The evolving necessity of the Internet increases the demand on the bandwidth. Therefore, this demand opens the doors for the hackers’ community to develop new methods and techniques to gain control over networking systems. Hence, the intrusion detection systems (IDS) are insufficient to prevent/detect unauthorized access the network. Network Intrusion Detection System (NIDS) is one example that still suffers from performance degradation due the increase of the link speed in today’s networks. In This paper we proposed a novel algorithm to detect the intruders, who’s trying to gain access to the network using the packets header parameters such as;
source/destination address, source/destination port, and protocol without the need to inspect each packet content looking for signatures/patterns. However, the “Packet Header Matching” algorithm enhances the overall speed of the matching process between the incoming packet headers against the rule set. We ran the proposed algorithm to proof the proposed concept in coping with the traffic arrival speeds and the various bandwidth demands. The achieved results were of significant enhancement of the overall performance in terms of detection speed.
Cybercrime is increasing at a faster pace and sometimes causes billions of dollars of business- losses so
investigating attackers after commitment is of utmost importance and become one of the main concerns of
network managers. Network forensics as the process of Collecting, identifying, extracting and analyzing
data and systematically monitoring traffic of network is one of the main requirements in detection and
tracking of criminals. In this paper, we propose an architecture for network forensic system. Our proposed
architecture consists of five main components: collection and indexing, database management, analysis
component, SOC communication component and the database.
The main difference between our proposed architecture and other systems is in analysis component. This
component is composed of four parts: Analysis and investigation subsystem, Reporting subsystem, Alert
and visualization subsystem and the malware analysis subsystem. The most important differentiating
factors of the proposed system with existing systems are: clustering and ranking of malware, dynamic
analysis of malware, collecting and analysis of network flows and anomalous behavior analysis.
Network Forensics is scientifically proven technique to accumulate, perceive, identify, examine, associate, analyse and document digital evidence from multiple systems for the purpose of uncovering the fact of attacks and other problem incident as well as performing the action to recover from the attack. Many systems are proposed for designing the network forensic systems. In this paper we have prepared comparative analysis of various models based on different techniques.
COMBINING NAIVE BAYES AND DECISION TREE FOR ADAPTIVE INTRUSION DETECTIONIJNSA Journal
In this paper, a new learning algorithm for adaptive network intrusion detection using naive Bayesian classifier and decision tree is presented, which performs balance detections and keeps false positives at acceptable level for different types of network attacks, and eliminates redundant attributes as well as contradictory examples from training data that make the detection model complex. The proposed algorithm also addresses some difficulties of data mining such as handling continuous attribute, dealing with missing attribute values, and reducing noise in training data. Due to the large volumes of security audit data as well as the complex and dynamic properties of intrusion behaviours, several data miningbased intrusion detection techniques have been applied to network-based traffic data and host-based data in the last decades. However, there remain various issues needed to be examined towards current intrusion detection systems (IDS). We tested the performance of our proposed algorithm with existing learning algorithms by employing on the KDD99 benchmark intrusion detection dataset. The experimental results prove that the proposed algorithm achieved high detection rates (DR) and significant reduce false positives (FP) for different types of network intrusions using limited computational resources.
INTRUSION DETECTION USING FEATURE SELECTION AND MACHINE LEARNING ALGORITHM WI...ijcsit
In order to avoid illegitimate use of any intruder, intrusion detection over the network is one of the critical
issues. An intruder may enter any network or system or server by intruding malicious packets into the
system in order to steal, sniff, manipulate or corrupt any useful and secret information, this process is
referred to as intrusion whereas when packets are transmitted by intruder over the network for any purpose
of intrusion is referred to as attack. With the expanding networking technology, millions of servers
communicate with each other and this expansion is always in progress every day. Due to this fact, more
and more intruders get attention; and so to overcome this need of smart intrusion detection model is a
primary requirement.
By analyzing the feature selection methods the identification of essential features of NSL-KDD data set is
done, then by using selected features and machine learning approach and analyzing the basic features of
networks over the data set a hybrid algorithm is made. Finally a model is produced over the algorithm
containing the rules for the network features.
A hybrid misuse intrusion detection model is made to find attacks on system to improve the intrusion
detection. Based on prior features, intrusions on the system can be detected without any previous learning.
This model contains the advantage of feature selection and machine learning techniques with misuse
detection.
Cybercrime is increasing at a faster pace and sometimes causes billions of dollars of business- losses so
investigating attackers after commitment is of utmost importance and become one of the main concerns of
network managers. Network forensics as the process of Collecting, identifying, extracting and analyzing
data and systematically monitoring traffic of network is one of the main requirements in detection and
tracking of criminals. In this paper, we propose an architecture for network forensic system. Our proposed
architecture consists of five main components: collection and indexing, database management, analysis
component, SOC communication component and the database.
The main difference between our proposed architecture and other systems is in analysis component. This
component is composed of four parts: Analysis and investigation subsystem, Reporting subsystem, Alert
and visualization subsystem and the malware analysis subsystem. The most important differentiating
factors of the proposed system with existing systems are: clustering and ranking of malware, dynamic
analysis of malware, collecting and analysis of network flows and anomalous behavior analysis.
Network Forensics is scientifically proven technique to accumulate, perceive, identify, examine, associate, analyse and document digital evidence from multiple systems for the purpose of uncovering the fact of attacks and other problem incident as well as performing the action to recover from the attack. Many systems are proposed for designing the network forensic systems. In this paper we have prepared comparative analysis of various models based on different techniques.
COMBINING NAIVE BAYES AND DECISION TREE FOR ADAPTIVE INTRUSION DETECTIONIJNSA Journal
In this paper, a new learning algorithm for adaptive network intrusion detection using naive Bayesian classifier and decision tree is presented, which performs balance detections and keeps false positives at acceptable level for different types of network attacks, and eliminates redundant attributes as well as contradictory examples from training data that make the detection model complex. The proposed algorithm also addresses some difficulties of data mining such as handling continuous attribute, dealing with missing attribute values, and reducing noise in training data. Due to the large volumes of security audit data as well as the complex and dynamic properties of intrusion behaviours, several data miningbased intrusion detection techniques have been applied to network-based traffic data and host-based data in the last decades. However, there remain various issues needed to be examined towards current intrusion detection systems (IDS). We tested the performance of our proposed algorithm with existing learning algorithms by employing on the KDD99 benchmark intrusion detection dataset. The experimental results prove that the proposed algorithm achieved high detection rates (DR) and significant reduce false positives (FP) for different types of network intrusions using limited computational resources.
INTRUSION DETECTION USING FEATURE SELECTION AND MACHINE LEARNING ALGORITHM WI...ijcsit
In order to avoid illegitimate use of any intruder, intrusion detection over the network is one of the critical
issues. An intruder may enter any network or system or server by intruding malicious packets into the
system in order to steal, sniff, manipulate or corrupt any useful and secret information, this process is
referred to as intrusion whereas when packets are transmitted by intruder over the network for any purpose
of intrusion is referred to as attack. With the expanding networking technology, millions of servers
communicate with each other and this expansion is always in progress every day. Due to this fact, more
and more intruders get attention; and so to overcome this need of smart intrusion detection model is a
primary requirement.
By analyzing the feature selection methods the identification of essential features of NSL-KDD data set is
done, then by using selected features and machine learning approach and analyzing the basic features of
networks over the data set a hybrid algorithm is made. Finally a model is produced over the algorithm
containing the rules for the network features.
A hybrid misuse intrusion detection model is made to find attacks on system to improve the intrusion
detection. Based on prior features, intrusions on the system can be detected without any previous learning.
This model contains the advantage of feature selection and machine learning techniques with misuse
detection.
An Intrusion Detection based on Data mining technique and its intended import...Editor IJMTER
Intrusion detection is a pivotal and essential requirement of today’s era. There are two
major side of Intrusion detection namely, Host based intrusion detection as well as network based
intrusion detection. In Host based intrusion detection system, it monitors the information arrive at the
particular machine or node. While in network based intrusion system, it monitor and analyze whole
traffic of network. Data mining introduce latest technology and methods to handle and categorize
types of attacks using different classification algorithm and matching the patterns of malicious
behavior. Due to the use of this data mining technology, developers extract and analyze the types of
attack in the network.
In addition to this there are two major approach of intrusion detection. First, anomaly based approach,
in which attacks are found with high false alarm rate. However, in signature based approach, false
alarm rate is low with lack of processing of novel attacks. Most of the researchers do their research
based on signature intrusion with the purpose to increase detection rate. Major advantage of this
system, IDS does not require biased assessment and able to identify massive pattern of attacks.
Moreover, capacity to handle large connection records of network. In this paper we try to discover
the features of intrusion detection based on data mining technique.
Utilizing Data Mining Approches in the Detection of Intrusion in IPv6 Network...IDES Editor
The development of Internet protocols are greatly
needed as the network security becomes one of the most
important issues. This brings the need to develop IPv4 into
IPv6 in order to proceed towards increasing the network
capacity.
