This document describes a distributed intrusion detection system based on honeypots. It proposes using honeypots to collect invasion characteristics on the network and genetic clustering algorithms to extract data for analysis. The system combines protocol analysis and signature detection modules to improve detection performance. An evaluation using KDDCUP 99 intrusion data showed the system can better detect intrusions and improve network security compared to traditional intrusion detection systems.
Design and Implementation of Distributed Intrusion Detection System based on Honeypot
Yun Yang
School of Electrical and Information Engineering
Shaanxi University of Science & Technology
Xi’an, China
yangyunll@163.com
Jia Mi
School of Electrical and Information Engineering
Shaanxi University of Science & Technology
Xi’an, China
lockdog_jia@yahoo.com.cn
Abstract—Traditional intrusion detection systems (IDS) fall short when faced with complex and unknown attacks. To address this shortcoming, a distributed intrusion detection system based on honeypots is proposed. We use honeypots to collect the characteristics of intrusions on the network, and use unsupervised clustering (UC) and genetic clustering to extract the data for analysis. In addition, to improve the detection performance of the IDS, the system combines protocol analysis with signature detection modules. Experimental results show that this system detects intrusions better and improves the overall safety of large-scale networks.
Keywords-intrusion detection; honeypot; UC; genetic algorithms
I. INTRODUCTION
In recent years, with its rapid development, the network has extended into every corner of society and led people into the era of information technology. As its applications have grown, the network has gradually expanded from small businesses to large-scale commercial areas, business management, education, research and government agencies. Everyone enjoys the convenience brought by the Internet, but at the same time has to face the challenges of information security, especially endless network attacks. How to better defend against these attacks and safeguard our networks has become an important subject in information technology.
II. DESIGN AND IMPLEMENTATION OF THE SYSTEM
An IDS mainly refers to finding intrusive behavior in the network. According to the detection method, IDSs are divided into two categories: protocol anomaly detection and signature detection (misuse detection) [1]. Protocol-based anomaly detection can catch unknown attacks effectively, but cannot detect attacks that conform to the protocol. Misuse detection matches attack actions against the attack signatures stored in an intrusion rule database; the method takes less time and achieves a high detection rate. However, a signature detection system cannot discern new types of attacks or large numbers of complicated attacks.
A. System Architecture
In this work, to overcome the deficiencies of traditional IDSs, we use distributed signature collection, distributed processing, distributed response, and two detection modules (protocol analysis and signature detection). The system architecture is shown in Figure 1; it includes the sensors, the protocol analysis module, the signature detection module and the intrusion alarm module.
Figure 1. Structure of the distributed intrusion detection system.
1) Sensor module: Sensors are distributed in the different networks of computer systems. Their main task is to collect raw data on the network according to predefined rules and to organize it into audit data, which is submitted to the protocol analysis module for analysis. The sensors sit at the bottom of the whole system; in a large-scale network environment the sensors are independent of each other, and each detector only receives packets within the scope of its own network.
2) Protocol analysis module: Protocol analysis has great advantages at present: any data that violates the RFC can be identified as a protocol anomaly by this check. Its greatest strength is that it can effectively detect unknown buffer overflow and denial-of-service attacks. The corresponding protocols (TCP, UDP, ICMP) are configured into a protocol tree; the packet submitted by the sensors is decomposed, and the tree structure is then called for fast matching. If there is an exception, the intrusion alarm module is called. Otherwise, the packets are classified and the anomaly detection module continues the data analysis. The module can be easily extended: if a new protocol type is discovered, protocol units can be added or modified manually.
978-1-4244-6349-7/10/$26.00 © 2010 IEEE
3) Signature detection module: Its work is to download and evaluate the data classified by the protocol analysis module. We make use of misuse detection technology to ensure detection accuracy and real-time operation. To increase the matching speed, an efficient string matching algorithm (Boyer-Moore) is used [2]. Furthermore, taking the openness of the system into account, intrusion rules can be added dynamically from the honeypot to improve the performance of the pattern matching method.
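Added example (our code, not the paper's): a Boyer-Moore-Horspool matcher in C, the simplified Boyer-Moore variant that keeps only the bad-character shift table, run over a constructed packet payload. The payload and the signature token `ATTACK-SIGNATURE-X` are made up for the illustration; in the system described above the signature would come from the attack-signature field of a rule.

```c
/* Added example, not the paper's code: Boyer-Moore-Horspool signature
 * search over raw packet bytes. Payload and signature are constructed. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ALPHABET 256

/* Bad-character table: how far the window may slide when the byte under
 * the pattern's last position is c. Bytes absent from the pattern allow a
 * full shift of m; the pattern's own last byte keeps that default. */
static void build_shift(const unsigned char *pat, size_t m, size_t shift[ALPHABET])
{
    size_t i;
    for (i = 0; i < ALPHABET; i++)
        shift[i] = m;
    for (i = 0; i + 1 < m; i++)
        shift[pat[i]] = m - 1 - i;
}

/* Offset of the first occurrence of pat[0..m) in buf[0..n), or -1.
 * Operates on bytes, so NUL bytes inside a payload are matched normally. */
long bmh_find(const unsigned char *buf, size_t n,
              const unsigned char *pat, size_t m)
{
    size_t shift[ALPHABET];
    size_t pos = 0;

    if (m == 0 || m > n)
        return -1;
    build_shift(pat, m, shift);
    while (pos + m <= n) {
        size_t j = m;                      /* compare right to left */
        while (j > 0 && buf[pos + j - 1] == pat[j - 1])
            j--;
        if (j == 0)
            return (long)pos;
        pos += shift[buf[pos + m - 1]];    /* slide by the bad-character rule */
    }
    return -1;
}

/* Wrapper for a NUL-terminated signature string taken from a rule. */
long signature_offset(const unsigned char *payload, size_t n, const char *sig)
{
    return bmh_find(payload, n, (const unsigned char *)sig, strlen(sig));
}

/* Constructed sample payload; the made-up signature token starts at offset 52. */
static const unsigned char SAMPLE_PAYLOAD[] =
    "GET /index.html HTTP/1.0\r\nHost: sensor-test\r\nX-Sig: ATTACK-SIGNATURE-X\r\n";
#define SAMPLE_LEN (sizeof SAMPLE_PAYLOAD - 1)

int main(void)
{
    printf("ATTACK-SIGNATURE-X at %ld\n",
           signature_offset(SAMPLE_PAYLOAD, SAMPLE_LEN, "ATTACK-SIGNATURE-X"));
    printf("NOT-PRESENT at %ld\n",
           signature_offset(SAMPLE_PAYLOAD, SAMPLE_LEN, "NOT-PRESENT"));
    return 0;
}
```

Because the search works on bytes rather than C strings, a signature can be matched inside binary payloads as well as text; the caller passes the captured length, so a NUL byte in the packet does not stop the scan early.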
4) Honeypot: Honeypots are distributed in the network and deliberately designed to confuse invaders and lure intruders into attacking them [3] [4]. A honeypot can collect intrusion information and capture current new attack methods in a timely manner. The system uses a distributed honeypot architecture to ensure data control and capture in large-scale networks.
5) Intrusion alarm module: Alert messages can be sent to the terminal display for us and collected into classified statistics in the warning log. Besides, as the system has a large quantity of statistical data, we compress the data with statistical compression technology.
B. Implementation of Key Technologies
1) Sensor technology: The sensor module is located at the bottom of the IDS and is the foundation of the whole system. According to a predefined strategy, the sensor is responsible for monitoring the network and for IP reassembly. As we know, Ethernet data is transmitted by broadcast. Generally, a program only receives packets addressed to its own MAC address. To capture all packets, the network interface is set to promiscuous mode [5]. We use WinPcap to capture data; it is an open source library for packet capture and network analysis on Win32 platforms, and it can receive and send packets independently of the host protocols. The data capture code is as follows:
#include <windows.h>
#include <pcap.h>

DWORD WINAPI MyCaptureThread(LPVOID lpParameter); // Forward declaration

// Create a thread to handle captured packets (called from the dialog class,
// which owns the open adapter handle adhandle)
LPDWORD lThread = NULL;
m_ThreadHandle = CreateThread(NULL, 0, MyCaptureThread, this, 0, lThread);

// Capture packets in this thread
DWORD WINAPI MyCaptureThread(LPVOID lpParameter)
{
    CSnifferDlg* pthis = (CSnifferDlg*)lpParameter; // Dialog passed as the thread argument
    int res;
    struct pcap_pkthdr* header;   // Filled in by pcap_next_ex
    const u_char* pkt_data;       // Pointer to const packet bytes
    // pcap_next_ex returns 1 for a packet, 0 on read timeout, -1 on error, -2 at end of a capture file
    while ((res = pcap_next_ex(pthis->adhandle, &header, &pkt_data)) >= 0)
    {
        if (res == 0)
            continue; // Timeout elapsed, no packet to process
        // Dealing with captured packets
        pthis->SavePacket(header, pkt_data); // Save data
        pthis->UpdateList();                 // Inform the view list of updates
    }
    return 0;
}
2) Protocol analysis technology: Protocol analysis parses the captured packets. In accordance with the TCP/IP model, all TCP, UDP and ICMP packets are transmitted in the network in the IP packet format [6]. In Ethernet, packets carrying protocol identifiers can be matched against the protocol tree. Its working principle is as follows: from the Ethernet frame, read the Ethernet header (14 bytes), which consists of the destination MAC address (6 bytes), the source MAC address (6 bytes) and the frame type (2 bytes). The frame type identifies the protocol, such as ARP or IP; the corresponding protocol numbers are 0x0806 and 0x0800. The IP header includes the source IP address, destination IP address, flags and IP protocol type. We can identify the transport protocol by this identification number, such as TCP (6), UDP (17) or ICMP (1), and the specific application-layer protocol can be recognized by the port number; for example, SSH corresponds to port 22 and MySQL to port 3306. The system uses these methods to identify all protocols; if the packets being examined are abnormal, the system calls the alarm module. What's more, to make the protocol analysis module work better, the protocol structures need to be defined. We defined the ARP protocol as follows:
#pragma pack(push, 1)          // Match the 28-byte wire layout exactly: no padding
typedef struct arp
{
    unsigned short arp_hdr;    // hardware address type (1 = Ethernet), network byte order
    unsigned short arp_proto;  // protocol address type (0x0800 = IPv4), network byte order
    unsigned char  arp_lha;    // length of hardware address (6)
    unsigned char  arp_lpa;    // length of protocol address (4)
    unsigned short arp_opt;    // operation code (ARP or RARP request/reply), network byte order
    unsigned char  arp_ha[6];  // sender's hardware address
    unsigned char  arp_pa[4];  // sender's protocol address (4 bytes; unsigned long is 8 bytes on 64-bit)
    unsigned char  arp_tha[6]; // target's hardware address
    unsigned char  arp_tpa[4]; // target's protocol address
} ARP;
#pragma pack(pop)
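Added example (our code, not the paper's): the protocol-tree walk described above in C, from the Ethernet frame type to ARP or IPv4, then to TCP, UDP or ICMP by protocol number and to the service by port number. It also shows the checks that turn a malformed header into an anomaly report instead of passing the packet on to signature matching. The two frames, their MAC and IP addresses, and the function and enum names are constructed for the illustration.

```c
/* Added example, not the paper's code: walk the protocol tree (Ethernet ->
 * ARP / IPv4 -> TCP / UDP / ICMP -> ports) over constructed frames and flag
 * headers that violate the RFC layout before signature matching runs. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum proto { P_UNKNOWN = 0, P_ARP, P_TCP, P_UDP, P_ICMP, P_ANOMALY };

struct classification {
    enum proto proto;
    uint16_t ethertype;
    uint8_t  ip_proto;            /* 6 = TCP, 17 = UDP, 1 = ICMP */
    uint16_t src_port, dst_port;  /* 0 when the protocol has no ports */
    const char *note;             /* reason when proto == P_ANOMALY */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

static struct classification anomaly(struct classification c, const char *why)
{
    c.proto = P_ANOMALY;
    c.note = why;
    return c;
}

/* Classify caplen captured bytes. Each length check is a protocol-anomaly
 * check: a header shorter than its RFC minimum, or an IP total length that
 * disagrees with the bytes captured, goes to the alarm path instead. */
struct classification classify_frame(const uint8_t *frame, size_t caplen)
{
    struct classification c;
    memset(&c, 0, sizeof c);
    if (caplen < 14)
        return anomaly(c, "truncated Ethernet header");
    c.ethertype = be16(frame + 12);             /* after dst MAC(6) + src MAC(6) */
    if (c.ethertype == 0x0806) {                /* ARP body is 28 bytes for Ethernet/IPv4 */
        if (caplen < 14 + 28)
            return anomaly(c, "truncated ARP packet");
        c.proto = P_ARP;
        return c;
    }
    if (c.ethertype != 0x0800)                  /* not IPv4: left for a new protocol unit */
        return c;
    if (caplen < 14 + 20)
        return anomaly(c, "truncated IPv4 header");
    const uint8_t *ip = frame + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;    /* header length in bytes */
    uint16_t total_len = be16(ip + 2);
    if ((ip[0] >> 4) != 4 || ihl < 20)
        return anomaly(c, "bad IPv4 version or IHL");
    if (total_len < ihl || 14 + (size_t)total_len > caplen)
        return anomaly(c, "IPv4 total length inconsistent with capture");
    c.ip_proto = ip[9];
    const uint8_t *l4 = ip + ihl;
    size_t l4len = total_len - ihl;
    switch (c.ip_proto) {
    case 6:                                     /* TCP: 20-byte minimum header */
        if (l4len < 20) return anomaly(c, "truncated TCP header");
        c.proto = P_TCP; c.src_port = be16(l4); c.dst_port = be16(l4 + 2);
        return c;
    case 17:                                    /* UDP: fixed 8-byte header */
        if (l4len < 8) return anomaly(c, "truncated UDP header");
        c.proto = P_UDP; c.src_port = be16(l4); c.dst_port = be16(l4 + 2);
        return c;
    case 1:                                     /* ICMP: type, code, checksum */
        if (l4len < 4) return anomaly(c, "truncated ICMP header");
        c.proto = P_ICMP;
        return c;
    default:
        return c;                               /* other transport: P_UNKNOWN */
    }
}

/* Constructed frames (addresses made up): a TCP SYN from 192.168.1.10:50000
 * to 192.168.1.20:22, and an ARP request for 192.168.1.20. */
static const uint8_t SAMPLE_TCP[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,  /* Ethernet */
    0x45,0x00, 0x00,0x28, 0x00,0x01, 0x00,0x00, 0x40,0x06, 0x00,0x00,         /* IPv4, len 40, TCP */
    0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x14,                                  /* src, dst */
    0xc3,0x50, 0x00,0x16, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0x20,0x00, 0,0, 0,0 };  /* TCP SYN */
static const uint8_t SAMPLE_ARP[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x06,  /* Ethernet */
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,                               /* request */
    0x66,0x77,0x88,0x99,0xaa,0xbb, 0xc0,0xa8,0x01,0x0a,                        /* sender */
    0x00,0x00,0x00,0x00,0x00,0x00, 0xc0,0xa8,0x01,0x14 };                      /* target */

/* Check variants: 0 = TCP frame as captured, 1 = ARP frame,
 * 2 = TCP frame with IHL corrupted to 8 bytes, 3 = capture cut at 30 bytes. */
enum proto sample_proto(int variant)
{
    uint8_t buf[sizeof SAMPLE_TCP];
    memcpy(buf, SAMPLE_TCP, sizeof buf);
    switch (variant) {
    case 0:  return classify_frame(SAMPLE_TCP, sizeof SAMPLE_TCP).proto;
    case 1:  return classify_frame(SAMPLE_ARP, sizeof SAMPLE_ARP).proto;
    case 2:  buf[14] = 0x42; return classify_frame(buf, sizeof buf).proto;
    default: return classify_frame(SAMPLE_TCP, 30).proto;
    }
}
```

The classification carries the port pair, so the next stage can look up the application protocol (22 for SSH, 3306 for MySQL) and choose the rule set to match against. Extending the tree to a new protocol means adding one more `case` or one more ethertype branch, which is the manual extension the text describes.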
3) Honeypot System: In this work, Honeyd, a low-interaction honeypot system, is deployed in the network. To make the honeypot more attractive to attackers, many deceptive techniques need to be used. Information deception technology can be divided as follows:
a) Prompt (banner) deception: Some applications or services leak sensitive information in their prompts; we can modify these prompts to deceive the attacker.
b) Port deception: As we know, each program has its own port for communication in the network; for example, a Telnet server uses TCP port 23 and PC Anywhere uses TCP ports 5631-5632. Honeyd can be configured to listen on arbitrary ports so that it appears to be running certain services.
c) Operating system (OS) deception: At present there are security scanning tools such as Nmap. These tools use the TCP/IP protocol stack for remote OS identification [7]: they rely on the different ways in which different operating systems handle TCP/IP. However, this can be applied in turn: we can use Honeyd to intercept the probe packets and send the responses such probes expect, so that we can deceive the opponent successfully.
2010 2nd International Conference on Computer Engineering and Technology [Volume 6]
4) Intrusion signature extraction: The intrusion database is one of the important components of the misuse detection module, and it also affects overall system performance. Each rule should have a source IP address, target IP address, protocol type, source port, destination port, the action triggered by the rule, and the attack signature. In this work the system already contains a custom intrusion rule base, and to ensure that the latest attack features can be detected in time, the system uses multiple honeypots placed in different networks to collect intrusion characteristics, and UC and genetic algorithms are used to mine intrusion features from the honeypots' audit records.
The clustering analysis method uses the idea that normal behaviour greatly outnumbers abnormal behaviour to divide the dataset into classes. The method is based on unsupervised clustering, dividing the dataset into different groups: objects within a group have a higher similarity to each other, while objects in different groups have a lower one. The distance between two objects is determined by the Euclidean distance, equation (1):
$$d(x_i, x_j) = \sqrt{\sum_{k=1}^{n} (x_{ik} - x_{jk})^2} = \sqrt{(x_{i1} - x_{j1})^2 + (x_{i2} - x_{j2})^2 + \cdots} \qquad (1)$$
This distance satisfies the following properties:
a) $d_{ij} \le d_{ik} + d_{kj}$, for any three objects $i, j, k$ (triangle inequality);
b) $d_{ij} > 0$, for any objects $i, j$ with $X_i \ne X_j$;
c) $d_{ij} = 0$, for any objects $i, j$ with $X_i = X_j$;
d) $d_{ij} = d_{ji}$, for any objects $i, j$.
The initial clustering uses the following method:
Step 1: Choose an arbitrary object and use it as a cluster centre to construct a new class.
Step 2: Read the next object and use the Euclidean distance formula to calculate its minimum distance to the existing cluster centres. If it does not exceed the threshold, the object is placed in the class at minimum distance and a new cluster centre is formed. Otherwise, a new class is constructed from it. Repeat step 2.
Step 3: Sort the classes by the number of objects they contain, and filter out noise and isolated points.
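Added example (our code, not the paper's): equation (1) and the three clustering steps in C. The audit records are constructed three-feature vectors, the distance threshold and the minimum cluster size are assumed parameters, and moving a centre to the running mean of its members is our reading of "form a new cluster centre" in step 2, which the text does not spell out.

```c
/* Added example, not the paper's code: the Euclidean distance of equation (1)
 * and the three-step initial clustering. The audit records are constructed. */
#include <stddef.h>
#include <stdio.h>

#define DIM 3               /* features per audit record (constructed) */
#define MAX_CLUSTERS 32

struct cluster {
    double centre[DIM];
    int    size;
};

/* Newton's method square root, so the example needs no libm. */
static double sqrt_newton(double x)
{
    double r = x > 1.0 ? x : 1.0;
    if (x <= 0.0) return 0.0;
    for (int i = 0; i < 64; i++) {
        double next = 0.5 * (r + x / r);
        if (next == r) break;
        r = next;
    }
    return r;
}

/* Equation (1): d(x_i, x_j) = sqrt(sum_k (x_ik - x_jk)^2) */
double euclid(const double *a, const double *b)
{
    double s = 0.0;
    for (size_t k = 0; k < DIM; k++)
        s += (a[k] - b[k]) * (a[k] - b[k]);
    return sqrt_newton(s);
}

/* Steps 1 and 2 in one pass over the records. Assigning an object moves the
 * cluster centre to the running mean of its members (our reading of step 2).
 * Returns the number of clusters, or 0 if MAX_CLUSTERS would be exceeded. */
int initial_clustering(const double rec[][DIM], int n, double threshold,
                       struct cluster *out)
{
    int nclusters = 0;
    for (int i = 0; i < n; i++) {
        int best = -1;
        double best_d = 0.0;
        for (int c = 0; c < nclusters; c++) {        /* nearest existing centre */
            double d = euclid(rec[i], out[c].centre);
            if (best < 0 || d < best_d) { best = c; best_d = d; }
        }
        if (best >= 0 && best_d <= threshold) {
            struct cluster *cl = &out[best];
            cl->size++;
            for (size_t k = 0; k < DIM; k++)
                cl->centre[k] += (rec[i][k] - cl->centre[k]) / cl->size;
        } else {                                       /* open a new class */
            if (nclusters == MAX_CLUSTERS) return 0;
            for (size_t k = 0; k < DIM; k++)
                out[nclusters].centre[k] = rec[i][k];
            out[nclusters].size = 1;
            nclusters++;
        }
    }
    return nclusters;
}

/* Step 3: order clusters by size (descending) and count those smaller than
 * min_size. With normal traffic in the majority, these small clusters are the
 * noise and isolated points, i.e. the candidates for intrusion features. */
int rank_and_filter(struct cluster *cl, int n, int min_size)
{
    for (int i = 1; i < n; i++) {                    /* insertion sort by size */
        struct cluster t = cl[i];
        int j = i - 1;
        while (j >= 0 && cl[j].size < t.size) { cl[j + 1] = cl[j]; j--; }
        cl[j + 1] = t;
    }
    int noise = 0;
    for (int i = 0; i < n; i++)
        if (cl[i].size < min_size) noise++;
    return noise;
}

/* Constructed records: five near (10,10,10), three near (50,50,50), one outlier. */
static const double SAMPLE[][DIM] = {
    {10, 10, 10}, {11, 10, 9}, {10, 12, 10}, {9, 10, 11}, {10, 9, 10},
    {50, 50, 50}, {51, 49, 50}, {49, 50, 51},
    {200, 5, 90}
};
#define NSAMPLE ((int)(sizeof SAMPLE / sizeof SAMPLE[0]))

int sample_cluster_count(double threshold)
{
    struct cluster cl[MAX_CLUSTERS];
    return initial_clustering(SAMPLE, NSAMPLE, threshold, cl);
}

int sample_noise_count(double threshold, int min_size)
{
    struct cluster cl[MAX_CLUSTERS];
    int n = initial_clustering(SAMPLE, NSAMPLE, threshold, cl);
    return rank_and_filter(cl, n, min_size);
}

int main(void)
{
    printf("threshold 5: %d clusters, %d noise\n",
           sample_cluster_count(5.0), sample_noise_count(5.0, 2));
    return 0;
}
```

With a threshold of 5 the sample forms three clusters of sizes 5, 3 and 1, and the singleton is reported as noise; with a threshold of 0.5 every record becomes its own cluster, which is the failure mode the experiments below describe for small thresholds, where normal records fall outside the normal clusters.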
In the genetic algorithm, the choice of the fitness function is very important. To achieve a better result, we should try to reduce the distance within clusters while increasing the distance between clusters. The fitness function is as follows:
$$f = \sum_{q_a \ne q_b} (q_a - q_b)^2 - \sum_{a_i \subset b} (a_i - d_b)^2 \qquad (2)$$
where
$$d_b = \frac{\sum_{a_i \subset b} a_i}{n_b} \qquad (3)$$
In equations (2) and (3), $a_i$ denotes a cluster centre from the initial clustering stage, $q_b$ denotes the cluster to which $a_i$ belongs, and $d_b$ is the mean of that cluster. The larger $f$ is, the better the clustering.
$$p_c = \begin{cases} k_1 \dfrac{f_{\max} - f'}{f_{\max} - f_{avg}}, & f' \ge f_{avg} \\ k_2, & f' < f_{avg} \end{cases} \qquad (4)$$
$$p_m = \begin{cases} k_3 \dfrac{f_{\max} - f}{f_{\max} - f_{avg}}, & f \ge f_{avg} \\ k_4, & f < f_{avg} \end{cases} \qquad (5)$$
In equations (4) and (5), $k_i \in [0, 1]$ $(i = 1, 2, 3, 4)$; $f_{\max}$ denotes the largest fitness in the population, $f_{avg}$ the average fitness, and $f'$ the larger fitness of the two individuals being crossed. With the above operations, the algorithm keeps evolving while the generation count is less than the preset value and terminates otherwise.
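Added example (our code, not the paper's): equations (4) and (5) as C functions. The parameter values are constructed, the reading of $f$ in (5) as the fitness of the individual being mutated is ours (the text does not say which individual it refers to), and the guard that returns 0 when the population has converged ($f_{\max} = f_{avg}$) is our addition to avoid dividing by zero.

```c
/* Added example, not the paper's code: the adaptive crossover (4) and
 * mutation (5) probabilities. The k values below are constructed. */
#include <stdio.h>

struct adaptive_params { double k1, k2, k3, k4; };   /* each in [0, 1] */

/* Shared shape of (4) and (5): k_high scaled by how far f sits below the
 * best individual, or k_low for a below-average individual. When every
 * individual has the same fitness, f_max == f_avg and the fraction is
 * undefined; returning 0 there is our guard, not part of the paper. */
static double adaptive_rate(double k_high, double k_low,
                            double f, double f_max, double f_avg)
{
    if (f < f_avg)
        return k_low;
    if (f_max <= f_avg)
        return 0.0;
    return k_high * (f_max - f) / (f_max - f_avg);
}

/* p_c of equation (4); f_prime is the larger fitness of the two parents */
double crossover_probability(const struct adaptive_params *p, double f_prime,
                             double f_max, double f_avg)
{
    return adaptive_rate(p->k1, p->k2, f_prime, f_max, f_avg);
}

/* p_m of equation (5); f is read as the fitness of the individual being
 * mutated (our reading; the text does not say which individual f refers to) */
double mutation_probability(const struct adaptive_params *p, double f,
                            double f_max, double f_avg)
{
    return adaptive_rate(p->k3, p->k4, f, f_max, f_avg);
}

/* Constructed parameter set for the demonstration. */
static const struct adaptive_params DEMO_PARAMS = { 1.0, 0.5, 0.1, 0.05 };

int main(void)
{
    double f_max = 10.0, f_avg = 6.0;
    printf("p_c(f'=8) = %.2f, p_c(f'=4) = %.2f\n",
           crossover_probability(&DEMO_PARAMS, 8.0, f_max, f_avg),
           crossover_probability(&DEMO_PARAMS, 4.0, f_max, f_avg));
    printf("p_m(f=10) = %.2f, p_m(f=6) = %.2f\n",
           mutation_probability(&DEMO_PARAMS, 10.0, f_max, f_avg),
           mutation_probability(&DEMO_PARAMS, 6.0, f_max, f_avg));
    return 0;
}
```

The effect of the piecewise form is visible in the sample values: the best individual ($f = f_{\max}$) gets a mutation probability of 0 and is preserved, an average one gets the full $k_3$, and anything below average keeps the fixed $k_4$.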
III. EXPERIMENTAL ANALYSIS
The system is designed with VC++ 6.0 SP6 and the latest Platform SDK. The KDDCUP 99 intrusion dataset is used for evaluation [8]; we extracted 9500 records (500 records of abnormal behaviour and 9000 records of normal behaviour). In the experiments, different thresholds are tested.
When the threshold is 40, the detection rates of Probing and U2R are higher and the miss rate is relatively lower. When the threshold is lower, normal records fall far from the normal clusters, which leads to a higher miss rate. When the threshold is 50, the results are lower. The simulation results are given in Table I.
TABLE I. SIMULATION RESULTS OF DIFFERENT THRESHOLDS

Threshold | DOS               | Probing           | U2R               | R2L
          | Detected  Missed  | Detected  Missed  | Detected  Missed  | Detected  Missed
10        | 71.21%    4.31%   | 74.24%    2.52%   | 71.31%    3.22%   | 62.22%    7.11%
30        | 69.12%    6.62%   | 88.32%    3.12%   | 87.51%    2.76%   | 68.66%    5.43%
40        | 74.88%    3.12%   | 86.56%    1.43%   | 88.25%    2.61%   | 87.38%    4.61%
50        | 65.44%    4.79%   | 81.44%    2.61%   | 79.54%    3.76%   | 61.12%    5.45%
IV. CONCLUSION
Detecting abnormal activity in the network in a timely and effective way is the current research emphasis of IDSs. In this paper we presented an IDS based on honeypots. We use honeypots to set network traps that draw the attacker's attention. In addition, by using honeypots to collect more records of intruders, the existing rule databases are updated in time. To analyze the datasets collected from them effectively, the system uses UC and genetic algorithms to improve the detection results. The paper used a distributed system architecture to expand the detection range, effectively solving the problem of current centralized NIDS in large-scale detection, and it also improved the overall security of large-scale networks.
ACKNOWLEDGMENT
This project was supported by the Graduate Innovation
Fund of Shaanxi University of Science and Technology.
This work was supported by a grant from Scientific
Research Foundation of Shaanxi University of Science and
Technology (BJ10-01).
REFERENCES
[1] Ozgur Depren, Murat Topallar, Emin Anarim, “An intelligent
intrusion detection system (IDS) for anomaly and misuse detection in
computer networks,” Expert Systems with Applications, vol. 29,
Issue 4, pp. 713-722, November 2005.
[2] Shmuel T. Klein, Miri Kopel Ben-Nissan, “Accelerating Boyer–
Moore searches on binary texts,” Theoretical Computer Science, vol.
410, Issue 37, pp. 3563-3571, September 2009.
[3] Anton Chuvakin, "Honeynets: High Value Security Data: Analysis of real attacks launched at a honeypot," Network Security, vol. 2003, Issue 8, pp. 11-15, August 2003.
[4] Babak Khosravifar, Jamal Bentahar, "An experience improving intrusion detection systems false alarm ratio by using Honeypot," 22nd International Conference on Advanced Information Networking and Applications, 2008.
[5] Mohan Krishnamurthy, Eric S. Seagren, “Network Analysis,
Troubleshooting, and Packet Sniffing,” How to Cheat at Securing
Linux, pp. 203-247, 2008.
[6] Sándor Molnár, Balázs Sonkoly, Tuan Anh Trinh, “A comprehensive
TCP fairness analysis in high speed networks,” Computer
Communications, vol. 32, Issues 13-14, pp. 1460-1484, August 2009.
[7] Angela Orebaugh, Becky Pinkard, “Nmap OS Fingerprinting,” Nmap
in the Enterprise, pp. 161-183, 2008.
[8] Chi-Ho Tsang, Sam Kwong, Hanli Wang, “Genetic-fuzzy rule
mining approach and evaluation of feature selection techniques for
anomaly intrusion detection,” Pattern Recognition, vol. 40, Issue 9,
pp. 2373-2391, September 2007.
[9] Cheng Xiang, Png Chin Yong, Lim Swee Meng, “Design of
multiple-level hybrid classifier for intrusion detection system using
Bayesian clustering and decision trees,” Pattern Recognition Letters,
vol. 29, Issue 7, pp. 918-924, 2008.
[10] Chia-Mei Chen, Ya-Lin Chen, Hsiao-Chung Lin, “An efficient
network intrusion detection,” Computer Communications, vol. 33,
Issue 4, pp. 477-484, March 2010.
[11] Benjamin Morin, Ludovic Mé, Hervé Debar, Mireille Ducassé, “A
logic-based model to support alert correlation in intrusion detection,”
Information Fusion, vol. 10, Issue 4, pp. 285-299, October 2009.
[12] Xiaojun Tong, Zhu Wang, Haining Yu, “A research using hybrid
RBF/Elman neural networks for intrusion detection system secure
model,” Computer Physics Communications, vol. 180, Issue 10, pp.
1795-1801, October 2009.