Pratik Satam
Ongoing related research in
the ACL Lab
• Anomaly Behavior Analysis Intrusion Detection System
to secure Wi-Fi protocol
• FCTaaS: Federated Cyber Security Testbed as a
Service
• TCIS: Tactical Cyber Immune System
Overview
Anomaly Behavior Analysis
Intrusion Detection System
to secure Wi-Fi protocol
• 1052% growth in thesize of the internetsince 2000.
• Growth of cloudcomputing andincrease in theusage of mobilecomputing devices.
• Dawn of the age ofIoT devices.
The growth of the internet
Increasing attack sophistication
• Attackers execute more
sophisticated attacks with
lesser knowledge.
• Botnets can be purchased
as a service
• Current attacks take a few
minutes to target their
victims.
• Future attacks will target
our infrastructure in
seconds
Signature based IDS vs Anomaly
based IDS
• Signature based IDS use
attack signatures to
detect attacks
• Anomaly based IDS use
their understanding of
the normal behavior to
detect attacks
Anomaly Behavior Analysis (ABA-
analysis)
• Understanding of the normal behavior is used to identify the attacks
• Any behavior outside the norm can be detected
• For networking protocols behavior outside the norm is caused by attacks
t ss ss
t
t
t
ss
dz dz
dz
dz
steady-state
behaviour
transient
behaviour
safe operating zone
anomalous operating
zone
decision
AppFlow
= f ( SysCall)
Time
AppFlow
= f ( Cpu, Mem, IO, Net)
AB-IDS design methodology• Perform threat modelling
analysis of the protocol
• Feature selection and
protocol footprinting to
characterize the behavior
of the protocol
• Use the selected set of
features to develop
machine learning models
that characterize the
normal behavior
• Also known as IEEE 802.11, is a MAC and Physical
layer protocol.
• Generally operates in the frequency range of 2.4Ghz
and 5Ghz.
• Different releases of the standard use different
frequency bands, bandwidth, modulation type and data
rates.
Wi-Fi Protocol
Wi-Fi Protocol
IEEE 802.11 Frame Header• Preamble, header and
data constitutes the
802.11 frame header.
• Major frame types are
Management frames,
Control frames and
Data frames.
• Only the data in the
frame can be
encrypted(optional).
Wi-Fi Protocol
Wi-Fi Protocol State Machine• Has 3 states.
• Management frames
of the protocol cause
the state transitions.
• Assumptions made-
Any state transition
that is outside the
state machine is
considered to be
Abnormal.
Threat modeling Wi-Fi Protocol
Architecture of the Wi-Fi IDS
• Sniffer Module:
Collects Wi-Fi frames
from the network
• Analysis Module:
Performs the behavior
analysis for the Wi-Fi
protocol
Wi-Fi IDS Architecture
List of attacks on Wi-Fi ProtocolSr. No Availability Attacks
1. Deauthentication Attack
2. Disassociation Attack
3. Fake Authentication Attack
4. Deauthentication Broadcast
Attack
5. Disassociation Broadcast Attack
6. Fake power saving Attack
7. CTS Flooding Attack
8. RTS Flooding Attack
9. Probe request flooding Attack
10. Probe response flooding Attack
11. Man in the middle Attack
12. Beacon flooding Attack
13. Modified deauthentication attack
Sr. No Encryption Attacks
1. Chopchop Attack
2. Fragmentation Attack
3. Café Latte Attack
4. Hirte Attack
5. FMS Attack
6. KoreK family of Attacks
7. PTW Attack
8. ARP injection attack
9. Dictionary attack
Performance of the machine
learning models
Experimental Analysis
• For the Isolation forest, a
dataset with 100,000
normal datapoints was
used
• For the classification
algorithms, a dataset with
30000 entries with 15
abnormal entries of
deauthentication protocol
from the attack dataset
were used
FCTaaS: Federated Cyber
Security Testbed as a
Service
Motivation
Experimental Analysis
• Growth of IoT
• Increasingly
sophisticated cyber
attacks
• Hard to gain
expertise in
individual systems
and their securityTestb
ed
Man
ag
er
Testb
ed
Man
ag
er
Federated Cyber Security Testbed
as a Service
Experimental Analysis
• Build a federated
testbed composing of
multiple cybersecurity
testbeds
• FCTaaS will be a
cloud service
• Data will be shared
between the testbeds
syntactically and
semantically
Experimental Analysis
FCTaaS Case Study: UDM smart
car connected to CLaaS• Federated Testbed
Exercise Manager
(FTEM): Manages
the experiment
setup
• Local Testbed
Manager helps
manage the testbed
interact with
FCTaaS
Tactical Cyber Immune
System (TCIS)
• Increasing attack
sophistication with a
smaller attack development
and propagation time
• Growth of IoT and Cloud
computing has increased
the attack surfaces devices
are exposed to
Motivation
• Human immune
system has different
immune system cells
to counter threats that
attack human body
• Our goal: Is to develop
a system inspired from
human biology to
secure computing
environment
TCIS: Architectural Overview
SRF (Computer) Features
SRF (User) Features (sample)Name Description
Timestamp Time record was obtained.