Now Intruders are considered as one of the most serious
threats to the internet security. Data mining techniques have
been successfully utilized in many applications. Many
research projects have applied data mining techniques to
intrusion detection. Furthermore different types of data
mining algorithms are very much useful to intrusion detection
such as Classification, Link Analysis and Sequence Analysis.
Moreover, one of the major challenges in securing fast
networks is the online detection of suspicious anomalies in
network traffic pattern. Most of the current security solutions
failed to perform the security task in online mode because of
the time needed to capture the packets and making decision
about it.
Practically, this study provides alliterative survey for the
enhancement associated with IPv6 in terms of its security
related functions. It is worthy mentioned that this study is
concurred with the data mining approaches that have been
used to detect intrusions.
Network Forensic Investigation of HTTPS ProtocolIJMER
International Journal of Modern Engineering Research (IJMER) is Peer reviewed, online Journal. It serves as an international archival forum of scholarly research related to engineering and science education.
Survey on classification techniques for intrusion detectioncsandit
Intrusion detection is the most essential component
in network security. Traditional Intrusion
Detection methods are based on extensive knowledge
of signatures of known attacks. Signature-
based methods require manual encoding of attacks by
human experts. Data mining is one of the
techniques applied to Intrusion Detection that prov
ides higher automation capabilities than
signature-based methods. Data mining techniques suc
h as classification, clustering and
association rules are used in intrusion detection.
In this paper, we present an overview of
intrusion detection, KDD Cup 1999 dataset and detai
led analysis of different classification
techniques namely Support vector Machine, Decision
tree, Naïve Bayes and Neural Networks
used in intrusion detection.
Current issues - International Journal of Network Security & Its Applications...IJNSA Journal
nternational Journal of Network Security & Its Applications (IJNSA) is a bi monthly open access peer-reviewed journal that publishes articles which contribute new results in all areas of the computer Network Security & its applications. The journal focuses on all technical and practical aspects of security and its applications for wired and wireless networks. The goal of this journal is to bring together researchers and practitioners from academia and industry to focus on understanding Modern security threats and countermeasures, and establishing new collaborations in these areas.
A SURVEY ON THE USE OF DATA CLUSTERING FOR INTRUSION DETECTION SYSTEM IN CYBE...IJNSA Journal
In the present world, it is difficult to realize any computing application working on a standalone computing device without connecting it to the network. A large amount of data is transferred over the network from one device to another. As networking is expanding, security is becoming a major concern. Therefore, it has become important to maintain a high level of security to ensure that a safe and secure connection is established among the devices. An intrusion detection system (IDS) is therefore used to differentiate between the legitimate and illegitimate activities on the system. There are different techniques are used for detecting intrusions in the intrusion detection system. This paper presents the different clustering techniques that have been implemented by different researchers in their relevant articles. This survey was carried out on 30 papers and it presents what different datasets were used by different researchers and what evaluation metrics were used to evaluate the performance of IDS. This paper also highlights the pros and cons of each clustering technique used for IDS, which can be used as a basis for future work.
Team research paper and project on network vulnerabilities with multiple attacks and defesnses:
Cybersecurity
-For this project, our class was paired with teams to attempt to find vulnerabilities in other teams networks and to successfully beach their network.
-My role in this group was to help breach other team vulnerabilities through different attacks like responder attacks, honeypots, etc.
-The main challenges of this project were trying to find the vulnerabilities successfully, as the whole team had troubles with each of our different attacks and defenses.
-We learned how to use cybersecurity tools to help find vulnerabilities in networks and how to protect against them better. For example, in the honeypot we used we deployed it to port 80, when the attacker tried to access our fake server we were notified. We also deployed palto alto firewall to create our private and secure network. For an attack, we also used password crackers like john the ripper. This project taught us how to breach networks as a team.
Comparison study of machine learning classifiers to detect anomalies IJECEIAES
In this era of Internet ensuring the confidentiality, authentication and integrity of any resource exchanged over the net is the imperative. Presence of intrusion prevention techniques like strong password, firewalls etc. are not sufficient to monitor such voluminous network traffic as they can be breached easily. Existing signature based detection techniques like antivirus only offers protection against known attacks whose signatures are stored in the database.Thus, the need for real-time detection of aberrations is observed. Existing signature based detection techniques like antivirus only offers protection against known attacks whose signatures are stored in the database. Machine learning classifiers are implemented here to learn how the values of various fields like source bytes, destination bytes etc. in a network packet decides if the packet is compromised or not . Finally the accuracy of their detection is compared to choose the best suited classifier for this purpose. The outcome thus produced may be useful to offer real time detection while exchanging sensitive information such as credit card details.
Evaluation of network intrusion detection using markov chainIJCI JOURNAL
Day today life internet threat has been increased significantly. There is a need to develop model in order to
maintain security of system. The most effective techniques are Intrusion Detection System (IDS).The
purpose of intrusion system through the security devices detect and deal with it. In this paper, a
mathematical approach is used effectively to predict and detect intrusion in the network. Here we discuss
about two algorithms ‘K-Means + Apriori’, a method which classify normal and abnormal activities in
computer network. In K-Means process, it partitions the training set into K-clusters using Euclidean
distance and introduce an outlier factor, then it build Apriori Algorithm to prune the data by removing
infrequent data in the database. Based on defined state the degree of incoming data is evaluated through
the experiment using sample DARPA2000 dataset, and achieves high detection performance in level of
attack in stages.
Intrusion Detection Systems By Anamoly-Based Using Neural NetworkIOSR Journals
To improve network security different steps has been taken as size and importance of the network has
increases day by day. Then chances of a network attacks increases Network is mainly attacked by some
intrusions that are identified by network intrusion detection system. These intrusions are mainly present in data
packets and each packet has to scan for its detection. This paper works to develop a intrusion detection system
which utilizes the identity and signature of the intrusion for identifying different kinds of intrusions. As network
intrusion detection system need to be efficient enough that chance of false alarm generation should be less,
which means identifying as a intrusion but actually it is not an intrusion. Result obtained after analyzing this
system is quite good enough that nearly 90% of true alarms are generated. It detect intrusion for various
services like Dos, SSH, etc by neural network
IMPROVED IDS USING LAYERED CRFS WITH LOGON RESTRICTIONS AND MOBILE ALERTS BAS...IJNSA Journal
With the ever increasing number and diverse type of attacks, including new and previously unseen attacks, the effectiveness of an Intrusion Detection System is very important. Hence there is high demand to reduce the threat level in networks to ensure the data and services offered by them to be more secure. In this paper we developed an effective test suite for improving the efficiency and accuracy of an intrusion detection system using the layered CRFs. We set up different types of checks at multiple levels in each layer. Our framework examines various attributes at every layer in order to effectively identify any breach of security. Once the attack is detected, it is intimated through mobile phone to the system administrator for safeguarding the server system. We established experimentally that the layered CRFs can thus be more effective in detecting intrusions when compared with the other previously known techniques.
An Intrusion Detection based on Data mining technique and its intended import...Editor IJMTER
Intrusion detection is a pivotal and essential requirement of today’s era. There are two
major side of Intrusion detection namely, Host based intrusion detection as well as network based
intrusion detection. In Host based intrusion detection system, it monitors the information arrive at the
particular machine or node. While in network based intrusion system, it monitor and analyze whole
traffic of network. Data mining introduce latest technology and methods to handle and categorize
types of attacks using different classification algorithm and matching the patterns of malicious
behavior. Due to the use of this data mining technology, developers extract and analyze the types of
attack in the network.
In addition to this there are two major approach of intrusion detection. First, anomaly based approach,
in which attacks are found with high false alarm rate. However, in signature based approach, false
alarm rate is low with lack of processing of novel attacks. Most of the researchers do their research
based on signature intrusion with the purpose to increase detection rate. Major advantage of this
system, IDS does not require biased assessment and able to identify massive pattern of attacks.
Moreover, capacity to handle large connection records of network. In this paper we try to discover
the features of intrusion detection based on data mining technique.
Utilizing Data Mining Approches in the Detection of Intrusion in IPv6 Network...IDES Editor
The development of Internet protocols are greatly
needed as the network security becomes one of the most
important issues. This brings the need to develop IPv4 into
IPv6 in order to proceed towards increasing the network
capacity.
Now Intruders are considered as one of the most serious
threats to the internet security. Data mining techniques have
been successfully utilized in many applications. Many
research projects have applied data mining techniques to
intrusion detection. Furthermore different types of data
mining algorithms are very much useful to intrusion detection
such as Classification, Link Analysis and Sequence Analysis.
Moreover, one of the major challenges in securing fast
networks is the online detection of suspicious anomalies in
network traffic pattern. Most of the current security solutions
failed to perform the security task in online mode because of
the time needed to capture the packets and making decision
about it.
Practically, this study provides alliterative survey for the
enhancement associated with IPv6 in terms of its security
related functions. It is worthy mentioned that this study is
concurred with the data mining approaches that have been
used to detect intrusions.
