
I am trying to create a tool that identifies network attacks using machine learning, something like a small intrusion detection system. I have collected benign traffic from the network and then deployed a couple of nmap scans, hping, etc. To identify attacks, I am focusing on processing attributes from each packet individually and not a series of packets, and this seems to work great so far, specifically with decision trees.

For example some attacks that I have deployed on this network include: DoS using hping, man in the middle, spoofing, various scans with nmap.

However, I am questioning it, as I am not sure whether one packet is enough to indicate these attacks. Could you explain in which cases one packet could be enough and in which ones it wouldn't?

Irene Ant
    One packet is enough to detect certain attacks (or at least indicate a potential attack). For others, only a series of correlated packets can reveal the malicious intent. – DarkMatter Oct 25 '18 at 17:49
  • You're essentially asking for the intellectual property of proprietary IDS/IPS vendors and/or the open-source intelligence behind snort sigs or the like. As DarkMatter said, there are situations for both. For the open-source side, download the sigs and analyze how the community has determined to identify X or Y attack. That type of Q&A is too exhaustive for a forum like this. – thepip3r Oct 25 '18 at 19:55
  • @thepip3r She seems to want to implement this exclusively by training a machine learning model, so by itself it would not require any intellectual property or signatures. She only wants to decide whether to provide the model with one or multiple packets, deciding which _might_ require looking at the signatures of the packets but it might well be enough to make a guess (or suggest ways to test and verify both ways). Even the last question, while broad, does not necessarily require a huge list of signatures. – gbr Oct 26 '18 at 18:55
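The distinction the comments draw, between attacks visible in one packet and attacks that only show up across a series, can be made concrete with two feature extractors side by side. The following is an added example, not code from the question or any of the commenters: it builds a small constructed "capture" of packet records as plain dicts (no live traffic, no scapy), extracts the per-packet attributes a single-packet decision tree would see, and then extracts per-source attributes aggregated over a time window. The feature names, the window logic and the sample addresses are this example's own choices.

```python
"""Per-packet vs. windowed feature extraction for a small ML-based IDS.

Added illustration: packet records are constructed inline instead of being
captured from a network, and every feature name is an assumption of this
example, not an established IDS feature set.
"""

# Constructed sample capture. The first four records imitate a normal TCP
# handshake followed by a data segment from 10.0.0.5. The last five imitate
# a port sweep from 10.0.0.7: each packet is a lone SYN to a different port.
SAMPLE_PACKETS = [
    {"ts": 0.00, "src": "10.0.0.5", "dst": "10.0.0.9", "proto": "tcp", "sport": 51000, "dport": 443,   "flags": "S",  "len": 44},
    {"ts": 0.01, "src": "10.0.0.9", "dst": "10.0.0.5", "proto": "tcp", "sport": 443,   "dport": 51000, "flags": "SA", "len": 44},
    {"ts": 0.02, "src": "10.0.0.5", "dst": "10.0.0.9", "proto": "tcp", "sport": 51000, "dport": 443,   "flags": "A",  "len": 40},
    {"ts": 0.03, "src": "10.0.0.5", "dst": "10.0.0.9", "proto": "tcp", "sport": 51000, "dport": 443,   "flags": "PA", "len": 517},
    {"ts": 1.00, "src": "10.0.0.7", "dst": "10.0.0.9", "proto": "tcp", "sport": 40001, "dport": 22,    "flags": "S",  "len": 44},
    {"ts": 1.01, "src": "10.0.0.7", "dst": "10.0.0.9", "proto": "tcp", "sport": 40002, "dport": 23,    "flags": "S",  "len": 44},
    {"ts": 1.02, "src": "10.0.0.7", "dst": "10.0.0.9", "proto": "tcp", "sport": 40003, "dport": 80,    "flags": "S",  "len": 44},
    {"ts": 1.03, "src": "10.0.0.7", "dst": "10.0.0.9", "proto": "tcp", "sport": 40004, "dport": 8080,  "flags": "S",  "len": 44},
    {"ts": 1.04, "src": "10.0.0.7", "dst": "10.0.0.9", "proto": "tcp", "sport": 40005, "dport": 3306,  "flags": "S",  "len": 44},
]


def packet_features(pkt):
    """Attributes that exist inside a single packet.

    This is all a per-packet classifier (e.g. a decision tree trained on
    one row per packet) can ever see for this packet.
    """
    return {
        "proto_tcp": int(pkt["proto"] == "tcp"),
        "syn_only": int(pkt["flags"] == "S"),
        "len": pkt["len"],
        "dport_privileged": int(pkt["dport"] < 1024),
    }


def window_features(packets, src, window):
    """Attributes of everything `src` sent within `window` seconds of its
    first packet. These counters require a series of packets; no single
    packet carries them. Returns None when `src` sent nothing."""
    sent = [p for p in packets if p["src"] == src]
    if not sent:
        return None
    t0 = sent[0]["ts"]
    sent = [p for p in sent if p["ts"] - t0 <= window]

    # A SYN counts as answered if a SYN/ACK came back on the mirrored 4-tuple.
    replies = {(p["src"], p["sport"], p["dst"], p["dport"])
               for p in packets if p["flags"] == "SA"}
    unanswered = sum(
        1 for p in sent
        if p["flags"] == "S"
        and (p["dst"], p["dport"], p["src"], p["sport"]) not in replies
    )
    return {
        "packets": len(sent),
        "distinct_dports": len({p["dport"] for p in sent}),
        "syn_only_ratio": round(sum(p["flags"] == "S" for p in sent) / len(sent), 2),
        "unanswered_syns": unanswered,
    }


def indistinguishable_per_packet(a, b):
    """True when two packets yield the same per-packet feature vector, i.e. a
    per-packet model has no basis to label them differently."""
    return packet_features(a) == packet_features(b)


if __name__ == "__main__":
    normal_syn, sweep_syn = SAMPLE_PACKETS[0], SAMPLE_PACKETS[4]
    print("per-packet view identical:", indistinguishable_per_packet(normal_syn, sweep_syn))
    for src in ("10.0.0.5", "10.0.0.7"):
        print(src, window_features(SAMPLE_PACKETS, src, window=2.0))
```

In this constructed data the opening SYN of the legitimate connection and one SYN of the sweep produce identical per-packet feature vectors, so a per-packet tree cannot separate them, while the windowed view (five distinct destination ports, all SYN-only, none answered) separates the two sources immediately. The practical consequence for the question is to train and evaluate both representations on the same labelled captures: attacks whose signal lives in individual packet fields will score well per packet, and those whose signal lives in rate or spread across packets will only score well on the windowed rows.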
