07-06-2010, 07:06 PM
[attachment=3716]
AN INTELLIGENT INTRUSION DETECTION SYSTEM
Presented By:
Suchismita Dasbiswas
Lecturer, Thadomal Shahani Engineering College, Mumbai
ABSTRACT
Quickly increased complexity, openness, interconnection and interdependence have made computer systems more vulnerable and difficult to protect from malicious attacks. Network intrusion detection system plays a vital role in today's network. The attacks detection can be classified into either misuse or anomaly detection. The misuse detection can not detect unknown intrusions whereas the anomaly detection can give false positive. Combining the best feature of misuse and anomaly detection one intelligent intrusion detection system (IIDS) is proposed which is able to detect not only the known intrusions but also the unknown intrusions. For detecting the unknown intrusions the proper knowledge base is to be formed after preprocessing the packets captured from the network. The preprocessing is the combination of partitioning and feature extraction. The partitioning of packets is based on the network services and extraction of attack feature is added to the knowledge base. The preprocessed attacks can be classified by using mining classification which will be given to rule builder. Once the unknown intrusions are detected, that information can be added to misuse detector for further detection. The network intrusion detection system should be adaptable to all type of critical situations arise in network.
1. INTRODUCTION
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions, defined as attempts to compromise the confidentiality, integrity, availability, or to bypass the security mechanisms of a computer or network. Intrusions are caused by attackers accessing the systems from the Internet, authorized users of the systems who attempt to gain additional privileges for which they are not authorized, and authorized users who misuse the privileges given them. Intrusion Detection Systems (IDSs) are software or hardware products that automate this monitoring and analysis process. Intrusion detection allows organizations to protect their systems from the threats that come with increasing network connectivity and reliance on information systems. Intrusion Detection Systems (IDS) attempts to detect intrusion through analyzing observed system or network activities. Based on the type of observed activities, IDS can be classified as network-based or host-based. IDS will raise alarms when it has detected misuse or anomaly. It may also report intrusions by emailing or paging system administrator and even disconnect intrusion connection locally. Intrusion detection systems perform the following functions well
? Monitoring and analysis of system events and user behavior
? Testing the security states of system configurations
? Recognizing patterns of system events that correspond to known attacks
? Recognizing patterns of activity that statistically vary from normal activity
? Managing operating system audit and logging mechanisms and the data they generate
? Alerting appropriate staff by appropriate means when attacks are detected.
There are three fundamental functions of IDS: Monitoring, Analysis, Response, and Generating Reports. The different sources of event information can be drawn from different levels of the system, with network, host, and application monitoring system. Analysis makes sense of the events derived from the information sources, deciding when those events indicate that intrusions are occurring or have already taken place. The most common analysis approaches are misuse detection and anomaly detection. Misuse based systems can detect known attacks like virus detection systems, but they cannot detect unknown attacks [1, 2, 3]. Misuse detection usually has highest detection rate and lower false positive rate than anomaly detection. Anomaly detection can detect unknown intrusions but its computational complexity is very high. The critical technique is to build profiles of normal usage. The advantages of these two can be combined to build intelligent IDS to cope up with the new unknown attacks. Responses can be generated involving some automated intervention on the part of the system, and involving reporting IDS findings to humans, who are then expected to take action based on those reports. Semi automation is required because in a large or busy network the network-based IDSs may fail to recognize an attack launched during periods of high traffic. The proposed technique is the combination of online and offline computation where online detection can be done using misuse detector and offline analysis can be done using anomaly detection using preprocessing and classification of unknown attacks depending on their impact to form the rules for future misuse detection. Here the computational complexity can be reduced when unknown intrusions are converted to known to make the intrusion detection system more intelligent and attack resistant.
intrusions also overcome the headache of constructing new intrusion attack rules but there is the possibility of false positives as no Intelligent knowledge base is built offline.
(iii) The Next Generation Intrusion Detection Expert System (NIDES) developed by SRI [6] is a hybrid intrusion detection system. NIDES performs real time monitoring of user activity on multiple target systems connected on a network. It consists of a misuse detection component as well as an anomaly detection component. The rule base misuse component employs expert rules to define known intrusive activities. The anomaly component is based on statistical approach, and it flags activities as attacks if they are largely deviant from the expected behaviors. By combing a statistical component and an expert system component, NIDES increases the chances to detect intrusions. As no offline analysis is there to build patterns for unknown attacks which can be used to build knowledge base for future can degrade the intelligence of the IDS.
The rest of the paper is organized as follows: Section 2 describes about the review work, Section 3 discusses about the proposed IDS functionality, design and performance evaluation, and Finally Section 4 gives conclusion.
2. REVIEW WORK
(i) ADAM (Audit Data Analysis and Mining) [4] is an
online network based IDS which uses association rules
algorithm in detection. This technique has two phases: one
is training phase and another is online phase. In training
phase the attack free data is fed into the module whose
output is rule based profile or normal activities. The
training data which contains attacks are then fed to the
other module for online detection using association rule
mining. Though this technique overcomes the general
problem of rule based approach to update the rules for
new attacks but there is no offline analysis to build the
knowledge base for new attacking features and here the
attack free training data is also analyzed which just wastes
time. Also there is the possibility of false positive.