Network Forensic Investigation of HTTPS ProtocolIJMER
International Journal of Modern Engineering Research (IJMER) is Peer reviewed, online Journal. It serves as an international archival forum of scholarly research related to engineering and science education.
Survey on classification techniques for intrusion detectioncsandit
Intrusion detection is the most essential component
in network security. Traditional Intrusion
Detection methods are based on extensive knowledge
of signatures of known attacks. Signature-
based methods require manual encoding of attacks by
human experts. Data mining is one of the
techniques applied to Intrusion Detection that prov
ides higher automation capabilities than
signature-based methods. Data mining techniques suc
h as classification, clustering and
association rules are used in intrusion detection.
In this paper, we present an overview of
intrusion detection, KDD Cup 1999 dataset and detai
led analysis of different classification
techniques namely Support vector Machine, Decision
tree, Naïve Bayes and Neural Networks
used in intrusion detection.
Current issues - International Journal of Network Security & Its Applications...IJNSA Journal
nternational Journal of Network Security & Its Applications (IJNSA) is a bi monthly open access peer-reviewed journal that publishes articles which contribute new results in all areas of the computer Network Security & its applications. The journal focuses on all technical and practical aspects of security and its applications for wired and wireless networks. The goal of this journal is to bring together researchers and practitioners from academia and industry to focus on understanding Modern security threats and countermeasures, and establishing new collaborations in these areas.
A SURVEY ON THE USE OF DATA CLUSTERING FOR INTRUSION DETECTION SYSTEM IN CYBE...IJNSA Journal
In the present world, it is difficult to realize any computing application working on a standalone computing device without connecting it to the network. A large amount of data is transferred over the network from one device to another. As networking is expanding, security is becoming a major concern. Therefore, it has become important to maintain a high level of security to ensure that a safe and secure connection is established among the devices. An intrusion detection system (IDS) is therefore used to differentiate between the legitimate and illegitimate activities on the system. There are different techniques are used for detecting intrusions in the intrusion detection system. This paper presents the different clustering techniques that have been implemented by different researchers in their relevant articles. This survey was carried out on 30 papers and it presents what different datasets were used by different researchers and what evaluation metrics were used to evaluate the performance of IDS. This paper also highlights the pros and cons of each clustering technique used for IDS, which can be used as a basis for future work.
Team research paper and project on network vulnerabilities with multiple attacks and defesnses:
Cybersecurity
-For this project, our class was paired with teams to attempt to find vulnerabilities in other teams networks and to successfully beach their network.
-My role in this group was to help breach other team vulnerabilities through different attacks like responder attacks, honeypots, etc.
-The main challenges of this project were trying to find the vulnerabilities successfully, as the whole team had troubles with each of our different attacks and defenses.
-We learned how to use cybersecurity tools to help find vulnerabilities in networks and how to protect against them better. For example, in the honeypot we used we deployed it to port 80, when the attacker tried to access our fake server we were notified. We also deployed palto alto firewall to create our private and secure network. For an attack, we also used password crackers like john the ripper. This project taught us how to breach networks as a team.
Comparison study of machine learning classifiers to detect anomalies IJECEIAES
In this era of Internet ensuring the confidentiality, authentication and integrity of any resource exchanged over the net is the imperative. Presence of intrusion prevention techniques like strong password, firewalls etc. are not sufficient to monitor such voluminous network traffic as they can be breached easily. Existing signature based detection techniques like antivirus only offers protection against known attacks whose signatures are stored in the database.Thus, the need for real-time detection of aberrations is observed. Existing signature based detection techniques like antivirus only offers protection against known attacks whose signatures are stored in the database. Machine learning classifiers are implemented here to learn how the values of various fields like source bytes, destination bytes etc. in a network packet decides if the packet is compromised or not . Finally the accuracy of their detection is compared to choose the best suited classifier for this purpose. The outcome thus produced may be useful to offer real time detection while exchanging sensitive information such as credit card details.
Evaluation of network intrusion detection using markov chainIJCI JOURNAL
Day today life internet threat has been increased significantly. There is a need to develop model in order to
maintain security of system. The most effective techniques are Intrusion Detection System (IDS).The
purpose of intrusion system through the security devices detect and deal with it. In this paper, a
mathematical approach is used effectively to predict and detect intrusion in the network. Here we discuss
about two algorithms ‘K-Means + Apriori’, a method which classify normal and abnormal activities in
computer network. In K-Means process, it partitions the training set into K-clusters using Euclidean
distance and introduce an outlier factor, then it build Apriori Algorithm to prune the data by removing
infrequent data in the database. Based on defined state the degree of incoming data is evaluated through
the experiment using sample DARPA2000 dataset, and achieves high detection performance in level of
attack in stages.
Intrusion Detection Systems By Anamoly-Based Using Neural NetworkIOSR Journals
To improve network security different steps has been taken as size and importance of the network has
increases day by day. Then chances of a network attacks increases Network is mainly attacked by some
intrusions that are identified by network intrusion detection system. These intrusions are mainly present in data
packets and each packet has to scan for its detection. This paper works to develop a intrusion detection system
which utilizes the identity and signature of the intrusion for identifying different kinds of intrusions. As network
intrusion detection system need to be efficient enough that chance of false alarm generation should be less,
which means identifying as a intrusion but actually it is not an intrusion. Result obtained after analyzing this
system is quite good enough that nearly 90% of true alarms are generated. It detect intrusion for various
services like Dos, SSH, etc by neural network
IMPROVED IDS USING LAYERED CRFS WITH LOGON RESTRICTIONS AND MOBILE ALERTS BAS...IJNSA Journal
With the ever increasing number and diverse type of attacks, including new and previously unseen attacks, the effectiveness of an Intrusion Detection System is very important. Hence there is high demand to reduce the threat level in networks to ensure the data and services offered by them to be more secure. In this paper we developed an effective test suite for improving the efficiency and accuracy of an intrusion detection system using the layered CRFs. We set up different types of checks at multiple levels in each layer. Our framework examines various attributes at every layer in order to effectively identify any breach of security. Once the attack is detected, it is intimated through mobile phone to the system administrator for safeguarding the server system. We established experimentally that the layered CRFs can thus be more effective in detecting intrusions when compared with the other previously known techniques.
ADRISYA: A FLOW BASED ANOMALY DETECTION SYSTEM FOR SLOW AND FAST SCANIJNSA Journal
Attackers perform port scan to find reachability, liveness and running services in a system or network. Current day scanning tools provide different scanning options and capable of evading various security tools like firewall, IDS and IPS. So in order to detect and prevent attacks in the early stages, an accurate detection of scanning activity in real time is very much essential. In this paper we present a flow based protocol behaviour analysis system to detect TCP based slow and fast scan. This system provides scalable, accurate and generic solution to TCP based scanning by means of automatic behaviour analysis of the network traffic. Detection capability of proposed system is compared with SNORT and result proves the high detection rate of the system over SNORT.
INTRUSION DETECTION SYSTEM USING CUSTOMIZED RULES FOR SNORTIJMIT JOURNAL
These days the security provided by the computer systems is a big issue as it always has the threats of
cyber-attacks like IP address spoofing, Denial of Service (DOS), token impersonation, etc. The security
provided by the blue team operations tends to be costly if done in large firms as a large number of systems
need to be protected against these attacks. This leads these firms to turn to less costly security
configurations like IDS Suricata and IDS Snort. The main theme of the project is to improve the services
provided by Snort which is a tool used in creating a vague defense against cyber-attacks like DDOS
attacks which are done on both physical and network layers. These attacks in turn result in loss of
extremely important data. The rules defined in this project will result in monitoring traffic, analyzing it,
and taking appropriate action to not only stop the attack but also locate its source IP address. This whole
process uses different tools other than Snort like Wireshark, Wazuh and Splunk. The product of this will
result in not only the detection of the attack but also the source IP address of the machine on which the
attack is initiated and completed. The end product of this research will result in sets of default rules for the
Snort tool which will not only be able to provide better security than its previous versions but also be able
to provide the user with the IP address of the attacker or the person conducting the attack. The system
involves the integration of Wazuh with Snort tool in order to make it more efficient than IDS Suricata
which is another intrusion detection system capable of detecting all these types of attacks as mentioned.
