JOURNAL OF COMPUTER SCIENCE AND ENGINEERING, VOLUME 11, ISSUE 2, FEBRUARY 2012 28

Implementation and Enhancing the design of Signature-based Intrusion Detection Model Muna M. T. Jawhar and Monica Mehrotra

Abstract—Intrusion detection is an interesting approach that could be used to improve the security of network systems. Intrusion detection system detects suspected patterns of network traffic on the remaining open parts by monitoring user activities. In this paper we evolve a signature based intrusion detection system based on Neural Networks for recognizing attacks types in the network traffic packet. We use Hamming network to detect attacks in this model. The experimental results demonstrate that the designed models are promising in terms of accuracy and computational time of real word intrusion detection systems. Training and testing data we obtain from the real network traffic by using packet sniffer. Index Terms— Intrusion Detection system, Network security, Neural Network .

——————————  ——————————

1 INTRODUCTION

I

ncessant distribution of application of information technologies to all spheres of human activity constantly puts new requirements to a level of security of information system. The number of attacks and criminals attacking computer networks is increasing [11]. So network security has become a very important issue. Intrusion detection has become research focus for network security. The intrusion detection technology uses the trace information which are left by the intruder such as the failure records of attempt to log to find the illegal intrusion from the outsider or insider effectively. The intrusion detection system is the computer system which can realize the intrusion detection technology [5]. Intrusion detection systems (IDS) can be classified as network based and host-based according to the information source of the detection [10]. Network-based IDS monitors the network traffic and looks for network-based attacks, while host-based IDS is installed on host and monitors the host audit trail [2][4]. Intrusion detection systems can be roughly classified as anomaly detection and misuse detection. Anomaly detection is based on the normal behavior of a subject (e.g., a user or a system), any action that significantly deviates from the normal behavior is considered intrusive [1]. Misuse detection is based on the characteristics of known attacks or system vulnerabilities, which are also called signatures. Any action that matches the signature is considered intrusive. Misuse-base detection detects attacks based on signatures (known attacks signatures), at which the traffic pattern ————————————————

Muna M. T. Jawhar , Department of Computer Science, Jamia Millia Islamia,Newdelhi, India. Monica Mehrotra , Department of Computer Science, Jamia Millia Islamia,Newdelhi, India.

compared with these signatures, if a match is found, then it is reported as an attack, otherwise it is not. So misuse detection cannot detect novel attacks. On the other hand, anomaly-based detection depends on monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures, and will detect any type of misuse that falls out of normal system behavior. Thus, it is able to detect not only known intrusion but also unknown intrusion. In addition, this approach can detect the intrusion that is achieved by the abuse of legitimate users or masqueraders without breaking security policy [6][7]. However, the major problem of existing models is recognition of attacks in real time before the damage happens. In this paper, we propose a new method for a real time network intrusion detection system based on Neural Networks by using NDIS hooking program which works as internet packet sniffer. The paper is organized as follows section 2 describes the main component of the system model, the architecture of the hamming network and its experimental results, section 3 discusses the enhanced design of traditional hamming network and presents experimental results, and the conclusion is in section 4.

2 THE SYSTEM MODEL ARCHITECTURE The model of signature-based intrusion detection model design to detect known attack types, this model has three stages, as shown in the following Figure (1).

© 2012 JCSE www.journalcse.co.uk

29

C. Neural Network classification stage The architecture of Neural Network used in this model is Hamming network and MAXNET.

2.1 Hamming net and MAXNET

Fig. (1) : The architecture of the model

The components of the model are :

This network has two layers, in the first layer calculate the hamming distance between the input vector and the exemplar (which contain the signature of attacks). In MAXNET as the second layer of the network will strengthen the largest value and will eliminate the others. In other words, only one neuron will be the winner corresponding to the exemplar index that matches the input. This distance is equal to the number of elements in the input pattern which are different in value from the corresponding nodes in the exemplar pattern [8].

