Snort is a network-based IDS with use the so-called misuse rules for in on-line detection; but the problem that is these rules are defined manually by a network security expert, by its role: it process and analyze network traffic of a given attack and put its specific rules or signatures because snort is a signature-based IDS, or it defines them relative to a pre-knowledge of the attack characteristic.

1. designed by tinyPPT.com
‫عليكـم‬ ‫السالم‬
A. Ben atallah and Y. Chettaiba A Frequent Pattern-based Extension of Snort for Intrusion Detection 1/10

2. designed by tinyPPT.com2018/2019
University of Ghardaia
Ministry of Higher Education and Scientific Research
PEOPLE’S DEMOCRATIC REPUBLIC OF ALGERIA
Presented by :
YOUCEF chettiba
ABDENNOUR Ben atallah
supervised by :
Dr. Oulad-Naoui Slimane
Presented for the MASTER diploma
THESIS
In: Computer Science
Specialty: Artificial Intelligence for Knowledge Extraction
A Frequent Pattern-based Extension
of Snort for Intrusion Detection
A. Ben atallah and Y. Chettaiba A Frequent Pattern-based Extension of Snort for Intrusion Detection 2/10
27/06/2019

3. designed by tinyPPT.com
I. Motivation
II. context
A
i. Frequent patterns problem
ii. System Architecture
iii. Dataset
iv. Experiment
v. Evaluation
C
D I. Conclusion
II. Future works
B
Intrusion Detection Systems
Conclusion and future works
Snort extension with frequent patterns
Introduction
2018/2019
OUTLINE
I. Definition
II. Architecture
III. Related works
A. Ben atallah and Y. Chettaiba A Frequent Pattern-based Extension of Snort for Intrusion Detection 3/10

4. designed by tinyPPT.com2018/2019
INTRODUCTION
Motivation
Malicious users and
illegal handling
2
the increasing
sensitivity of the
information in our
network
1Applied a policy
security
IDS
A. Ben atallah and Y. Chettaiba A Frequent Pattern-based Extension of Snort for Intrusion Detection 4/10

5. designed by tinyPPT.com2018/2019
INTRODUCTION
Context
Expert analyze and
categorize packet of
specific attack and
manually hand-coding
its set of snort rules .
The ability of
creating automatic
snort rules from
attacking packets
Too complex with huge
number of packets .
Lost time.
Automatically generate
rules with frequent patterns
mining techniques
Problem
Objective
Idea
Amelioratin
A. Ben atallah and Y. Chettaiba A Frequent Pattern-based Extension of Snort for Intrusion Detection 5/10

6. designed by tinyPPT.com2018/2019
INTRUSION DETECTION SYSTEM
Definition
Alert
IDS
Victim
hacker
Normal
Normal
A. Ben atallah and Y. Chettaiba A Frequent Pattern-based Extension of Snort for Intrusion Detection 6/10

7. designed by tinyPPT.com2018/2019
INTRUSION DETECTION SYSTEM
Architecture
ID engine
Knowledge
base
Response
component
sensors
Monitored system
Raw data
Events
A. Ben atallah and Y. Chettaiba A Frequent Pattern-based Extension of Snort for Intrusion Detection 7/10

8. designed by tinyPPT.com2018/2019
INTRUSION DETECTION SYSTEM
Related works
Intrusion
Detection
Data
mining
Random Forest
Jiong Zhang and al.
2008
k-means
K. Sequeira and M.
Zaki. 2002
SVM
M. F. Umer and al. 2017
Association rules
Lih-Chyau Wuu and
al. 2007
Statistical
techniques
Multivariate
Model
N. Ye, S. M. and al, 2002
Operational
model or
threshold metric
V. A. Siris and al.
2004
Mean and
standard
deviation model
C. Gates and al.
2005
Markov Process
Model or Marker
model
N. Ye et al. 2000
A. Ben atallah and Y. Chettaiba A Frequent Pattern-based Extension of Snort for Intrusion Detection 8/10

9. designed by tinyPPT.com2018/2019
SNORT EXTENSION WITH FREQUENT PATTERNS
Frequent patterns problem
Data base
Tid Items
1 {I1,I2,I5}
2 {I2,I4}
3 {I2,I3}
4 {I1,I2,I4}
5 {I1,I3}
6 {I2,I3}
7 {I1,I3}
8 {I1,I2,I3,I5}
9 {I1,I2,I3}
2Min_sup =
Items Sup
{I1, I2, I3} 2
{I3, I5} 1
{I1,I3} 4
{I1,I4} 1
{I2} 7
A. Ben atallah and Y. Chettaiba A Frequent Pattern-based Extension of Snort for Intrusion Detection 9/10