Splunk is another tool used in this project which increases the firewall efficiency to pass the no. of bits to
be scanned and the no. of bits scanned successfully. Wazuh is used in this system as it is the best choice for
traffic monitoring and incident response than any other of its alternatives in the market. Since this system
is used in firms which are known to handle big amounts of data and for this purpose, we use Splunk tool as
it is very efficient in handling big amounts of data. Wireshark is used in this system in order to give the IDS
automation in its capability to capture and report the malicious packets found during the network scan. All
of this gives the IDS a capability of a low budget automated threat detection system. This paper gives
complete guidelines for authors submitting papers for the AIRCC Journals.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
A novel signature based traffic classification engine to reduce false alarms ...IJCNCJournal
Pattern matching plays a significant role in ascertaining network attacks and the foremost prerequisite for a trusted intrusion detection system (IDS) is accurate pattern matching. During the pattern matching process packets are scanned against a pre-defined rule sets. After getting scanned, the packets are marked as alert or benign by the detection system. Sometimes the detection system generates false alarms i.e., good traffic being identified as bad traffic. The ratio of generating the false positives varies from the performance of the detection engines used to scan incoming packets. Intrusion detection systems use to deploy algorithmic procedures to reduce false positives though producing a good number of false alarms. As the necessities, we have been working on the optimization of the algorithms and procedures so that false positives can be reduced to a great extent. As an effort we have proposed a signature-based traffic classification technique that can categorize the incoming packets based on the traffic characteristics and behaviour which would eventually reduce the rate of false alarms
COPYRIGHTThis thesis is copyright materials protected under the .docxvoversbyobersby
COPYRIGHT
This thesis is copyright materials protected under the Berne Convection, the copyright Act 1999 and other international and national enactments in that behalf, on intellectual property. It may not be reproduced by any means in full or in part except for short extracts in fair dealing so for research or private study, critical scholarly review or discourse with acknowledgment, with written permission of the Dean School of Graduate Studies on behalf of both the author and XXX XXX University.ABSTRACT
With Fast growing internet world the risk of intrusion has also increased, as a result Intrusion Detection System (IDS) is the admired key research field. IDS are used to identify any suspicious activity or patterns in the network or machine, which endeavors the security features or compromise the machine. IDS majorly use all the features of the data. It is a keen observation that all the features are not of equal relevance for the detection of attacks. Moreover every feature does not contribute in enhancing the system performance significantly. The main aim of the work done is to develop an efficient denial of service network intrusion classification model. The specific objectives included: to analyse existing literature in intrusion detection systems; what are the techniques used to model IDS, types of network attacks, performance of various machine learning tools, how are network intrusion detection systems assessed; to find out top network traffic attributes that can be used to model denial of service intrusion detection; to develop a machine learning model for detection of denial of service network intrusion.Methods: The research design was experimental and data was collected by simulation using NSL-KDD dataset. By implementing Correlation Feature Selection (CFS) mechanism using three search algorithms, a smallest set of features is selected with all the features that are selected very frequently. Findings: The smallest subset of features chosen is the most nominal among all the feature subset found. Further, the performances using Artificial neural networks(ANN), decision trees, Support Vector Machines (SVM) and K-Nearest Neighbour (KNN) classifiers is compared for 7 subsets found by filter model and 41 attributes. Results: The outcome indicates a remarkable improvement in the performance metrics used for comparison of the two classifiers. The results show that using 17/18 selected features improves DOS types classification accuracies as compared to using the 41 features in the NSL-KDD dataset. It was further observed that using an ensemble of three classifiers with decision fusion performs better as compared to using a single classifier for DOS type’s classification. Among machine learning tools experimented, ANN achieved best classification accuracies followed by SVM and DT. KNN registered the lowest classification accuracies. Application: The proposed work with such an improved detection rate and lesser classification time and lar.
A COMBINATION OF TEMPORAL SEQUENCE LEARNING AND DATA DESCRIPTION FOR ANOMALYB...IJNSA Journal
Through continuous observation and modelling of normal behavior in networks, Anomaly-based Network Intrusion Detection System (A-NIDS) offers a way to find possible threats via deviation from the normal model. The analysis of network traffic based on time series model has the advantage of exploiting the relationship between packages within network traffic and observing trends of behaviors over a period of time. It will generate new sequences with good features that support anomaly detection in network traffic and provide the ability to detect new attacks. Besides, an anomaly detection technique, which focuses on the normal data and aims to build a description of it, will be an effective technique for anomaly detection in imbalanced data. In this paper, we propose a combination model of Long Short Term Memory (LSTM) architecture for processing time series and a data description Support Vector Data Description (SVDD) for anomaly detection in A-NIDS to obtain the advantages of them. This model helps parameters in LSTM and SVDD are jointly trained with joint optimization method. Our experimental results with KDD99 dataset show that the proposed combined model obtains high performance in intrusion detection, especially DoS and Probe attacks with 98.0% and 99.8%, respectively.
A COMBINATION OF TEMPORAL SEQUENCE LEARNING AND DATA DESCRIPTION FOR ANOMALYB...IJNSA Journal
Through continuous observation and modelling of normal behavior in networks, Anomaly-based Network Intrusion Detection System (A-NIDS) offers a way to find possible threats via deviation from the normal model. The analysis of network traffic based on time series model has the advantage of exploiting the relationship between packages within network traffic and observing trends of behaviors over a period of
time. It will generate new sequences with good features that support anomaly detection in network traffic and provide the ability to detect new attacks. Besides, an anomaly detection technique, which focuses on the normal data and aims to build a description of it, will be an effective technique for anomaly detection in imbalanced data. In this paper, we propose a combination model of Long Short Term Memory (LSTM)
architecture for processing time series and a data description Support Vector Data Description (SVDD) for anomaly detection in A-NIDS to obtain the advantages of them. This model helps parameters in LSTM and SVDD are jointly trained with joint optimization method. Our experimental results with KDD99 dataset show that the proposed combined model obtains high performance in intrusion detection, especially DoS and Probe attacks with 98.0% and 99.8%, respectively.
ATTACK DETECTION AVAILING FEATURE DISCRETION USING RANDOM FOREST CLASSIFIERCSEIJJournal
The widespread use of the Internet has an adverse effect of being vulnerable to cyber attacks. Defensive
mechanisms like firewalls and IDSs have evolved with a lot of research contributions happening in these
areas. Machine learning techniques have been successfully used in these defense mechanisms especially
IDSs. Although they are effective to some extent in identifying new patterns and variants of existing
malicious patterns, many attacks are still left as undetected. The objective is to develop an algorithm for
detecting malicious domains based on passive traffic measurements. In this paper, an anomaly-based
intrusion detection system based on an ensemble based machine learning classifier called Random Forest
with gradient boosting is deployed. NSL-KDD cup dataset is used for analysis and out of 41 features, 32
features were identified as significant using feature discretion. Our observations confirm the conjecture
that both the feature selection and stochastic based genetic operators improves the accuracy and the
effectiveness. The training time is shown to be reduced tremendously by 98.59% and accuracy improved to
98.75%.
Attack Detection Availing Feature Discretion using Random Forest ClassifierCSEIJJournal
The widespread use of the Internet has an adverse effect of being vulnerable to cyber attacks. Defensive
mechanisms like firewalls and IDSs have evolved with a lot of research contributions happening in these
areas. Machine learning techniques have been successfully used in these defense mechanisms especially
IDSs. Although they are effective to some extent in identifying new patterns and variants of existing
malicious patterns, many attacks are still left as undetected. The objective is to develop an algorithm for
detecting malicious domains based on passive traffic measurements. In this paper, an anomaly-based
intrusion detection system based on an ensemble based machine learning classifier called Random Forest
with gradient boosting is deployed. NSL-KDD cup dataset is used for analysis and out of 41 features, 32
features were identified as significant using feature discretion.
International Journal of Engineering and Science Invention (IJESI) is an international journal intended for professionals and researchers in all fields of computer science and electronics. IJESI publishes research articles and reviews within the whole field Engineering Science and Technology, new teaching methods, assessment, validation and the impact of new technologies and it will continue to provide information on the latest trends and developments in this ever-expanding subject. The publications of papers are selected through double peer reviewed to ensure originality, relevance, and readability. The articles published in our journal can be accessed online.
EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WI...IJNSA Journal
Intrusion Detection and/or Prevention Systems (IDPS) represent an important line of defence against a variety of attacks that can compromise the security and proper functioning of an enterprise information system. Along with the widespread evolution of new emerging services, the quantity and impact of attacks have continuously increased, attackers continuously find vulnerabilities at various levels, from the network itself to operating system and applications, exploit them to crack system and services. Network defence and network monitoring has become an essential component of computer security to predict and prevent attacks. Unlike traditional Intrusion Detection System (IDS), Intrusion Detection and Prevention System (IDPS) have additional features to secure computer networks.
In this paper, we present a detailed study of how deployment of an IDPS plays a key role in its performance and the ability to detect and prevent known as well as unknown attacks. We categorize IDPS based on deployment as Network-based, host-based, and Perimeter-based and Hybrid. A detailed comparison is shown in this paper and finally we justify our proposed solution, which deploys agents at host-level to give better performance in terms of reduced rate of false positives and accurate detection and prevention.
Outstanding to the promotion of the Internet and local networks, interruption occasions to computer
systems are emerging. Intrusion detection systems are becoming progressively vital in retaining
appropriate network safety. IDS is a software or hardware device that deals with attacks by gathering
information from a numerous system and network sources, then evaluating signs of security complexities.
Enterprise networked systems are unsurprisingly unprotected to the growing threats posed by hackers as
well as malicious users inside to a network. IDS technology is one of the significant tools used now-a-days,
to counter such threat. In this research we have proposed framework by using advance feature selection
and dimensionality reduction technique we can reduce IDS data then applying Fuzzy ARTMAP classifier
we can find intrusions so that we get accurate results within less time. Feature selection, as an active
research area in decreasing dimensionality, eliminating unrelated data, developing learning correctness,
and improving result unambiguousness.
