Stratosphere Project: Free Software Machine Learning to protect NGOs

Sebastián García PhD.

sebastian.garcia@agents.fel.cvut.cz

@eldracote

Live Slides        bit.ly/fsfe2016

NGOs are at risk

• Highly political targets.

• Attacked by powerful actors

• No resources.

• Not their goal.

• Strong concerns about their privacy.

• Concerns about Trust.

Problems for NGOs Security

Stratosphere Project

https://stratosphereips.org/

Free

Software

Machine

Learning

Behavioral

IPS

Protecting

NGOs

• To put state-of-the-art machine learning techniques in the hands of the civil society.

• To offer this detection service to NGOs for free.

• We focus on what the computers are doing, not the attacks they receive.

Stratosphere Project

Stratosphere Principles

Less is More

Disassociate

Verify

Analyze the behavior of groups of flows.

Representation of behavior from detection.

With real and labeled datasets.

About Behaviors

• Your behavior is usually the same when connecting with the same service.

• Group flows going to a specific service by ignoring the source port. We call it a connection.

• The connection, composed of several flows, now shows a behavior in time.

The Behavior of a Connection

10.0.2.111-217.23.10.139-80-tcp     55*V0v00v*E*v*v*v*v*E*v

1 flow -> 4 features -> 1 letter + 1 symbol

Behaviors or Malware

• Malware mostly generate the same behaviors.

• Changing the behavior is costly for the attacker.

• These behaviors do not expire quickly.

• Malware Open Data

  • https://stratosphereips.org/category/dataset.html

From the letters create a Markov Chains behavioral model

Machine Learning Detection

• Train Markov Models with known Malware Behaviors.

• For detection: Compare the unknown traffic of a network to each trained Markov Model.

Types of Stratosphere

• Stratosphere Testing Framework

• Stand alone Detector

  • Stratosphere Linux IPS

  • Stratosphere Windows IPS

• Cloud service for NGOs (in our University)

Stratosphere Data Analysis

• Cloud-based Detection service for NGOs.

• Add new algorithms continually.

• Update the models.

• Verify the detections if necessary.

• NGOs can send the Flows or only the letters! Privacy matters.

Organizations working with us

• People In Need. CZ. Helping 22 countries. Human-rights, war, etc.

• CZ.NIC. Manager of .cz and Turris Project. 2,000 Internet Networks.

• ICT help for policy makers in 20 African Countries

• CTU University. With more than 7,000 hosts.

Thanks!

Sebastian Garcia

sebastian.garcia@agents.fel.cvut.cz

@stratosphereips

https://stratosphereips.org

• In our datasets

  • 96% TPR. Our own botnet traffic connections that are detected.

• Real Traffic

  • ~0.0002% FPR (30 FP in 132,000 connections/5min)

• Novel Success cases: Linux Botnet, DDoS, etc.

• Errors? For sure.

Results