Terrier: a neural-network-based port scan detector

  • Author: T8_189897
  • File size: 25.1KB
  • File format: zip
  • Upload date: 2022-05-28 05:22
Contents of Terrier-master.zip:
  • Terrier-master
  • main.py (331B)
  • training
  • base
  • heap.go (745B)
  • base.go (4.3KB)
  • seeddata
  • README (113B)
  • tgout.go (8.3KB)
  • tgpp.go (5.9KB)
  • tgcls.go (6.1KB)
  • config.json (101B)
  • future.md (1.7KB)
  • nn.trained (32KB)
  • validation.py (14.5KB)
  • db_schema.py (344B)
  • .gitignore (492B)
  • neural_net.py (6.3KB)
  • README.md (3.7KB)
  • .gitattributes (483B)
Description
# Overview

Our project aims to identify and respond to port scans against one or more systems from one or more systems. The project implements a neural net designed to catch slower passive scans, fast aggressive scans, horizontal scans against many systems, and vertical scans against a single system using potentially spoofed addresses. Based on the results from the neural net, our system would raise an alarm and activate other applications to protect the system against scans. Our project aims to develop a detection system that identifies scans earlier, and detects stealthy scans that slip past existing port scan detection software.

# Process

![System architecture](https://docs.google.com/drawings/d/1RNIRRjpCY45OXpBxJLRGVe2dGiWd20gSED2H-Dn1qjk/pub?w=960&h=720)

Our system consists of four parts: the collection agent, the detection agent, the response agent, and a database.

The collection agent captures all packets entering a system, and logs relevant information about the packets to the database. These pieces of information are:

- Destination port
- Destination address
- Source address
- Time arrived
- Time to live
- ~~Result of Snort check for malicious packets (assuming this does not slow down too far)~~

Once the collection agent has reached a threshold, either n packets entering the collection agent or n seconds passing by, the collection agent will create a set of unique source addresses from the packets it has collected. For each unique source address, it places a job into the detection agent's queue.

The detection agent pulls jobs off its queue, and pulls all related packets from the database for the source address. It then calculates several features about the packet data, and enters those features into the neural net for classification. These features are:

1. Seen subnet scan before
2. Number of irregular ports (not traditionally running services)
3. Average time between different ports
4. Number of ports in n seconds
5. Ratio of packets to number of ports
6. Average TTL of packets from same source
7. Difference between max and min TTL
8. ~~A bias on where the traffic came from geographically.~~ (IP to geo currently not supported)
9. ~~Number of flagged packets~~ (Snort integration not supported)
10. ~~A count of the number of ports that the screening system found to be undesirable. Malformed packets/empty payloads/etc.~~ (Snort integration not supported)

If the neural net detects a port scan, a job is placed on the response agent's queue containing the source address of the attacker. The response agent pulls jobs off its queue and logs the relevant information. It then activates any number of scripts to further protect the system, including blocking the scanning system or trying to identify further information about the attacker. Our system is designed to allow multiple response agents to be running in parallel, allowing the system to scale up to an attack load.

# Data

We used the DARPA Intrusion Detection Data Sets from 1999 (http://www.ll.mit.edu/mission/communications/cyber/CSTcorpora/ideval/data/).

# Evaluation

We measured effectiveness by doing 10-fold cross validation on the training data.

# Presentation

[Slides for the final presentation](https://docs.google.com/presentation/d/1th6rvQ79YW52-BZvkmWwdCs9tmTbjGukOMyATNWydDw/edit?usp=sharing)

# External Links

### Libraries:

- http://www.pybrain.org/docs/
- http://scikit-learn.org/stable/
- http://www.rabbitmq.com/

### Data:

- http://www.ll.mit.edu/mission/communications/cyber/CSTcorpora/ideval/data/1999data.html

### Papers:

- https://media.blackhat.com/bh-us-10/whitepapers/Engebretson_Pauli_Cronin/BlackHat-USA-2010-Engebretson-Pauli-Cronin-SprayPAL-wp.pdf
- http://www.dsu.edu/research/ia/documents/%5B15%5D-Attack-Traffic-Libraries-for-Testing-and-Teaching-Intrusion-Detection-Systems.pdf
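The README lists the per-source features the detection agent computes but does not show how they come out of the logged packet fields. The following is an added example, not code from the Terrier repository: it groups an in-memory packet log by source address (the collection agent's "one job per unique source" step) and computes features 1 through 7 for each source so the values fed to the classifier can be inspected. The `Packet` record, the `REGULAR_PORTS` set, the /24 subnet history used for "seen subnet scan before", the 5-second window for "ports in n seconds", and the sample capture are all constructed assumptions, not the project's own definitions or data.

```python
"""Feature extraction for Terrier-style port scan detection.

Added example, not code from the Terrier repository: it reimplements README
features 1-7 over an in-memory packet log so the numbers the detection agent
would hand to the neural net can be inspected. The packet records, the set of
"regular" ports and the subnet history are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Dict, Iterable, List, Set

# Ports assumed to carry traditional services; any other destination port
# counts as irregular (feature 2). Constructed assumption, not the project's list.
REGULAR_PORTS = {22, 25, 53, 80, 110, 143, 443, 993, 995}


@dataclass(frozen=True)
class Packet:
    src: str     # source address
    dst: str     # destination address
    dport: int   # destination port
    t: float     # arrival time, seconds since capture start
    ttl: int     # IP time-to-live


def group_by_source(packets: Iterable[Packet]) -> Dict[str, List[Packet]]:
    """Collection-agent step: one job (time-ordered packet list) per unique source."""
    jobs: Dict[str, List[Packet]] = defaultdict(list)
    for p in packets:
        jobs[p.src].append(p)
    return {src: sorted(ps, key=lambda p: p.t) for src, ps in jobs.items()}


def subnet24(addr: str) -> str:
    """/24 prefix used for the 'seen subnet scan before' feature (assumption)."""
    return ".".join(addr.split(".")[:3])


def avg_time_between_ports(packets: List[Packet]) -> float:
    """Mean gap between consecutive packets whose destination port changed (feature 3)."""
    gaps = [b.t - a.t for a, b in zip(packets, packets[1:]) if a.dport != b.dport]
    return mean(gaps) if gaps else 0.0


def max_ports_in_window(packets: List[Packet], window: float) -> int:
    """Largest number of distinct ports hit inside any `window`-second span (feature 4)."""
    best = 0
    for i, start in enumerate(packets):
        ports = {p.dport for p in packets[i:] if p.t - start.t <= window}
        best = max(best, len(ports))
    return best


def extract_features(packets: List[Packet], known_scan_subnets: Set[str],
                     window: float = 5.0) -> dict:
    """Detection-agent step: README features 1-7 for the packets of one source."""
    packets = sorted(packets, key=lambda p: p.t)
    ports = {p.dport for p in packets}
    ttls = [p.ttl for p in packets]
    return {
        "seen_subnet_scan_before": subnet24(packets[0].src) in known_scan_subnets,
        "irregular_ports": len(ports - REGULAR_PORTS),
        "avg_time_between_ports": avg_time_between_ports(packets),
        "ports_in_window": max_ports_in_window(packets, window),
        "packets_per_port": len(packets) / len(ports),
        "avg_ttl": mean(ttls),
        "ttl_range": max(ttls) - min(ttls),
    }


# Constructed sample capture: 10.0.0.5 walks eight ports in under two seconds
# with a wandering TTL; 192.168.1.10 makes ordinary web requests to two ports.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "192.168.1.1", 21, 0.0, 60),
    Packet("10.0.0.5", "192.168.1.1", 22, 0.2, 61),
    Packet("10.0.0.5", "192.168.1.1", 23, 0.4, 58),
    Packet("10.0.0.5", "192.168.1.1", 80, 0.6, 60),
    Packet("10.0.0.5", "192.168.1.1", 135, 0.8, 63),
    Packet("10.0.0.5", "192.168.1.1", 139, 1.0, 59),
    Packet("10.0.0.5", "192.168.1.1", 445, 1.2, 60),
    Packet("10.0.0.5", "192.168.1.1", 3389, 1.4, 62),
    Packet("192.168.1.10", "192.168.1.1", 443, 0.1, 64),
    Packet("192.168.1.10", "192.168.1.1", 443, 0.9, 64),
    Packet("192.168.1.10", "192.168.1.1", 80, 3.0, 64),
    Packet("192.168.1.10", "192.168.1.1", 443, 4.5, 64),
]

# Constructed history of /24 subnets previously flagged as scanning (feature 1).
KNOWN_SCAN_SUBNETS = {"10.0.0"}


def run_sample() -> Dict[str, dict]:
    """Feature vectors for every source in the constructed capture."""
    return {src: extract_features(ps, KNOWN_SCAN_SUBNETS)
            for src, ps in group_by_source(SAMPLE_PACKETS).items()}


if __name__ == "__main__":
    for src, feats in run_sample().items():
        print(src, feats)
```

On the sample, the scanning source shows six irregular ports, eight distinct ports inside the window, one packet per port and a TTL spread of five, while the web client shows zero irregular ports, two packets per port and a flat TTL; those contrasts are what the neural net is trained to separate. Features 8 to 10 are struck through in the README as unsupported and are left out here.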