After months of research, an Aberdeen High School Science and Mathematics Academy senior received the opportunity to present his capstone project, titled “Using machine learning to create a host-based intrusion detection system,” to U.S. Army Materiel Systems Analysis Activity employees May 22.
Noah Zbozny, 18, credits his mentor John Burghardt, an operations research analyst with AMSAA, for helping him select a topic that would give him real-world experience in the career field he wants to pursue: cybersecurity. Burghardt met with Zbozny about once a week over the course of the school year to develop the project.
“Really the entire project was a very interesting and new experience,” Zbozny said. “I didn’t know much about cybersecurity and machine learning when I started off.”
The capstone research project is part of the curriculum for all seniors who attend the Science and Mathematics Academy, or SMA, a rigorous four-year magnet program for academically talented students. This year, 25 out of 42 seniors were mentored by APG personnel.
“They take courses like cryptology, linear algebra, microcontrollers, some really interesting stuff that isn’t offered in a typical high school,” Burghardt said.
Zbozny said the purpose of his research project was to provide system administrators with a new method to protect networks. To achieve this, he developed an intrusion detection system, or IDS, capable of predicting if network activity is malicious, and alerting the network administrator accordingly.
To collect data for this project, he used a secure shell, or SSH, honeypot. SSH is a network protocol that allows an individual to make a secure connection over an unsecured network.
“[SSH] protects your data while you’re on open Wi-Fi,” he explained.
A honeypot is a machine that is set up to look vulnerable, while in reality it is “trapping” information about connections and potential intrusions, Zbozny said. Data collected during this study included password, user name, duration, timestamp, input and a source port, which is an endpoint of communication between two network processes or devices.
To find patterns in his data, Zbozny used machine learning, a method of pattern recognition for very high-dimensional data, similar to artificial intelligence.
“When you’ve got 50 plus variables, humans can’t identify patterns reasonably within those,” he said. “Machine learning allows computers to more accurately predict the outcome based on the data that it has.”
Zbozny said the honeypot used for the project was run on an anonymous server. It received over 3,000 malicious log-in attempts by outside users in about 10 days of collection.
“Those were legitimate hacking attempts,” he said.
To collect more information from benign data, he asked a group of SMA students to “hack-in” to the SSH honeypot.
“The ones by the SMA students were controlled in the sense that the SMA students were not genuinely trying to download malware or harm the server, they were merely acting as a malicious user would,” he said. “Many of the SMA students were in the test data set, but not all of them.”
Zbozny’s findings revealed that input is the most important attribute, because it was the most consistently different between the malicious and benign users.
“No benign users were downloading files from the internet or changing their privileges, so it was deemed by the algorithm to be the most important for deciding if a user was malicious or benign,” he said.
He also found that while most of the benign users were connecting from the default SSH port, many of the malicious users connected through different ports.
“When you connect to a machine via SSH, your source port is randomly assigned to you, based on a specific range of source ports,” he said. “What we found is that many of the malicious users from the internet were tunneling in from a different port outside of that range, to attempt to mask that they were connecting from a SSH. So they specifically set their port to be different from what that range would be.”
In a test of 175 unique connections, the IDS was 84 percent accurate, Zbozny said.
“It is actually higher than we expected,” he said. “The research and industry attempts at this are typically in the 80 percent range, so we didn’t really actually expect to get that high.”
Zbozny said he was pleased with the results and that they are a good starting point for further research and development.
“While it’s not accurate enough to be mainstreamed, it helps research in the field,” he said.
Burghardt said he was impressed with Zbozny’s presentation.
“I just thought he did a phenomenal job,” he said. “I was really proud of him, he was very prepared. All of the work that he did over the school year, it really came through in his response to questions and how he handled himself.”
AMSAA Materiel Performance Analysis Division Chief Scott Schoeb congratulated Zbozny after the presentation.
“He has a bright future,” he said. “This is on the cutting edge of innovation, and it is where we need to go to protect our nation.”
SMA Program Specialist Sarah Voskuhl called Zbozny’s research project “impressive.”
“Noah has been a fabulous student,” she said. “He is hard-working, kind and funny. I couldn’t be more proud of him and his research project.”
In addition to presenting to AMSAA employees, Zbozny was one out of five students selected to speak at the annual Senior Capstone Gallery Walk May 23 at AHS. During the awards presentation immediately after the gallery walk, he received the Robert L. Johnson Award for Perseverance & Problem Solving.
“I know several of the previous students who have received the award, and I am very grateful that my teachers felt that I deserved to be one of them,” he said.
Looking to the future
Zbozny has been accepted into the University of Maryland Honors College Advanced Cybersecurity Experience for Students program. He was awarded the Banneker/Key Scholarship, a University of Maryland scholarship offered to only a select group of applicants who have demonstrated academic accomplishment and leadership in high school.
“He worked really hard and it showed out there,” she said. “Everything that he worked for culminates in these capstone events.”