Machine learning is a very popular solution when it comes to tasks involving images and other computer vision and perception problems. However, I wanted to do something different and apply machine learning to infosec. The result: NeuroTech, an ML-based intrusion detection system.
Broadly speaking, any intrusion detection systems (IDS) can be divided into two categories: signature-based and anomaly-based. A signature-based IDS works with an exhaustive list of bad behaviour – known attack signatures are detected and logged. This approach has the advantage of low false positives, but it also risks missing unknown attack vectors. Conversely, an anomaly-based IDS operates on an exhaustive list of good behaviour – logging anything outside of the baseline norm. Much like the approach itself, the advantages and drawbacks are converse to the signature method – such an IDS will log anything even slightly suspicious, but at the cost of many false positives.
Both approaches have merit, but from the perspective of developing an ML-based IDS, the anomaly-based approach lends itself much more easily to being powered by ML. It’s very difficult to predict new attack vectors, since they could involve any mode of attack using vulnerabilities in any given system. However, it is much more easy to predict normal behaviour given a certain baseline data set – this is where ML shines. Given a significant enough teaching period, the neural net will learn baseline behaviour to easily compare network activity against later.
This is exactly the approach that was chosen for NeuroTech, a prototype of an ML-powered intrusion detection system. Working in tandem with Argus, NeuroTech learns from a period of normal network activity and displays alerts about any deviation from baseline. The web interface (displayed above) is an additional module that allows for easy overview and monitoring of the current situation and historical data.
The source code for the NeuroTech core module prototype is available on GitHub.