Ask Homework Help/Study Tips Expert

Project : ML for Security

Constructing & Evading network traffic based model of IDS

1 Introduction?:

The goal of this project is to introduce students to machine learning techniques and methodologies, that help to differentiate between malicious and legitimate network traffic. In summary, the students are introduced to:

1. Use a machine learning based approach to create a model that learns normal network traffic.

2. Learn how to blend attack traffic, so that it resembles normal network traffic, and bypass the learned model.

NOTE: To work on this project, we recommend you to use Linux OS. However, in the past,students faced no difficulty while working on this project even on Windows or Macintosh OS.

2 Readings & Resources:

This assignment relies on the following readings:

1. “Anomalous Payload-based Worm Detection and Signature Generation”, Ke Wang and Salva- tore J.Stolfo, RAID2004

2. “Polymorphic Blending Attacks”, Prahlad Fogla, Monirul Sharif, Roberto Perdisci, Oleg Kolesnikov, Wenke Lee, Usenix Security 2006

3. “True positive (true detections) and False positive (false alarms)”

3 Task A:

Preliminary reading: ?Please refer to the above readings to learn about how the PAYL model works: a) how to extract byte frequency from the data, b) how to train the model, and c) the definition of the parameters; threshold and smoothing factor.

Code and data provided: ?Please look at the PAYL directory, where we provide the PAYL code and data to train the model.

Install packages needed: ?Please read the file SETUP to install packages that are needed for the code to run.

PAYL Code workflow: ?Here is the workflow of the provided PAYL code:

It operates in two modes: a) training mode: It reads in pcap files provided in the ‘data’ directory, and it tests parameters and reports True Positive rates, and b) testing mode: It trains a model using specific parameters and using data in the directory, it will use a specific packet to test and then will decide if the packet fits the model.

Training mode: It reads in the normal data and separates it into training and testing. 75% of the provided normal data is for training and 25% of the normal data is for testing. It sorts the payload strings by length and generates a model for each length. Each model per length is based on [ mean frequency of each ascii, standard deviation of frequencies for each ascii]

To run PAYL on training mode: python wrapper.py. You will have to modify the port numbers in the read pcap.py (commented in the sourcecode) according to the protocol.

Testing mode: It reads in normal data from directory, it trains a model using specific parameters, and it tests the specific packet (fed from command line) against the trained model. 1. It computes the mahalanobis distance between each test payload and the model (of the same length), and 2. It labels the payload: If the mahalanobis distance is below the threshold, then it accept the payload as normal traffic. Otherwise, it reject the packet as attack traffic.

Tasks: Perform experiments to select proper parameters.

You are provided a single traffic trace (artificial-payload) to train a PAYL model.

After reading the reference papers above, it should make sense that you cannot train the PAYL model on the entire traffic because it contains several protocols.

Modify the IP addresses/port numbers (also commented in the python files) in the source code according to the traffic you are working with.

Use the artificial traffic corresponding to the protocol that you have chosen and proceed to train PAYL.

Use the provided code in the training mode and make sure that you are going to use the normal traffic(artificial payload) that is fed to your code while training. Provide a range of the two parameters (threshold and smoothing factor).

For each pair of parameters you will observe a True Positive Rate. Select a pair of parameters that gives 96% or more True Positive; more than 99% true positive rate is possible. You may find multiple pairs of parameters that can achieve that.

Task B:

Download your unique attack payload: To download your unique attack payload, and replace “einstein7” with your GTID.

Use PAYL in testing mode. Feed the training data that you used before, use the same pair of parameters that you found from Task A and provide the attack trace.

Verify that your attack trace gets rejected - in other words that it doesn’t doesn’t fit the model.

You should run as follows and observe the following output:

Finally, use the artificial payload of the protocol provided. Test the artificial payload against your model(use testing mode as explained above). This packet should be accepted by your model. You should get an output that says “It fits the model”.

Task C:

Preliminary reading. ?Please refer to the “Polymorphic Blending Attacks” paper. In particular, section 4.2 that describes how to evade 1-gram and the model implementation. More specifically we are focusing on the case where m <= n and the substitution is one-to-many.

We assume that the attacker has a specific payload (attack payload) that he would like to blend in with the normal traffic. Also, we assume that the attacker has access to one packet (artificial profile payload) that is normal and is accepted as normal by the PAYL model.

The attacker’s goal is to transform the byte frequency of the attack traffic so that is matches the byte frequency of the normal traffic, and thus bypass the PAYL model.

Code provided: ?Please look at the Polymorphic blend directory. All files (including attack payload) for this task should be in this directory.

How to run the code: ?Run task1.py

Main function: ?task1.py contains all the functions that are called.

