Irvington High School, Class of 2025, Fremont, California
About
Hello, I'm William, and my Polygence project was a network packet analysis application. I am interested in cyber security and computer science, and am applying to do another project in this field.
Neural Network-based Approach Towards Port Scan Attack Detection in Linux-based IoT Systems
Started Sept. 29, 2022
Abstract or project description
In the era of a rapidly evolving technology space, the Internet of Things (IoT) has transformed our interaction with technology through lightweight devices. As the number of IoT devices grows, their security and privacy have become crucial. Port scanning attacks, a common and harmful network attack on IoT systems, are used by malicious actors to find network vulnerabilities and often serve as precursors to cyberattacks. This paper discusses the various neural network techniques evaluated for detecting port scanning attacks and also describes the methodology and results achieved. This paper uses the public ToN_IoT Linux datasets, a recent collection of data from various IoT network attacks, to train and evaluate neural network models for accurate port scanning attack detection. Two datasets were analyzed, including data from Linux disk audit traces and snapshots of Linux system processes recorded alongside the attacks. Various neural network techniques are investigated, showing results of varied performance across models evaluated using True Positive Rate (TPR) and False Positive Rate (FPR). The evaluated models demonstrated both high TPRs and FPRs, indicating a tradeoff. To maintain system credibility and avoid false alarms, a 1% FPR was set. Under this rule, RNN achieved the highest TPR (72.63%) for Linux disk activities, and ANN had the highest accuracy (63.78%) for Linux system processes. This research contributes valuable insights for network security professionals and researchers seeking to develop effective intrusion detection systems and further enhance network security.
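The fixed-FPR operating point described in the abstract, as an added example (not code from the paper): the alert threshold is chosen from benign scores so that at most 1% of them are flagged, and TPR is then read off at that threshold. The function name and the score lists are constructed for illustration; the tie at 0.90 shows why a plain percentile cut can silently exceed the false-alarm budget.

```python
def tpr_at_fpr(benign_scores, attack_scores, max_fpr=0.01):
    """Return (threshold, fpr, tpr) for the lowest threshold whose false
    positive rate on benign samples stays within max_fpr.
    A sample raises an alert when its score is strictly above the threshold."""
    benign = sorted(benign_scores, reverse=True)
    # Number of benign samples the budget allows us to flag (epsilon guards
    # against float rounding such as 0.01 * 300 landing just below 3).
    allowed = int(max_fpr * len(benign) + 1e-9)
    # The threshold is the score of the first benign sample we must not flag.
    # Using a strict ">" means benign samples tied with it are not flagged
    # either, so the budget is never exceeded.
    threshold = benign[allowed] if allowed < len(benign) else float("-inf")
    fp = sum(s > threshold for s in benign)
    tp = sum(s > threshold for s in attack_scores)
    return threshold, fp / len(benign), tp / len(attack_scores)

# Constructed detector scores (higher = more likely a port scan).
# Three benign samples tie at 0.90, but a 1% budget on 200 samples allows 2.
BENIGN = [0.05] * 150 + [0.30] * 47 + [0.90] * 3
ATTACK = [0.95] * 6 + [0.90] * 2 + [0.40] * 2

if __name__ == "__main__":
    for budget in (0.01, 0.02):
        thr, fpr, tpr = tpr_at_fpr(BENIGN, ATTACK, budget)
        print(f"budget={budget:.0%} threshold={thr} FPR={fpr:.3f} TPR={tpr:.2f}")
```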
Making existing network analysis tools/applications more user friendly.
Started Dec. 3, 2021
Abstract or project description
CapyNet: A user-friendly network analysis application with improved features over Wireshark: a more user-friendly filtering system, matching up domain names with IP addresses, and extended analytics to identify network anomalies, using a pre-existing network packet parsing library.
GitHub Repo Link: https://github.com/williamnamgyal/capynet
Prerequisites: A version of Python <=3.8, and the packages from requirements.txt on GitHub installed (Scapy, tkinter, matplotlib).
Basic Use of App: When opened, the app displays a list of your network interfaces. Click on whichever network interface you want to scan. Note that it lists all network interfaces, and some interfaces may be inactive, so make sure you know which interface to sniff on. After you click a network interface name, it will prompt you for how many packets you want to sniff. Enter the number of packets. (Note that extremely large numbers of packets, like 100,000, might cause the application to freeze for a couple of seconds and then load.)
Features: Filtering the network packet display by Network Protocol, Source, and Destination; viewing more detailed information about packets; IPv6 support; generating I/O graphs from packets; opening pcap/pcapng files to analyze; saving sniffed packets into a file on the computer; DNS host name resolution for DNS response packets.
Filtering network packets: Click the big button at the top left that says Filter, and choose one of 3 options: Network Protocol, Source, or Destination. After you choose one, a textbox will appear; enter either the network protocol (Ex: TCP, HTTP, etc.) or the source/destination address (Ex: 188.8.131.52, 2345:0425:2CA1:0000:0000:0567:5673:23b5, etc.). Once you have finished, click the red filter button, which will apply the filter.
Viewing more detailed information about packets: To view more information about a packet, just double click on it, and the top half of the screen will display the information and field descriptions for the packet.
Generating I/O Graphs: With sniffed packets open, click on Statistics in the menu header on the top left, and click Generate I/O Graph, which will generate a graph for the packets and give you options to zoom in, zoom out, move around, and save. (Matplotlib)
Opening pcap files: Navigate to the menu header labeled "File" in the top left, hover over or click on it, and then click "Open" in the dropdown menu. Then, select the pcap or pcapng file.
Saving sniffed packets: Navigate to the menu header labeled "File" in the top left, hover over or click on it, and click "Save As" in the dropdown menu. It will then open a menu showing the directory the file was saved in (the default directory) and the file name.
DNS response packet host name resolution: Navigate to the menu header labeled "View", hover over or click on it, and select "Resolve DNS Hostnames", which will resolve all the DNS hosts to their domain hostnames.