A. Data Provider The model is using data from Network Driver Interface Specification (NDIS) hooking program which work as packet sniffer. NDIS hooking sniffer controls, captures, and extracts appropriate features from the packet traveling in internet [9]. The features extracted from the packet headers of protocol IP,TCP and UDP which are used in this model are: source IP address, destination IP address, source port, destination port, SYN,ACK,FIN,RES flags, and protocol type. We used the simulation of some type of attacks to be classified in this model as listed in the table (1)[3].

2.2 Hamming net architecture The architecture of the hamming network is shown in figure (2).

TABLE 1 LIST OF ATTACKS NAMES, SIGNATURE AND THEIR PROTOCOLS

Fig. (2) : The architecture of the Hamming network

The input vector has 83 node after converting it to binary bipolar, and the output layer contains 8 nodes to be classified to one of the eight classes of attack types. The architecture consists of 83 input nodes in the lower net, with each input node connected to the 8 output nodes, these output nodes are connected to a upper net (i.e. MAXNET) which calculates the best exemplar match to the input vector. The output node represent the number of exemplar vectors stored in the net. For a given set of exemplar vectors, the hamming net, finds the exemplar vector that is closest to the input vector. B.

Preprocessor

The Preprocessor component gets traffic feature from data provider then converts to binary bipolar form in order to feed the neural net sensors in Neural Network based analyzer component. Therefore the following operation are applied to the feature. Normalization In normalization, each numerical value in the data set is normalized in form 1 and -1. All the features which have integer value or continuous convert to binary bipolar.

2.3 Hamming net Experiments Two experiments were done using Hamming and MAXNET networks. The first experiment used 798 records of input data set which contain normal records with attack records similar as exemplar records and the result is shown in table (2).

30

TABLE (2)

TABLE (4 )

THE RESULT OF HAMMING AND MAXNET EXPERIMENT1

LIST OF EXEMPLARS USED IN ENHANCEMENT HAMMING ETWORK

As see from above table the detection rate of the hamming net for all attack types was 100% with no false negative.The second experiment used 5208 records of input data set contains normal records with attack records, and the result as shown in table (3).

Where (xx) no matter what the value is, because in comparison operation it will become zeros.

TABLE (3) THE RESULT OF HAMMING AND MAXNET EXPERIMENT2

3.1 The Enhance Algorithm First of all, we don’t need to convert the input vector to bipolar binary because it will convert automatically in the algorithm. The following are the steps of the algorithm: Step 1: specify the exemplar Step 2: calculate the HD between the input vector and exemplar. Step 3: compare HD with threshold (zero) for all nodes, if there are no any HD equal to zero, it means the packet is normal and the network stopped.

The detection rate for each type of the attack is shown above. The detection rate of Hamming network is 88.70% and false positive is 33.19%. As we see from above, in the first experiment the detection rate for all type of attacks is 100% with false negative 0. But in the second experiment, when the input data is increasing, the detection rate is decreasing as illustrated from the above tables.

Step 4: compute the net Step 5: calculate the output of hamming net as: y = f(net) Step 6: the node which have the zero value is the winner node.

3 HAMMING NETWORK ENHANCEMENT

3.2 Experimental Results

We make some changes in traditional hamming network for better performance of detection of attacks. The changes are:

We used the same data sets which we used in the first experiments. Two experiments has done using enhance Hamming network. The first experiment used 798 records of input data set which contain normal records with attack records and the result as shown in table (5).

1.

The number of exemplars are the probability of all attack signatures. 2. Use mask in exemplars for comparison between the input vector and exemplars. 3. Using threshold value for stopping the algorithm. The exemplars which we have used in the enhanced network are shown in table (4).

31

TABLE (5)

old one.

THE RESULT OF ENHANCE HAMMING NET EXPERIMENT 1

REFERENCES [1]

As we see from above table the detection rate of the hamming net for all attack types was 100%, the detection rate of network is 100%, and false negative is 0%. The second experiment used 5208 records of input data set containing normal records with attack records, and the result is shown in table (6). TABLE (6) THE RESULT OF ENHANCE HAMMING NET EXPERIMENT 2

The detection rate for each type of attack is 100% as shown above table. The classification rate of enhancement Hamming network is 100%, and the false negative is 0%. As we see form the two experiments above, the detection rate for all type of attack is 100% with false negative 0. It means the new enhancement algorithm works better that the traditional hamming algorithm, it give the same detection rate (100%) for all data sets whatever the size of the data and values. Also it faster than the first one.

