The document presents a framework for an autonomic intrusion detection system aimed at identifying and preventing intrusions in computer networks through online and adaptive anomaly detection. It elaborates on the limitations of traditional signature-based intrusion detection systems and highlights the need for anomaly detection to combat new and unforeseen attacks. The framework utilizes the affinity propagation algorithm to automatically learn and adapt to normal behavior while identifying anomalies.

1. IJSRD - International Journal for Scientific Research & Development| Vol. 2, Issue 09, 2014 | ISSN (online): 2321-0613
All rights reserved by www.ijsrd.com 471
Autonomic Anomaly Detection System in Computer Networks
Professor Rahul. P. More1, Aniket V. Bagal2, Sangram P. Bajare3
, Abhilash S. Gaikawd4
Sameer S. Joshi5
1,2,3,4,5
Computer Engineering
1,2,3,4,5
DCOER, Pune, India
Abstract— This paper describes how you can protect your
system from Intrusion, which is the method of Intrusion
Prevention and Intrusion Detection .The underlying premise
of our Intrusion detection system is to describe attack as
instance of ontology and its first need is to detect attack. In
this paper, we propose a novel framework of autonomic
intrusion detection that fulfills online and adaptive intrusion
detection over unlabeled HTTP traffic streams in computer
networks. The framework holds potential for self-governing:
self-labeling, self-updating and self-adapting. Our structure
employs the Affinity Propagation (AP) algorithm to learn a
subject’s behaviors through dynamical clustering of the
streaming data. It automatically labels the data and adapts to
normal behavior changes while identifies anomalies.
Key words: Intrusion Prevention and Intrusion Detection,
ontology, Autonomic intrusion detection, Affinity
Propagation
I. INTRODUCTION
An Intrusion Detection System is Used to detect all types of
malicious network traffic and computer usage that can’t be
detected by a conventional firewall. This includes network
attacks against vulnerable services , data driven attacks
on applications , host based attacks such as privilege
escalation , unauthorized logins and access to sensitive
files and malware such as viruses , Trojan horses and
worms . While Signature-based Detection can only
recognize known attacks, anomaly detection holds great
potential for detecting unforeseen intrusion attempts. As
new attacks appear very frequently and signature-based
detection methods may be over-whelmed by
polymorphic attack , using anomaly detection sensors to
discover zero-day attacks has become a necessity rather than
an option.
A. Types of Intrusion Detection System
1) Current IDS fall into three Categories:
 Network Based Intrusion Detection System
(NIDS’s): Identifies intrusions by examining
network traffic and monitors multiple hosts.
Network Intrusion Detection System gain access to
network traffic by connecting to a hub, network
switch configured for port mirroring or network
tap.
Example: SNORT
Once a NIDS detects an attack, the following
action may be taken:
 Send email notification
 Send an SNMP trap to a network
management system
 Send a page (to a pager)
 Block a TCP connection
 Kill a TCP connection
 Run a user defined script
 Host-Based Intrusion Detection System (HIDS’s):
Consists of an agent on a host which identifies
intrusions by analyzing system calls, application
logs, file-system modification (binaries, password
files, and capability / acl databases) and other host
activities and state. In most cases, a HIDS
component is made up of two parts: a centralized
manager and server agent. The manager is used to
administer and store policies, download policies to
agents and store information received by agents.
The agent is installed onto each server and
registered with the manager. Agents use policies to
detect and respond to specific events and attacks.
 Hybrid Intrusion Detection System: combines one
or more approaches. Host agent data is combined
with network information to form a comprehensive
view of the network. Example: Prelude.
II. SIGNATURE BASED DETECTION
In misuse detection, attacks follow well-defined patterns
that exploit system weakness and application software.
Since these attacks follow well-defined patterns and
signatures, they are usually encoded in advance and
thereafter used to match against the client conduct. It
suggests that abuse discovery requires specific knowledge of
given intrusive behavior. In a signature based detection a
predetermined attack patterns in the form of signatures and
these signatures are further used to determine the system
assaults. They typically analyze the system activity with
predefined signatures and each time database is updated. An
example of Signature Based Intrusion Detection System is
SNORT.
