F2B_ML

Inspiration

In the past, I have implemented firewall blacklisting using Fail2Ban which is a tool that blocks IP addresses that are doing malicious activities such as multiple failed login attempts and other known malicious activities

What it does

Currently, a csv file is extracted from the packet capture and sorted by three different perspectives. Source IP, Destination IP, and Source->Destination IP are the three ways things are connected. Each of these is sorted by count of packets, average time between packets, packet length, and packet type count.

How I built it

I used wireshark to analyze the pcapng files. After this, I extracted the data from wireshark and imported it into python where I looped through the information and created summaries for each IP or IP pair

Challenges I ran into

I wasn't able to get to the machine learning piece of my blacklisting which is a major part of what this tool is supposed to do. I think I have an idea of how I will build the model going forward.

Accomplishments that I'm proud of

The dictionary that was built is something that I'm happy with and converting those dictionary builders into usable snippets.

What I learned

Pcapng files are very large. Protecting networks has to not only be from the system level, but also the user and sensor levels. Plan to fail and have a contingency plan. Security tools should be open to analysis by a community. Obscurity != Security

What's next for F2B_ML

Build the algorithm that detects the anomalies and determines whether an IP needs blacklisted.
Turn the current code into an API that can easily hook up to other tools and hopefully be fast enough to stream live.

Built With

python

Submitted to

MD5 Physical Cyber Hackathon

Created by

I worked on creation of the network bridge. As well as the two factor authentication for people trying to access the JACE initially. I also came up with the idea for utilization of machine learning & a rasberry pi to implement papcket filtering to controllers. The machine learning portion comes from Kevin's idea of using machine learning. However, each controller in a BAS needs this packet filtering so it can tell if the JACE is trying to do something strange.

Harrison Koll
Aaron Curry
Kevin Bird

Updates

Harrison Koll posted an update — Apr 08, 2018 11:25 AM EDT

this one https://github.com/Hamison8067/Bridge

Log in or sign up for Devpost to join the conversation.

Harrison Koll posted an update — Apr 08, 2018 11:19 AM EDT

#!/usr/bin/python2

import sys import socket import smtplib from email.MIMEMultipart import MIMEMultipart from email.MIMEText import MIMEText from threading import Thread,Lock from scapy.all import sniff,IP,sendp,srp1,Ether,ARP,get_if_list,get_if_hwaddr go = True defuser = 'user@gmail.com' defpass = 'pass' while go == True: go = False user =input("Enter Username: ") if user != defuser: go = True passw = input("Enter Password: ") if passw != defpass go = True

msg = MIMEMultipart() msg['From'] = user msg['To'] = user msg['Subj'] = 'LOGGED IN' msg.attach(MIMEText('YOU JUST LOGGED IN'))

try: mailServer - smtplib.SMTP('smtp.gmail.com', 587)

mailServer.ehlo()
mailServer.starttls()
mailServer.ehlo()
mailServer.login(user, passw)
mailServer.sendmail(user, user, msg.as_String())
mailServer.close()

except: goto 13

s = socket.socket(AF_INET, SOCK_STREAM)
s.bind(socket.gethostbyaddr(), 47808)
dest = socket.socket(AF_INET, SOCK_STREAM)

while True:

    s.listen(1)
conn, addr = s.accept()
data = conn.recv(524)

dest.connect(192.168.1.168, 47808)
dest.sendall()

Log in or sign up for Devpost to join the conversation.

Kevin Bird started this project — Apr 08, 2018 11:18 AM EDT

Leave feedback in the comments!

Log in or sign up for Devpost to join the conversation.