10. designed by tinyPPT.com2018/2019
SNORT EXTENSION WITH FREQUENT PATTERNS
Dataset
KDD99
DARPA98
NSL-KDD
ADFA
But
• Are not suitable to the extension
of Snort .
• Small number for the Snort
attributes .
• these data sets are outdated
•Some of these data sets suffer
from Lack of traffic
Alternative
LBNL
• full header network traffic
• represent the scanner
attack pure
• contains some
protocols as TCP, UDP,
ICMP
A. Ben atallah and Y. Chettaiba A Frequent Pattern-based Extension of Snort for Intrusion Detection 10/10

11. designed by tinyPPT.com2018/2019
SNORT EXTENSION WITH FREQUENT PATTERNS
System architecture
Make Dataset ready for
Snort extension
01Preprocessing
For each item in dataset
replace it with a unique
integer
02 Coding
applied frequent patterns
mining algorithm03
Mining frequent
patterns
recuperate the original of
each item in the frequent
patterns results
04 Decoding
05Transformation From list of frequent patterns
to Snort rules
A. Ben atallah and Y. Chettaiba A Frequent Pattern-based Extension of Snort for Intrusion Detection 11/10

12. designed by tinyPPT.comA. Ben atallah and Y. Chettaiba A Frequent Pattern-based Extension of Snort for Intrusion Detection 12/10
SNORT EXTENSION WITH FREQUENT PATTERNS
System implementation
window
OS
Ubuntu& kali
open source OS
Netbeans
iDE for java
Open source
library
SPMF
Java
Oriente object
programming

13. designed by tinyPPT.com2018/2019
SNORT EXTENSION WITH FREQUENT PATTERNS
Experiment
1992.18.1.6
Snort
Victim
hacker Root # Sudo ./xerxes 1992.168.1.6 80
1992.168.1.5
alert tcp any any -> any
80 (msg: “DOS attack”;
window: 29200; sid:
10066;)
……………..
Root # sudo snort -A console -i enp0s3 -u snort -g snort -c /etc/snort/snort.conf
A. Ben atallah and Y. Chettaiba A Frequent Pattern-based Extension of Snort for Intrusion Detection 13/10

14. designed by tinyPPT.com2018/2019
SNORT EXTENSION WITH FREQUENT PATTERNS
Evaluation
The minimum support
value changes from 0.0 to
1.0}
A. Ben atallah and Y. Chettaiba A Frequent Pattern-based Extension of Snort for Intrusion Detection 14/10
Input Dataset for attacking
traffic
Input Dataset for normal
traffic

15. designed by tinyPPT.com2018/2019
SNORT EXTENSION WITH FREQUENT PATTERNS
Evaluation
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0 0.2 0.4 0.6 0.8 1
FIN1
Fpmax
FIN3
Minimum support
Accuracy histogram
A. Ben atallah and Y. Chettaiba A Frequent Pattern-based Extension of Snort for Intrusion Detection 15/10
accuracy

16. designed by tinyPPT.com2018/2019
CONCLUSION AND FUTURE WORKS
Conclusion
The results were acceptable based
on our experiments, but with expert
would be better .
• dataset including one protocol.
• Complicated configuration in our
system.
we had generated program for Snort
to extract knowledge with automatic
manner
A
B
C
A. Ben atallah and Y. Chettaiba A Frequent Pattern-based Extension of Snort for Intrusion Detection 16/10

17. designed by tinyPPT.com2018/2019
CONCLUSION AND FUTURE WORKS
Future works
A. Ben atallah and Y. Chettaiba A Frequent Pattern-based Extension of Snort for Intrusion Detection 17/10
Allow maintenance for
extracted knowledge
Explore a huge
data
Further improvements
to our system
Add the author
protocols
Simplify
configuration
make rules for
different attacks.

18. designed by tinyPPT.com2018/2019
CONCLUSION AND FUTURE WORKS
Future works
A. Ben atallah and Y. Chettaiba A Frequent Pattern-based Extension of Snort for Intrusion Detection 18/10
Special data set
for Snort extension
Intrusion behavior
detection system

19. designed by tinyPPT.com
Thank you for
your attention
A. Ben atallah and Y. Chettaiba A Frequent Pattern-based Extension of Snort for Intrusion Detection 19/10