A worm is any malicious code that has the
capability to replicate and spread on its own. It works on the
scan, compromise and replicate principle. First it scans the
network to find hosts having vulnerabilities and then
exploits these vulnerabilities to compromise the target and
finally replicates itself on the target. Viruses, on other hand
can’t spread on their own. They attach to some other
programs and depend on these programs to spread in the
network. Every worm has a unique bit string which can be
used to identify the worm (i.e. all instances of the worm in
the network have the same bit string representation).
This Technique is not very effective because of the
following reasons.
A) Speed with which worm spreads: Worm can spread
at enormous speeds. Example. Sapphire / Slammer
worm infected more than 75,000 vulnerable hosts
in less than 10 minutes. Hence any technique which

2. Autonomic Anomaly Detection System in Computer Networks
(IJSRD/Vol. 2/Issue 09/2014/105)
All rights reserved by www.ijsrd.com 472
involves manual extraction of worms will fail to
match the speed at which worms spread. By the
time signature of the worm is identified, millions of
hosts would have been infected.
B) Zero day Worms: The above technique will fail
against zero day worms. Zero day worms are those
worms that exploit the vulnerabilities that have not
been declared yet or the worms that start spreading
as soon as (on the same day) some vulnerability is
made public.
III. ANOMALY BASED DETECTION
An Anomaly-Based Intrusion Detection System is a
system for detecting computer intrusions and misuse by
monitoring system activity and classifying it as either
normal or anomalous. The classification is based on
heuristics or rules, rather than patterns alternately mark, and
will catch any kind of abuse that differs significantly from
normal system operation. Earlier, IDS’s relied on some hand
coded rules designed by security experts and network
administrators. However, given the requirements and the
complexities of the today’s network environments, we need
a systematic and automated IDS development process rather
that the pure knowledge based and engineering approaches
which rely only on intuition and experience. This
encouraged us to study some Data Mining based
frameworks for Intrusion detection. These frameworks use
data mining algorithms to compute activity patterns for
system audit data and extract predictive features from the
patterns. Machine learning algorithms are then applied to the
audit records that are processed according to the feature
definitions to generate intrusion detection rules.
The most common way people approach network
intrusion detection is to detect statistical anomalies. The idea
behind this approach is to measure a “Baseline” of such stats
as CPU utilization, disc activity, user logins, file activity,
and so forth. Then, the system can trigger when there is
deviation from the baseline.
The benefit of this approach is that it can detect the
anomalies without having to understand the underlying
cause behind the anomalies. While most existing anomaly
detection methods classify events as either normal or
anomalous, as a mechanism for autonomic detection, we
define the third status of events as suspicious which is
between normal and anomalous.
Fig 1: Steps in IDS
IV. NEED FOR IDS
Internet Information Services (IIS) web servers – which host
web pages and serve them to users are highly popular
among business organizations, with over 6 million such
servers installed worldwide. Unfortunately, IIS web servers
are also popular among hackers and malicious fame-seekers
– as a prime target for attacks. As a result, every so often,
new exploits emerge which endanger your IIS web server’s
integrity and stability. Many administrators have a hard time
keeping up with the various security patches released for IIS
to cope with each new exploit, making it easy for malicious
users to find a vulnerable web server on the internet.
V. BENEFITS OF AUTONOMIC IDS
In today’s corporate market, the majority of businesses
consider the internet as a major tool for communication with
their customers, business partners and the corporate
community. this mentality is here to stay ; as a result
business need to consider the risk associated with using the
Internet as communication tool , and the methods available
to them to mitigate these risks . Many businesses are already
aware of the types of risks that they are facing, and have
implemented measures such as firewalls, Virus detection
software, access control mechanisms etc.
Determined hacker is just that “determined” and they
will find a way of penetrating your system, sometimes for
malicious intent but mostly because they can and it is a test
of skills. While the above mentioned tools are preventive
measures, an IDS is more of an analysis tool , that will give
you the following information:
 Instance of attack
 Method of attack
 Source of attack
 Signature of attack

3. Autonomic Anomaly Detection System in Computer Networks
(IJSRD/Vol. 2/Issue 09/2014/105)
All rights reserved by www.ijsrd.com 473
VI. LIMITATIONS OF IDS
Network Intrusion Detection systems are unreliable enough
that they should be considered only as secondary systems
designed to backup the primary security system.