Output: ?The code should generate a new payload that can successfully bypass the PAYL model that you have found above (using your selected parameters). The new payload (output) is shellcode.bin + encrypted attack body + XOR table + padding. Please refer to the paper for full descriptions and definitions of Shellcode, attack body, XOR table and padding. The Shellcode is provided.

Substitution table: ?We provide the skeleton for the code needed to generate a substitution table, based on the byte frequency of attack payload and artificial profile payload. According to the paper the substitution table has to be an array of length 256. For the purpose of implementation, the substitution table can be e.g.a python dictionary table. We ask that you complete the code for the substitution function. The substitution is one-to-many.

Padding: ?Similarly we have provided a skeleton for the padding function and we are asking you to complete the rest.

Main tasks: ?Please complete the code for the substitution.py and padding.py, to generate the new payload.

Deliverables: ?Please deliver your code for the substitution and the padding, and the output of your code. Please see section deliverables.

Test your output. ?Test your output (below noted as output) against the PAYL model and verify that it is accepted. FP should be 100% indicating that the payload got accepted as legit, even though is malicious. You should run as follows and observe the following output.

Attachment:- Project -ML for Security.rar

Homework Help/Study Tips, Others

  • Category:- Homework Help/Study Tips
  • Reference No.:- M92791919
  • Price:- $110

Priced at Now at $110, Verified Solution

Have any Question?


Related Questions in Homework Help/Study Tips

Review the website airmail service from the smithsonian

Review the website Airmail Service from the Smithsonian National Postal Museum that is dedicated to the history of the U.S. Air Mail Service. Go to the Airmail in America link and explore the additional tabs along the le ...

Read the article frank whittle and the race for the jet

Read the article Frank Whittle and the Race for the Jet from "Historynet" describing the historical influences of Sir Frank Whittle and his early work contributions to jet engine technologies. Prepare a presentation high ...

Overviewnow that we have had an introduction to the context

Overview Now that we have had an introduction to the context of Jesus' life and an overview of the Biblical gospels, we are now ready to take a look at the earliest gospel written about Jesus - the Gospel of Mark. In thi ...

Fitness projectstudents will design and implement a six

Fitness Project Students will design and implement a six week long fitness program for a family member, friend or co-worker. The fitness program will be based on concepts discussed in class. Students will provide justifi ...

Read grand canyon collision - the greatest commercial air

Read Grand Canyon Collision - The greatest commercial air tragedy of its day! from doney, which details the circumstances surrounding one of the most prolific aircraft accidents of all time-the June 1956 mid-air collisio ...

Qestion anti-trustprior to completing the assignment

Question: Anti-Trust Prior to completing the assignment, review Chapter 4 of your course text. You are a manager with 5 years of experience and need to write a report for senior management on how your firm can avoid the ...

Question how has the patient and affordable care act of

Question: How has the Patient and Affordable Care Act of 2010 (the "Health Care Reform Act") reshaped financial arrangements between hospitals, physicians, and other providers with Medicare making a single payment for al ...

Plate tectonicsthe learning objectives for chapter 2 and

Plate Tectonics The Learning Objectives for Chapter 2 and this web quest is to learn about and become familiar with: Plate Boundary Types Plate Boundary Interactions Plate Tectonic Map of the World Past Plate Movement an ...

Question critical case for billing amp codingcomplete the

Question: Critical Case for Billing & Coding Complete the Critical Case for Billing & Coding simulation within the LearnScape platform. You will need to create a single Microsoft Word file and save it to your computer. A ...

Review the cba provided in the resources section between

Review the CBA provided in the resources section between the Trustees of Columbia University and Local 2110 International Union of Technical, Office, and Professional Workers. Describe how this is similar to a "contract" ...

  • 4,153,160 Questions Asked
  • 13,132 Experts
  • 2,558,936 Questions Answered

Ask Experts for help!!

Looking for Assignment Help?

Start excelling in your Courses, Get help with Assignment

Write us your full requirement for evaluation and you will receive response within 20 minutes turnaround time.

Ask Now Help with Problems, Get a Best Answer

Why might a bank avoid the use of interest rate swaps even

Why might a bank avoid the use of interest rate swaps, even when the institution is exposed to significant interest rate

Describe the difference between zero coupon bonds and

Describe the difference between zero coupon bonds and coupon bonds. Under what conditions will a coupon bond sell at a p

Compute the present value of an annuity of 880 per year

Compute the present value of an annuity of $ 880 per year for 16 years, given a discount rate of 6 percent per annum. As

Compute the present value of an 1150 payment made in ten

Compute the present value of an $1,150 payment made in ten years when the discount rate is 12 percent. (Do not round int

Compute the present value of an annuity of 699 per year

Compute the present value of an annuity of $ 699 per year for 19 years, given a discount rate of 6 percent per annum. As