Network security 

Network security

A firewall is a network security device that screens approaching and active network traffic and chooses whether to permit or block explicit traffic dependent on a defined set of security rules. Firewalls have been the first line of protection in network security for more than 25 years. They set up a boundary among verified and controlled inner networks that can be trusted and untrusted outside networks, for example, the Internet. A firewall can be hardware, software, or both.

There are several types of firewalls such as:

Proxy firewall; An early sort of firewall gadget, a proxy firewall serves as the gateway from one system then onto the next for a particular application. Proxy servers can give extra usefulness, for example, content storing and security by keeping direct connections from outside the system.

Stateful inspection firewall; Presently thought of as a “customary” firewall, a stateful inspection firewall permits or blocks traffic dependent on the state, port, and protocol. It screens all activity from the opening of a connection until it is shut.

Unified threat management (UTM) firewall; An UTM device normally join, in an inexactly coupled way, the elements of a stateful inspection firewall with intrusion prevention and antivirus.

Next-generation firewall (NGFW); Firewalls have developed past straightforward packet sifting and stateful inspection. Most organizations are conveying next-generation firewalls to block modern dangers, for example progressed malware and application-layer attacks.

threat-focused NGFW; These firewalls incorporate every one of the capacities of a conventional NGFW and furthermore give propelled threat detection and remediation.

In its relevance to the network security, firewall plays the following roles:

Gives defense against outside dangers by declining unapproved connections to the router from potential attackers, for example, hackers.

It additionally shields the network infrastructure from inside. In other words, it blocks active connections from the router. It mitigates the spread of viruses, keyloggers, or malware that have sneaked past the router and on the network. Such malicious software may transmit confidential information back to the hacker, for example, passwords. Just a firewall can keep them from doing such by hindering their connection.


William R. Cheswick, Steven M. Bellovin, Aviel D. Rubin (2003). “Google Books Link”. Firewalls and Internet Security: repelling the wily hacker

o 500-700 word, double spaced, written in APA format, showing sources and a bibliography

o Prepare a 15 presentation on your final topic



Describing the technology for defeating DDOS attacks would be a great presentation.

o 500-700 word, double spaced, written in APA format, showing sources and a bibliography

o Prepare a 15 presentation on your final topic

CS6262-O01 Network Security

CS6262-O01 Network Security – Project 5 Training & Evading ML based IDS

1 Introduction/Assignment Goal The goal of this project is to introduce students to machine learning techniques and methodologies, that help to differentiate between malicious and legitimate network traffic. In summary, the students are introduced to:

• Use a machine learning based approach to create a model that learns normal network traffic. • Learn how to blend attack traffic, so that it resembles normal network traffic, and by-pass the learned model.

NOTE: To work on this project, we recommend you to use Linux OS. However, in the past, students faced no difficulty while working on this project even on Windows or Macintosh OS.

2 Readings & Resources This assignment relies on the following readings:

• “Anomalous Payload-based Worm Detection and Signature Generation”, Ke Wang, Gabriela Cretu, Salvatore J. Stolfo, RAID2004.

• “Polymorphic Blending Attacks”, Prahlad Fogla, Monirul Sharif, Roberto Perdisci, Oleg Kolesnikov, Wenke Lee, Usenix Security 2006.

• “True positive (true detections) and False positive (false alarms)”

3 Task A • Preliminary reading. Please refer to the above readings to learn about how the PAYL model works: a) how to

extract byte frequency from the data, b) how to train the model, and c) the definition of the parameters; threshold and smoothing factor. Note: Without this background it will be very hard to follow through the tasks.

• Code and data provided. Please look at the PAYL directory, where we provide the PAYL code and data to train the model.

• Install packages needed. Please read the file SETUP to install packages that are needed for the code to run. • PAYL Code workflow. Here is the workflow of the provided PAYL code:

– It operates in two modes: a) training mode: It reads in pcap files provided in the ‘data’ directory, and it tests parameters and reports True Positive rates, and b) testing mode: It trains a model using specific parameters and using data in the directory, it will use a specific packet to test and then will decide if the packet fits the model.

– Training mode: It reads in the normal data and separates it into training and testing. 75% of the provided normal data is for training and 25% of the normal data is for testing. It sorts the payload strings by length and generates a model for each length. Each model per length is based on [ mean frequency of each ascii, standard deviation of frequencies for each ascii]

– To run PAYL on training mode: python You will have to modify the port numbers in the read (commented in the sourcecode) according to the protocol you select.

– Testing mode: It reads in normal data from directory, it trains a model using specific parameters, and it tests the specific packet (fed from command line) against the trained model. 1. It computes the mahalanobis distance between each test payload and the model (of the same length), and 2. It labels the payload: If the mahalanobis distance is below the threshold, then it accept the payload as normal traffic. Otherwise, it reject the packet as attack traffic.