4. Conclusion We have designed a model using traditional hamming and MAXNET network and the second model used MLP network. We used two data sets, the first data set contain 798 records and the second data set contain 5208 records. The exemplar of hamming network is taken from the first data set after converting to binary bipolar. As we see from the experiments of hamming network, when we used the first data set the detection rate for all type of attacks is 100% with false negative is 0%. But when we used the second data set the detection rate of most type of attacks is decreasing and the false negative is increasing.We make some enhancement to the traditional hamming network, after testing the new network, we see it works better than the traditional network, the detection rate for all attacks type in all data sets which is used is 100% and the false negative is 0%. It is also faster than the

Amandeep Kaur Sohal, "A Taxonomy-Based Approach to Intrusion Detection System" M.Sc. thesis, the Graduate School, University of Nevada, Reno, 2007. [2] Aykut Oksuz, "Unsupervised Intrusion Detection System", M. Sc. Thesis, Technical University of Denmark, Denmark, 2007. [3] Cisco system; http://tools.cisco.com/mysdn/intelligencehome.x [4] Hiren Shah, Jeffrey Undercoffer, and Anupam Joshi, "fuzzy Clustering for Intrusion Detection", IEEE International Conference on Fuzzy Systems, 2003. [5] Jingwen Tian and Meijuan Gao, " Network Intrusion Detection Method Based on High Speed and Precise Genetic Algorithm Neural Network", 2009 International Conference on Networks Security, Wireless Communications and Trusted Computing, IEEE, 2009. [6] Khattab M. Ali, Venus W, and Mamoun Suleiman Al Rababaa, "The Affect of Fuzzification on Neural Networks Intrusion Detection System", IEEE, 2009. [7] Muna M. T. Jawhar and Monica M., "Intrusion Detection System: A design perspective", the proceeding of international conference for data management, IMT, Gaziabad, India, 2009. [8] Muna M.T. Jawhar and Monica Mehrotra, " Real Time Intrusion Detection System based on Neural Network", proceeding of third International Conference On Data Management, Ghaziabad, India, 11-12 March 2010. [9] Muna M. T. Jawhar and Monica M., "System Design for Packet Sniffer using NDIS Hooking", International Journal of Computer Science and Communication, Vol.1, No. 1, pp. 169-171, 2010. [10] Phani B., " Applications of Machine Learning to Anomaly Based Intrusion Detection", Supercomputer Education and Research Center, Indian Institute of Science, Bangalore, 2006. [11] Vladimir Golovko, Pavel Kachurka, and Leanid Vaitsekhovich, "Neural Network Ensembles for Intrusion Detection", IEEE International Workshop on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications, Dortmund, Germany, 2007.

Transactions Template

In this paper we evolve a signature based intrusion detection system based on Neural ... Training and testing data we obtain from the real network traffic by using ...

237KB Sizes 0 Downloads 328 Views

Recommend Documents

Transactions Template
Published results show that these strategies effectively improve both the data rate and .... ed estimates to the decoder for error correction. Unlike the Viterbi decoding .... Error Probability for Data Services in a Terrestrial DAB Single Fre-.

Transactions Template
INTERNATIONAL JOURNAL OF ELECTRICAL, ELECTRONICS AND COMPUTER SYSTEMS (IJEECS),. Volume 1, Issue 2, April 2011. .... system integrates both graphical and textual password scheme and has high level security. .... and the list of grid cells of these th

Transactions Template - IJEECS
INTERNATIONAL JOURNAL OF ELECTRICAL, ELECTRONICS AND COMPUTER SYSTEMS (IJEECS),. Volume ... ployed to validate the present theory for various .... Journal of Radio and Space Physics, vol. 35, pp. 293-. 296, 2006.(Journal).

