Snort is a network-based IDS that uses so-called misuse rules for on-line detection. The problem is that these rules are defined manually by a network security expert, whose role is to process and analyze the network traffic of a given attack and write its specific rules or signatures (Snort is a signature-based IDS), or to define them from prior knowledge of the attack's characteristics.
A Frequent Pattern-based Extension of Snort for Intrusion Detection
Peace be upon you.
A. Ben atallah and Y. Chettaiba A Frequent Pattern-based Extension of Snort for Intrusion Detection 1/10
2018/2019
University of Ghardaia
Ministry of Higher Education and Scientific Research
PEOPLE’S DEMOCRATIC REPUBLIC OF ALGERIA
Presented by :
Youcef Chettiba
Abdennour Ben Atallah
supervised by :
Dr. Oulad-Naoui Slimane
Presented for the MASTER diploma
THESIS
In: Computer Science
Specialty: Artificial Intelligence for Knowledge Extraction
A Frequent Pattern-based Extension
of Snort for Intrusion Detection
27/06/2019
OUTLINE
A. Introduction
I. Motivation
II. Context
B. Intrusion Detection Systems
I. Definition
II. Architecture
III. Related works
C. Snort extension with frequent patterns
i. Frequent patterns problem
ii. System Architecture
iii. Dataset
iv. Experiment
v. Evaluation
D. Conclusion and future works
I. Conclusion
II. Future works
INTRODUCTION
Motivation
1. The increasing sensitivity of the information in our networks.
2. Malicious users and illegal handling.
Hence a security policy must be applied, using an IDS.
INTRODUCTION
Context
Problem: an expert analyzes and categorizes the packets of a specific attack and manually hand-codes its set of Snort rules. This is too complex with a huge number of packets, and it costs time.
Objective: the ability to create Snort rules automatically from attacking packets.
Idea: automatically generate the rules with frequent pattern mining techniques.
Amelioration.
INTRUSION DETECTION SYSTEM
Definition
[Figure: an IDS placed between the hacker and the victim; normal traffic passes, while an attack raises an alert]
INTRUSION DETECTION SYSTEM
Architecture
[Figure: IDS architecture with the monitored system, sensors (raw data → events), ID engine, knowledge base and response component]
INTRUSION DETECTION SYSTEM
Related works
Data mining techniques:
• Random Forest (Jiong Zhang et al., 2008)
• k-means (K. Sequeira and M. Zaki, 2002)
• SVM (M. F. Umer et al., 2017)
• Association rules (Lih-Chyau Wuu et al., 2007)
Statistical techniques:
• Multivariate model (N. Ye, S. M. et al., 2002)
• Operational model or threshold metric (V. A. Siris et al., 2004)
• Mean and standard deviation model (C. Gates et al., 2005)
• Markov process model or Markov model (N. Ye et al., 2000)
SNORT EXTENSION WITH FREQUENT PATTERNS
Frequent patterns problem
Database (Tid: Items)
1: {I1, I2, I5}
2: {I2, I4}
3: {I2, I3}
4: {I1, I2, I4}
5: {I1, I3}
6: {I2, I3}
7: {I1, I3}
8: {I1, I2, I3, I5}
9: {I1, I2, I3}
Min_sup = 2
Itemset: Sup
{I1, I2, I3}: 2 (frequent)
{I3, I5}: 1
{I1, I3}: 4 (frequent)
{I1, I4}: 1
{I2}: 7 (frequent)
SNORT EXTENSION WITH FREQUENT PATTERNS
Dataset
Well-known datasets: KDD99, DARPA98, NSL-KDD, ADFA. But:
• they are not suitable for the Snort extension;
• they offer only a small number of the Snort attributes;
• they are outdated;
• some of them suffer from a lack of traffic.
Alternative: LBNL
• full-header network traffic;
• represents pure scanner attacks;
• contains several protocols such as TCP, UDP and ICMP.
SNORT EXTENSION WITH FREQUENT PATTERNS
System architecture
01 Preprocessing: make the dataset ready for the Snort extension.
02 Coding: replace each item in the dataset with a unique integer.
03 Mining frequent patterns: apply a frequent pattern mining algorithm.
04 Decoding: recover the original value of each item in the frequent pattern results.
05 Transformation: from the list of frequent patterns to Snort rules.
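As an added worked example (not code from the thesis or from the SPMF library), the five-step pipeline above in Python: items are coded to integers, frequent itemsets are mined level-wise with a minimum support count exactly as on the Frequent patterns problem slide, decoded, reduced to maximal itemsets (as FPMax does) and transformed into Snort rules of the form shown on the Experiment slide. The packet attribute transactions and the "key:value" item encoding are constructed assumptions; window, flags, ttl, dsize, tos and id are real Snort rule option keywords.

```python
from itertools import combinations

# Real Snort rule option keywords allowed in generated rules; other items are dropped.
OPTION_KEYS = ("window", "flags", "ttl", "dsize", "tos", "id")

def frequent_itemsets(transactions, min_sup):
    """Steps 02-04: code items as integers, mine level-wise (Apriori), decode back."""
    code = {item: n for n, item in enumerate(sorted({i for t in transactions for i in t}))}
    coded = [frozenset(code[i] for i in t) for t in transactions]
    found, level, k = {}, [frozenset([c]) for c in code.values()], 1
    while level:
        counts = {c: sum(1 for t in coded if c <= t) for c in level}
        counts = {c: s for c, s in counts.items() if s >= min_sup}  # drop infrequent
        found.update(counts)
        # Apriori join: a (k+1)-candidate is kept only if all its k-subsets are frequent.
        nxt = {a | b for a, b in combinations(counts, 2) if len(a | b) == k + 1
               and all(frozenset(s) in counts for s in combinations(a | b, k))}
        level, k = sorted(nxt, key=sorted), k + 1
    decode = {n: item for item, n in code.items()}
    return {frozenset(decode[n] for n in fs): s for fs, s in found.items()}

def maximal(freq):
    """Keep only itemsets not contained in a larger frequent one (what FPMax reports)."""
    return {s: sup for s, sup in freq.items() if not any(s < o for o in freq)}

def itemsets_to_snort_rules(freq, first_sid=1000001):
    """Step 05: one rule per maximal itemset of 'key:value' packet header attributes."""
    rules, sid = [], first_sid
    for s, sup in sorted(maximal(freq).items(), key=lambda kv: sorted(kv[0])):
        attrs = dict(item.split(":", 1) for item in s)
        opts = [f"{k}:{attrs[k]}" for k in OPTION_KEYS if k in attrs]
        if not opts:  # a rule without any header option would fire on every packet
            continue
        rules.append(f'alert {attrs.get("proto", "ip")} any any -> any {attrs.get("dport", "any")} '
                     f'(msg:"auto-mined pattern, support {sup}"; {"; ".join(opts)}; sid:{sid};)')
        sid += 1
    return rules

# Constructed sample (not a real capture): header attributes of four DoS flood packets.
PACKETS = [
    {"proto:tcp", "dport:80", "window:29200", "flags:S", "ttl:64"},
    {"proto:tcp", "dport:80", "window:29200", "flags:S", "ttl:64"},
    {"proto:tcp", "dport:80", "window:29200", "flags:S", "ttl:63"},
    {"proto:tcp", "dport:80", "window:64240", "flags:S", "ttl:128"},
]

if __name__ == "__main__":
    for rule in itemsets_to_snort_rules(frequent_itemsets(PACKETS, min_sup=3)):
        print(rule)
```

With min_sup=3 the ttl values fall below support and the single maximal itemset becomes one rule on window and flags; lowering min_sup produces more, and more specific, rules, which is the trade-off the evaluation slide sweeps.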
SNORT EXTENSION WITH FREQUENT PATTERNS
System implementation
• Windows: OS
• Ubuntu & Kali: open source OS
• Netbeans: IDE for Java
• SPMF: open source library
• Java: object-oriented programming
SNORT EXTENSION WITH FREQUENT PATTERNS
Experiment
[Figure: the hacker's host, the Snort sensor and the victim host on the same LAN]
Attacker: Root # Sudo ./xerxes 1992.168.1.6 80
Generated rules (excerpt):
alert tcp any any -> any 80 (msg:"DOS attack"; window:29200; sid:10066;)
……………..
Snort: Root # sudo snort -A console -i enp0s3 -u snort -g snort -c /etc/snort/snort.conf
SNORT EXTENSION WITH FREQUENT PATTERNS
Evaluation
Inputs: a dataset of attacking traffic and a dataset of normal traffic.
The minimum support value varies from 0.0 to 1.0.
SNORT EXTENSION WITH FREQUENT PATTERNS
Evaluation
[Figure: accuracy histogram, accuracy (0 to 0.8) against minimum support (0 to 1), for the FIN1, Fpmax and FIN3 algorithms]
CONCLUSION AND FUTURE WORKS
Conclusion
A. We have built a program for Snort that extracts knowledge in an automatic manner.
B. The results were acceptable based on our experiments, but with an expert's input they would be better.
C. Limitations:
• the dataset includes only one protocol;
• the configuration of our system is complicated.
CONCLUSION AND FUTURE WORKS
Future works
• Further improvements to our system: add the other protocols, simplify the configuration.
• Explore huge data: make rules for different attacks.
• Allow maintenance of the extracted knowledge.
• An intrusion behavior detection system.
• A special dataset for the Snort extension.
Thank you for your attention
Editor's Notes
In the name of God, the Most Gracious, the Most Merciful.
And peace and blessings be upon the noblest of messengers.
Peace be upon you.
Good morning everyone.
My name is Chettiba Youcef and my partner is Ben Atallah Abdenour.
Thanks to the jury members for accepting our modest work:
Prof. D.Z. as president
Dr. S.O.N. as supervisor
Dr. S.B. as examiner
Dr. C.A.K. as examiner
----------------------------
Thank you all for being here for our presentation, which is "A Frequent Pattern-based Extension of Snort for Intrusion Detection",
at the University of Ghardaia ……….. Department of Computer Science.
1. The use of the Internet and networks has become indispensable for everyone;
e-commerce and bank accounts are among the most sensitive things in Internet content.
For protecting them from malicious users we must apply a security policy.
3. An intrusion detection system (IDS) is one of the tools used for this purpose.
Snort is a network intrusion detection system which uses a knowledge base made manually by an expert, based on network traffic. Unfortunately this is difficult with a huge data size; our work is to do it automatically with the FPM technique.
An Intrusion Detection System is software or hardware that can detect malicious traffic on a system.
As we can see in the figure, the IDS raises an alert when it detects malicious traffic. This figure also shows us the Snort rule.
The well-known architecture of an IDS consists of the following components:
engine …. sensors …. monitored system ….. response component.
Based on our study, we can distinguish two approaches to intrusion detection: statistical and data mining techniques, with several techniques used in each of them. Those based on data mining have proved effective.
Frequent pattern mining problem: find all frequent itemsets that satisfy the minimum support in the database.
Assuming that the minimum support equals 2, we will take only the itemsets marked in blue.
We have some famous datasets for NID but …. LBNL because …
TECHNOLOGIES USED
In this experiment we put our system together with Snort to prove the detection of a DOS attack.
Snort detects this type of attack using rules generated by our system.
We created a program to evaluate our system. We followed a specific protocol: each time we change the parameters and collect the results.
Using 3 algorithms ….. with accuracy.
In this work, we are ………..
And we have seen ………. which gets acceptable results,
given some problems with the dataset.
1. Our work in the future represents further improvements to our system: simplify the configuration, make our system able to handle the other protocols.
2. And we think of exploring huge data, to make rules for different attacks.
3. Also, give our system the ability to maintain the extracted knowledge.
An attack can be seen as successive events, therefore:
1. we will develop a system able to detect intrusion behavior, using sequential pattern mining.
2. At last, we think of creating a special dataset only for the Snort extension.