Introduction
Networking is the circulatory system of every digital organization, and understanding how data flows through networks is fundamental to identifying and preventing attacks. For AI security engineers, networking knowledge is doubly important: you need to understand how traditional network attacks work and how to apply ML models to network traffic analysis.
This section covers the essential networking concepts that every security professional must master, from the TCP/IP stack to modern security appliances, with a focus on the attack surfaces at each layer.
TCP/IP Stack Attack Surfaces
The TCP/IP model organizes network communication into four layers, each presenting distinct security challenges. Attackers can target vulnerabilities at any layer, and effective defense requires understanding the threats at each level.
At the Network Access layer, attacks include ARP spoofing, MAC flooding, and VLAN hopping. These attacks exploit the trust inherent in local network protocols. At the Internet layer, IP spoofing, ICMP attacks, and routing manipulation allow attackers to redirect or intercept traffic.
- Network Access Layer: ARP spoofing, MAC flooding, rogue DHCP servers, and physical network taps. Defense relies on port security, 802.1X authentication, and network segmentation.
- Internet Layer: IP spoofing, ICMP floods, BGP hijacking, and route injection. Defense relies on ingress filtering, anti-spoofing rules, and RPKI for route validation.
- Transport Layer: SYN floods, TCP session hijacking, and port scanning. Defense relies on SYN cookies, stateful firewalls, and connection rate limiting.
- Application Layer: SQL injection, XSS, API abuse, and protocol exploitation. Defense relies on WAFs, input validation, and application-level authentication.
AI Application: ML-based network intrusion detection systems analyze traffic features extracted from multiple TCP/IP layers. Understanding which features to extract from packet headers, payload data, and flow statistics is essential for building effective models. We cover this in detail in Chapter 8.
DNS, HTTP, and TLS
Three protocols deserve special attention due to their ubiquity and the severity of attacks that target them. DNS, HTTP, and TLS form the backbone of modern internet communication, and vulnerabilities in any of them can have cascading consequences.
DNS (Domain Name System) translates human-readable domain names to IP addresses. DNS attacks include cache poisoning (redirecting traffic to malicious servers), DNS tunneling (exfiltrating data through DNS queries), and domain hijacking. DNS is often called "the phonebook of the internet," and compromising it is equivalent to redirecting all phone calls.
HTTP/HTTPS carries the vast majority of web traffic. Attacks target web applications through injection flaws, cross-site scripting (XSS), cross-site request forgery (CSRF), and API vulnerabilities. TLS (Transport Layer Security) encrypts data in transit but is vulnerable to downgrade attacks, certificate spoofing, and implementation flaws like the Heartbleed bug.
- DNS Security: DNSSEC for integrity, DNS-over-HTTPS (DoH) for privacy, monitoring for DNS tunneling
- HTTP Security: HTTPS everywhere, Content Security Policy (CSP), HTTP Strict Transport Security (HSTS)
- TLS Security: TLS 1.3 minimum, certificate pinning, automated certificate management with ACME
Firewalls, IDS, and IPS
Network security devices form the traditional defensive perimeter, filtering and monitoring traffic to detect and prevent malicious activity. Understanding their capabilities and limitations is essential for knowing where AI can augment or replace their functionality.
Firewalls filter traffic based on rules applied to source/destination addresses, ports, and protocols. Next-generation firewalls (NGFWs) add application-level inspection, SSL decryption, and integration with threat intelligence feeds. However, rule-based filtering struggles with encrypted traffic and zero-day attacks.
Intrusion Detection Systems (IDS) monitor network traffic for known attack signatures or anomalous behavior and generate alerts. Intrusion Prevention Systems (IPS) go further by actively blocking detected threats. Both are increasingly incorporating ML models to improve detection rates and reduce false positives.
The Evolution: Traditional IDS/IPS relies on signature databases that must be constantly updated. AI-powered alternatives learn normal traffic patterns and detect deviations, enabling them to identify novel attacks without prior signatures. Chapter 8 covers building ML-based IDS from scratch.
Why the Perimeter Is Dead
The traditional security model assumed a clear boundary between "inside" (trusted) and "outside" (untrusted) the network. Cloud computing, remote work, BYOD policies, and SaaS applications have dissolved this perimeter. Data and users now exist everywhere, making perimeter-based security insufficient.
Modern architectures require security controls that travel with the data and the identity, rather than being anchored to a network boundary. This shift is the foundation of Zero Trust architecture, which we explore in detail in Chapter 12.
- Cloud Migration: Workloads span multiple cloud providers and on-premises infrastructure
- Remote Workforce: Employees access corporate resources from personal devices on untrusted networks
- API Economy: Business-critical data flows through third-party APIs and microservices
- AI/ML Pipelines: Training data, model artifacts, and inference endpoints may span multiple environments