Transactions Template
using sensors, 3G cell phone network and social media to be applied to the design of small ..... Systems, Computer Networks acting on the following themes:.

Transactions Template
http://sites.google.com/site/journaloftelecommunications/. Model for remote data ... analysis of these sensors can be acquired and transmitted remotely through the 3G network, directly to an operations room, or also be made available on the .... (pre

Transactions Template
overcome this problem is to have a good management and control of signal traffic lights. For this ... programmable logic controller and wireless sensors for a real time implementation. ... interested in managing urban traffic areas and road net-.

Transactions Template
tion of Internet Banking, as it reduces the customer‖s re- quirements to just a .... Taiwan launched a trial on over 5000 Visa payWave stores, in mid-2008.

Transactions Template
JOURNAL OF COMPUTER SCIENCE AND ENGINEERING, VOLUME 2, ISSUE 1, JULY 2010. 32 ... Arjan Singh is with the Baba Banda Singh Bahadur College of Engi- neering ... ranking of the V-N collocations based on their relative.

Transactions Template
dresses to the honeypot template (bind 10.3.0.2 Linux & bind 10.3.0.3 Linux). .... service, email platform, etc. the impact would be high and the image of the ...

Transactions Template
sit fleet by way of internet-enabled mobile devices. WAP- ... transit region is sent to the user mobile phone. From the ... converting the plate number into text file, and finally (4) running the .... If number at the free box is uncompleted or wrong

Transactions Template
puters are in the data processing classrooms and its use continues being ... Habib M. Fardoun is with the Institute of Computer Science Research. Institute of Albacete and .... which we can specify and use educational activities to allow work ...

Transactions Template
an Intranet and Internet, servers and workstations for operations, ... tion of new business models, and changes in the bounda- .... optical fibre or radio.

Transactions Template
JOURNAL OF COMPUTER SCIENCE AND ENGINEERING, VOLUME 4, ISSUE 1, NOVEMBER ... audio and video data separately, this research presents a.

Transactions Template
Abstract— The Semantic Web presents new opportunities for enabling modeling, sharing and reasoning with knowledge available on the web. These are made possible through the formal representation of the knowledge domain with ontologies. Ontology is a

Transactions Template
fined by the distance to the nearest training pattern. ... set cs(yj) j=1…m , cs(yj) ϵ { 0 1 ….9} which defines .... B.E. degree in 2007 from Rajasthan University.

Transactions Template - arXiv
registered with respect to the centre of the fingerprint image. The dimensionality of .... tions are then normalized into the domain from 0 to , and the certain values ...

Transactions Template
and integrating multiple telecommunication services into single device. The typical sierpinski gasket antenna has been introduced by [3]. Recently various ...

Transactions Template
by analyzing both audio and visual data. ... As tools and systems for producing and disseminating action data improve significantly, the amount of human action.

Transactions Template
We focused on intersections as a traffic scene to be covered by the system. At some blind ...... C. Sugimoto received the B.S. degree in Engineering, and the M.S..

Transactions Template
models and propose QoS in WSNs considering the packet to be small in size so that it can travel faster through the network by avoiding collision. In this way we ...

Transactions Template - IJEECS
ISSN: 2221-7258(Print) ISSN: 2221-7266 (Online) www.ijeecs.org. Modified ..... vanced Information Networking and Applications Workshops. (AINAW 07), vol. 2.

Transactions Template
present, there are no proper measures for software main- tainability[1]. ..... AT&T Bell Labs at Columbus, Ohio, USA and has also worked as a consultant in the ...

Transactions Template
The MANETs are also suitable when network setup is difficult, costly and required to be done quickly ... hop fashion without any centralized administration [1]. Significant examples of ..... Aircraft Ad-hoc networks, Network Security & VLSI Design.

Transactions Template - IJEECS
client server model doesn't support the slicing over the object oriented programs on ... slicing, Slice, Distributed System, Finite State Machine, Java Programming.