(ii) The Hybrid Intrusion Detection System [5] is
proposed and implemented. This technique has also two
phases like ADAM but it does not need attack free data to
detect novel intrusion using outlier detection. This
technique is the combination of misuse detection and
anomaly detection. Misuse detection is used to detect the
known intrusions whereas the anomaly detection is done
using Random Forest algorithm which is the improvement
over association rule mining. But both techniques are used
in online. This technique is able to detect unknown
3. PROPOSED TECHNIQUE 3.1 Functions of IIDS
Functions of the proposed technique is shown in Figure 1.
Mining (Classific -ation)
Analyzed Features
Feature Extraction
Partitioning
Anomaly Sensor
Pattern Builder
Classified Attacks
Differentiated Packets
Extracted Features
Knowledge
Base
Off line
Attacked Packets
New Attack Patterns
Figure 1. Functions of IIDS
3.1.1 Misuse Detection
The proposed technique is based on two phase of detection. The online phas e of detection is done using misuse detector. This is normal rule based approach where the rules for different network services are constructed which help to detect network intrusion. It works only for known attacks. If the attacks are not known that is directly fed to anomaly sensor which sensed the attacked packets which is then sent for anomaly detection. The local response (alarm) will be generated.
3.1.2 Anomaly Detection
The another phase of proposed technique is offline phase of detection. First function is to partition all types of network services (ex., ftp, http, telnet etc.) according to their packet formats and then the attacking features of the packets are extracted. The new extracted attacking features are stored in knowledge base to upgrade the knowledge of available attacks in network. The proximities of the attacks are classified using mining classification algorithm. For all these classified attacks the patterns are built which 3.2 Architecture
The proposed intrusion detection system is designed as shown in Figure 2 using two components: one is IDS host and another is the IDS server. IDS host components are network misuse detector and anomaly sensor. The misuse detector can detect known intrusion using well known snort based technique. The unknown attacks a re sensed using anomaly sensor. These sensed unknown attacked packets are sent to IDS server for further analysis. The detected known intrusions will generate alarm to all the hosts on the network. IDS hosts are responsible for local response
The IDS server components are anomaly detector, feature extractor, knowledge base and mining classifier. The feature extractor is used to extract attacking features from packets which can be upgraded to the knowledgebase.
canbe then used for misuse detection for future attacks
Depending on the attacking features the packets are classified according to their proximities. The patterns are built for those attacking features. IDS server is responsible for global response.
3.3 Performance Measures
The performance of the proposed IIDS can be evaluated using two parameters: detection rate and false positive rate. The detection rate will be higher than the existing technique as both online and offline phases are there and depending on the extracted features the efficient knowledge base is constructed to make the system more adaptable to available network attacks. The false positive rate also will be low as the knowledge up gradation is the continuation process.
Incident Reports and Alerts
Network Flow
Sensed data
Results
LR: Local Response GR: Global Response
4. CONCLUSION
The intelligent intrusion detection system is proposed to build an adaptive mechanism of detection by using feature extraction and classification mining. This system has significant advantage over the norma l intrusion detection system for known attacks. The computational complexity is reduced as the offline analysis of unknown attacks is proposed. There is a less possibility of having false positive. This proposed system can be implemented using distributed systems where single point of failure can be easily removed.
REFERENCES
Recognition and Accountability. 1st ACM Conference on Computer And Communications Security, Dept. of Computer Science, University of California, Davis, November 1993.
[09] Javed Aslam, Sergey Bratus, David Kotz, Ron Peterson, Brett Tofel, Da niela Rus, "The Kerf Toolkit for Intrusion Analysis"IEEE Security & Privacy, pp-42- 52,2004
[1] Elvis Tombini, Herve Debar, Ludovic Me, and Mireille Ducasse, " A Serial combination of Anomaly and Misuse
IDSes Applied to HTTP Traffic", 20thAnnual Computer
Security Applications Conference,Tucson, AZ, USA,
December 2004.
[2] J. Zhang and M. Zulkernine, " Network Intrusion Detection Using Random Forests", Proc. of the Third Annual Conference on Privacy, Security and Trust, pp. 53-61, St.Andrews, New Brunswick, Canada, October 2005.
[3] Wenke Lee and Salvatore J. Stolfo, "A Framework for Constructing Features and Models for Intrusion Detection Systems", ACM Transactions on Information and System Security (TISSEC), Volume 3, Issue 4, November 2000.
[4] Daniel Barbarra, Julia Couto, Sushil Jajodia, Leonard
Popyack, and Ningning Wu, " ADAM : Detecting
Intrusions by Data Mining", Proceedings of the 2001 IEEE Workshop on Information Assurance and Security T1A3
1100 United States Military Academy, West Point, NY, June 2001.
[5] Jiong Zhang and Mohammad Zulkernine , "A Hybrid Network Intrusion Detection technique Using Random Forests" , Proceedings of the First International Conefernce on Availability, Reliability and Security
(ARES'06), Canada, 2006.
[6] Bogdan E. Popescu, and Jerome H. Friedman, Ensemble learning for prediction, Doctoral Thesis, Stanford University, January 2004.
[7] A. Hess, M. Schoeller, G. Schaefer, M. Zitterbart, and A.Wolisz. A dynamic and flexible Access Control and Resource Monitoring Mechanism for Active Nodes. In Short Paper Proc. of OpenArch 2002, pages 11-16, New
York, USA, June 2002.
[8] Calvin Ko, Deborah A. Frincke, Terrence Goan Jr, L. Todd Heberlein, Karl Levitt, Biswanath Mukherjee and Christopher Wee. Analysis of An Algorithm for Distributed
