Background

Network security

Definition: Network security refers to the practice of implementing measures and safeguards to protect a computer network and its resources from unauthorised access, use or modification.

  • The primary goal of network security is to ensure the confidentiality, integrity, and availability of data and services within the network.
  • One critical aspect of network security is intrusion and anomaly detection, which aims to identify and respond to unauthorised or malicious activities within a computer network.

Network intrusions

Definition: Network intrusion refers to the unauthorised and malicious act of gaining access to a computer network or system by an individual or entity (often referred to as an intruder or hacker).

The goal of network intrusions can be summarised as: compromising, disrupting, or stealing sensitive information, or causing harm to the network or its users.

Network anomalies

Definition: Network anomalies refer to unusual or atypical behaviour within a network that deviates from the expected or normal operation.

These anomalies can be caused by various factors, including hardware failures, software glitches, malicious activities, or even genuine changes in network conditions.

Types of network anomalies

  • Traffic Anomalies: Unusual patterns in network traffic, such as sudden spikes or drops in data volume, abnormal protocol usage, or unexpected communication between devices
  • Connectivity Anomalies: Irregularities in network connectivity, including unexpected disconnections or new connections to unfamiliar devices
  • Performance Anomalies: Deviations from normal network performance metrics, such as increased latency, decreased throughput, or excessive resource utilisation
  • Security Anomalies: Indications of potential security breaches or unauthorised access attempts, like unusual login patterns or a surge in failed authentication attempts
    • Unusual Traffic Patterns: Significant deviations in network traffic volume, patterns, or protocols can signal an ongoing cyber attack, potential security breach or abnormal user behaviour
    • Port Scanning: An attacker may perform port scanning to identify open ports and potential vulnerabilities on networked devices
    • Unusual User Behaviour: Abnormal user activities, such as excessive login attempts, access to unauthorised resources, or unusual data transfers, may indicate unauthorised access
    • Network Performance Anomalies: Sudden drops in network performance or latency spikes can be signs of security incidents or hardware/software malfunctions

Intrusion detection systems

Definition: An Intrusion Detection System (IDS) is a device or software application that monitors a computer network for malicious activity

  • Network intrusion detection systems (NIDS): A system that analyses the network traffic
  • Host-based intrusion detection systems (HIDS): A system that monitors important operating system files, network activity and processes

Intrusion detection approaches

  • Signature-based: detection of possible threats by looking for specific patterns, such as byte sequences in network traffic (e.g., using Deep Packet Inspection), or known malicious instruction sequences used by malware. Limitation: cannot detect unknown attacks or variations of known attacks
  • Deep Packet Inspection (DPI): DPI involves inspecting the content of network packets in detail, including application-layer data, to identify potential threats. DPI can help identify more sophisticated attacks and unauthorised activities, but it can also introduce privacy concerns as it involves analysing the content of the data being transmitted
  • Heuristic-Based Detection: Heuristic-based detection involves using predefined rules or algorithms to identify suspicious behaviour or patterns. (e.g., “if the number of failed login attempts from a single IP address exceeds a certain threshold (e.g., 5 failed attempts within 1 minute), raise an alert for a possible brute-force attack”)
    • It may not rely on a predefined signature database and can be tailored to specific threats. However, heuristic approaches may not always be comprehensive, and their effectiveness depends on the quality of the rules defined
  • Machine Learning-Based Detection: Machine learning techniques, such as supervised and unsupervised learning, are increasingly being used in intrusion detection systems. These algorithms can analyse vast amounts of data to identify patterns and anomalies in network traffic and system activity
  • Hybrid Approaches: Many modern intrusion detection systems use a combination of the above methods to improve accuracy and coverage. Hybrid approaches may combine signature-based detection with machine learning or incorporate behavioural analysis alongside heuristic rules
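The heuristic rule quoted above (more than a threshold of failed logins from one source IP within one minute), implemented as a sliding-window check over constructed sample log lines. This is an added example, not code from the notes; the log format, the documentation-range IP addresses and the function name are assumptions.

```python
# Added example: the brute-force heuristic from the notes, run over
# constructed log lines. Rule: THRESHOLD or more failed logins from one
# source IP within WINDOW seconds raises one alert for that burst.
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5   # failed attempts that trigger an alert
WINDOW = 60     # seconds covered by the sliding window

# Constructed sample lines (timestamp, source IP, result). 203.0.113.0/24 is
# a documentation range, so these addresses are placeholders, not real hosts.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 FAIL
2024-05-01T10:00:05 203.0.113.7 FAIL
2024-05-01T10:00:09 203.0.113.9 OK
2024-05-01T10:00:12 203.0.113.7 FAIL
2024-05-01T10:00:20 203.0.113.7 FAIL
2024-05-01T10:00:31 203.0.113.7 FAIL
2024-05-01T10:00:40 203.0.113.7 FAIL
2024-05-01T10:05:00 203.0.113.9 FAIL
2024-05-01T10:06:30 203.0.113.9 FAIL
2024-05-01T10:08:00 203.0.113.9 FAIL
"""

def detect_brute_force(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return (ip, timestamp) alerts, at most one per IP per burst."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    alerted = set()                # IPs already alerted for the current burst
    alerts = []
    for line in log_text.splitlines():
        ts_str, ip, result = line.split()
        if result != "FAIL":       # only failed attempts count
            continue
        ts = datetime.fromisoformat(ts_str).timestamp()
        q = failures[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures outside the window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerts.append((ip, ts_str))
            alerted.add(ip)
        elif len(q) < threshold:
            alerted.discard(ip)   # burst ended; a later burst may alert again
    return alerts

if __name__ == "__main__":
    for ip, when in detect_brute_force(SAMPLE_LOG):
        print(f"ALERT possible brute force from {ip} at {when}")
```

Only 203.0.113.7 trips the rule; 203.0.113.9 fails three times but 90 seconds apart, so its failures keep expiring from the window and never accumulate.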

Motivations and objectives behind cyber attacks

  • Financial information: Financial institutions and online payment systems are often targeted for stealing credit card details, bank account credentials, and other financial information. This data can be used for fraudulent transactions or identity theft.

  • Personal Identifiable Information (PII): Intruders seek personal information such as names, addresses, social security numbers, and birthdates, which can be sold on the dark web or used for identity theft and other malicious purposes.

  • Intellectual Property: Businesses and organizations possessing valuable intellectual property, trade secrets, proprietary software, and research data may be targeted to gain a competitive advantage or for extortion.

  • Government and Military: State-sponsored hackers and cyber-espionage groups may target government agencies, defence organisations, and military institutions to steal sensitive information or gain geopolitical advantages

  • Critical Infrastructure: Essential infrastructure like power grids, transportation systems, and communication networks may be targeted to cause disruptions and chaos or for strategic purposes

  • E-commerce and Retail: Online stores and retailers are attractive targets for credit card information theft, as well as to disrupt operations and demand ransom

Impact of cyber-attacks

Cyberattack (known as Stuxnet) against the Iranian nuclear program in 2010:

  • A sophisticated malware specifically designed to disrupt Iran’s nuclear program, particularly its uranium enrichment efforts. Stuxnet used various methods to propagate and spread, including USB drives and network vulnerabilities.
  • Stuxnet generated different types of anomalies: physical anomalies, such as centrifuges spinning at erratic speed, as well as network anomalies when the malware tried to spread across the whole network looking for vulnerable devices to infect

Cyberattack against the Ukrainian power grid in December 2015:

  • Russia hacked the power grid of Ukraine, resulting in power outages for more than 200,000 people that lasted for 1–6 hours. The attackers used malware called BlackEnergy and KillDisk, along with phishing emails to gain initial access to the systems.
  • The attackers gained unauthorised remote access to the control systems and networks of multiple power distribution companies in Ukraine. The attackers launched DDoS attacks against the power companies’ websites and customer service centres

The volumetric DDoS attack in 2016 based on the Mirai malware (600Gbps):

  • Leveraging unsecured IoT devices (cameras, routers, etc), targeting systems operated by DNS provider DYN. The Mirai-powered DDoS attack caused widespread outages and disruptions for many high-profile websites and online services, including Twitter, Netflix, GitHub, Reddit, Airbnb, Spotify, and others. Users worldwide experienced difficulties accessing these services during the attack
  • The IoT devices’ unusual behaviour, such as sudden spikes in network traffic and communication with C&C servers, deviated from their regular patterns, making them anomalies in the network

Memcached amplification DDoS attack in 2018 towards GitHub (1.3Tbps):

  • Memcached is an open-source, distributed memory object caching system. It’s designed to reduce database load in dynamic web applications by caching data in RAM for quicker access
  • Memcached should only be accessible on internal networks, but many instances were publicly exposed
  • An amplification attack occurs when an attacker sends small queries that generate significantly larger responses
  • Attackers were able to generate an enormous amount of traffic, creating a network anomaly by causing a sudden spike in inbound traffic towards GitHub’s servers
  • It didn’t require a botnet or malware to hijack numerous computers, as it exploited a misconfiguration of Memcached servers