/sdc-nids

Network Intrusion Detection System for the purpose of anomaly detection in network data based on the SDC11073 protocol

Primary LanguagePythonMIT LicenseMIT

Network Intrusion Detection System

With regard to the latest developments in the ISO/IEEE 11073 service-oriented device connectivity (SDC) its important to not leave possible security and safety risks of this new communication protocol out of consideration. Therefore the basic idea of this project (carried out during the author's bachelor thesis) was to improve the security as well as the safety of sdc connected medical devices with ML based anomaly detection. The concept is illustrated in the following chart: Concept So the safety and security system is itemized in two anomaly detectors: one network intrusion detection system (content of this repository) and one log/sensor anomaly detector. While the nids runs directly on the switch that interconnects different medical devices, the log anomaly detector runs in the backend.

Dependencies

The necessary dependencies are listed in requirements.txt: use pip install -r requirements.txt to install all suitable versions. Additionally wireshark or rather tshark has to be installed and added to the system path.

Underlying papers and informations

Usage steps

offline and online NIDS

  • run NIDS_offline.py to train and execute the model on a dataset
  • run NIDS_online.py to train the model on a trainingset and execute it on live captured data
  • Kitsune.py specifies the training and execution structure of the model which is defined in KitNET

Tuning hyperparameter

  • hyperparaTune.py is based on the library hyperopt which uses Bayesian optimization

Adjusting features

  • FeatureExtractor.py: uses scapy or tshark under the hood to extract meta data like srcIP, dstIP, etc. from the packets
  • netStat.py: uses the extracted meta data to calculate statistical features
  • AfterImage.py: is used to calculate basic statistical features

Synthetical data generation (data_sdc11073)

  • fictEnvironments.py initializes different clients and a provider (specified in mdib_OPtable.xml) as well as the communication between them
  • run dataGen.py to capture the data transmitted between clients and providers
  • the saved file can be labeld in dataLabeling.py to evaluate the model later

Results/Evaluation

Root Mean Square Error and Threshold

Denial of Service Attack DoSRmse Portscan Attack PortscanRMSE

Metrics, runtime and required resources

Metrics Denial of Service Attack Portscan Attack
TPR 0.9952 0.9990
FPR 0.0019 0.0004
F-Score 0.9966 0.9975
  • runtime (on CPU): 469 Pakets/s
  • resources: 152 MB

For limitations and further improvements, see TODO.txt