FORTIFICATION OF HYBRID INTRUSION DETECTION SYSTEM USING VARIANTS OF NEURAL ...IJNSA Journal
Intrusion Detection Systems (IDS) form a key part of system defence, where it identifies abnormal
activities happening in a computer system. In recent years different soft computing based techniques have
been proposed for the development of IDS. On the other hand, intrusion detection is not yet a perfect
technology. This has provided an opportunity for data mining to make quite a lot of important
contributions in the field of intrusion detection. In this paper we have proposed a new hybrid technique
by utilizing data mining techniques such as fuzzy C means clustering, Fuzzy neural network / Neurofuzzy and radial basis function(RBF) SVM for fortification of the intrusion detection system. The
proposed technique has five major steps in which, first step is to perform the relevance analysis, and then
input data is clustered using Fuzzy C-means clustering. After that, neuro-fuzzy is trained, such that each
of the data point is trained with the corresponding neuro-fuzzy classifier associated with the cluster.
Subsequently, a vector for SVM classification is formed and in the last step, classification using RBF-
SVM is performed to detect intrusion has happened or not. Data set used is the KDD cup 1999 dataset
and we have used precision, recall, F-measure and accuracy as the evaluation metrics parameters. Our
technique could achieve better accuracy for all types of intrusions. The results of proposed technique are
compared with the other existing techniques. These comparisons proved the effectiveness of our
technique.
Cosmetic shop management system project report.pdfKamal Acharya
Buying new cosmetic products is difficult. It can even be scary for those who have sensitive skin and are prone to skin trouble. The information needed to alleviate this problem is on the back of each product, but it's thought to interpret those ingredient lists unless you have a background in chemistry.
Instead of buying and hoping for the best, we can use data science to help us predict which products may be good fits for us. It includes various function programs to do the above mentioned tasks.
Data file handling has been effectively used in the program.
The automated cosmetic shop management system should deal with the automation of general workflow and administration process of the shop. The main processes of the system focus on customer's request where the system is able to search the most appropriate products and deliver it to the customers. It should help the employees to quickly identify the list of cosmetic product that have reached the minimum quantity and also keep a track of expired date for each cosmetic product. It should help the employees to find the rack number in which the product is placed.It is also Faster and more efficient way.
Hierarchical Digital Twin of a Naval Power SystemKerry Sado
A hierarchical digital twin of a Naval DC power system has been developed and experimentally verified. Similar to other state-of-the-art digital twins, this technology creates a digital replica of the physical system executed in real-time or faster, which can modify hardware controls. However, its advantage stems from distributing computational efforts by utilizing a hierarchical structure composed of lower-level digital twin blocks and a higher-level system digital twin. Each digital twin block is associated with a physical subsystem of the hardware and communicates with a singular system digital twin, which creates a system-level response. By extracting information from each level of the hierarchy, power system controls of the hardware were reconfigured autonomously. This hierarchical digital twin development offers several advantages over other digital twins, particularly in the field of naval power systems. The hierarchical structure allows for greater computational efficiency and scalability while the ability to autonomously reconfigure hardware controls offers increased flexibility and responsiveness. The hierarchical decomposition and models utilized were well aligned with the physical twin, as indicated by the maximum deviations between the developed digital twin hierarchy and the hardware.
Using recycled concrete aggregates (RCA) for pavements is crucial to achieving sustainability. Implementing RCA for new pavement can minimize carbon footprint, conserve natural resources, reduce harmful emissions, and lower life cycle costs. Compared to natural aggregate (NA), RCA pavement has fewer comprehensive studies and sustainability assessments.
Forklift Classes Overview by Intella PartsIntella Parts
Discover the different forklift classes and their specific applications. Learn how to choose the right forklift for your needs to ensure safety, efficiency, and compliance in your operations.
For more technical information, visit our website https://intellaparts.com
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL)MdTanvirMahtab2
This presentation is about the working procedure of Shahjalal Fertilizer Company Limited (SFCL). A Govt. owned Company of Bangladesh Chemical Industries Corporation under Ministry of Industries.
Water billing management system project report.pdfKamal Acharya
Our project entitled “Water Billing Management System” aims is to generate Water bill with all the charges and penalty. Manual system that is employed is extremely laborious and quite inadequate. It only makes the process more difficult and hard.
The aim of our project is to develop a system that is meant to partially computerize the work performed in the Water Board like generating monthly Water bill, record of consuming unit of water, store record of the customer and previous unpaid record.
We used HTML/PHP as front end and MYSQL as back end for developing our project. HTML is primarily a visual design environment. We can create a android application by designing the form and that make up the user interface. Adding android application code to the form and the objects such as buttons and text boxes on them and adding any required support code in additional modular.
MySQL is free open source database that facilitates the effective management of the databases by connecting them to the software. It is a stable ,reliable and the powerful solution with the advanced features and advantages which are as follows: Data Security.MySQL is free open source database that facilitates the effective management of the databases by connecting them to the software.
Literature Review Basics and Understanding Reference Management.pptxDr Ramhari Poudyal
Three-day training on academic research focuses on analytical tools at United Technical College, supported by the University Grant Commission, Nepal. 24-26 May 2024
Design and Analysis of Algorithms-DP,Backtracking,Graphs,B&B
A NOVEL HEADER MATCHING ALGORITHM FOR INTRUSION DETECTION SYSTEMS
1. International Journal of Network Security & Its Applications (IJNSA), Vol.3, No.4, July 2011
DOI : 10.5121/ijnsa.2011.3406 59
A NOVEL HEADER MATCHING ALGORITHM FOR
INTRUSION DETECTION SYSTEMS
Mohammad A. Alia1
, Adnan A. Hnaif1
, Hayam K. Al-Anie1
, Khulood Abu
Maria1,
Ahmed M. Manasrah2
, M. Imran Sarwar3
1
Faculty of Science and Information Technology – Al Zaytoonah University of
Jordan, P.O.Box: 130 Amman (11733) Jordan
dr.m.alia, dr.adnan_hnaif, drhayam, khulood@alzaytoonah.edu.jo
2
Al Yarmouk University , Irbed( 21163) – Jordan
ahmad.a@yu.edu.jo
3
National Advanced IPv6 - Universiti Sains Malaysia, 11800 Penang, Malaysia
Imran@nav6.org
ABSTRACT
The evolving necessity of the Internet increases the demand on the bandwidth.
Therefore, this demand opens the doors for the hackers’ community to develop new
methods and techniques to gain control over networking systems. Hence, the intrusion
detection systems (IDS) are insufficient to prevent/detect unauthorized access the
network. Network Intrusion Detection System (NIDS) is one example that still suffers
from performance degradation due the increase of the link speed in today’s networks.
In This paper we proposed a novel algorithm to detect the intruders, who’s trying to
gain access to the network using the packets header parameters such as;
source/destination address, source/destination port, and protocol without the need to
inspect each packet content looking for signatures/patterns. However, the “Packet
Header Matching” algorithm enhances the overall speed of the matching process
between the incoming packet headers against the rule set. We ran the proposed
algorithm to proof the proposed concept in coping with the traffic arrival speeds and
the various bandwidth demands. The achieved results were of significant
enhancement of the overall performance in terms of detection speed.
KEYWORDS
Intrusion Detection System (IDS), Network Intrusion Detection System (NIDS), SNORT, Packet
Detection and Packet Header Matching (PHM)
1. INTRODUCTION
Due to the increasing demand on the internet, the traditional boundary
security systems (i.e. firewalls) that concerns swapping information between
the internet and the intranet are no more efficient in providing a robust and
secured network environments [1]. Hence, the firewalls only provide the first
level of defense for the network that achieved by blocking unauthorized
access to the network. Therefore, the need for better security systems to cover
the loophole behind is also demanding. Examples of these demanding
systems are: Intrusion Detection system (IDS) and Network Intrusion
Detection system (NIDS).
The Intrusion Detection System (IDS) is a system that detects the intrusions in
it is early stages while they are trying to steal information and/or
reporting/hiding their existence to the network administrator [2]. Furthermore,
2. International Journal of Network Security & Its Applications (IJNSA), Vol.3, No.4, July 2011
60
IDS is also can be defined as a process of determining the status and the stage
of the attack (attempt to attack or the attack is taking place) [3].
However, IDS use two techniques to achieve it is main functionality in
detecting and identifying intruders: Misuse detection IDS and anomaly
detection IDS. The misuse detection IDS is the simplest type of detection, as it
looks for a specific signature/pattern in the data part of the network traffic.
This signature is known as a rule. These kinds of anomaly detection systems
are widely used to monitor and identify special types of events in the network.
This involves generating alerts when there are some changes to the normal
system behavior under normal traffic circumstances [4]. Therefore, the
misuses based detection IDS has an advantage in it is simplicity of adding
known attacks to the defined rule set where on the other hand, Its
disadvantage is its inability to recognize unknown attacks. In this work we
will consider the performance factor of the misused detection based IDS.