Primary system such as firewalls, encryption and
authentication are rock solid. Bugs or misconfiguration.
Often lead to problems in these systems, but the
underlying concepts are “provably” accurate. Intrusion
detection system suffer from the two problems whereby
normal traffic causes many false positives (cry wolf) , and
careful hackers can evade or disable the intrusion detection
system. Indeed, there are many proofs that show how
network intrusion detection systems will never be accurate.
This doesn’t mean intrusion detection systems are
invalid. Hacking is so pervasive on today’s networks that
people are regularly astounded when they first install such
systems (both inside and outside firewall). Good intrusion
detection system can dramatically improve the security of a
site. It just needs to be remembered that intrusion detection
system are backup.
VII. CONCLUSION
The current generations of IDS (HIDS and NIDS) are quite
effective already as they continue to improve they will
become the backbone of more flexible security systems we
expect to see in the not-too-distant future. Online and
adaptive anomaly intrusion detection is difficult task
because no a priori knowledge (e.g. data distribution as well
as labeled information) can be provided to the learning
methods. The frameworks holds potential for self-
governing: self- labeling, self-adapting, self-updating.
REFERENCE
[1] Snort. Snort, 2014. <http://www.snort.org/> (retrieved
February 2014).
[2] Science direct paper on- Autonomic intrusion detection:
Adaptively detecting anomalies over unlabeled audit data
streams in computer networks (2014).
[3] Shobha Venkataraman, David Brumley, SubhabrataSen,
Oliver Spatscheck,
Automatically inferring the evolution of malicious activity
on the internet, in:NDSS, 2013
[4] IBM, Autonomic Computing, 2014.
http://www.ibm.com/autonomic (retrieved February 2014).
[5] Daniel Arp, Michael Spreitzenbarth, MalteHubner,
Hugo Gascon, KonradRieck,
Drebin: efficient and explainable detection of android
malware in your pocket, in: NDSS, 2014.
[6] Wei Wang, Xiaohong Guan, Xiangliang Zhang, Liwei
Yang, Profiling program behavior for anomaly intrusion
detection based on the transition and frequency property of
computer audit data, Compute. Secur. 25 (7) (2006) 539–
550.
[7] Xuetao Wei, Lorenzo Gomez, IulianNeamtiu,
MichalisFaloutsos, Profiledroid:
Multi-layer profiling of android applications, in:
MOBICOM, 2012, pp. 137–148.
[8] Gabriela F. Cretu, AngelosStavrou, Michael E. Locasto,
Salvatore J. Stolfo,
Angelos D. Keromytis, Casting out demons: sanitizing
training data for anomaly sensors, in: IEEE S&P, 2008, pp.
81–95.
[9] Carrie Gates, Carol Taylor, Challenging the anomaly
detection paradigm: a provocative discussion, in: NSPW,
2006, pp. 21–29.
[10] Terran Lane, Carla E. Brodley, Approaches to online
learning and concept drift for user identification in computer
security, in: KDD, 1998, pp. 259–263.
[11] KDD-Data, Kdd cup 1999 Data, 1999.
http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html
(retrieved February 2014).
[12] Irina Rish, Mark Brodie, Sheng Ma, Natalia Odintsova,
AlinaBeygelzimer,GenadyGrabarnik, Karina Hernandez,
Adaptive diagnosis in distributed systems, IEEE Trans.
Neural Networks 16 (5) (2005) 1088–1109.
[13] Stephanie Forrest, Steven A. Hofmeyr, Anil Somayaji,
Thomas A. Longstaff, A sense of self for unix processes, in:
IEEE S&P, 1996, pp. 120–128.
[14] Brendan J. Frey, Delbert Dueck, Clustering by passing
messages between data points, Science 315 (5814) (2007)
972–976.
[15] Xiangliang Zhang, Cyril Furtlehner, MichèleSebag,
Data streaming with affinity propagation, in: ECML/PKDD,
2008.
[16] Wenke Lee, Salvatore J. Stolfo, Kui W. Mok, A data
mining framework for building intrusion detection models,
in: IEEE S&P, 1999, pp. 120–132.