Anti-Nex — Antivirus for Network Exploits

Jay Johnson
Feb 12, 2018


This is the first Anti-Nex release for detecting attacks and malicious network traffic using artificial intelligence (deep neural networks with Keras and Tensorflow). These tools and datasets are for quickly training models to defend applications, infrastructure and personal property.

Here are the Anti-Nex repositories on GitHub:

  1. Network-Pipeline: distributed capture tools
  2. Network Pipeline Datasets: recorded attack CSV files from ZAP vulnerability scans
  3. Django REST API with Swagger and JWT: multi-tenant data prep and training application

Origin story

This all started in December when I read the first post about the Internet Chemotherapy system. I ended up spending the next two weeks building a simple run time jail for converting this would-be attack module into a nerfball. In the process, I wondered:

Why do we not have a free open source solution for building and sharing pre-trained defensive tools to address and learn from these attacks?

How?

In today’s age of hacks and exploits, data is treated like a treasure chest locked away in a castle. If we consider each layer of our stack as a moat to defend, we can engage attacks using pre-trained defensive AI models as they attempt to find our treasure.

Whether your stack is running on-premise, in the cloud or on the edge, there are common layers to defend. Not all options are reasonable for constrained environments like an IoT device running on solar power, but anything with extra CPU cycles and RAM can start to learn and share how it’s defending.

Each layer comes with its own nuances and responses to detected threats, but the core communication protocols define how data is transmitted. Ideally each layer runs pre-trained models for detecting attack traffic. To mitigate false positives, these predictions should be shared for confirmation with adjacent layer models' predictions.
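
One way to read the cross-layer confirmation idea above, as an added example that is not code from the Anti-Nex repositories. The adjacency map, the two thresholds and the flow ids are assumptions made for the illustration, and the scores are constructed.

```python
# Adjacent layers among the OSI layers 2-4 that the tools analyze.
ADJACENT = {2: (3,), 3: (2, 4), 4: (3,)}

# Constructed per-flow attack probabilities, one per layer model that scored the flow.
SCORES = {
    "flow-a": {2: 0.10, 3: 0.20, 4: 0.95},  # only the layer 4 model fires
    "flow-b": {3: 0.90, 4: 0.70},           # layer 4 is suspicious as well
    "flow-c": {4: 0.99},                    # no adjacent model saw this flow
}


def confirm_alerts(scores, alert_at=0.8, support_at=0.5):
    """Return {flow: {layer: verdict}} for every layer that raised an alert.

    A layer alerts when its score >= alert_at. The alert is "confirmed" when
    an adjacent layer scores the same flow >= support_at, "suppressed" when
    adjacent layers scored it and all disagree, and "unverified" when no
    adjacent layer has a prediction to compare against.
    """
    results = {}
    for flow, by_layer in scores.items():
        verdicts = {}
        for layer, score in by_layer.items():
            if score < alert_at:
                continue
            neighbours = [by_layer[n] for n in ADJACENT.get(layer, ())
                          if n in by_layer]
            if not neighbours:
                verdicts[layer] = "unverified"
            elif max(neighbours) >= support_at:
                verdicts[layer] = "confirmed"
            else:
                verdicts[layer] = "suppressed"
        results[flow] = verdicts
    return results


if __name__ == "__main__":
    for flow, verdicts in confirm_alerts(SCORES).items():
        print(flow, verdicts)
```

Keeping "unverified" separate from "suppressed" matters: a missing neighbour prediction is not evidence that the alert is a false positive.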

Overview and Concepts

1. Training Data — OSI Layers

The defensive tools are currently learning by analyzing network traffic from layers 2 (Ethernet, ARP), 3 (IP, ICMP) and 4 (TCP, UDP) of the OSI model for communication. At some point in the future, I want to add layers 1 and above 4, but this needs to start somewhere and layers 2–4 are used almost everywhere in modern, distributed software applications.

2. Non-attack Modeling

These tools require recording your network traffic in a safe environment to learn the concept of “good, non-attack traffic” on the network. Once recorded, this snapshot is your baseline network training dataset. The more accurate the data, the better your defense will be, so please run load tests, user authentication and end-to-end tests to mitigate false positives downstream.

3. Attack Modeling

Tools like the OWASP Zed Attack Proxy (ZAP) help enterprises automate OWASP dynamic analysis by actively scanning web applications for vulnerabilities. There are many paid offerings that can simulate attack network traffic too, but this one is free. Within a few minutes of digging into ZAP, you can see how it will fit nicely into a CI/CD pipeline. With ZAP, building attack + non-attack training datasets becomes just another DevOps task kicked off after a feature is merged into a master/release build. Out of the box, ZAP supports user authentication for running applications so it seems like a good starting point for creating and sharing the initial attack dataset. Please note, it is important to record accurate attack/scan traffic because models learn what an attack record looks like from this captured data.

I also plan on releasing a dataset from the nerfed-internet chemotherapy module once I set up a controlled lab using a Think Penguin USB Wireless Adapter to host an access point and connect a couple old devices I have lying around for it to consume. Stay tuned!

4. Preparing a Dataset — Keeping it Simple

The current models learn by labeling network traffic as good (non-attack) or bad (attack). In machine learning terms this is classification. Once the data has been tagged as attack or non-attack data you can start training models to learn how to predict this type of traffic. I have created deep neural networks with accuracies above 87% within the first month of testing, and I recently added support for preparing and training with regression analysis for more fine-tuned predictions.

5. Training

This version trains a deep neural network with Keras using a Tensorflow backend from a prepared dataset. After training, model accuracies and weights are automatically stored in the database. Once stored, you can load the model on a new host with load_model or tf.keras.models.load_model to make predictions.

Please note AI is probably not ideal for deploying and running on constrained IoT devices. I plan on integrating machine learning models like XGBoost for running predictions using pre-trained models on alternative platforms.

Components

1. Network Pipeline

The network-pipeline is a distributed python 3 framework for capturing and recording network traffic on a host and relaying it to a redis server. These capture tools produce a network feed that is consolidated in a redis endpoint. The tools are built for capturing targeted types of network traffic and run as standalone scripts. This lets you pick and choose what type of defense you need. Once traffic is published to redis, it is auto-flattened into a csv file for analysis with the REST API (see below) or with the build + train tools inside the pipeline repository.
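
The flattening step described here and the attack/non-attack labeling from "Preparing a Dataset", sketched as an added example that is not the network-pipeline's own code. The packet field names, the label_value column and the -1 fill value are assumptions, and the sample packets are constructed.

```python
import csv
import io

# Constructed sample packets (not real captures); field names are assumptions.
NON_ATTACK = [
    {"eth": {"type": 2048}, "ip": {"proto": 6, "ttl": 64, "len": 60},
     "tcp": {"sport": 51514, "dport": 8080, "flags": ["S"]}},
    {"eth": {"type": 2054}, "arp": {"op": 1}},  # ARP frame: no IP/TCP fields
]
ATTACK = [
    {"eth": {"type": 2048}, "ip": {"proto": 6, "ttl": 64, "len": 1500},
     "tcp": {"sport": 40000, "dport": 8080, "flags": ["P", "A"]}},
]

def flatten(record, parent=""):
    """Turn nested layer dicts into one flat {"layer_field": value} row."""
    flat = {}
    for key, value in record.items():
        name = f"{parent}_{key}" if parent else key
        if isinstance(value, dict):
            flat.update(flatten(value, name))
        elif isinstance(value, (list, tuple)):
            flat[name] = "|".join(str(v) for v in value)
        else:
            flat[name] = value
    return flat

def build_dataset(non_attack, attack, label_col="label_value"):
    """Label rows 0 (non-attack) or 1 (attack) and compute a stable header."""
    rows = []
    for label, packets in ((0, non_attack), (1, attack)):
        for packet in packets:
            row = flatten(packet)
            row[label_col] = label
            rows.append(row)
    features = sorted({col for row in rows for col in row if col != label_col})
    return features + [label_col], rows

def to_csv(columns, rows, missing=-1):
    """Write every row under the same header; absent fields become `missing`."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, restval=missing,
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(*build_dataset(NON_ATTACK, ATTACK)))
```

Text columns such as the joined TCP flags still need a numeric encoding before they can be fed to a neural network.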

2. REST API

The Django REST Framework with Swagger and JWT repository is a multi-tenant standalone web application for training deep neural networks to predict good and bad network traffic. It supports JWT for client authentication and Swagger if you want to prepare and train models from a browser.

3. Datasets

This initial release includes recorded datasets from ZAP attack simulations targeting the following application servers:

All of these are combined into one dataset for training a deep neural network to predict attack and non-attack data. They are available in the datasets repository for review and inspection for accuracy.

Call to Action and What’s Next?

1. Releasing a Non-Attack Dataset

Now that the REST API is stable and supports JWT authentication, I have created multi-user simulations that I will record and release as the first non-attack dataset. These simulations will create users, authenticate and get a JWT token, prepare datasets, train models, and make a bunch of HTTP GET requests, all running in a loop. There are many ways to create non-attack network traffic, but this way also ensures this project is tested end-to-end by beating itself up.

2. Help Creating New Attack and Non-attack Datasets

If you are interested, I would love help creating more datasets with different applications and attack types (ssh, UDP servers, ARP-poisoning, DNS cache-busting, DDOS, CVEs, etc). Also if you are interested in helping design a decryption module for decrypting payloads within network packets I would love some help there too.

Thanks for reading and please reach out if you are interested!

Until next time,

Jay
