Discipline: Computer Sciences and Information Management
Subcategory: Computer Science & Information Systems
Blake Bowers - Tennessee State University
Computer networks all over the world are being compromised every day. According to the U.S. Computer Emergency Readiness Team (US-CERT), there were 22,156 cyber incidents reported in fiscal year 2012 that involved personally identifiable information. There were also more than 48,000 other types of incidents reported across the federal government that same year. Most computer systems have software installed to help keep them secure, and many of these computers have network connections that are protected by firewalls. These types of security measures work well but share a weakness: they need frequent updates. The problem is that attackers are one step ahead of the update cycles. Software companies often do not know about a potential problem until their systems are already compromised, and patches can take more than a week to roll out. If network administrators are not diligent about monitoring patch release cycles and their update configurations, systems will be left vulnerable. Wired network traffic can be easily harvested by any system connected to the network simply by placing its interface into “promiscuous” or monitor mode. Once a system is in this mode it can monitor the network traffic of all the other devices connected to the same hub. The 802.11 specification also defines monitor mode as one of six operating modes for wireless cards that support the specification. Once these cards are placed in monitor mode they can “sniff” or capture all of the network packets around them, or focus on the traffic of a single access point. Once these network packets are collected, data can be extracted from them and analyzed.
To collect test data, an Alfa Network AWUS036H network adapter is being used to capture both legitimate and malicious packets. Several Internet-capable devices will be used to generate legitimate network traffic, including but not limited to a Samsung Galaxy Note 4, a Dell Latitude laptop running Windows 7, a Raspberry Pi running Raspbian, and a Samsung Galaxy Tab 2. All devices generating legitimate traffic will be running the latest updates for their respective systems. Multiple web servers will be set up with the Apache web server software. The victim devices will be virtual machines running Ubuntu Linux and Microsoft Windows; some security updates will be withheld on these systems so that they can be compromised. The client devices will connect to these web servers to simulate legitimate network traffic, and the attacking systems will run Kali Linux with its included suite of tools to simulate the attackers. Another system will capture the packets being generated. Once a large enough pool of network traffic has been harvested, this data will be analyzed in order to develop the real-time analysis model. The software tools used to analyze this traffic will be Python with the pandas, numpy, and matplotlib libraries; the R language and some of its libraries may also be used. The real-time analysis model will be built using Spark with its Python API. The packets will be analyzed using several well-known data analysis methods, including but not limited to clustering, classification, and association. Once the network traffic is captured it will be saved as a comma-delimited file, then opened and analyzed by the model.
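As an added illustration of the analysis step outlined above (example code, not the author's model), the following Python sketch reads a constructed comma-delimited capture of the kind the abstract describes, aggregates per-source features, and flags sources whose features sit far from the rest of the population using a median/MAD outlier score; the column names, sample addresses, feature set and 3.5 threshold are assumptions.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample capture (one row per packet) in the comma-delimited layout the
# abstract describes; these are not real captured packets. Three ordinary clients
# talk to two web servers; the fourth source touches ten ports on one server in a burst.
SAMPLE_CSV = "ts,src,dst,dport,length\n" + "\n".join(
    [f"{i*0.5:.2f},10.0.0.5,10.0.0.20,80,612" for i in range(4)]
    + [f"{i*0.7:.2f},10.0.0.6,10.0.0.21,443,1180" for i in range(3)]
    + [f"{i*0.6:.2f},10.0.0.7,10.0.0.20,{p},540" for i, p in enumerate((80, 80, 443))]
    + [f"{i*0.01:.2f},10.0.0.9,10.0.0.20,{p},60"
       for i, p in enumerate((21, 22, 23, 25, 53, 80, 110, 143, 443, 3306))]
)

FEATURES = ("pkts", "dports", "mean_len")  # assumed feature set


def extract_features(csv_text):
    """Per-source features: packet count, distinct destination ports, mean length."""
    pkts, ports, lens = defaultdict(int), defaultdict(set), defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        src = row["src"]
        pkts[src] += 1
        ports[src].add(int(row["dport"]))
        lens[src].append(int(row["length"]))
    return {s: {"pkts": pkts[s], "dports": len(ports[s]),
                "mean_len": statistics.fmean(lens[s])} for s in pkts}


def robust_scores(values):
    """Distance from the median in units of the median absolute deviation (MAD).
    A zero MAD (most hosts identical) would divide by zero, so any host that
    departs from the median is then scored as infinitely far."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    if mad == 0:
        return [0.0 if v == med else float("inf") for v in values]
    return [abs(v - med) / mad for v in values]


def flag_outliers(csv_text, threshold=3.5):
    """Map each outlying source to the features on which it exceeds the threshold."""
    feats = extract_features(csv_text)
    srcs = sorted(feats)
    flagged = defaultdict(list)
    for name in FEATURES:
        for src, score in zip(srcs, robust_scores([feats[s][name] for s in srcs])):
            if score > threshold:
                flagged[src].append(name)
    return dict(flagged)  # e.g. {"10.0.0.9": ["pkts", "dports"]}
```

Scoring each feature against the whole population rather than a fixed cutoff is what lets the same code run unchanged over a larger capture, where the normal baseline will differ from this toy sample.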
Funder Acknowledgement(s): National Science Foundation Research Initiation Award
Faculty Advisor: Sachin Shetty