Username Username of the user whose record was obtained.
SSID Unique identifier for the user.
Domain Domain for the user. Usually is the computer’s
hostname unless the user is in an active directory
domain.
Hostname Hostname of the machine the user is using.
IP Address IP address of the machine the user is using.
MAC Address MAC Address of the machine the user is using.
Operating System Operating system running on the machine the user is
using. At the moment this is either a version of Windows
or Ubuntu.
CPU Load Percent of CPU capacity used by the user.
Memory Load Amount of memory used by the user in bytes.
SRF (Application) FeaturesName Description
Timestamp Time record was obtained.
Process ID Process ID assigned by the operating system to the
process. A unique identifier for the life of the process.
Name The name of the process executable.
CPU Load Percent of CPU capacity used by the user.
Memory Load Amount of memory used by the user in bytes.
Username Username of the user executing the process.
SSID Unique identifier for the user executing the process.
Domain Domain for the user executing the process. Usually is
the computer’s hostname unless the user is in an active
directory domain.
Hostname Hostname of the machine where the process is being
executed.
IP Address IP address of the machine where the process is being
executed.
Name Description
MAC Address MAC Address of the machine where the process is being
executed.
Operating System Operating system running on the machine where the process is
being executed. At the moment this is either a version of
Windows or Ubuntu.
Read I/O Operations Number of read operations performed by the process.
Write I/O Operations Number of write operations performed by the process.
Data I/O Operations Number of read and write operations performed by the process.
Read Bytes/Sec Rate at which the process is reading data in bytes per second.
Write Bytes/Sec Rate at which the process is writing data in bytes per second.
Data Bytes/Sec Aggregate rate at which the process reads and writes data in
bytes per second.
Start Time The date and time the application started execution.
Handle Count Number of handles application has obtained to files, resources,
message queues, and other operating system objects.
SRF (Application) Features
Samples of User Monitored Data Time User
Name
SSID Domai
n
Host
name
Ip
Addres
s
Mac
Addres
s
OS CPU
Load
Memor
y Load,
etc
Samples of Application and Host Monitored
Data Time Proces
Name
PID CPU
Load
Memor
y-IO
Disk
Networ
k Load
UserNa
me
SSID Domai
n
Host,
IP,
MacAd
ress,
OS,
etc.
Time Host IP
Addres
s
MAC
Addres
s
OS TCP
Conne
ctions
Update
d
Enable
d
Firewal
l Active
Shred
Folders
Public
addres,
etc.
Experimental Results and Validation
Self-Recognition Agent
Detection Results
Self Entity Modeled Non-self Entity
Compared to
Non-self detection
accuracy
Computer 7 Computer 12 97.55713 %
Computer 7 Computer 19 95.4023 %
Computer 7 Computer 25 98.08429 %
Computer 7 Computer 26 100 %
Computer 7 Computer 4 99.53775 %
Self-Recognition Agent
Detection Results
30
Self Entity Modeled Non-self Entity
Compared to
Non-self detection
accuracy
Computer 25 Computer 12 77.0686 %
Computer 25 Computer 19 98.27586 %
Computer 25 Computer 26 100 %
Computer 25 Computer 4 100 %
Self-Recognition Agent
Detection Results
Self Entity Modeled Non-self Entity
Compared to
Non-self detection
accuracy
User 253 User 127 98.98683 %
User 253 User 209 99.763407 %
User 253 User 216 100 %
User 253 User 242 94.76744 %
User 253 User 247 100 %
User 253 User 249 98.08429 %
Self-Recognition Agent
Detection Results
Self Entity Modeled Non-self Entity
Compared to
Non-self detection
accuracy
User 242 User 127 100 %
User 242 User 209 94.40063 %
User 242 User 216 100 %
User 242 User 247 100 %
User 242 User 249 73.7548 %
User 242 User 253 100%
User and Computer Attacks
Modeled and Tested• HeavyLoad – HeavyLoad was run on the computers in order to
simulate an attack / malicious program that maximizes theusage of the computer’s resources.
• HTTP Flood – Using a program called LOIC (Low Orbit IonCannon) we flooded each of the computers with thousands ofHTTP packets simulating a denial of service attack.
• Slow HTTP attack – The Slowloris attack is an applicationlayer denial of service attack that opens as many connectionsto a web server as possible and keeps them open as long aspossible.
