HSNORT: A Hybrid Intrusion Detection System using Artificial Intelligence with Snort

Similar documents
Intrusion Detection. Comp Sci 3600 Security. Introduction. Analysis. Host-based. Network-based. Distributed or hybrid. ID data standards.

Anomaly Detection in Communication Networks

Snort TM diagrams for developers

CSE 565 Computer Security Fall 2018

Intrusion Detection Using Data Mining Technique (Classification)

IJSER. Virtualization Intrusion Detection System in Cloud Environment Ku.Rupali D. Wankhade. Department of Computer Science and Technology

2. INTRUDER DETECTION SYSTEMS

IDS: Signature Detection

Audit Logging and Monitoring Procedure Document Number: OIL-IS-PRO-ALM

Intrusion Detection and Prevention

intelop Stealth IPS false Positive

Overview Intrusion Detection Systems and Practices

ANOMALY DETECTION IN COMMUNICTION NETWORKS

Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng

Intrusion Detection Systems

Intrusion Detection System

Introduction to IA Class Notes. 2 Copyright 2018 M. E. Kabay. All rights reserved. 4 Copyright 2018 M. E. Kabay. All rights reserved.

CND Exam Blueprint v2.0

CS Review. Prof. Clarkson Spring 2017

Emerging Threat Intelligence using IDS/IPS. Chris Arman Kiloyan

CSE 565 Computer Security Fall 2018

Review on Data Mining Techniques for Intrusion Detection System

Intrusion Detection. Overview. Intrusion vs. Extrusion Detection. Concepts. Raj Jain. Washington University in St. Louis

Intrusion Detection System with FGA and MLP Algorithm

Means for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content

IC32E - Pre-Instructional Survey

Chapter 9. Firewalls

INFORMATION ASSURANCE DIRECTORATE

Developing the Sensor Capability in Cyber Security

What is a firewall? Firewall and IDS/IPS. Firewall design. Ingress vs. Egress firewall. The security index

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Behavior-Based IDS: StealthWatch Overview and Deployment Methodology

Introduction and Statement of the Problem

Intrusion Detection Systems Overview

Mobile Agent Based Adaptive Intrusion Detection and Prevention Systems

Detecting and Preventing Network Address Spoofing

CS Review. Prof. Clarkson Spring 2016

Firewalls, Tunnels, and Network Intrusion Detection

Intrusion Detection - Snort

Raj Jain. Washington University in St. Louis

Efficient Method for Intrusion Detection in Multitenanat Data Center; A Review

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

Firewall and IDS/IPS. What is a firewall?

Current Trends in Network Intrusion Detection Techniques

Computer Network Vulnerabilities

Unlocking the Power of the Cloud

Computer Security: Principles and Practice

CIH

Securing CS-MARS C H A P T E R

Carbon Black PCI Compliance Mapping Checklist

A Survey And Comparative Analysis Of Data

ARAKIS An Early Warning and Attack Identification System

Network Security: Firewall, VPN, IDS/IPS, SIEM

Intrusion Detection - Snort

Intrusion Detection System using AI and Machine Learning Algorithm

Internet Scanner 7.0 Service Pack 2 Frequently Asked Questions

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring

International Journal of Scientific & Engineering Research, Volume 4, Issue 7, July-2013 ISSN

LOGmanager and PCI Data Security Standard v3.2 compliance

Training for the cyber professionals of tomorrow

CE Advanced Network Security

Vulnerability Assessment. Detection. Aspects of Assessment. 1. Asset Identification. 1. Asset Identification. How Much Danger Am I In?

Flow-based Anomaly Intrusion Detection System Using Neural Network

CS419 Spring Computer Security. Vinod Ganapathy Lecture 13. Chapter 6: Intrusion Detection

Paloalto Networks PCNSA EXAM

NetDetector The Most Advanced Network Security and Forensics Analysis System

Basic Concepts in Intrusion Detection

Implementation of Signature-based Detection System using Snort in Windows

Intrusion Detection Systems (IDS)

ARC VIEW. Critical Industries Need Continuous ICS Security Monitoring. Keywords. Summary. By Sid Snitkin

Network Performance Analysis System. White Paper

Detecting and Blocking Encrypted Anonymous Traffic using Deep Packet Inspection

CIT 480: Securing Computer Systems. Putting It All Together

COMPUTER NETWORK SECURITY

ProCurve Network Immunity

Intrusion Detection System based on Support Vector Machine and BN-KDD Data Set

How AlienVault ICS SIEM Supports Compliance with CFATS

Cloud Security (WS 2015/16)

Network Intrusion Analysis (Hands on)

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Network Security. Chapter 0. Attacks and Attack Detection

Overview. Handling Security Incidents. Attack Terms and Concepts. Types of Attacks

Terms, Methodology, Preparation, Obstacles, and Pitfalls. Vulnerability Assessment Course

Scanning. Course Learning Outcomes for Unit III. Reading Assignment. Unit Lesson UNIT III STUDY GUIDE

Intrusion Detection. October 19, 2018

Intrusion Detection Systems (IDS)

A Network Intrusion Detection System Architecture Based on Snort and. Computational Intelligence

Virtual CMS Honey pot capturing threats In web applications 1 BADI ALEKHYA, ASSITANT PROFESSOR, DEPT OF CSE, T.J.S ENGINEERING COLLEGE


Chapter 4. Network Security. Part I

Detecting & Eliminating Rogue Access Point in IEEE WLAN

Double Guard: Detecting intrusions in Multitier web applications with Security

Different attack manifestations Network packets OS calls Audit records Application logs Different types of intrusion detection Host vs network IT

Pass4sure q. Cisco Securing Cisco Networks with Sourcefire IPS

Chapter 7. Network Intrusion Detection and Analysis. SeoulTech UCS Lab (Daming Wu)

