Skip to content

Describing the methods and useful tips to develop Machine Learning Codes and run experiment in the military

License

Notifications You must be signed in to change notification settings

nonconvexopt/Machine_Learning_research_in_Military

Repository files navigation

Machine_Learning_research_in_Military

  • Describing the methods and useful tips to develop Machine Learning Codes and run experiment inside the Military base of Repulic of Korea Army.

Problem 1: Compute Server Access

  • Referring the security regulations in the military, some of the commercial function and software usage for communications is prohibited. Also, the web access logs are recorded for each personnel and strictly inspected. Special treatments are required for setting up computational equipments and experimental environment.
  • We test several frameworks like Jupyter Notebook(For single user server), JupyterHub(For multiple user server) and Docker(Virtualization, Development Environment Management) to fit the security requirements and enable Machine Learning project environments.

Preparation

  • Personal/Public Server or Desktop linked to WAN.
  • Internet PC in military base.
    • Commercial Web Browser.(Google Chrome, etc).

Prerequisites

  • Linux series OS usage.
  • Basic Network knowledge.
  • Understanding of port forwarding functions of secure shell command(ssh) in Linux shell.(-R, -L, -D arguments)

Examples

  • Example Setting 1
    • Access to Personal Server with public IP(A) with machine inside military base(B).
  • Example Setting 2
    • Access to compute server with no public IP(A) connected to Personal (Gateway Server|NAT|Router) with Public IP(B) by machine inside military base(C).
    • Access to compute server with no public IP(A) connected to (Gateway Server|NAT|Router) with Public IP(B) by machine inside military base(C).


*'Personal' implies you have root privilege on the machine and can modify file permissions, port options, services, etc. The point is that ssh outbounds with default port(22) from military base is prohibited and we need significant cares to handle this issue when we cannot change the service port of ssh at destination machine. I noticed that this is not true.

Solutions

  • Cloud-based access/Cloud Computing(Google Cloud Platform, Amazon Web Service, Azure, IBM Cloud, Alibaba cloud, Web-based IDEs, etc)
  • HTTP/HTTPS based access

Securing data transfer

  • I recognized that my communication and my data are being proctored (Without the notification to me 😠)

Solutions

  • VPN
  • SSH tunneling & Packet encryption
  • Tor

Steps (without Tor)

  • Prepare a Vitual Machine with a network (from Cloud or On-Prem)
  • Make a secured connection to the server with secured authorization. (It is recommended to use the method at least strong as ed25519)
  • Make a proxy to the server (ex. dynamic forwarding with SOCKS5)

Steps (with Tor)

  • Prepare a Vitual Machine with a network (from Cloud or On-Prem)
  • Make a secured connection to the server with secured authorization. (It is recommended to use the method at least strong as ed25519)
  • Torify the outbound traffic of the server
# On linux
sudo apt update
sudo apt upgrade
sudo apt install tor

. torsocks on

Config of Tor

sudo vim /etc/tor/torrc

Parts to change in etc/tor/torrc
Example : https://github.com/torproject/tor/blob/main/src/config/torrc.sample.in

# Service Port
SOCKSPort 9050
# Control Port
ControlPort 9051
# Enable uthentication
CookieAuthentication 1

# Setting password

All other local services will be prevented to be accessed unless you register specific HiddenService.

# (Optional) HiddenService - ex. for jupyter
HiddenServicePort 80 127.0.0.1:80

Accessing control port

# Access control port
> Telnet 127.0.0.1 9050
Connected to 127.0.0.1.
Escape character is '^]'.
> AUTHENTICATE "<Your-Tor-Password>"
250 OK
# renew identity
> SIGNAL NEWNYM
250 OK
> SIGNAL CLEARDNSCACHE
250 OK
> quit
Connection closed by foreign host.
  • Make a port forwarding connection to the port of Tor service at the server
    ** Important: Do not sign in any account or reveal your identity in the Tor network. Your IP address and location maybe specified by the account usage.

Preventing Spyapps

Known cases

  • RCS (Remote Control System) Galileo from Hacking Team, Italy: Android and Desktop. Can be installed without the permission of the device user. (Guess it needs physical access like connecting USB device)

Solutions

  • Run vaccin apps
  • Fatory reset your device occasionally
  • Try not to root your phone
  • (Android) Use adb (Android SDK) to force removal of your system apps without rooting. (Need PC)
    • Activate USB debugging by touching Build Number multiple times at Settings > Device Info
    • Connect your phone to PC and allow data transfers
    • Run adb at PC
> adb devices

> shell pm uninstall --user 0 <Valid Package Name>
Success

> shell pm uninstall --user 0 <Invalid Package Name>
Failure (<error message>)

You can disable package instead of uninstalling them. I witnessed some suspicious blotwares which are having strong permissions about my device and not easily stopped running in normal user mode.

Preventing BlueBorne Attack (especially weak for Android devices)

Solutions

  • I can't find a better way than turning off Bluetooth when I am not using. It is vulnerable if I use my device at specific place at specific time regularly.
  • In general android OS, even if you turn bluetooth off by clicking the button in the menu bar, bluetooth service might be keep learning background and expose vulnerability.
  • Go to the developer settings and checkout the running service section to check whether your bluetooth service is running.
  • It is known that recent(2018+) BlueTooth applications are updated to prevent such attacks.

Wireless device security

Solutions

  • I can't find a better way than using wired devices. (better with C-type to fit the security regulations)

Spoofing / Session Hijacking

  • It seems safe with (tcp/http(s)) proxy server.

SIM card or Phone copy

  • I am not sure Phone copy is possible for 4+G devices. They are known to be safe even if their IMEI number is exposed. (We normally register it to Telecommuniation Service Provider) SIM copy maybe possible.

Real surveilance rather than cyberattacks / Bad internet connections.

Solutions

  • Try Starlink. Looks awesome in military if you are in isolated island, top of the mountain or somewhere odd. Dutchpay your fee with your squad members.

(Optional) Bypassing forced Mobile security application installation. (Testing)

Solutions

  • Install mobile OS emulator app to the phone.
  • Install Military Mobile Security app (국방모바일보안) inside the virtual environment.

Reference

About

Describing the methods and useful tips to develop Machine Learning Codes and run experiment in the military

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published