– To run PAYL on testing mode: python [FILE.pcap]

1 #Sample Output: 2 $ python 3 Attack data not provided, training and testing model based on pcap files in data/

folder alone.


4 To provide attack data, run the code as: python <attack-data-file-name> 5 ——————————————— 6 Training 7 Testing 8 Total Number of testing samples: 7616 9 Percentage of True positives: XX.XX

10 Exiting now


• You are provided a single traffic trace (artificial-payload) to train a PAYL model. • After reading the reference papers above, it should make sense that you cannot train the PAYL model on the entire

traffic because it contains several protocols. Select a protocol: a) HTTP or b) IRC to train PAYL. • Modify the IP addresses/port numbers (also commented in the python files) in the source code according to the

traffic you choose (HTTP/IRC). • Use the artificial traffic corresponding to the protocol that you have chosen and proceed to train PAYL. Use the

provided code in the training mode and make sure that you are going to use the normal traffic(artificial payload) that is fed to your code while training. Provide a range of the two parameters (threshold and smoothing factor). For each pair of parameters you will observe a True Positive Rate. Select a pair of parameters that gives 95% or more True Positive; more than 99% true positive rate is possible. You may find multiple pairs of parameters that can achieve that.

4 Task B • Download your unique attack payload: To download your unique attack payload, visit the following url:˜rgiri8/6262_P5/einstein7.pcap and replace “einstein7” with your GTID.

• Use PAYL in testing mode. Feed the same training data that you selected from Task A, use the same pair of parameters that you found from Task A and provide the attack trace.

• Verify that your attack trace gets rejected – in other words that it doesn’t doesn’t fit the model. • You should run as follows and observe the following output: 1

2 \$ python attack-trace-test.pcap 3 Attack data provided, as command line argument attack-trace.pcap 4 ——————————————— 5 Training 6 Testing 7 Total Number of testing samples: 7616 8 Percentage of True positives: XX.XX 9 ————————————–

10 Analysing attack data, of length1 11 No, calculated distance of ZZZZ is greater than the threshold of XXXX. IT DOESN’T

FIT THE MODEL. 12 Total number of True Negatives: 100.0 13 Total number of False Positives: 0.0 14

15 \texttt{Number of samples with same length as attack payload: 1

• Finally, use the artificial payload of the protocol you have selected. Test the artificial payload against your model (use testing mode as explained above). This packet should be accepted by your model. You should get an output that says “It fits the model”.

5 Task C 1. Preliminary reading. Please refer to the “Polymorphic Blending Attacks” paper. In particular, section 4.2 that

describes how to evade 1-gram and the model implementation. More specifically we are focusing on the case where m <= n and the substitution is one-to-many.

2. We assume that the attacker has a specific payload (attack payload) that he would like to blend in with the normal traffic. Also, we assume that the attacker has access to one packet (artificial profile payload) that is normal and is accepted as normal by the PAYL model.


3. The attackers goal is to transform the byte frequency of the attack traffic so that is matches the byte frequency of the normal traffic, and thus by-pass the PAYL model.

• Code provided: Please look at the Polymorphic blend directory. All files (including attack payload) for this task should be under this directory. • How to run the code: Run You will have to modify the port numbers according to the protocol you

select in (also commented in the sourcecode). • Main function: contains all the functions that are called. • Output: The code should generate a new payload that can successfully by-pass the PAYL model that you

have found above (using your selected parameters). The new payload (output) is shellcode.bin + encrypted attack body + XOR table + padding. Please refer to the paper for full descriptions and definitions of Shellcode, attack body, XOR table and padding. The Shellcode is provided. • Substitution table: We provide the skeleton for the code needed to generate a substitution table, based on the

byte frequency of attack payload and artificial profile payload. According to the paper the substitution table has to be an array of length 256. For the purpose of implementation, the substitution table can be a python dictionary data structure. Since we are going to verify your substitution table, for the purpose of consistency, we ask you to use a dictionary data structure only(refer to appendix). You can use a list of values for a key in your substitution table. Your task is to complete the code for the substitution function. Also you are asked to implement the mapping as one-to-many. • Padding: Similarly we have provided a skeleton for the padding function and we are asking you to complete

the rest. • Main tasks: Please complete the code for the and, to generate the new payload. • Deliverables: Please deliver your code of the substitution, padding and the substitution table output (use print

command to get it) along with the output of your code. Please see the deliverable section.

