# NIDS based on Network Flow Measurements

### Are previous data structures really hardware friendly?

Even though hash tables and collision resistant mechanisms such as linked lists are nice solutions, linked lists are not tailored for hardware.  Also, one-to-one mapping requires a considerable amount memory as the number of encountered flows could be in millions. 

A hardware friendly alternative is to use **sketches**, which additionally have some built-in collision resistance mechanisms. Instead of one-to-one mapping, one single flow is mapped to multiple counters and each counter is shared by multiple flows in the case of collisions. Sketches require less memory as the flowIDs don't have to be stored. As for the downside of using sketches, there is a possibility of overestimation.

### CM Sketch

A CM sketch is represented by a 2D array of counters with width w and depth d. The depth corresponds to the number of hash functions that is used.

<center>
<img src="images/counting/CM_sketch.png"/>
</center>

In the example above, h<sub>1</sub>, h<sub>2</sub>,...,h<sub>d</sub> are independent hash values on the FlowID *f1*. Each FlowID is mapped to *d* counters in the sketch during an update operation. When the CM sketch is queried the minimum of all the *d* counters is given as result.

In [1]:
#Load dataset
import import_ipynb
from lib.dataset import NIDSDataset

data_file = 'data/dataset_packets_v2.npy'
labels_file = 'data/dataset_labels_v1.npy'

dataset = NIDSDataset(data_file, labels_file)

#### Implementing CM Sketch

#### Exercise 21.1a

In [2]:
import array
import hashlib
""" CM Sketch parameters and functions  """    
m = 16
d = 4

#initializes an empty 2-d array
tables = []
for i in range(d):
    table = array.array("l", (0 for i in range(m))) # "l" is the typecode indicating that the type is signed long
    tables.append(table)
    
# Here, instead of using d independant hashes, the output of md5 hash is split into d hash values.
def _hash(flowid):
    """ hash computation """
    m=16
    d=4
    md5 = hashlib.md5(str(hash(flowid)).encode('utf-8'))
    for i in range(d):
        md5.update(str(i).encode('utf-8'))
        yield int(md5.hexdigest(), 16) % m # yield gives a generator object and has to be iterated to read the values.
        
def add_cms(flowid, value):
    """Add a value to hashtable by its key and update the contents if the cell is not empty"""
    # get the d indexed locations of the sketch by hashing. Uncomment 'indices =' and complete the code.
    """WRITE code here """ 
    # indices = 
    
    # Iterate through tables and indices and update the value stored in each indexed location
    # Whether the location is empty or not, just add the value to the already existing value
    for table, i in zip(tables,indices):
        """ WRITE Code here """
        

def query_cms(flowid):
    """Get a value by key"""
    # get the d indexed locations of the sketch by hashing. Uncomment 'indices =' and complete the code.
    """WRITE code here """ 
    # indices = 
    
    
    # Iterate through tables and indices and return the minimum of the values stored in the indexed locations
    """ WRITE Code """
    


#### Exercise 21.1b

In [3]:
""" Now, reading the dataset again to update the hashtable. you can Copy and """
""" paste the code from the previous Exercise. """

wordcounter=0
flowid = ""     # flow id
flowvolume = "" # flow volume
flowlist = []  # keeps a list to store flows

# loop over all datasets
for d in dataset:

    decision_is_made = 0 # decision_is_made = 1 when ethertype is not 0x0800 or packet is neither TCP nor UDP
                         # decision_is_made = 2 when the flow ID is extracted
    wordcounter = 0
    flowid = ""
    flowvolume = ""

    # loop over all words
    for word in d:
        # stop parsing if a decission is made
        if decision_is_made == 0:

            # examine if Ethertype is 0x0800 - in link layer header
            # if Ethertype is not equal to 0x0800, break loop
            """WRITE code here"""
            
            # examine if proto is tcp or udp 6/17 - in network layer header
            # if proto is not tcp or udp, break loop
            """WRITE code here"""
            
                    
            # extract Total length (flow volume) - in network layer header
            # hint: convert to hex and concatanate the bytes
            """WRITE code here"""
            
                
            # Extract flowid. flowid is (sorce address, dest address, source port, dest port)
            # hint: convert to hex and remove 0x. concatanate the addresses and ports
            
            # extract Source Address - in network layer header
            """WRITE code here"""
            

            # extract Destination Address - in network layer header
            """WRITE code here"""
            
            
            # extract source port estination port - in network layer header
            """WRITE code here"""
            

            # examine Destination port - in transport layer header
            # If the flowid is complete, break out of the loop
            """ WRITE code here """
            
            
        wordcounter += 1
        
    # Convert the flow volume to integer
    """ WRITE code here """
    
        
    if flowid not in flowlist:
        flowlist.append(flowid)

    """ Updating the table """
    # Here we are taking the actual flow volume to update
    """WRITE code here """
    # add flowid and flowvolume to the cm sketch using the function
    
            

#### Checking for anomalies

#### Exercise 21.1c

In [4]:
"""Print the flow IDs that exceeds a threshold"""
threshold = 600

# iterate through the flowlist and print those flowids having total volume greater than the threshold
""" WRITE code here """



' WRITE code here '

### Some extra info
Checking whether the threshold is exceeded can be done during the update itself and thereby the malicious flow id can be blacklisted in real-time. 

To see how the collisions cause overestimation in CM Sketch, change the value of m to 16 in 21.1a (You have to make changes in two places - in line 4, and in _hash function.), and then rerun the exercises 21.1a and 21.1b. Then Run 21.1d below to check the difference. (DO NOT run the cell 21.1c again. Keep the result there so that we can compare the results of 21.1c and 21.1d)

#### Exercise 20.4d

In [5]:
"""Print the flow IDs that exceeds a threshold"""
threshold = 600

# iterate through the flowlist and print those flowids having total volume greater than the threshold
""" WRITE code here """



' WRITE code here '

We can see that one more flowid is marked as malicious, even though it is not. This is because of overestimation and this overestimation can cause false positives.

<hr/>
<center>
Continue with the <a href="30_machine_learning.ipynb">next notebook</a> in a new browser tab.<br/><br/>
<img src="images/footer.png"/>
</center>