On the other hand, the anomaly based IDS is for detecting intrusions and
misuses by monitoring the system activities and classifying these activities as
either normal or anomalous. In general, this classification is based on specific
rules, rather than patterns or signatures, as well to detect any type of
undefined misuse to the normal system operation [5]. However, in order to
analyze the system activity from the underlying traffic, the IDS system must
be able to learn how to recognize the normal system activity from the
abnormal system activities that can be accomplished with the use of artificial
intelligence and neural networks techniques. Even though, these kinds of IDS
still require processing all types of traffic for a better detection process which
is not considered as a feasible solution due to some hardware limitations such
as the bus speed and the TCP/IP overhead. Therefore, some researchers have
been conducted to speed up the detection process such as [6] who classifies
each packet into two fields: Header and Payload (content). The Header
contains the main information of the packet such as source/destination
address, source/destination port, and protocol. Also they defined a rule sets
that is used to determine which packets are allowed to pass to the network.
However, this technique was taken from snort IDS [7] and the researchers
used this technique as a design only, the researchers applied this technique on
different tools, but they employ different intrusion detection algorithms.
2. RELATED WORKS
Snort NIDS [7] depends on the pattern matching based on the defined rule set
against the captured packet to identify or recognize the intruder. Since, the
number of the rules can grow over time, snort divides its rule sets into two
dimensional linked lists as portrayed in Figure 1.
Figure 1. Structure of snort rule sets [8]
3. International Journal of Network Security & Its Applications (IJNSA), Vol.3, No.4, July 2011
61
The first link list is the Rule Tree Nodes (RTNs) that hold the main
information from each rule such as: source/destination address,
source/destination port and protocols type (TCP, ICMP, UDP). The second
link list is the Option Tree Nodes (OTNs) that hold other information not
exists in the RTNs such as: TCP flags, ICMP codes and types, packet payload
size and a major bottleneck for efficiency and packet contents. These two data
structures are chained together, having the RTNs are the main nodes (chain
header) starting from left to right and the OTN's as the leave node for the
RTNs (chain Leave). This design increased the efficiency for the intrusion
detection process as it requires checking only one RTN for multi OTN.
With regards to the rule set creation, some researchers work focuses in
employing the Artificial Intelligence (AI) and the Genetic Algorithm (GA)
techniques in automating the rule set generation in order to enhance the
overall detection performance of the IDS or the NIDS. For example, [9]
utilize the GA to automatically create a rule set from the captured network
traffic. These rules are stored in the rule data base that takes the following
form:
{ } { }actThenconditionIF
Where, the condition refers to the matching case between the current network
traffic flow and the current rule from the defined rule set (e.g.
source/destination address, source/destination ports, protocol, etc...), while,
act refers to the predefined set of actions controlled by the security policies
within the organization (e.g. reporting an alert, stopping the connection,
etc...). However, the rule set will grow exponentially as well as considering all
the new rules as intrusion thus, increasing the false positive ratio.
From the other point of view, few work have been done concerning the
structure of the network traffic (packets) to maximize the matching
performance during the process of intrusion detection [10], they developed a
new rule matching process for the intrusion detection systems that splits the
packets header into chunks of buffers. Also, they categorized the intrusion
rule set based on the packet content, into two categories: header rule set
without content, and header rule set with content. The former category known
as the Early Filtering (EF) rule set. The EF starts matching the packet header
chunks one at the time (packet without content) against it is rule set. If the
chunk matches with one of the EF rules, the packet will be discarded. On the
other hand, if the packet is with content, the EF will match its chunks against
its rule set, if it matches with one of the EF rules, the packet will be discarded,
and otherwise, the packet content will be further inspected by another module.
Even though the above technique, shows an interesting results towards the
efficiency of the intrusion detection, but at the same time it requires more
processing time for the searching and matching process with the rule set in
real time.
Therefore, some of the research work focuses on the searching and matching
algorithms to enhance the overall detection speed in real time as well as
increasing the detection accuracy. These searching algorithms basically look
for special packets within a fixed time interval. However, the special packets
are set of sent/received packets from a specific IP address, specific port
number, or a specific subject that might exist in the payload itself [11].
However, this gives a complete flexibility to the user to search through the
4. International Journal of Network Security & Its Applications (IJNSA), Vol.3, No.4, July 2011
62
range of packets that have been transmitted through the network. Therefore,
[11] developed a network traffic analysis tool that mainly search for special
packets within a fixed time interval as well as combining the searching results
to a visualization function to interpret the result. They also design a Pre-
processing function to convert the numeric and continuous data into a discrete
format that can be used by different algorithms and visualization techniques.
However, the above model impose a challenge on the system to cope with the
packet arrival speeds in order to process all the captured traffic headers and
payloads in a fast, reliable and efficient way as the whole process requires a
full packet inspection.
Therefore, other researcher’s focuses on enhancing the filtering process
looking to speed up the matching and detection process such as [12], who
propose a classification process that consists of two sequential procedures: the
first procedure is to classify the incoming packets into one of the three groups:
{Accept group, Drop group, Forward group}, where the second procedure is
the action that should be taken as a filtering process to the packets grouped by
the first classification procedure as follows:
Receive packets();
Classify_packets(;)
result = filter (i);
action (result);
The authors stated that, all incoming packets at a very high speed arrival (e.g.
DoS attacks) are received by the Receive packets ( ) function and stored in the
receiving buffer for continuous processing. Therefore, they suggest executing
the processing loop in shorter time by applying code optimization techniques
to speed up the processing rate.
From the above example, the function filter consists of only logical and
arithmetic operations. Thus, it is easy to optimize this function with various
code optimization techniques. The Function Action ( ) hosts a packet to an
upper layer and send a packet to another ports and so on. This means that it is
impossible to apply the optimization techniques to this part. Thus, to make the
loop optimization, they divided the loop into two loops:
For (i = 0; I < n_packets; i ++)
{
result[ i ] = filter (i);
}
For (i = 0; I < n_packets; i ++)
{
action (result [i]);
}
The first loop processes multiple consecutive packets together utilizing a
software pipelined procedure. This pipelining procedure is considered a
highly sophisticated aggressive instruction scheduling technique for loops that
occupy the whole CPU time and thus waste it is processing time for other
functions to be executed.
5. International Journal of Network Security & Its Applications (IJNSA), Vol.3, No.4, July 2011
63
3. PHM DESIGN
The current packets header detection engines use any exact string matching
algorithms to detect the intrusions. These string matching algorithms deal
with decimal, hexadecimal, and characters values. The PHM algorithm deals
with binary values, because in the proposed methodology, the headers rule set
is converted into 8 weights. On the other hand, PHM algorithm saves
memory, because only 12-bits are reserved from the total memory size.
The rule sets are classified into two sections: headers rule set, and payloads
rule set. Headers rule set contains the main information of the packet such as:
source/destination address, source/destination port, and protocol. Payloads
rule set contains the real data of the packet. Each rule represents one different
type of the intruders. To commensurate the headers rule set with the proposed
design and methodology, the headers rule set is converted into binary as
depicted by Figure 2.
Figure 2. Design of the header rule sets
The aim of the PHM algorithm is to enhance the speed of the detection engine
for packets header of any NIDS. The PHM algorithm consists of the following
steps:
1- Converting headers rule sets into weight, as the energy function is
required.
2- Matching process.
3- Learning process that can be used to increase the performance of PHM
algorithm.
3.1. Converting The Rule Set Into Weight
In order to evaluate the matching process between two values, we will apply
the energy Function [13] that requires the conversion of the rule set into
weights. Therefore, we divided each header rule set into 3-bit at the time, then
we converted each 3-bit ( 823
= possibilities) into a symmetric matrix of
weight. However, to avoid memory exhaustion, this matrix of weights
requires only 24 bits of memory ( 2483 =x ).
On the other hand, the proposed algorithm uses a neural network with a multi-
connect architecture [14] to learn the header rule sets that is described as an
associative memory and a single-layer neural network. The neural network
with the multi-connect architecture will learn the set of pattern pairs
(associations) and store the patterns set in the memory. These memory values
6. International Journal of Network Security & Its Applications (IJNSA), Vol.3, No.4, July 2011
64
will be activated during the retrieval process with the key pattern that contains
a portion of the information related to a particular stored pattern set. The
learning process creates eight learning weights for all possibilities of the
patterns matrices (of the size 3*3) as portrayed in Figure 3.
Figure 3. NN with multi-connect architecture [14]
As shown in Figure 3, each path represents one learning weight
(m, 80 <≤∀ m ), thus, a matrix of these paths by the size of the net path
value∑=
7
0i
im is constructed. The learning process will be a one-time only
process.
