Topic author: Machine Learning Linux IPS: Stratosphere (Read 264 times)


Offline Flavio58

Machine Learning Linux IPS: Stratosphere
« Reply #1 on: June 18, 2018, 03:55:08 pm »
This is the Linux version of the Stratosphere IPS, a behavioral-based intrusion detection and prevention system that uses machine learning algorithms to detect malicious behaviors. It is part of a larger suite of programs that includes the Stratosphere Windows IPS and the Stratosphere Testing Framework. This alpha version receives flows from a ra client (Argus Suite) and processes them using a specific algorithm. The purpose of the alpha version is to get feedback from the community.

 

Platform
Slips (using argus) has been tested on Linux Debian 8 and Apple IOS 10.9.5 so far.

 

Architecture
The idea of slips is to focus on the machine learning part of the detection and not on capturing the network traffic. That is why the traffic is received from an external Argus instance. Argus captures the packets in the network and makes them available to anyone connecting to the Argus port. Argus does not send them until somebody asks for them.

The basic architecture is to read the flows from an Argus instance using the ra tool and to send the flows to slips on standard input. This way of working is convenient because we can analyze the traffic of our own computer, and also the traffic of a remote network or of any other computer where an Argus instance is running. In fact, if you run the Argus program on any Windows or Mac machine or on a router, slips can analyze its traffic.

 

Usage
To use this alpha version you will need an Argus instance running and listening on a port.



If you don't have an Argus instance, first install it. Either do a source install from Argus, or, on Debian and Ubuntu, run:

    sudo apt-get install argus argus-clients

To run argus on your own computer you should do:

    argus -B localhost -F [slipsfolder]/argus.conf

This runs argus on your interface, opens port 902 on the localhost address only, and runs in the background. See the argus configuration file and the Argus documentation for more information. (Port 902 is used because it is not in the default port list of nmap, so there are fewer chances that anybody will find it.)

Then start the slips program receiving flows from a ra client:

    ra -F [slipsfolder]/ra.conf -n -Z b -S 127.0.0.1:902 | ./slips.py -m models -p

This reads the network traffic on your computer and tries to detect malicious behavior by applying the models in the folder models.

Warning! Expect to wait at least one hour before Argus starts sending flows to slips. After this first hour the flows arrive continually, but Argus is configured to read packets for one hour before it creates the flows. The best way to avoid this delay is to keep Argus running on the computer all the time and connect slips only when you want. Remember: while it is running, Argus does not store the packets.

 

Detection Models
The core of the slips program is not only the machine learning algorithm, but more importantly the behavioral models. The behavioral models are created with the Stratosphere Testing Framework and are exported by the Stratosphere research team. This is very important because the models are curated to maximize detection. If you want to experiment and create your own behavioral models, see the Stratosphere Testing Framework documentation.

The behavioral models are stored in the models folder and will be updated regularly. In this version you should pull the git repository by hand to update the models.

 

Features
This alpha version of slips comes with the following features:

If you execute slips without the -m parameter it will not detect any behavior in the network but just print the tuples. So you can also use slips to see what is happening in your network even without detection.
Use -a to set the minimum number of letters that a tuple must have to be considered for detection. The default is a minimum of 3 letters, which is enough to have at least one periodic letter.
slips works by separating the traffic into time windows. This allows it to report detections to the user at a fixed interval. The default time window is now 1 minute, but you can change it with the parameter -w (a time window of five minutes is also recommended).
If you want slips to actually try to detect something, you should specify -m to tell slips where to find the behavioral models.
The -p option tells slips to print the tuples that were detected. Even if detection is working, without -p the tuples are not printed.
If you want to be alerted of any detection without looking at the screen, you can specify -s to get a sound alert. You need to install the pygame library.
If you want to avoid doing any detection, use -D.
If you want to anonymize the source IP addresses before doing any processing, use -A. This forces all the source IPs to be hashed with MD5 in memory. A file is also created in the current folder with the relationship between the original IP addresses and the new hashed IP addresses, so you can later relate the detections.
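The architecture and usage sections above describe slips as a filter that takes ra flows on standard input, splits them into time windows (-w), builds per-connection tuples and optionally hashes source IPs with MD5 (-A). The script below is an added example written for this post; it is not slips' own code and does not implement the Stratosphere behavioral letters. It assumes a constructed comma-separated flow layout (start time, protocol, source, destination, destination port, state); real ra output depends on the fields configured in ra.conf. The tuple key (src, dst, dport, proto), the window origin at the first flow seen, and the "one letter per flow" reading of the -a threshold are simplifying assumptions. One caveat a practitioner should keep in mind about -A: the IPv4 address space is small enough to enumerate, so an unsalted MD5 of an address is pseudonymization rather than strong anonymization, and both the hashed output and the mapping file deserve the same access controls as the raw addresses.

```python
import hashlib
import sys
from collections import defaultdict
from datetime import datetime

# Constructed sample input. The column layout (start time, proto, src, dst, dport,
# state) is an assumption for this example; real ra output depends on ra.conf.
SAMPLE_FLOWS = """\
2018-06-18 12:00:01.000,tcp,10.0.0.5,93.184.216.34,443,CON
2018-06-18 12:00:11.000,tcp,10.0.0.5,93.184.216.34,443,CON
2018-06-18 12:00:21.000,tcp,10.0.0.5,93.184.216.34,443,CON
2018-06-18 12:00:30.000,udp,10.0.0.7,10.0.0.1,53,CON
2018-06-18 12:01:05.000,tcp,10.0.0.5,93.184.216.34,443,CON
2018-06-18 12:01:40.000,tcp,10.0.0.9,198.51.100.4,80,REQ
"""


def parse_flow(line):
    """Split one comma-separated flow line into its fields."""
    ts, proto, src, dst, dport, state = line.strip().split(",")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"),
        "proto": proto, "src": src, "dst": dst, "dport": int(dport), "state": state,
    }


def anonymize_ip(ip, mapping):
    """Replace an IP with its MD5 hex digest, recording original -> hashed in mapping."""
    hashed = hashlib.md5(ip.encode()).hexdigest()
    mapping[ip] = hashed
    return hashed


def write_mapping(mapping, path):
    """Persist the original -> hashed relationship so detections can be related later."""
    with open(path, "w") as fh:
        for ip, hashed in sorted(mapping.items()):
            fh.write(f"{ip} {hashed}\n")


def group_flows(lines, window_seconds=60, anonymize=False):
    """Assign each flow to a time window (counted from the first flow seen) and
    count flows per 4-tuple (src, dst, dport, proto) inside that window.
    Returns ({window_index: {tuple: count}}, ip_mapping)."""
    windows = defaultdict(lambda: defaultdict(int))
    mapping = {}
    start = None
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if start is None:
            start = flow["ts"]
        idx = int((flow["ts"] - start).total_seconds() // window_seconds)
        src = anonymize_ip(flow["src"], mapping) if anonymize else flow["src"]
        windows[idx][(src, flow["dst"], flow["dport"], flow["proto"])] += 1
    return {idx: dict(tuples) for idx, tuples in windows.items()}, mapping


def candidates(windows, min_flows=3):
    """Tuples with at least min_flows flows in a window. This stands in for the -a
    threshold under the simplifying assumption of one behavioral letter per flow."""
    return {idx: [t for t, n in tuples.items() if n >= min_flows]
            for idx, tuples in windows.items()}


if __name__ == "__main__":
    # Read flows from stdin when piped (as in "ra ... | script"), else use the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_FLOWS.splitlines()
    windows, mapping = group_flows(source, window_seconds=60, anonymize="-A" in sys.argv)
    if mapping:
        write_mapping(mapping, "ip_mapping.txt")
    for idx in sorted(windows):
        for t, n in sorted(windows[idx].items()):
            flag = "candidate" if n >= 3 else ""
            print(f"window {idx}: {t[0]} -> {t[1]}:{t[2]}/{t[3]} flows={n} {flag}")
```

Run without arguments it walks the embedded sample, where the three 10.0.0.5 -> 93.184.216.34:443 flows in the first minute are the only tuple that reaches the threshold; pass -A to see the source column replaced by hashes and the mapping written to ip_mapping.txt, and change window_seconds to 300 to see how a five-minute window merges the same tuple's flows into one count.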
 

https://github.com/stratosphereips/StratosphereLinuxIps


IT consultant since 1984

Automation software, electronic design, computer vision, artificial intelligence, IoT, cyber security, military security technologies, SIGINT.

Facebook:https://www.facebook.com/flaviobernardotti58
Twitter : https://www.twitter.com/Flavio58

Cell:  +39 366 3416556

f.bernardotti@deeplearningitalia.eu

#deeplearning #computervision #embeddedboard #iot #ai

 
