The Issue
In today's digital age, cybersecurity threats continue to evolve, presenting significant challenges for organizations worldwide. Among these threats, brute force attacks stand out as a particularly insidious method employed by malicious actors to gain unauthorized access to systems and sensitive data. These attacks involve systematic trial-and-error attempts to guess passwords or encryption keys, exploiting vulnerabilities in authentication systems. The consequences of successful brute force attacks can be catastrophic, ranging from data breaches and financial losses to reputational damage and legal liabilities.
Objective and Methods
Our project's main objective is to enhance intrusion detection systems to effectively detect brute force attacks in real-time industrial environments. To achieve this, we adopted a systematic approach, combining traditional cybersecurity methodologies with cutting-edge machine-learning techniques.
In this setup, there are two virtual machines hosted on VMware Workstation. The CentOS machine acts as the victim, with FTP and SSH services enabled. Kali Linux acts as the attacker machine, equipped with a guess list of commonly used usernames and passwords. The attacker machine needs network connectivity to the victim machine to execute the brute force attack. The attack is carried out with Patator, a tool shipped with Kali, targeting the CentOS machine with the guess list. Additionally, the CentOS server hosts CICFlowMeter, which captures bidirectional flow statistics for the network traffic and stores them in CSV format for further analysis. This setup provides a controlled environment for generating and analyzing brute-force attack traffic.
Our Approach
Our methodology comprises several key steps:
• Data Collection: We collected network traffic data from CICFlowMeter running on the CentOS server. This data described each bidirectional flow in the captured traffic, enabling us to identify patterns indicative of brute-force attacks.
• Data Preprocessing: Before analysis, we cleaned and prepared the dataset to ensure data integrity and consistency. This involved removing irrelevant columns, handling missing values, and standardizing data formats.
• Feature Scaling: To enhance the effectiveness of our models, we applied feature scaling techniques such as MinMax scaling and encoded categorical or textual output labels as numerical values, so that all features contributed proportionally to the overall prediction.
• Feature Selection: With a multitude of features available, we prioritized the most influential ones using feature importance functions. This step allowed us to identify and focus on key features crucial for detecting brute force attacks.
• Model Training: We trained multiple machine learning models, including Decision Tree, Random Forest, Neural Network, Naive Bayes, and KNN, to learn patterns indicative of malicious activities. Each model was meticulously fine-tuned to maximize prediction accuracy.
• Performance Analysis: Finally, we rigorously evaluated the performance of each model using precision, recall, F1 score, accuracy, false positive rate and false negative rate. This comprehensive analysis allowed us to identify the most effective model for real-world deployment. We then compared the processing time of each model for both the training and prediction phases.
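To make the pipeline above concrete, here is an added, self-contained Python example (written for this page; it is not the project's own code) that runs the preprocessing, MinMax scaling, split selection and metric computation over a constructed CICFlowMeter-style CSV. A depth-1 decision tree stands in for the project's Decision Tree model, and the feature it selects stands in for the feature-importance step; the column names are CICFlowMeter's, the flow values and labels are made up.

```python
import csv
# Constructed CICFlowMeter-style export (real column names, made-up flows and labels; not project data).
FLOWS_CSV = """Flow ID,Src IP,Dst Port,Flow Duration,Tot Fwd Pkts,Fwd Pkt Len Mean,Label
10.0.0.7-10.0.0.2-22,10.0.0.7,22,150000,45,30.0,SSH-Patator
10.0.0.7-10.0.0.2-22,10.0.0.7,22,160000,50,28.0,SSH-Patator
10.0.0.7-10.0.0.2-21,10.0.0.7,21,90000,38,20.0,FTP-Patator
10.0.0.7-10.0.0.2-21,10.0.0.7,21,60000,15,18.0,FTP-Patator
10.0.0.3-10.0.0.2-443,10.0.0.3,443,2000000,12,400.0,BENIGN
10.0.0.4-10.0.0.2-80,10.0.0.4,80,50000,8,26.0,BENIGN
10.0.0.5-10.0.0.2-22,10.0.0.5,22,4000000,30,900.0,BENIGN
10.0.0.5-10.0.0.2-22,10.0.0.5,22,120000,20,25.0,BENIGN"""

def load_flows(text):
    # Preprocessing: drop identifier columns, cast the rest to float, encode labels (BENIGN=0, attack=1).
    rows = list(csv.DictReader(text.splitlines()))
    names = [c for c in rows[0] if c not in ("Flow ID", "Src IP", "Label")]  # ids and target are not features
    X = [[float(r[c]) for c in names] for r in rows]
    return names, X, [0 if r["Label"] == "BENIGN" else 1 for r in rows]

def minmax_scale(X):
    # MinMax scaling of every column to [0, 1]; a constant column maps to 0 instead of dividing by zero.
    lo, hi = [min(c) for c in zip(*X)], [max(c) for c in zip(*X)]
    return [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(r, lo, hi)] for r in X]

def train_stump(X, y):
    # Depth-1 decision tree: the (feature, threshold) split with the lowest weighted Gini impurity,
    # i.e. sum over both leaves of 2 * attacks * benign / n_leaf. Its feature is the most informative one.
    best = (float("inf"), None)
    for j in range(len(X[0])):
        for t in sorted({r[j] for r in X}):
            left, right = [[y[i] for i, r in enumerate(X) if (r[j] <= t) == side] for side in (True, False)]
            score = sum(2 * sum(s) * (len(s) - sum(s)) / len(s) for s in (left, right) if s) / len(y)
            if score < best[0]:  # each leaf predicts its majority label
                best = (score, (j, t, round(sum(left) / len(left)), round(sum(right) / max(len(right), 1))))
    return best[1]

def evaluate(y_true, y_pred):
    # The metrics the project reports, derived from the confusion matrix (attack = positive class).
    tp, tn, fp, fn = (sum(1 for pair in zip(y_true, y_pred) if pair == p) for p in ((1, 1), (0, 0), (0, 1), (1, 0)))
    div = lambda a, b: a / b if b else 0.0
    prec, rec = div(tp, tp + fp), div(tp, tp + fn)
    return {"precision": prec, "recall": rec, "f1": div(2 * prec * rec, prec + rec),
            "accuracy": div(tp + tn, len(y_true)), "fpr": div(fp, fp + tn), "fnr": div(fn, fn + tp)}

def run():
    names, X, y = load_flows(FLOWS_CSV)
    Xs = minmax_scale(X)
    j, t, left_cls, right_cls = train_stump(Xs, y)
    return names[j], evaluate(y, [left_cls if r[j] <= t else right_cls for r in Xs])
```

Because a tree only compares each feature against a threshold, MinMax scaling does not change its splits; it matters for the distance- and gradient-based models in the comparison (KNN, Neural Network).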
Results and Findings
Our experimentation yielded promising results:
• We observed that Decision Tree outperformed Random Forest in both detection performance and computational cost, making it the preferred choice for real-time detection in industrial environments.
• Feature selection significantly improved model performance, allowing us to focus on key features crucial for detecting brute force attacks while reducing computational overhead.
Recommendations
Based on our findings, we offer the following recommendations for enhancing intrusion detection systems:
• Implement Decision Tree Model: Deploy the Decision Tree model for real-time detection of brute force attacks in industrial environments due to its superior performance and computational efficiency.
• Continuous Monitoring: Implement continuous monitoring of network traffic using intrusion detection systems to promptly identify and mitigate brute force attacks as they occur.
• Regular Updates and Training: Regularly update and retrain intrusion detection models to adapt to evolving attack patterns and ensure optimal performance.
• Collaborative Efforts: Foster collaboration between cybersecurity experts, data scientists, and industry stakeholders to share insights and best practices in combating brute force attacks effectively.
Conclusion
In conclusion, our project demonstrates the efficacy of leveraging machine learning techniques to enhance intrusion detection systems, providing organizations with proactive measures to safeguard their critical systems and data against brute force attacks. By implementing our recommendations, organizations can fortify their cybersecurity posture and mitigate the risks posed by malicious actors in today's digital landscape.