• T50 – Using the T50 tool in Kali Linux, a version of Linux thatcontains multiple attack tools: TCP, UDP, ICMP, IGMPv2,IGMPv3, EGP, DCCP, RSVP, RIPv1, RIPv2, GRE, ESP, AH,EIGRP and OSPF.
Application Attacks Modeled
and Tested• Infinite JavaScript loop – A JavaScript script that runs
an infinite loop. This has the effect of making the process
running the script hang.
• JavaScript Fork Bomb - A JavaScript script that runs a
function that calls itself twice causing death by recursion.
• Heap of Death – This script infinitely expands an array in
memory greatly increasing the process’s memory usage
until it runs out of allocated memory.
Normal vs Malicious
Comparison• Computer Data before and after HeavyLoad
Fan speed has
increased
GPU temperature
has increased
CPU Utilization is
now maximum
Normal vs Malicious
Comparison• Computer Data before and after DoS attack
36
Dramatic increase in
active TCP
connections
Computer SRA
0 1
Target Class
0
1
Ou
tpu
t C
las
s
Confusion Matrix
13858
94.8%
0
0.0%
100%
0.0%
0
0.0%
755
5.2%
100%
0.0%
100%
0.0%
100%
0.0%
100%
0.0%
Normal
Malicious
Malicious Normal• Classifier Performance
• Accuracy: 100
• Sensitivity: 100
• Specificity: 100
Computer SRA – Threat Identification
38
0 1 2 4
Target Class
0
1
2
4
Ou
tpu
t C
las
s
Confusion Matrix
13849
94.8%
0
0.0%
4
0.0%
5
0.0%
99.9%
0.1%
1
0.0%
694
4.7%
0
0.0%
0
0.0%
99.9%
0.1%
10
0.1%
0
0.0%
30
0.2%
0
0.0%
75.0%
25.0%
3
0.0%
0
0.0%
0
0.0%
17
0.1%
85.0%
15.0%
99.9%
0.1%
100%
0.0%
88.2%
11.8%
77.3%
22.7%
99.8%
0.2%
Normal vs Malicious
Comparison• User Data before and after HeavyLoad
CPU Utilization is
now near the max
User SRA
0 1
Target Class
0
1
Ou
tpu
t C
las
s
Confusion Matrix
13131
93.9%
1
0.0%
100.0%
0.0%
4
0.0%
844
6.0%
99.5%
0.5%
100.0%
0.0%
99.9%
0.1%
100.0%
0.0%
Normal
Malicious
Normal Malicious
• Classifier Performance
• Accuracy: 99.9642
• Sensitivity:
99.7603
• Specificity:
99.7603
User SRA – Threat Identification
0 1 2 3 4
Target Class
0
1
2
3
4
Ou
tpu
t C
las
s
Confusion Matrix
13122
93.9%
2
0.0%
0
0.0%
0
0.0%
8
0.1%
99.9%
0.1%
3
0.0%
693
5.0%
0
0.0%
0
0.0%
0
0.0%
99.6%
0.4%
39
0.3%
0
0.0%
0
0.0%
0
0.0%
0
0.0%
0.0%
100%
31
0.2%
0
0.0%
0
0.0%
0
0.0%
0
0.0%
0.0%
100%
80
0.6%
0
0.0%
0
0.0%
0
0.0%
2
0.0%
2.4%
97.6%
98.8%
1.2%
99.7%
0.3%
NaN%
NaN%
NaN%
NaN%
20.0%
80.0%
98.8%
1.2%
Normal vs Malicious
Comparison
Increased CPU
activity
Increased memory
usage
• Microsoft Edge Data before and after attempting to load page with
malicious JS
Application SRA
43
• Classifier Performance
• Accuracy: 99.5335
• Sensitivity: 94.9187
• Specificity: 94.9187
0 1
Target Class
0
1
Ou
tpu
t C
las
s
Confusion Matrix
5113
95.4%
0
0.0%
100%
0.0%
25
0.5%
221
4.1%
89.8%
10.2%
99.5%
0.5%
100%
0.0%
99.5%
0.5%
Normal
Malicious
Normal Malicious
Application SRA – Threat Identification
0 1 2 3
Target Class
0
1
2
3
Ou
tpu
t C
las
s
Confusion Matrix
5112
95.4%
0
0.0%
1
0.0%
0
0.0%
100.0%
0.0%
2
0.0%
112
2.1%
0
0.0%
0
0.0%
98.2%
1.8%
2
0.0%
0
0.0%
23
0.4%
0
0.0%
92.0%
8.0%
0
0.0%
0
0.0%
0
0.0%
107
2.0%
100%
0.0%
99.9%
0.1%
100%
0.0%
95.8%
4.2%
100%
0.0%
99.9%
0.1%