For instance, suppose that we have the header rule in a binary format as follows:
)8,0[],1,0[][],[ ∈∈∀ iiRiR
1 1 0 1 1 1 0 0 1 0 1 0 …
To convert the header rule sets into a matrix of weight we will apply the
Hopfield nets [15] into the rule set. The Hopfield nets requires the units to
binary threshold units, i.e. the units only take on two different values for their
states and the value is determined by whether or not the units' input exceeds
their threshold. Hopfield nets can either have units that take on values of 1 or
-1, or units that take on values of 1 or 0. We choose 1 or -1 value because we
will be applying the “energy function” [13] on the result in a later stage. The
energy function should results in – 3 values to indicate stability. However, the
conversion process is discussed as follows:
A. Convert each 0 into -1 as follow:
=
≠
=−
0][],[
0][,1
][
iRiR
iR
iR
1 1 -1 1 1 1 -1 -1 1
-
1
1
-
1
…
B. From the first three bits (from the left) assemble column vector ( ) jir ,
matrix and multiply it by ji
T
r ,)( recursively to produce the matrix jiS ,)( , as
follows:
7. International Journal of Network Security & Its Applications (IJNSA), Vol.3, No.4, July 2011
65
( ) ( )
,31,31
,)()()(
3
,,,,,
≤≤≤≤
=×= ∑=
ji
rrrrS
ji
ijjiji
T
jiji
For instance,
( )
[ ]111)(
,
1
1
1
,
,
−=
−
=
ji
T
ji
r
r
Therefore,
and so on.
The connections in a Hopfield net typically have the following restrictions:
• No unit has a connection with itself },...2,1{,0)( , niS ii ∈∀= .
• Connections are symmetric, and thus, jiS ,)(
= ji
T
S ,)(
C. Zero diagonal:
Since there is no unit has a connection with itself, then
−−
−
−
=
=∀=
011
101
110
,0)( , jiS ji
As a result, the three bits located above the diagonal ijs ji
>∀,
)( , represents
the weight for the first three bits (1 -1 -1) from the rule set. and Since we
represent each 0 value with -1, a backward substitution (0 instead of -1) will
result in decimal value equal to 4 (1 0 0). Therefore, we can replace the 3 bits
with 4.
D. If the following 3 bits i.e. (1 1 1) weight is calculated previously, the
same weight value will be assigned to them, otherwise, the weight calculation
process (as in B) will be performed again. There is no need to save another
matrix, because it is already exist in the memory, because only 8 matrices of
3x3 need to be saved into memory.
There are some cases where conflict between two dimensional arrays ( ) jir ,
weight calculation may occur (i.e. [ ]000 and[ ]111 ). These two
different arrays will have the same results when they are multiplied by
their ( ) ji
T
r , . Figure 4 depicts the same results matrices for values in identical
colored boxes.
( )
−−
−
−
=×=
111
111
111
)()( ,,, ji
T
jiji rrS
8. International Journal of Network Security & Its Applications (IJNSA), Vol.3, No.4, July 2011
66
Figure 4. The same results matrices for values in identical colored boxes
Consequently, 24 bit of memory can be minimized to only 12 bit as depicted in Figure 5.
Figure 5. Storing process
As shown in Figure 5, it can be noted that each two same results matrices
have difference in their summation index. Thus, the problem of inconsistency
is solved.
Table 1 depicts the header rule set after the conversion into weight, where
each row represents one header rule from the original header rule set. For
efficient processing, and especially dealing with intrusions, the calculated
weights will be rearranging in a descending order having an index of each
group in the first column.
Table 1. Weight of the headers rule set
Group # W1 W2 W3 W4 W5 W6 W7 W8
7
7 7 6 4 2 1 0 7
7 6 5 1 5 3 7 2
7 6 4 6 3 5 4 0
7 0 7 3 4 5 6 2
6
6 4 5 3 6 7 5 1
6 3 6 2 7 3 5 1
5 5 7 3 5 2 5 3 1
4
4 7 1 6 3 5 4 2
4 5 3 2 6 7 4 3
3
3 7 4 3 2 1 5 4
3 4 2 1 7 4 2 5
2 2 6 3 4 1 0 4 3
1
1 6 4 7 2 5 4 3
1 1 2 3 4 4 4 4
0
0 5 3 2 5 4 3 7
0 2 5 7 3 6 1 3
Where W is: weight for each 3-bit
9. International Journal of Network Security & Its Applications (IJNSA), Vol.3, No.4, July 2011
67
3.2. Matching Phase
Most of the previous work exists in the literature, uses an exact string
matching algorithms such as Boyer-Moore and Horspool algorithm [16] to
find a specific pattern in a given text. Therefore, in this paper we applied a
different algorithm called PHM algorithm to match the header rule set with
the incoming packet header. This algorithm works as follows:
a- For every incoming packet header, convert each 0 into -1.
b- From left to right, take the first three bits.
c- Apply “Lyapunov function” or “Energy function” [13]:
EF=LF = - ( ∑∑= =
n
i
n
j
ijji wxx
1 1
) = -3
Where,
n: the number of elements in the each matrix ( ) jir , (which is equal to 3),
wij: is the calculated weight from the 3-bit in ( ) jir , .
For instance, suppose the incoming packet header as follows:
1 0 0 1 0 1 1 0 1 0 0 …
From step a, convert each 0 into -1.
1 -1 -1 1
-
1
1 1 -1 1 -1 -1 …
From step b, the first three incoming bits are kept in ( ) jir ,
to be multiplied by it is ( ) ji
T
r , to
construct the( ) jiS ,
matrix as follows:
( ) ( )
,31,31
,)()()(
3
,,,,,
≤≤≤≤
=×= ∑=
ji
rrrrS
ji
ijjiji
T
jiji
The matching process starts by applying the “energy function” on the
calculated weights from the incoming packet header. The matching process
will start the matching with each weight group from the rule set weight matrix
(starting from group-7 to group-1). If there is a match (energy function returns
-3) the algorithm identifies the matching group from the header rule set to
search within. Otherwise, the energy function will be applied to the next
group (i.e. group-6) and so on.
The matching process continues the matching process until group-1, if there
are no matches yet; the matching process will assume that there is a matching
with the group-0 (zero). This matching considered a trigger to evaluate the
second three bits from the incoming packet header by applying the energy
function on them in group-0.
I = 1 2 3
J = 1 2 3
1 -1 -1
10. International Journal of Network Security & Its Applications (IJNSA), Vol.3, No.4, July 2011
68
For instance, with Group-7 the weight matrix will be:
and the incoming packet header is ,
Therefore, EF= 1, and since EF , that there is no rule from the rule set
matches with the header. As a result, the matching will proceed to group-6,
and so on until group-4 where the weight matrix is:
And the incoming packet header is , therefore, EF = -3, which
indicates a match with the rule set under group-4, and the search in others
group should not continues. In this case, the second three bits from incoming
packet header will be matched with the second weight from group-4, until all
the incoming packet header matches to one rule from group-4, otherwise, until
any mismatch; which indicate no possibilities to find the incoming packet
header within the rule set.
3.3. The Learning Process
Since all incoming packet header matched with group-4, therefore, the three
bits [ ]111 −− is always matching with group- 4. Thus, a matching link
list can be created that contains the matched bits and the group number to
where the bits are matched as depicted in Figure 6.
Three Bits Group
1 -1 -1 4
Figure 6. Matching Link List
This is a very important step towards speeding up the searching and matching
process. Therefore, in the next matching process, the algorithm will first
check the current 3 bits in the link list (no need to apply the energy function),
because the algorithm learned the system in advance for the expected three
bits with its corresponding group, otherwise, the energy function will be
applied until a matched group found the result will be added to the link list.
This process continuous until the 8 possibilities is included in the link list.
4. PERFORMANCE ANALYSIS OF THE PROPOSED ALGORITHM
We compared the performance of the proposed PHM algorithm against the
well known SNORT Algorithm. Table 2 shows the performance for both
approaches. Both algorithms were coded in C++ on a computer with 1.6 GHz
Intel® M Pentium processor and 1 GB RAM.
11. International Journal of Network Security & Its Applications (IJNSA), Vol.3, No.4, July 2011
69
Table 2. Performance evaluation between PHM and SNORT algorithms
4.1. Evaluation Process
Based on the hardware and software architecture, we read 450 to 10000 packets from the file. The
header rule sets had a size of 50 KB. In order to evaluate the effectiveness of PHM algorithm, a
comparison is made with SNORT which uses Boyer-Moore algorithm. The comparison results
can be viewed in Figure 7.
Figure 7. Overall time comparison between PHM and SNORT algorithms
From Figure 7, it can be seen that the performance of PHM algorithm and Boyer-Moore algorithm
are very close for the first 1200 packets. After this point, it seems that the PHM algorithm has
learnt all the header rule sets. However, it is clear that the PHM algorithm is faster after 1200
packets as compared to Boyer-Moore algorithm. This is a very encouraging enhancement. The
achieved improvement was between 10% - 58%.
