ANALYSING AND MONITORING OF NETWORK IDS USING INTRUSION DETECTION


International Journal of Computer Engineering & Technology (IJCET), Volume 8, Issue 3, May-June 2017, Article ID: IJCET_08_03_003. IAEME Publication, editor@iaeme.com

Sajani J, M.E (C.S.E) Student, Sriram Engineering College, Chennai, Tamil Nadu, India
Dr. S. Manikandan, Professor and Head of Department, Department of Computer Science and Engineering, Sriram Engineering College, Chennai, Tamil Nadu, India

ABSTRACT
A network intrusion detection system (NIDS) is an intrusion detection system that tries to detect malicious activity such as denial-of-service attacks, port scans or attempts to break into computers by monitoring network traffic. The NIDS does this by reading all incoming packets and looking for suspicious patterns. If, for example, a large number of TCP connection requests to a very large number of different ports are observed, one can assume that someone is port-scanning some of the computers in the network. A NIDS also (mostly) tries to detect incoming shellcode in the same manner as an ordinary intrusion detection system. A NIDS is not limited to inspecting incoming traffic: valuable information about an ongoing intrusion can often be learned from outgoing or local traffic as well, and some attacks are staged from inside the monitored network or segment and are therefore not incoming traffic at all. Network intrusion detection systems often work together with other systems; they can, for example, add the IP addresses of computers used by (suspected) attackers to a firewall's blacklist.

Key words: Intrusion Detection, NIDS, Network Traffic, Service Attack.

Cite this Article: Sajani J and Dr. S. Manikandan, Analysing and Monitoring of Network IDS Using Intrusion Detection.
International Journal of Computer Engineering & Technology, 8(3), 2017.

1. INTRODUCTION
A network intrusion detection system (NIDS) is an intrusion detection system that tries to detect malicious activity such as denial-of-service attacks, port scans or attempts to break into computers by monitoring network traffic. The NIDS does this by reading all incoming packets and looking for suspicious patterns. If, for example, a large number of TCP connection requests to a very large number of different ports are observed, one can assume that someone is conducting a port scan of some or all of the computers in the network. The NIDS also (mostly) tries to detect incoming shellcode in the same manner as an ordinary intrusion detection system. A NIDS is not limited to inspecting incoming network traffic: valuable information about an ongoing intrusion can often be learned from outgoing or local traffic as well, and some attacks are staged from inside the monitored network or network segment and are therefore not regarded as incoming traffic at all. Network intrusion detection systems often work with other systems; they can, for example, add the IP addresses of computers used by (suspected) attackers to a firewall's blacklist.

To recognise possible attacks, systems are examined for abnormal behaviour. The system described here is designed to detect failed services and intruders. It is written in Java so that it can run on any operating system, and it uses WinPcap to capture packets on the network. The main aim of the system is to detect all types of malicious computer usage; intruder detection and failure reporting help administrator teams keep the computer system safe. Since the system deals only with network packets, it is a NIDS.
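The port-scan heuristic described above (many TCP connection requests to many different ports from one source), as an added Python example written for this page; it is not the paper's Java/WinPcap code. The SYN records are constructed for the example, and the window length and port threshold are assumptions that would be tuned per network:

```python
from collections import defaultdict, deque

# Constructed sample: (timestamp_s, src_ip, dst_ip, dst_port) for observed TCP SYN
# segments. Three ordinary connections, then one host touching 40 ports in 0.4 s.
SYN_RECORDS = [
    (0.0, "10.0.0.5", "10.0.0.20", 80),
    (0.5, "10.0.0.5", "10.0.0.20", 443),
    (1.0, "10.0.0.7", "10.0.0.20", 22),
] + [(2.0 + i * 0.01, "10.0.0.9", "10.0.0.20", 1 + i) for i in range(40)]


def detect_port_scans(records, window_s=5.0, port_threshold=20):
    """Flag a source that hits more than `port_threshold` distinct destination
    ports on one host within any `window_s` second window.

    Returns {src_ip: {dst_ip, ...}} for flagged scanners. Thresholds are
    illustrative assumptions, not values from the paper."""
    recent = defaultdict(deque)                        # (src, dst) -> deque of (ts, port)
    port_count = defaultdict(lambda: defaultdict(int))  # (src, dst) -> port -> hits in window
    flagged = defaultdict(set)
    for ts, src, dst, port in sorted(records):         # process in time order
        key = (src, dst)
        window = recent[key]
        window.append((ts, port))
        port_count[key][port] += 1
        # Expire observations that fell out of the sliding window.
        while window and ts - window[0][0] > window_s:
            old_ts, old_port = window.popleft()
            port_count[key][old_port] -= 1
            if port_count[key][old_port] == 0:
                del port_count[key][old_port]
        if len(port_count[key]) > port_threshold:
            flagged[src].add(dst)
    return dict(flagged)


if __name__ == "__main__":
    print(detect_port_scans(SYN_RECORDS))
```

A slow scan that spreads its probes over hours stays under any short window, which is why a real detector keeps several window lengths (or per-source long-term state) rather than one.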
Certain DISA documentation, such as the Network STIG, uses the term NID to distinguish an internal IDS instance from its outward-facing counterpart. In a network-based system (NIDS), the individual packets flowing through a network are analysed; a NIDS can detect malicious packets that are designed to be overlooked by a firewall's simplistic filtering rules. In a host-based system (HIDS), the IDS examines the activity on each individual computer or host.

2. PRESENT SYSTEM
The main aim of an intruder is to exploit the system and destroy the functionality of the client; to that end the intruder introduces a virus program into a particular network or machine. Many software products exist to detect such viruses, or web bots, and keep the system functioning, but intruders today also cause damage in ways that can only be recognised by their signatures. Deploying sophisticated firewalls or authentication systems is no longer enough to build a secure information system. Most intrusion detection systems today rely on handcrafted signatures, just like anti-virus products, and these have to be updated continuously to remain effective against new attacks. There is now a need to focus on the detection of unknown intrusions instead of relying on this signature

based approach. This has led to another approach to intrusion detection which consists of detecting

3. PROPOSED SYSTEM
The IDS we build is a signature-based IDS: a system that detects attack signatures. The signatures are usually embedded in packets sent to the client system to damage the machine. We find these signatures using Snort rules. Information about each signature is used to create a Snort rule; Snort's detection engine is rule-based, and the rules in turn are based on intruder signatures. Snort rules can check various parts of a data packet. For the comparison of payload content we use the Boyer-Moore string-matching algorithm. Packets are captured using the WinPcap and Jpcap libraries, and the James mail server is used to provide the SMTP and POP3 protocols. The system generates a report for all the protocols that are running and writes log files of anomalies seen on the network.

4. MODULES
4.1. Data Collection
In connection-oriented communication, a data stream is a sequence of digitally encoded coherent signals (data packets) used to transmit or receive information that is in the process of being transmitted. Streaming big data is an analytic computing platform focused on speed, because such applications require a continuous stream of often unstructured data to be processed: data is continuously analysed and transformed in memory before it is stored on disk. Big data is an all-encompassing term for any collection of data sets so large and complex that it becomes difficult to process them using traditional data processing applications. Data stream values may be numbers, such as real numbers or integers (for example a person's height in centimetres), but may also be nominal data (not consisting of numerical values), for example a person's ethnicity.
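An added example of the signature matching the proposed system relies on, written in Python for this page (it is neither the paper's Java code nor Snort's engine): a cut-down rule record with protocol, destination port and a content pattern, and a Boyer-Moore-Horspool search over packet payloads. The rule fields are an assumed subset of what a Snort rule carries, and the rule set and packets are constructed for the example:

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """Simplified stand-in for a Snort rule: protocol, destination port
    (None = any) and a byte pattern that must occur in the payload.
    Not Snort's rule grammar, only the fields this example needs."""
    sid: int
    msg: str
    proto: str
    dst_port: Optional[int]
    content: bytes


def horspool_find(pattern: bytes, text: bytes) -> int:
    """Boyer-Moore-Horspool search: offset of the first match, or -1.
    The bad-character table lets the window jump up to len(pattern) bytes
    when the last byte under the window does not occur in the pattern."""
    m, n = len(pattern), len(text)
    if m == 0:
        return 0
    skip = {}
    for i in range(m - 1):            # rightmost position of each byte, last byte excluded
        skip[pattern[i]] = m - 1 - i
    i = 0
    while i <= n - m:
        j = m - 1                     # compare right to left, as Boyer-Moore does
        while j >= 0 and text[i + j] == pattern[j]:
            j -= 1
        if j < 0:
            return i
        i += skip.get(text[i + m - 1], m)
    return -1


def match_rules(rules, proto, dst_port, payload):
    """Return the sids of rules whose header fields and content both match."""
    hits = []
    for r in rules:
        if r.proto != proto:
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        if horspool_find(r.content, payload) != -1:
            hits.append(r.sid)
    return hits


# Constructed rule set and packets for the example, not from any real ruleset.
RULES = [
    Rule(1000001, "directory traversal in CGI path", "tcp", 80, b"/cgi-bin/../../"),
    Rule(1000002, "x86 NOP sled", "tcp", None, b"\x90" * 16),
    Rule(1000003, "SMTP VRFY probe", "tcp", 25, b"VRFY "),
]
PACKETS = [
    ("tcp", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"),
    ("tcp", 4444, b"A" * 32 + b"\x90" * 32 + b"\xcc"),
    ("tcp", 25, b"EHLO mail.example.org\r\nVRFY root\r\n"),
    ("udp", 53, b"\x12\x34\x01\x00"),
]


def scan_packets(rules=RULES, packets=PACKETS):
    """Map each packet index to the sids it triggered."""
    return {i: match_rules(rules, proto, port, data)
            for i, (proto, port, data) in enumerate(packets)}


if __name__ == "__main__":
    for idx, sids in scan_packets().items():
        print(idx, sids)
```

The header checks run first so the byte search is only paid for rules that can apply; a production engine goes further and matches all patterns in one pass with a multi-pattern automaton instead of one Boyer-Moore scan per rule.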
More generally, values may be of any of the kinds described as a level of measurement. For each variable, the values will normally all be of the same kind. However, there may also be "missing values", which need to be indicated in some way.

4.2. Pre Processing
In this module we receive the network packet and extract attributes using WinPcap and JPcap. In information technology, a packet is a formatted unit of data carried by a packet-mode computer network. Communication links that do not support packets, such as traditional point-to-point telecommunication links, simply transmit data as a series of bytes, characters or bits. When data is formatted into packets, the bit rate of the communication medium can be shared among users better than if the network were circuit-switched; the price of packet switching is that a guaranteed minimum bit rate is harder to provide. A packet consists of two kinds of data: control information and user data (the payload). The control information provides what the network needs to deliver the user data, for example source and destination addresses, error-detection codes such as checksums, and sequencing information. Typically, control information is found in packet headers and trailers, with user data in between. Different communication protocols use different conventions for distinguishing between the elements and for formatting the data. In Binary Synchronous Transmission, the packet is formatted in 8-bit bytes, and special characters are used to delimit the different elements. Other protocols, like Ethernet, establish the start of the header and data elements by their location relative to the start of the packet. Some protocols format the information at the bit level instead of the byte level. A good analogy is to consider a packet to be like a letter: the header is the envelope, and the data area is whatever the sender puts inside the envelope. A difference, however, is that some networks can break a larger packet into smaller packets when necessary (these smaller data elements are still formatted as packets).

4.3. Feature Extraction
The system captures IP packets crossing a target network and constructs traffic flows by inspecting the IP packet headers; this is flow-level traffic classification. A flow consists of successive IP packets with the same 5-tuple: source IP, source port, destination IP, destination port and transport-layer protocol. A heuristic is used to determine correlated flows and model them: if the flows observed in a certain period of time share the same destination IP, destination port and transport-layer protocol, they are treated as correlated flows and together form a network flow. For classification, a set of flow statistical features is extracted and discretised to represent network flows.

5. CLASSIFICATION
5.1. Data Mining Using a Binary Classifier (C4.5 Algorithm)
Binary classifiers are generated for each class of event using the features relevant to that class and a classification algorithm. Each binary classifier is derived from the training sample by treating all classes other than the current class as "other"; e.g., C_normal considers two classes: normal and other.
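An added Python example (not the paper's Java/Jpcap code) covering the pre-processing and feature-extraction steps together: it builds a few IPv4/TCP/UDP packets in memory, parses the headers into the 5-tuple with bounds checks so a truncated packet is rejected rather than crashing the parser, groups packets into flows, correlates flows by (destination IP, destination port, protocol) and computes per-flow statistics. The packet builder, the addresses and the zeroed checksums are assumptions for the example; the in-memory list stands in for a WinPcap capture:

```python
import struct
from collections import defaultdict

IPPROTO_TCP, IPPROTO_UDP = 6, 17


def ip2bytes(addr):
    return bytes(int(x) for x in addr.split("."))


def build_ipv4_packet(src, dst, proto, sport, dport, payload=b"", tcp_flags=0x18):
    """Constructed IPv4 + TCP/UDP packet (no link-layer header), used only to
    feed the parser below. IP/TCP/UDP checksums are left at zero."""
    if proto == IPPROTO_TCP:
        # ports, seq, ack, data offset (5 words), flags, window, checksum, urgent
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total_len = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     ip2bytes(src), ip2bytes(dst))
    return ip + l4 + payload


def parse_ipv4_packet(buf):
    """Return ((src, sport, dst, dport, proto), total_len) from raw IPv4 bytes,
    or None for truncated, non-IPv4 or non-TCP/UDP input. Every offset is
    bounds-checked first so malformed input cannot raise IndexError."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl + 4:
        return None
    total_len = struct.unpack("!H", buf[2:4])[0]
    proto = buf[9]
    if proto not in (IPPROTO_TCP, IPPROTO_UDP):
        return None
    src = ".".join(str(b) for b in buf[12:16])
    dst = ".".join(str(b) for b in buf[16:20])
    sport, dport = struct.unpack("!HH", buf[ihl:ihl + 4])
    return (src, sport, dst, dport, proto), total_len


def build_flows(timed_packets):
    """Group (timestamp, raw_packet) pairs into flows keyed by the 5-tuple."""
    flows = defaultdict(list)
    for ts, raw in timed_packets:
        parsed = parse_ipv4_packet(raw)
        if parsed is not None:
            key, size = parsed
            flows[key].append((ts, size))
    return dict(flows)


def correlate_flows(flows):
    """Flows sharing destination IP, destination port and protocol form one
    correlated network flow, as the feature-extraction step describes."""
    groups = defaultdict(list)
    for key in flows:
        _src, _sport, dst, dport, proto = key
        groups[(dst, dport, proto)].append(key)
    return dict(groups)


def flow_features(flows):
    """Per-flow statistics of the kind a classifier consumes."""
    feats = {}
    for key, obs in flows.items():
        sizes = [s for _, s in obs]
        times = [t for t, _ in obs]
        feats[key] = {"packets": len(obs), "bytes": sum(sizes),
                      "mean_size": sum(sizes) / len(sizes),
                      "duration": max(times) - min(times)}
    return feats


# Constructed capture: a short HTTP exchange, a second client, a DNS query and
# one truncated packet that the parser must reject.
CAPTURE = [
    (0.00, build_ipv4_packet("10.0.0.5", "10.0.0.20", IPPROTO_TCP, 40001, 80, tcp_flags=0x02)),
    (0.01, build_ipv4_packet("10.0.0.20", "10.0.0.5", IPPROTO_TCP, 80, 40001, tcp_flags=0x12)),
    (0.02, build_ipv4_packet("10.0.0.5", "10.0.0.20", IPPROTO_TCP, 40001, 80, b"GET / HTTP/1.0\r\n\r\n")),
    (0.05, build_ipv4_packet("10.0.0.6", "10.0.0.20", IPPROTO_TCP, 40002, 80, tcp_flags=0x02)),
    (0.10, build_ipv4_packet("10.0.0.5", "10.0.0.53", IPPROTO_UDP, 5353, 53, b"\x00" * 12)),
    (0.11, b"\x45\x00\x00"),
]

if __name__ == "__main__":
    flows = build_flows(CAPTURE)
    for key, f in flow_features(flows).items():
        print(key, f)
    print(correlate_flows(flows))
```

The two directions of the HTTP connection are separate 5-tuple flows here; if the classifier needs a bidirectional view, normalise the key so that (a, b) and (b, a) map to the same flow before aggregating.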
The purpose of this phase is to select different features for different classes by applying the information gain or gain ratio to identify the relevant features for each binary classifier; the information gain or gain ratio returns the features that carry the most information for separating the current class from all the others. The output of this ensemble of binary classifiers is decided by an arbitration function based on the confidence level of each individual binary classifier's output. C4.5 builds decision trees from a set of training data in the same way as ID3, using the concept of information entropy. At each node of the tree, C4.5 chooses the attribute of the data that most effectively splits its set of samples into subsets enriched in one class or the other. Its criterion is the normalised information gain (difference in entropy) that results from choosing an attribute to split the data; the attribute with the highest normalised information gain is chosen to make the decision. The C4.5 algorithm then recurses on the smaller sublists.

5.2. Efficiency Calculation (Weka Tool)
The effect of combining different classifiers can be explained with the theory of bias-variance decomposition. Bias refers to error due to the learning algorithm, while variance refers to error due to the learned model; hence the idea of combining both in order to profit from the advantages of both algorithms and obtain an overall error reduction. The concept of bagging (voting for classification, averaging for regression-type problems with continuous dependent variables of interest) applies to the area of predictive data mining, to combine the predicted classifications from multiple models, or from the same type of model trained on different learning data. It is also used to address the inherent instability of results when applying complex models to relatively small data sets.
Suppose your data mining task is to build a model for predictive classification, and the data set from which to train the model (the learning data set, which contains observed classifications) is relatively small. One could repeatedly sub-sample (with replacement) from the data set and apply, for example, a tree classifier to the successive samples. In practice, very different trees will often be grown for the different samples, illustrating the instability of models that is often evident with small data sets. One method of deriving a single prediction (for new observations) is to use all the trees found in the different samples and apply simple voting: the final classification is the one predicted most often by the different trees. Some weighted combination of predictions (weighted vote, weighted average) is also possible, and commonly used.

6. METHODS
6.1. System Design
A data set (or dataset) is a collection of data, usually presented in tabular form. Each column represents a particular variable, and each row corresponds to a given member of the data set, listing values for each of the variables, such as the height and weight of an object or values of random numbers. Each value is known as a datum. The data set may comprise data for one or more members, corresponding to the number of rows. The values follow the same conventions as the data streams described in section 4.1 (numeric or nominal, one kind per variable, missing values marked), and the binary classifiers trained on this data are those described in section 5.1.

6.2. Multi Boosting
The effect of combining different classifiers can be explained with the theory of bias-variance decomposition. Bias refers to error due to the learning algorithm, while variance refers to error due to the learned model; the expected error of a classifier decomposes into a bias term and a variance term (plus irreducible noise). To reduce bias and variance, several ensemble approaches have been introduced: Adaptive Boosting (AdaBoost), Bootstrap Aggregating (bagging), wagging and MultiBoosting. This is why the idea emerged of combining both, in order to profit from the advantages of both algorithms and obtain an overall error reduction.

6.3. Testing
Software Testing
Software testing is a critical element of software quality assurance and represents the ultimate review of specification, design and coding. The software testing process is the means by which people, methods, measurements, tools and equipment are integrated to test a software product. Software testing ensures that the system works accurately and efficiently

before the live action commences. The quality and effectiveness of software testing are primarily determined by the quality of the test process used. Testing has its own cycle, and the candidate system is subjected to a variety of tests.

Testing Strategies
The following strategic issues must be addressed if a successful software testing strategy is to be implemented for the developed application:
- Specify product requirements in a quantifiable manner long before testing commences.
- State testing objectives explicitly.
- Understand the needs of users and develop a profile for each category of user.
- Build robust software that incorporates techniques enabling it to test itself.
- Use effective formal technical reviews as a filter prior to testing.
- Conduct formal technical reviews to assess the test strategy and the test cases themselves.
- Develop a continuous-improvement approach for the testing process.

Unit Testing
Unit testing, also known as module testing, focuses verification effort on the module. The module is tested separately, and this is carried out at the programming stage itself. A unit test comprises the set of tests performed by an individual programmer before integration of the unit into the system. It focuses on the smallest unit of software design, the software component or module; it is white-box oriented, and can be conducted in parallel for multiple components.

Functional Testing
Functional test cases involve exercising the code with normal input values for which the expected results are known, as well as with boundary values.

Integration Testing
Integration testing is a systematic technique for constructing the program structure while at the same time conducting tests to uncover errors associated with the interfaces. It takes the unit-tested modules and builds a program structure: all the modules are combined and tested as a whole. Integration of all the components forms the entire system, on which overall testing is executed.

Validation Testing
Validation testing succeeds when the software functions in a manner that can reasonably be expected by the client. Software validation is achieved through a series of black-box tests that confirm conformance to the requirements. Black-box testing is conducted at the software interface; it is designed to uncover interface errors, and is also used to demonstrate that software functions are operational, that input is properly accepted, that output is produced and that the integrity of external information is maintained.

System Testing
Tests to find discrepancies between the system and its original objectives, current specifications and system documentation.

Structure Testing
Structure testing is concerned with exercising the internal logic of a program and traversing particular execution paths.

Output Testing
The output of test cases is compared with the expected results created during the design of the test cases. The output generated or displayed by the system is tested by asking the users about the format they require. Here the output format is considered in two ways, on screen and in printed form. The on-screen output was found to be correct, as the format was designed in the system design phase according to user needs, and the printed output matches the user's specified requirements for hard copy.

User Acceptance Testing
This is the final stage before handing over to the customer, and is usually carried out by the customer, executing the test cases with actual data. The system is tested for user acceptance while keeping in constant touch with the prospective system users during development, and making changes whenever required. It involves planning and executing various types of test in order to demonstrate that the implemented software system satisfies the requirements stated in the requirements document. Two sets of acceptance tests are run: those developed by the quality assurance group, and those developed by the customer.

System Implementation
C4.5 ALGORITHM
C4.5 is an algorithm used to generate a decision tree. It is an extension of Quinlan's earlier ID3 algorithm. The decision trees generated by C4.5 can be used for classification, and for this reason C4.5 is often referred to as a statistical classifier.

Algorithm
C4.5 builds decision trees from a set of training data in the same way as ID3, using the concept of information entropy. The training data is a set $S = \{s_1, s_2, \ldots\}$ of already classified samples. Each sample $s_i = (x_1, x_2, \ldots)$ is a vector whose components $x_1, x_2, \ldots$ represent attributes or features of the sample. The training data is augmented with a vector $C = (c_1, c_2, \ldots)$ whose components $c_1, c_2, \ldots$ represent the class to which each sample belongs.
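An added Python illustration, written for this page (it is not the paper's code and not Weka's J48), of the C4.5 procedure described here together with the one-vs-rest binary classifiers and confidence-based arbitration of sections 5.1 and 6.1: gain ratio as the split criterion, the base cases, a leaf that answers with its class distribution, and an arbitration function over one binary tree per class. It handles nominal attributes only; C4.5's threshold splits on continuous attributes and its pruning are left out. The training records are constructed flow summaries, not captured data:

```python
import math
from collections import Counter

# Constructed training records: flow summaries with nominal attributes and a
# class label (normal / scan / dos). Illustrative values only.
ATTRS = ["proto", "syn_only", "distinct_ports", "rate"]
TRAIN = [
    ({"proto": "tcp", "syn_only": "no",  "distinct_ports": "low",  "rate": "low"},  "normal"),
    ({"proto": "udp", "syn_only": "no",  "distinct_ports": "low",  "rate": "low"},  "normal"),
    ({"proto": "tcp", "syn_only": "no",  "distinct_ports": "low",  "rate": "mid"},  "normal"),
    ({"proto": "tcp", "syn_only": "yes", "distinct_ports": "high", "rate": "mid"},  "scan"),
    ({"proto": "tcp", "syn_only": "yes", "distinct_ports": "high", "rate": "low"},  "scan"),
    ({"proto": "udp", "syn_only": "no",  "distinct_ports": "high", "rate": "low"},  "scan"),
    ({"proto": "tcp", "syn_only": "yes", "distinct_ports": "low",  "rate": "high"}, "dos"),
    ({"proto": "udp", "syn_only": "no",  "distinct_ports": "low",  "rate": "high"}, "dos"),
]


def entropy(labels):
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def gain_ratio(rows, attr):
    """C4.5's criterion: information gain divided by the split information,
    which penalises attributes that fragment the data into many small subsets."""
    n = len(rows)
    parts = {}
    for x, y in rows:
        parts.setdefault(x[attr], []).append(y)
    gain = entropy([y for _, y in rows]) - sum(len(p) / n * entropy(p) for p in parts.values())
    split_info = -sum(len(p) / n * math.log2(len(p) / n) for p in parts.values())
    return gain / split_info if split_info > 0 else 0.0


def build_tree(rows, attrs):
    """Recursive induction. Base cases from the text: all samples share one
    class, or no attribute is left / none gives any gain -> a leaf holding the
    class distribution (its majority class is the 'expected value')."""
    dist = Counter(y for _, y in rows)
    if len(dist) == 1 or not attrs:
        return ("leaf", dist)
    best_score, best = max((gain_ratio(rows, a), a) for a in attrs)
    if best_score <= 0:
        return ("leaf", dist)
    children = {}
    for value in sorted({x[best] for x, _ in rows}):
        subset = [(x, y) for x, y in rows if x[best] == value]
        children[value] = build_tree(subset, [a for a in attrs if a != best])
    return ("node", best, children, dist)


def classify(tree, x):
    """Return (class, confidence). An attribute value never seen in training
    stops the descent and answers from the current node's distribution."""
    while tree[0] == "node":
        _, attr, children, _ = tree
        if x[attr] not in children:
            break
        tree = children[x[attr]]
    dist = tree[-1]
    cls, count = dist.most_common(1)[0]
    return cls, count / sum(dist.values())


def one_vs_rest(rows, attrs):
    """One binary tree per class (class vs. 'other'); each tree picks its own
    attributes, so different classes end up relying on different features."""
    models = {}
    for cls in sorted({y for _, y in rows}):
        binary = [(x, cls if y == cls else "other") for x, y in rows]
        models[cls] = build_tree(binary, attrs)
    return models


def arbitrate(models, x):
    """Arbitration function: the class whose own binary classifier fires with
    the highest confidence wins; if none fires, the sample is 'unknown'."""
    best = ("unknown", 0.0)
    for cls, tree in models.items():
        pred, conf = classify(tree, x)
        if pred == cls and conf > best[1]:
            best = (cls, conf)
    return best


if __name__ == "__main__":
    sample = {"proto": "tcp", "syn_only": "yes", "distinct_ports": "high", "rate": "low"}
    print(classify(build_tree(TRAIN, ATTRS), sample))
    print(arbitrate(one_vs_rest(TRAIN, ATTRS), sample))
```

On this data the multi-class tree splits on distinct_ports first and then on rate, while the per-class binary trees choose different roots; the "unknown" outcome is what the arbitration returns when no binary classifier claims the sample, which is the case an operator must decide how to route.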
At each node of the tree, C4.5 chooses the attribute of the data that most effectively splits its set of samples into subsets enriched in one class or the other. Its criterion is the normalised information gain (difference in entropy) that results from choosing an attribute to split the data; the attribute with the highest normalised information gain is chosen to make the decision. The C4.5 algorithm then recurses on the smaller sublists. The algorithm has a few base cases:
- All the samples in the list belong to the same class. When this happens, it simply creates a leaf node for the decision tree saying to choose that class.
- None of the features provides any information gain. In this case, C4.5 creates a decision node higher up the tree using the expected value of the class.
- An instance of a previously unseen class is encountered. Again, C4.5 creates a decision node higher up the tree using the expected value.

In pseudocode the algorithm is:
  Check for base cases

  For each attribute a:
      Find the normalised information gain from splitting on a
  Let a_best be the attribute with the highest normalised information gain
  Create a decision node that splits on a_best
  Recurse on the sublists obtained by splitting on a_best, and add those nodes as children of the node

J48 is an open-source Java implementation of the C4.5 algorithm in the Weka data mining tool.

7. CONCLUSION
In this paper we propose a new data-mining based approach that combines multiboosting with an ensemble of binary classifiers. Computers solve many complicated problems easily and are a great boon to humanity; the project entitled A NEW DATA MINING BASED APPROACH FOR NETWORK INTRUSION DETECTION is very useful to the user in addressing the problems surrounding network intrusion. The approach consists of three major functions: generation of accurate binary classifiers by applying different features for different types of attack; a new ensemble approach of the binary classifiers for removing bias; and applying multiboosting for reducing both bias and variance. The software serves as a tool that makes the tedious tasks of the administrator easier and more compact, and is intended to reduce the strain on the organisation that operates it.

8. FUTURE ENHANCEMENT
This project model performs well, and we even obtain a detection rate of % using the gain ratio criterion, as well as high detection rates overall. The project inspects network packets only; in future it could be extended to process online and offline content as well. With some additional functionality it would provide all the features of firewall software.


More information

Business Club. Decision Trees

Business Club. Decision Trees Business Club Decision Trees Business Club Analytics Team December 2017 Index 1. Motivation- A Case Study 2. The Trees a. What is a decision tree b. Representation 3. Regression v/s Classification 4. Building

More information

CSC Network Security

CSC Network Security CSC 474 -- Security Topic 9. Firewalls CSC 474 Dr. Peng Ning 1 Outline Overview of Firewalls Filtering Firewalls Proxy Servers CSC 474 Dr. Peng Ning 2 Overview of Firewalls CSC 474 Dr. Peng Ning 3 1 Internet

More information

INTRODUCTORY COMPUTER

INTRODUCTORY COMPUTER INTRODUCTORY COMPUTER NETWORKS TYPES OF NETWORKS Faramarz Hendessi Introductory Computer Networks Lecture 4 Fall 2010 Isfahan University of technology Dr. Faramarz Hendessi 2 Types of Networks Circuit

More information

Intrusion Detection Systems

Intrusion Detection Systems Intrusion Detection Systems Dr. Ahmad Almulhem Computer Engineering Department, KFUPM Spring 2008 Ahmad Almulhem - Network Security Engineering - 2008 1 / 15 Outline 1 Introduction Overview History 2 Types

More information

A Review Paper on Network Security Attacks and Defences

A Review Paper on Network Security Attacks and Defences EUROPEAN ACADEMIC RESEARCH Vol. IV, Issue 12/ March 2017 ISSN 2286-4822 www.euacademic.org Impact Factor: 3.4546 (UIF) DRJI Value: 5.9 (B+) A Review Paper on Network Security Attacks and ALLYSA ASHLEY

More information

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies Comparison of Firewall, Intrusion Prevention and Antivirus Technologies (How each protects the network) Dr. Gaurav Kumar Jain Email: gaurav.rinkujain.jain@gmail.com Mr. Pradeep Sharma Mukul Verma Abstract

More information

Slides for Data Mining by I. H. Witten and E. Frank

Slides for Data Mining by I. H. Witten and E. Frank Slides for Data Mining by I. H. Witten and E. Frank 7 Engineering the input and output Attribute selection Scheme-independent, scheme-specific Attribute discretization Unsupervised, supervised, error-

More information

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL CONTENTS EXECUTIVE SUMMARY 1 WEB APPLICATION SECURITY CHALLENGES 2 INSIST ON BEST-IN-CLASS CORE CAPABILITIES 3 HARNESSING ARTIFICIAL INTELLIGENCE

More information

Hybrid Feature Selection for Modeling Intrusion Detection Systems

Hybrid Feature Selection for Modeling Intrusion Detection Systems Hybrid Feature Selection for Modeling Intrusion Detection Systems Srilatha Chebrolu, Ajith Abraham and Johnson P Thomas Department of Computer Science, Oklahoma State University, USA ajith.abraham@ieee.org,

More information

Activating Intrusion Prevention Service

Activating Intrusion Prevention Service Activating Intrusion Prevention Service Intrusion Prevention Service Overview Configuring Intrusion Prevention Service Intrusion Prevention Service Overview Intrusion Prevention Service (IPS) delivers

More information

6, 11, 2016 ISSN: X

6, 11, 2016 ISSN: X Volume 6, Issue 11, November 2016 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Evaluating

More information

Decision Trees Dr. G. Bharadwaja Kumar VIT Chennai

Decision Trees Dr. G. Bharadwaja Kumar VIT Chennai Decision Trees Decision Tree Decision Trees (DTs) are a nonparametric supervised learning method used for classification and regression. The goal is to create a model that predicts the value of a target

More information

ANOMALY DETECTION IN COMMUNICTION NETWORKS

ANOMALY DETECTION IN COMMUNICTION NETWORKS Anomaly Detection Summer School Lecture 2014 ANOMALY DETECTION IN COMMUNICTION NETWORKS Prof. D.J.Parish and Francisco Aparicio-Navarro Loughborough University (School of Electronic, Electrical and Systems

More information

Preprocessing Short Lecture Notes cse352. Professor Anita Wasilewska

Preprocessing Short Lecture Notes cse352. Professor Anita Wasilewska Preprocessing Short Lecture Notes cse352 Professor Anita Wasilewska Data Preprocessing Why preprocess the data? Data cleaning Data integration and transformation Data reduction Discretization and concept

More information

A Study on Intrusion Detection Techniques in a TCP/IP Environment

A Study on Intrusion Detection Techniques in a TCP/IP Environment A Study on Intrusion Detection Techniques in a TCP/IP Environment C. A. Voglis and S. A. Paschos Department of Computer Science University of Ioannina GREECE Abstract: The TCP/IP protocol suite is the

More information

Multivariate Correlation Analysis based detection of DOS with Tracebacking

Multivariate Correlation Analysis based detection of DOS with Tracebacking 1 Multivariate Correlation Analysis based detection of DOS with Tracebacking Jasheeda P Student Department of CSE Kathir College of Engineering Coimbatore jashi108@gmail.com T.K.P.Rajagopal Associate Professor

More information

Machine Learning Techniques for Data Mining

Machine Learning Techniques for Data Mining Machine Learning Techniques for Data Mining Eibe Frank University of Waikato New Zealand 10/25/2000 1 PART VII Moving on: Engineering the input and output 10/25/2000 2 Applying a learner is not all Already

More information

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta CYBER ANALYTICS Architecture Overview Technical Brief May 2016 novetta.com 2016, Novetta Novetta Cyber Analytics: Technical Architecture Overview 1 INTRODUCTION 2 CAPTURE AND PROCESS ALL NETWORK TRAFFIC

More information

Data Preprocessing. Slides by: Shree Jaswal

Data Preprocessing. Slides by: Shree Jaswal Data Preprocessing Slides by: Shree Jaswal Topics to be covered Why Preprocessing? Data Cleaning; Data Integration; Data Reduction: Attribute subset selection, Histograms, Clustering and Sampling; Data

More information

Automation the process of unifying the change in the firewall performance

Automation the process of unifying the change in the firewall performance Automation the process of unifying the change in the firewall performance 1 Kirandeep kaur, 1 Student - Department of Computer science and Engineering, Lovely professional university, Phagwara Abstract

More information

Statistical based Approach for Packet Classification

Statistical based Approach for Packet Classification Statistical based Approach for Packet Classification Dr. Mrudul Dixit 1, Ankita Sanjay Moholkar 2, Sagarika Satish Limaye 2, Devashree Chandrashekhar Limaye 2 Cummins College of engineering for women,

More information

Configuring attack detection and prevention 1

Configuring attack detection and prevention 1 Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack

More information

2. Data Preprocessing

2. Data Preprocessing 2. Data Preprocessing Contents of this Chapter 2.1 Introduction 2.2 Data cleaning 2.3 Data integration 2.4 Data transformation 2.5 Data reduction Reference: [Han and Kamber 2006, Chapter 2] SFU, CMPT 459

More information

3. Data Preprocessing. 3.1 Introduction

3. Data Preprocessing. 3.1 Introduction 3. Data Preprocessing Contents of this Chapter 3.1 Introduction 3.2 Data cleaning 3.3 Data integration 3.4 Data transformation 3.5 Data reduction SFU, CMPT 740, 03-3, Martin Ester 84 3.1 Introduction Motivation

More information

Built-in functionality of CYBERQUEST

Built-in functionality of CYBERQUEST CYBERQUEST Knows everything Built-in functionality of CYBERQUEST Summary Demonstration of CyberQuest functionality E-mail: office@nextgensoftware.solutions Content Intro... 3 Built-in functionality of CYBERQUEST...

More information

Iteration Reduction K Means Clustering Algorithm

Iteration Reduction K Means Clustering Algorithm Iteration Reduction K Means Clustering Algorithm Kedar Sawant 1 and Snehal Bhogan 2 1 Department of Computer Engineering, Agnel Institute of Technology and Design, Assagao, Goa 403507, India 2 Department

More information

COMP 465: Data Mining Classification Basics

COMP 465: Data Mining Classification Basics Supervised vs. Unsupervised Learning COMP 465: Data Mining Classification Basics Slides Adapted From : Jiawei Han, Micheline Kamber & Jian Pei Data Mining: Concepts and Techniques, 3 rd ed. Supervised

More information

Modeling Intrusion Detection Systems With Machine Learning And Selected Attributes

Modeling Intrusion Detection Systems With Machine Learning And Selected Attributes Modeling Intrusion Detection Systems With Machine Learning And Selected Attributes Thaksen J. Parvat USET G.G.S.Indratrastha University Dwarka, New Delhi 78 pthaksen.sit@sinhgad.edu Abstract Intrusion

More information

Network Traffic Measurements and Analysis

Network Traffic Measurements and Analysis DEIB - Politecnico di Milano Fall, 2017 Sources Hastie, Tibshirani, Friedman: The Elements of Statistical Learning James, Witten, Hastie, Tibshirani: An Introduction to Statistical Learning Andrew Ng:

More information

Ensemble Methods, Decision Trees

Ensemble Methods, Decision Trees CS 1675: Intro to Machine Learning Ensemble Methods, Decision Trees Prof. Adriana Kovashka University of Pittsburgh November 13, 2018 Plan for This Lecture Ensemble methods: introduction Boosting Algorithm

More information

* Knowledge of Adaptive Security Appliance (ASA) firewall, Adaptive Security Device Manager (ASDM).

* Knowledge of Adaptive Security Appliance (ASA) firewall, Adaptive Security Device Manager (ASDM). Contents Introduction Prerequisites Requirements Components Used Background Information Configuration Step 1. Configure Intrusion Policy Step 1.1. Create Intrusion Policy Step 1.2. Modify Intrusion Policy

More information

Intrusion Detection System using AI and Machine Learning Algorithm

Intrusion Detection System using AI and Machine Learning Algorithm Intrusion Detection System using AI and Machine Learning Algorithm Syam Akhil Repalle 1, Venkata Ratnam Kolluru 2 1 Student, Department of Electronics and Communication Engineering, Koneru Lakshmaiah Educational

More information

CSC 411 Lecture 4: Ensembles I

CSC 411 Lecture 4: Ensembles I CSC 411 Lecture 4: Ensembles I Roger Grosse, Amir-massoud Farahmand, and Juan Carrasquilla University of Toronto UofT CSC 411: 04-Ensembles I 1 / 22 Overview We ve seen two particular classification algorithms:

More information

Effect of Principle Component Analysis and Support Vector Machine in Software Fault Prediction

Effect of Principle Component Analysis and Support Vector Machine in Software Fault Prediction International Journal of Computer Trends and Technology (IJCTT) volume 7 number 3 Jan 2014 Effect of Principle Component Analysis and Support Vector Machine in Software Fault Prediction A. Shanthini 1,

More information

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Computer Security And Privacy Chapter 9 Firewalls and Intrusion Prevention Systems ACS-3921/4921-001 Slides Used In The Course A note on the use of these slides: These slides has been

More information

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks A Security Whitepaper January, 2004 Photo courtesy of NASA Image exchange. Image use in no way implies endorsement by NASA of any of the

More information

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems Security+ Guide to Network Security Fundamentals, Third Edition Chapter 3 Protecting Systems Objectives Explain how to harden operating systems List ways to prevent attacks through a Web browser Define

More information

PREDICTION OF POPULAR SMARTPHONE COMPANIES IN THE SOCIETY

PREDICTION OF POPULAR SMARTPHONE COMPANIES IN THE SOCIETY PREDICTION OF POPULAR SMARTPHONE COMPANIES IN THE SOCIETY T.Ramya 1, A.Mithra 2, J.Sathiya 3, T.Abirami 4 1 Assistant Professor, 2,3,4 Nadar Saraswathi college of Arts and Science, Theni, Tamil Nadu (India)

More information

HOCS: HOST OSCOMMUNICATION SERVICE LAYER

HOCS: HOST OSCOMMUNICATION SERVICE LAYER International Journal of Civil Engineering and Technology (IJCIET) Volume 8, Issue 11, November 2017, pp. 35 41, Article ID: IJCIET_08_11_004 Available online at http://http://www.iaeme.com/ijciet/issues.asp?jtype=ijciet&vtype=8&itype=11

More information

Internet Security: Firewall

Internet Security: Firewall Internet Security: Firewall What is a Firewall firewall = wall to protect against fire propagation More like a moat around a medieval castle restricts entry to carefully controlled points restricts exits

More information

Big Data Analytics for Host Misbehavior Detection

Big Data Analytics for Host Misbehavior Detection Big Data Analytics for Host Misbehavior Detection Miguel Pupo Correia joint work with Daniel Gonçalves, João Bota (Vodafone PT) 2016 European Security Conference June 2016 Motivation Networks are complex,

More information

INTRUSION DETECTION SYSTEM USING BIG DATA FRAMEWORK

INTRUSION DETECTION SYSTEM USING BIG DATA FRAMEWORK INTRUSION DETECTION SYSTEM USING BIG DATA FRAMEWORK Abinesh Kamal K. U. and Shiju Sathyadevan Amrita Center for Cyber Security Systems and Networks, Amrita School of Engineering, Amritapuri, Amrita Vishwa

More information

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536) Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536) Prepared by Dr. Samia Chelloug E-mail: samia_chelloug@yahoo.fr Content

More information

Extra readings beyond the lecture slides are important:

Extra readings beyond the lecture slides are important: 1 Notes To preview next lecture: Check the lecture notes, if slides are not available: http://web.cse.ohio-state.edu/~sun.397/courses/au2017/cse5243-new.html Check UIUC course on the same topic. All their

More information

Cisco IOS Inline Intrusion Prevention System (IPS)

Cisco IOS Inline Intrusion Prevention System (IPS) Cisco IOS Inline Intrusion Prevention System (IPS) This data sheet provides an overview of the Cisco IOS Intrusion Prevention System (IPS) solution. Product Overview In today s business environment, network

More information

Smart Test Case Quantifier Using MC/DC Coverage Criterion

Smart Test Case Quantifier Using MC/DC Coverage Criterion Smart Test Case Quantifier Using MC/DC Coverage Criterion S. Shanmuga Priya 1, Sheba Kezia Malarchelvi 2 Abstract Software testing, an important phase in Software Development Life Cycle (SDLC) is a time

More information

COMPUTER NETWORK SECURITY

COMPUTER NETWORK SECURITY COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (9 th Week) 9. Firewalls and Intrusion Prevention Systems 9.Outline The Need for Firewalls Firewall Characterictics and Access Policy Type of Firewalls

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.

More information

ASA Access Control. Section 3

ASA Access Control. Section 3 [ 39 ] CCNP Security Firewall 642-617 Quick Reference Section 3 ASA Access Control Now that you have connectivity to the ASA and have configured basic networking settings on the ASA, you can start to look

More information

Using Ethereal As A Tool For Network Security Mentor: Mr. Christopher Edwards Team Members: Jerome Mitchell, Anthony Anderson, and Napoleon Paxton

Using Ethereal As A Tool For Network Security Mentor: Mr. Christopher Edwards Team Members: Jerome Mitchell, Anthony Anderson, and Napoleon Paxton Using Ethereal As A Tool For Network Security Mentor: Mr. Christopher Edwards Team Members: Jerome Mitchell, Anthony Anderson, and Napoleon Paxton Abstract The Office of Navel Research Network Team actively

More information

How to Configure IPS Policies

How to Configure IPS Policies IPS policies control the behavior of the IPS when an attack is detected. You can define multiple IPS policies and apply them to individual firewall rules as needed. In this article: Default IPS Policy

More information

Configuring attack detection and prevention 1

Configuring attack detection and prevention 1 Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack

More information

CAMELOT Configuration Overview Step-by-Step

CAMELOT Configuration Overview Step-by-Step General Mode of Operation Page: 1 CAMELOT Configuration Overview Step-by-Step 1. General Mode of Operation CAMELOT consists basically of three analytic processes running in a row before the email reaches

More information

Software Testing Strategies. Slides copyright 1996, 2001, 2005, 2009, 2014 by Roger S. Pressman. For non-profit educational use only

Software Testing Strategies. Slides copyright 1996, 2001, 2005, 2009, 2014 by Roger S. Pressman. For non-profit educational use only Chapter 22 Software Testing Strategies Slide Set to accompany Software Engineering: A Practitioner s Approach, 8/e by Roger S. Pressman and Bruce R. Maxim Slides copyright 1996, 2001, 2005, 2009, 2014

More information

Method for security monitoring and special filtering traffic mode in info communication systems

Method for security monitoring and special filtering traffic mode in info communication systems Method for security monitoring and special filtering traffic mode in info communication systems Sherzod Rajaboyevich Gulomov Provide Information Security department Tashkent University of Information Technologies

More information

Pimp My PE: Parsing Malicious and Malformed Executables. Virus Bulletin 2007

Pimp My PE: Parsing Malicious and Malformed Executables. Virus Bulletin 2007 Pimp My PE: Parsing Malicious and Malformed Executables Virus Bulletin 2007 Authors Sunbelt Software, Tampa FL Anti-Malware SDK team: Casey Sheehan, lead developer Nick Hnatiw, developer / researcher Tom

More information

AUTOMATED SECURITY ASSESSMENT AND MANAGEMENT OF THE ELECTRIC POWER GRID

AUTOMATED SECURITY ASSESSMENT AND MANAGEMENT OF THE ELECTRIC POWER GRID AUTOMATED SECURITY ASSESSMENT AND MANAGEMENT OF THE ELECTRIC POWER GRID Sherif Abdelwahed Department of Electrical and Computer Engineering Mississippi State University Autonomic Security Management Modern

More information

Network Security: Firewall, VPN, IDS/IPS, SIEM

Network Security: Firewall, VPN, IDS/IPS, SIEM Security: Firewall, VPN, IDS/IPS, SIEM Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr What is a Firewall? A firewall is hardware, software, or a combination of both that is used to prevent unauthorized

More information

A New Platform NIDS Based On WEMA

A New Platform NIDS Based On WEMA I.J. Information Technology and Computer Science, 2015, 06, 52-58 Published Online May 2015 in MECS (http://www.mecs-press.org/) DOI: 10.5815/ijitcs.2015.06.07 A New Platform NIDS Based On WEMA Adnan A.

More information

Developing the Sensor Capability in Cyber Security

Developing the Sensor Capability in Cyber Security Developing the Sensor Capability in Cyber Security Tero Kokkonen, Ph.D. +358504385317 tero.kokkonen@jamk.fi JYVSECTEC JYVSECTEC - Jyväskylä Security Technology - is the cyber security research, development

More information

A Comparative Study of Selected Classification Algorithms of Data Mining

A Comparative Study of Selected Classification Algorithms of Data Mining Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 4, Issue. 6, June 2015, pg.220

More information

Extended R-Tree Indexing Structure for Ensemble Stream Data Classification

Extended R-Tree Indexing Structure for Ensemble Stream Data Classification Extended R-Tree Indexing Structure for Ensemble Stream Data Classification P. Sravanthi M.Tech Student, Department of CSE KMM Institute of Technology and Sciences Tirupati, India J. S. Ananda Kumar Assistant

More information

URL ATTACKS: Classification of URLs via Analysis and Learning

URL ATTACKS: Classification of URLs via Analysis and Learning International Journal of Electrical and Computer Engineering (IJECE) Vol. 6, No. 3, June 2016, pp. 980 ~ 985 ISSN: 2088-8708, DOI: 10.11591/ijece.v6i3.7208 980 URL ATTACKS: Classification of URLs via Analysis

More information

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review ACS-3921-001/4921-001 Computer Security And Privacy Fall 2018 Mid-Term Review ACS-3921/4921-001 Slides Used In The Course A note on the use of these slides: These slides has been adopted and/or modified

More information

Measuring Intrusion Detection Capability: An Information- Theoretic Approach

Measuring Intrusion Detection Capability: An Information- Theoretic Approach Measuring Intrusion Detection Capability: An Information- Theoretic Approach Guofei Gu, Prahlad Fogla, David Dagon, Wenke Lee Georgia Tech Boris Skoric Philips Research Lab Outline Motivation Problem Why

More information

EFFECTIVE INTRUSION DETECTION AND REDUCING SECURITY RISKS IN VIRTUAL NETWORKS (EDSV)

EFFECTIVE INTRUSION DETECTION AND REDUCING SECURITY RISKS IN VIRTUAL NETWORKS (EDSV) Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 3, Issue. 8, August 2014,

More information

CERT-In. Indian Computer Emergency Response Team ANTI VIRUS POLICY & BEST PRACTICES

CERT-In. Indian Computer Emergency Response Team ANTI VIRUS POLICY & BEST PRACTICES CERT-In Indian Computer Emergency Response Team ANTI VIRUS POLICY & BEST PRACTICES Department of Information Technology Ministry of Communications and Information Technology Government of India Anti Virus

More information

Data Mining. 3.5 Lazy Learners (Instance-Based Learners) Fall Instructor: Dr. Masoud Yaghini. Lazy Learners

Data Mining. 3.5 Lazy Learners (Instance-Based Learners) Fall Instructor: Dr. Masoud Yaghini. Lazy Learners Data Mining 3.5 (Instance-Based Learners) Fall 2008 Instructor: Dr. Masoud Yaghini Outline Introduction k-nearest-neighbor Classifiers References Introduction Introduction Lazy vs. eager learning Eager

More information

International Journal of Scientific Research & Engineering Trends Volume 4, Issue 6, Nov-Dec-2018, ISSN (Online): X

International Journal of Scientific Research & Engineering Trends Volume 4, Issue 6, Nov-Dec-2018, ISSN (Online): X Analysis about Classification Techniques on Categorical Data in Data Mining Assistant Professor P. Meena Department of Computer Science Adhiyaman Arts and Science College for Women Uthangarai, Krishnagiri,

More information

Internetworking Part 1

Internetworking Part 1 CMPE 344 Computer Networks Spring 2012 Internetworking Part 1 Reading: Peterson and Davie, 3.1 22/03/2012 1 Not all networks are directly connected Limit to how many hosts can be attached Point-to-point:

More information

Simple and Powerful Security for PCI DSS

Simple and Powerful Security for PCI DSS Simple and Powerful Security for PCI DSS The regulations AccessEnforcer helps check off your list. Most merchants think they are too small to be targeted by hackers. In fact, their small size makes them

More information

Training UNIFIED SECURITY. Signature based packet analysis

Training UNIFIED SECURITY. Signature based packet analysis Training UNIFIED SECURITY Signature based packet analysis At the core of its scanning technology, Kerio Control integrates a packet analyzer based on Snort. Snort is an open source IDS/IPS system that

More information

Chapter 9. Firewalls

Chapter 9. Firewalls Chapter 9 Firewalls The Need For Firewalls Internet connectivity is essential Effective means of protecting LANs Inserted between the premises network and the Internet to establish a controlled link however

More information

INTRUSION DETECTION MODEL IN DATA MINING BASED ON ENSEMBLE APPROACH

INTRUSION DETECTION MODEL IN DATA MINING BASED ON ENSEMBLE APPROACH INTRUSION DETECTION MODEL IN DATA MINING BASED ON ENSEMBLE APPROACH VIKAS SANNADY 1, POONAM GUPTA 2 1Asst.Professor, Department of Computer Science, GTBCPTE, Bilaspur, chhattisgarh, India 2Asst.Professor,

More information

Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng

Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Internet Security Mechanisms Prevent: Firewall, IPsec, SSL Detect: Intrusion Detection Survive/ Response:

More information

Chapter 7. Network Intrusion Detection and Analysis. SeoulTech UCS Lab (Daming Wu)

Chapter 7. Network Intrusion Detection and Analysis. SeoulTech UCS Lab (Daming Wu) SeoulTech UCS Lab Chapter 7 Network Intrusion Detection and Analysis 2015. 11. 3 (Daming Wu) Email: wdm1517@gmail.com Copyright c 2015 by USC Lab All Rights Reserved. Table of Contents 7.1 Why Investigate

More information

Internet Traffic Classification using Machine Learning

Internet Traffic Classification using Machine Learning Internet Traffic Classification using Machine Learning by Alina Lapina 2018, UiO, INF5050 Alina Lapina, Master student at IFI, Full stack developer at Ciber Experis 2 Based on Thuy T. T. Nguyen, Grenville

More information