su, a space, then a dash)
●   list_of_good_IP=`mysql -u traffic_monitor -h localhost --password=nopassword connection_analysis -e "select source_IP from goodness_statistics order by goodness desc limit 10;"`
●   IP_array=`echo $list_of_good_IP | cut -d ' ' -f 2-`   (drops the source_IP column header that mysql prints first)
●   for IP in $IP_array; do iptables -I INPUT -p tcp -s "$IP" -j ACCEPT; done
●   To do the above automatically, put the above three lines in a script and schedule the script to run every 5 minutes in the /etc/crontab file
●   echo "*/5 * * * * root /path-of-script/script.sh" >> /etc/crontab OR echo "*/5 * * * * /path-of-script/script.sh" >> /etc/crontab
●   Some systems do not have the user field
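As an added illustration (not from the slides, whose evaluation slides 6-8 are diagrams not reproduced here), the following Python models the observations above and the per-goodness rule generation: a goodness score per source IP that rises marginally with sustained traffic and decays gracefully for idle or flooding sources, the chromosome encoding concatenation(source_IP, goodness), and the ACCEPT rules the cron job would insert for the highest-goodness sources. The rate thresholds, the gain and decay factors and the 8-bit goodness width are assumptions, and the per-window packet counts are constructed.

```python
import ipaddress

# Assumed update parameters (the slides give the observations, not the function).
BASE_RATE = 10.0    # packets/window treated as ordinary sustained traffic
FLOOD_RATE = 200.0  # packets/window above which a source is treated as flooding
GAIN = 0.1          # maximum goodness gained per window
DECAY = 0.8         # graceful decrement factor for idle or flooding sources

def update_goodness(goodness, rate):
    """One evaluation step: sustained traffic raises goodness with diminishing
    returns in the rate; no traffic or a flood decays it gracefully."""
    if rate <= 0 or rate > FLOOD_RATE:
        return goodness * DECAY
    return goodness + GAIN * (rate / (rate + BASE_RATE))

def evaluate(windows):
    """windows: per-interval {source_ip: packet_count} dicts (constructed input)."""
    goodness = {}
    for window in windows:
        for ip in set(goodness) | set(window):
            goodness[ip] = update_goodness(goodness.get(ip, 0.0), window.get(ip, 0))
    return goodness

def encode(ip, goodness, bits=8):
    """Chromosome = concatenation(source_IP, goodness) as a binary string.
    Goodness is clamped to [0, 1] and quantised to `bits` bits (assumed width)."""
    g = max(0, min(int(goodness * (2**bits - 1)), 2**bits - 1))
    return f"{int(ipaddress.IPv4Address(ip)):032b}{g:0{bits}b}"

def decode(chromosome, bits=8):
    ip = ipaddress.IPv4Address(int(chromosome[:32], 2))
    return str(ip), int(chromosome[32:], 2) / (2**bits - 1)

def accept_rules(goodness, top=10):
    """Rules the slide's cron job would insert: the `top` highest-goodness sources."""
    ranked = sorted(goodness, key=goodness.get, reverse=True)[:top]
    return [f"iptables -I INPUT -p tcp -s {ip} -j ACCEPT" for ip in ranked]

# Constructed sample: five sampling windows of per-source packet counts.
SAMPLE_WINDOWS = [
    {"192.0.2.10": 20, "192.0.2.20": 1000, "192.0.2.30": 5},  # steady / flood / brief
    {"192.0.2.10": 20, "192.0.2.20": 1000},
    {"192.0.2.10": 20, "192.0.2.20": 1000},
    {"192.0.2.10": 20, "192.0.2.20": 1000},
    {"192.0.2.10": 20, "192.0.2.20": 1000},
]

if __name__ == "__main__":
    scores = evaluate(SAMPLE_WINDOWS)
    for ip, g in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{ip:<12} goodness={g:.3f} chromosome={encode(ip, g)}")
    print("\n".join(accept_rules(scores, top=2)))
```

The script only prints the rules it would generate; the flooding source ends with goodness 0 and never appears in the allow list, while the briefly active source decays below the steady one.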