# of packets PHM SNORT
450 0.28 0.60
500 0.28 0.67
550 0.37 0.73
600 0.38 0.85
650 0.42 0.84
700 0.58 0.91
900 0.82 1.23
1200 1.14 1.64
2500 2.33 3.22
3000 3.40 3.80
4500 4.71 5.93
5500 5.83 7.20
8000 7.82 10.47
10000 10.78 13.08
12. International Journal of Network Security & Its Applications (IJNSA), Vol.3, No.4, July 2011
70
5. CONCLUSION
In this work we have presented a novel algorithm to speed up the detection engine for packets
header. We divided the work into three phases, namely: classification of rule sets, matching
process, and the learning process. As the result, the proposed Packet Header Matching (PHM)
algorithm is more efficient than SNORT algorithm. It requires a much lower cost of execution
time and performs at a high level of detection compared to the exiting SNORT algorithm.
ACKNOWLEDGMENT
The researchers would like to thank Al- Zaytoonah University of Jordan
for supporting this study.
REFERENCES
[1] Wu Yang, Bin-Xing Fang, Bo Liu, and Hong-Li Zhang, ( 2004) “Intrusion detection system
for high-speed network”, Computer Communications, Vol 27, No. 13, pp 1288-1294.
[2] Li W., (2004) “Using Genetic Algorithm for Network Intrusion Detection”, In Proceedings of
the United States Department of Energy Cyber Security Group, Training Conference.
[3] S. Antonatos, K. G. Anagnostakis, E. P. Markatos, M. Polychronakis, (2004) “Performance
Analysis of Content Matching Intrusion Detection Systems”, In Proceedings of the International
Symposium on Applications and the Internet (SAINT2004).
[4] Zhou Chunyue, L.Y., (2006) “A Pattern Matching Based Network Intrusion Detection
System”, IEEE, 9th International Conference on Control, Automation, Robotics and Vision,
2006, 5-8 Dec, ICARCV '06, Singapore.
[5] Lu Huijuan, Chen Jianguo and Wei Wei, (2008) “Two Stratum Bayesian Network Based
Anomaly Detection Model for Intrusion Detection System”, International Symposium on
Electronic Commerce and Security, pp.482-487.
[6] Lambert Schaelicke, T. Slabach, B. moore, and C. freeland, (2003) “Characterizing the
Performance of Network Intrusion Detection Sensors”, in proceeding of recent advanced in
intrusion detection, RAID, 03.
[7] Snort – The Open Source Network Intrusion. Detection System, Available
at:http://www.snort.org.
[8] C. J. Coit, S. Staniford and J. Mchlerney, (2001) “Towards Faster String Matching for
Intrusion Detection or Exceeding the Speed of Snort”, IEEE, DARPA Information Survivability
Conference & Exposition II, DISCEX '01. Vol.1, Anaheim, CA , USA, pp.367-373.
[9] Chris Sinclair, Lyn Pierce, Sara Matzner,(1999) “An Application of Machine Learning to
Network Intrusion Detection”, IEEE, Proceedings of the 15th Annual Computer Security
Applications Conference, Phoenix, AZ , USA, pp 371-377.
[10] I. Charitakis, K. Anagnostakis, E. Markatos, (2003) “An Active Traffic Splitter Architecture
for Intrusion Detection”, In proceedings of the ACM Symposium on Modeling Analysis and
Simulation of Computer Telecommunications Systems.
[11] F. Sun and H. Tzeng, (2006) “A Software Tool for Network traffic Analysis ”, IEEE,
Proceedings of the Seventh ACIS International Conference on Software Engineering, Artificial
Intelligence, Networking, and Parallel/Distributed Computing (SNPD’06), Las Vegas, NV, pp
190-196.
13. International Journal of Network Security & Its Applications (IJNSA), Vol.3, No.4, July 2011
71
[12] Yamashita, Y. and Tsuru, M., (2007) “Code Optimization for Packet Filters”, IEEE
Computer Society, Proceeding of the 2007 International Symposium applications and the Internet
Workshops, (SAINTW’07) 0-7695-2757-4/07, Hiroshima, pp.86-86.
[13] Hiskens I.A. and Davy R.J., (1996) “Lyapunov Function Analysis of Power System with
Dynamic Loads”, IEEE, Conference on Daoision end Control, Koba, Japan, pp. 3870-3875.
[14] E. Kaream,( 2004) “Alternative Hopfield Neural Network With Multi-Connect
Architecture”, Journal of College of Education, Computer Department, Al-mustansiryah
university, Baghdad, Iraq.
[15] Hsinchun Chen, Yin Zhang, and Andrea L. Houston (1998) “Semantic Indexing and
Searching Using a Hopfeild Net”, Journal of Information Science, Vol. 24, No., pp 3-18.
[16] Christian Charras and Thierry Lecroq, “Exact String Matching Algorithms”, Laboratoire
d'Informatique de Rouen Université de Rouen, France, Available at: http://www-igm.univ-
mlv.fr/~lecroq/string/.
AUTHORS
Dr. Mohammad Alia is an Assistance professor at the
computer information systems department, Faculty of science
Computer and information technology, Al Zaytoonah
University of Jordan. He received the B.Sc. degree in Science
from the Alzaytoonah University, Jordan, in 1999. He
obtained his Ph.D. degree in Computer Science from
University Science of Malaysia, in 2008. During 2000 until
2004, he worked at Al-Zaytoonah University of Jordan as an
instructor of Computer sciences and Information Technology.
Then, he worked as a lecturer at Al-Quds University in Saudi Arabia from
2004 - 2005. Currently he is working as a Chair of Computer Information
Systems dept. at Al Zaytoonah University of Jordan. His research interests are
in the field of Cryptography, and Network security.
Dr. Adnan Hnaif is an Assistance professor at the computer
information systems department, Faculty of Science
Computer and information technology, Al Zaytoonah
University of Jordan. Dr. Hnaif received his PhD degree in
Computer Science from University Sains Malaysia - National
Advanced IPv6 Centre and Excellence (NAV6) in 2010. He
received his MSc degree of Computer Science from
department of Computer Science- Alneelain University in
2003, and obtained his Bachelor degree of Computer Science
from the department of Computer Science, Mu’tah University in 1999/2000.
His researches focus on the network security and parallel processing.
14. International Journal of Network Security & Its Applications (IJNSA), Vol.3, No.4, July 2011
72
Dr. Hayam Al-Anie is an Assistance professor at the
computer information systems department, Faculty of Science
Computer and Information Technology, Al Zaytoonah
University of Jordan. She received the B.Sc. degree in
Computer Science from the University of Technology, Iraq,
in 1988. She obtained her Ph.D. degree in Computer Science
from University of Technology, Iraq in 2004. During 1988
until 1996, she worked at University of Baghdad, College of
Administration and Economic, as programmer assistance.
Then she worked as an instructor of Computer Science and
Information Technology at University of Baghdad, College of Administration
and Economic from 1996-2004. Currently she is working as an Assistance
professor at Al Zaytoonah University of Jordan. Her research interests are in
the field of Cryptography, and Software Engineering.
Dr. Khulood Abu Maria is an Assistance professor at the
computer information systems department, Faculty of science
Computer and information technology, Al Zaytoonah
University of Jordan. She received the B.Sc. degree in
Science from Mut’ah University, Jordan, in 1992. She
obtained her Ph.D. degree in Computer Information System
from Arab Academy for Banking and Financial Sciences,
Jordan, in 2008. During 1992 until 2006, she worked at Petra
Engineering Industries Co. as analyst, programmer, Network
Administrator, Quality Assurance and IT manager. Then, she worked as a
part-time instructor at AL-ISRA Private University, Jordan from 2008 - 2009.
Currently she is working as an instructor at Al Zaytoonah University of
Jordan. Her research interest is in the fields of AI, Agent-Based Application,
Information System, Software Engineering, E-applications, m-commerce,
Security, and Network.
Dr. Ahmed obtained his Bachelor of Computer Science from
Mu'tah University, al Karak, Jordan in 2002. He obtained his
Master of Computer Science and doctorate from Universiti
Sains Malaysia in 2005 and 2009 respectively, he was the
Deputy Director (Research and Innovation) and the Head of
iNetmon project at the National Advanced IPv6 Centre of
Excellence (NAV6) in Universiti Sains Malaysia. He started
his career as a web developer at Telaterra LLC from 2003
until 2004. Between 2005 until 2008, Dr. Ahmed worked as
senior research officer in NRG, Universiti Sains Malaysia. Upon his
graduation, he worked as a senior Vice President in iNetmon Sdn. Bhd. from
2005-2008. Currently he is working as an Assistance professor at Al Yarmouk
University. His research interests are in the field of network monitoring.
15. International Journal of Network Security & Its Applications (IJNSA), Vol.3, No.4, July 2011
73
Mr. Muhammad Imran Sarwar is currently Ph. D fellow
and researcher in National Advance IPv6 Centre (NAv6),
Universiti Sains Malaysia. He received his M.Sc degree from
School of Computer Sciences, Universiti Sains Malaysia in
2009. His research interest are in IPv6 multicast networks,
wireless mesh networks, WiMAX networks, network security,
location-based services etc.