4. Test your output. Test your output (below noted as output) against the PAYL model and verify that it is accepted. FP should be 100% indicating that the payload got accepted as legit, even though is malicious. You should run as follows and observe the following output:

1 $ python Output 2 Attack data provided, as command line argument Output 3 ——————————————— 4 Training 5 Testing 6 Total Number of testing samples: 7616 7 Percentage of True positives: XX.XX 8 ————————————– 9 Analysing attack data, of length1

10 Yes, calculated distance of YYYY is lesser than the threshold of XXXX. IT FITS THE MODEL.

11 Total number of True Negatives: 0.0 12 Total number of False Positives: 100.0 13

6 Deliverables & Rubric • Task A: 35 points Please report the protocol that you used and the parameters that you found in a file named parameters. Please report a decimal with 2 digit accuracy for each parameter. Format: |Protocol:HTTP| or |Protocol:IRC| |Threshold:1.23| |SmoothingFactor:1.24| |TruePositiveRate:80.95|

• Task B: 5 points Please append a new line in parameters with the score of the attack payload after completing Task B. Format: |Distance:2000|

• Task C: 60 points – Code: 40 points. Please submit the code for, substitution table.txt and

– Output: 20 points. Please submit your output of Task C generated as a new file after running


A How to verify your task C: If you only have 64-bit compiler, you need to run following:

1 sudo apt-get install lib32gcc-4.9-dev # Or whatever your current gcc version is 2 sudo apt-get install gcc-multilib

Next, then create a Makefile with following:

1 a.out: shellcode.o payload.o 2 gcc -g3 -m32 shellcode.o payload.o -o a.out 3 shellcode.o: shellcode.S 4 gcc -g3 -c shellcode.S -m32 -o shellcode.o 5 payload.o: payload.bin 6 objcopy -I binary -O elf32-i386 -B i386 payload.bin payload.o

Now, modify the hardcoded attack payload length at line no. 10 of shellcode.S with the length of your malicious at- tack payload. It should be an integer value equal to or the next multiple of 4 of your attack payload length. You can also get this number from and seeing what len(adjusted attack body) is. Without this the code wont point to the correct xor table location.

Next, you need to generate your payload. So, somewhere near the end of add the following to create your payload.bin:

1 with open(“payload.bin”, “wb”) as payload_file: 2 payload_file.write(’’.join(adjusted_attack_body + xor_table))

Now, run to generate payload.bin and once it’s generated, run the makefile with make and then run a.out:

1 make 2 ./a.out

If all is well you should see your original packet contents. If not and you get a bunch of funny letters.. it didn’t work. Note: It was only tested on Linux, you might need to make a few modifications according to your system configuration.

A Sample substitution table.txt: Below is the one-line output generated using “print substitution table” in python. Your substitution table.txt should look like this:

1 {’t’: [(’Z’, 0.69), (’4’, 0.54), (’.’, 0.11), (’2’, 0.09), (’!’, 0.09), (’-’, 0.09), (’u ’, 0.07), (’x’, 0.07), (’9’, 0.05), (’v’, 0.05), (’,’, 0.04), (’k’, 0.04), (’)’, 0.009), (’(’, 0.008), (’5’, 0.008), (’F’, 0.007), (’&’, 0.0065), (’G’, 0.005), (’%’, 0.001), (’6’, 0.0001), (’B’, 0.0001), (’I’, 0.001), (’K’, 0.001), (’S’, 0.001), (’g’, 0.001), (’W’, 0.001)], ’.’: [(’s’, 0.041)], ’5’: [(’=’, 0.0225)], ’0’: [(’v’, 0.036)

], ’3’: [(’h’, 0.028)], ’1’: [(’\n’, 0.009)], ’9’: [(’”’, 0.025)], ’:’: [(“’”, 0.009) ], ’<’: [(’\’, 0.054)], ’F’: [(’m’, 0.029)], ’q’: [(’5’, 0.009)], ’b’: [(’c’, 0.04)], ’s’: [(’0’, 0.012)], ’u’: [(’b’, 0.0123)], ’o’: [(’>’, 0.035)], ’x’: [(’d’, 0.02)]}


  • Introduction/Assignment Goal
  • Readings & Resources
  • Task A
  • Task B
  • Task C
  • Deliverables & Rubric
  • How to verify your task C:
  • Sample substitution_table.txt:

Network Security

Must answer both bullets completely and at least 200 words


“Network Security”  Please respond to the following:

  • As a corporate network administrator the industry standard suggests your job is to maintain the confidentiality, availability, and integrity of all network resources. Choose an attack that affects one (1) of the three (3) areas in question. Describe the attack, and provide one (1) example that illustrates the primary manner in which such an attack could damage a company. Suggest at least one (1) strategy that a company can use in order to protect itself against the identified attack.
  • Explain three (3) approaches to protecting an enterprise network against malware or viruses. Suggest two (2) security products that one may use in conjunction with one another to help protect network resources. Of the two (2) suggested products, give your opinion of the one (1) that provides the greatest degree of protection for the enterprise. Provide a rationale for your response.