CS 356 Operating System Security. Fall 2013

Improving Your Network Defense. Joel M Snyder Senior Partner Opus One

An Anomaly-Based Intrusion Detection System for the Smart Grid Based on CART Decision Tree

Transcription:

HSNORT: A Hybrid Intrusion Detection System using Artificial Intelligence with Snort Divya Asst. Prof. in CSE Department Haryana Institute of Technology, India Surender Lakra Asst. Prof. in CSE Department Haryana Institute of Technology, India Abstract: In this paper, we discussed a methodology of applying artificial intelligence into intrusion detection using snort system. Intrusions detection systems (IDSs) are systems that try to detect attacks as they occur or after the attacks took place. Hybrid Snort system is proposed for network security. A brief overview of Intrusion Detection System (IDS), snort, artificial intelligence and related detection techniques are discussed. The purpose of this paper is to describe some new ideas in intrusion detection system. (v) (vi) (vii) (viii) Preventing problem-behaviors by increasing the perceived risk of discovery Forensic analysis Presenting traces of intrusions, allowing improved diagnosis, recovery and corrective measures after an attack Documenting the existing threat from inside and outside a system, permitting security management to realistically assess risk and adapt its security strategy in response. Keywords: IDS, Snort, Neural Network, Data mining. 1. Introduction It Look for attack signatures, which are specific patterns that usually indicate malicious or suspicious intent. An intrusion detection system (IDS) is a system that is designed to capture intrusion attempts so that measures can be taken to limit damage and prevent future attacks. This is typically accomplished by sending alerts anytime the IDS detect an attack. IDSs can be broken down by where they gather their data and how they check for attacks. Intrusion Detection System (IDS) is an authorized way of identifying illegitimate users, attacks and vulnerabilities that could affect the proper functioning of computer systems. IDSs detect some set of intrusions and execute some predetermined actions when an intrusion is detected. The main benefits: (i) (ii) (iii) (iv) Detecting attacks and other security violations Recognize damage and affected systems It doesn't compensate for bad security Acting as quality control for security design and implementation Characteristics of Intrusion Detection Systems: In order to satisfy its functions, the ideal intrusion detection system should have the following characteristics: Timeliness: It should detect intrusions either while they are happening or shortly afterwards. High probability of detection: It should recognize all or most intrusions. Low false-alarm rate: It should have a low number of false intrusion alarms. Specificity: In identifying attacks, it should give sufficient characterization data to support an effective response. Scalability: It should be applicable to large (infinite) networks. Low a priori information: It should require a minimum of a priori information about potential attackers and their methods. 2. Basic types 2.1 Host based The host operating system or the application logs in the audit information. These audit information includes events like the use of identification and authentication mechanisms, file opens and program 466

executions, admin activities etc. This audit is then analyzed to detect trails of intrusion. Host-based IDS monitors network traffic of a particular host and some system events on the host itself. One may be installed on each host or simply on some chosen critical ones within a network. 2.2 Network based This IDS looks for attack signatures in network traffic via a promiscuous interface. A filter is usually applied to determine which traffic will be discarded or passed on to an attack recognition module. This helps to filter out known un-malicious traffic. Intrusion detection is a security technology that attempts to identify intrusions against a computer network. An intrusion is an unauthorized usage of or misuse of a computer system. In order to discover these intrusions a network administrator can employ an intrusion detection system (IDS). 2.3 Hybrid The management and alerting from both network and host based intrusion detection devices, and provide the logical complement to NID and HID - central intrusion detection management. 3. Classification of IDS 3.1 Misuse Detection-based IDS Misuse detection technique is the most widespread approach used in the commercial world of IDSs. The basic idea is to use the knowledge of known attack patterns and apply this knowledge to identify attacks in various sources of data being monitored. 3.2 Signature based approach Signature based approach of misuse detection works just similar to the existing anti-virus software. In this approach the semantic characteristics of an attack is analyzed and details is used to form attack signatures. The attack signatures are formed in such a way that they can be searched using information in audit data logs produced by computer systems. 3.3 Anomaly-Based Detection historical data are collected over a period of normal operation. IDSs monitor current event data and use a variety of measures to distinguish between abnormal and normal activities. 4. Existing Snort system Snort is a free and open source Network Intrusion Prevention System (NIPS) and Network Intrusion Detection System (NIDS) capable of performing packet logging and real time traffic analysis on IP networks. Snort performs protocol analysis and content searching/ matching, it is commonly used to actively block or passively detect a variety of attacks and probes, such as buffer overflows, stealth port scans, web applications attacks, SMB Probes, and OS fingerprinting attempts amongst other features. The software is mostly used for intrusion prevention purposes by dropping attacks as they are taking place. Snort Tap Placement Natural Choke Points: Areas where the network topology creates a single traffic path Artificial Choke Points: Exist due to logical topology of the network Intranet Trust/Un-trust Zone Boundaries: Similar to Natural Choke Points but are intra-network Snort Rules The license applied to the rules depends on who wrote or maintains them; there are several sources of rules on Snort: Official Snort Rules: Rules maintained by the Vulnerability Research Team (VRT). Certified Rules are distributed under the VRT Certified Rules License Agreement [68]. It enables registered endusers to freely download and use rules that have been certified by the Sourcefire VRT while restricting commercial redistribution. Community Rules: SourceFire is committed with keeping Snort as an open platform. They host rules submitted by the community, previously performing some basic tests to make sure they will not break Snort. These rules are distributed under the GPL and are freely available to all Snort users. Other Sources: Rules found on other sources might be under any license; freely available or not. It is up to its owner to decide which license applies. Anomaly detection identifies abnormal behavior. It requires the prior construction of profiles for normal behavior of users, hosts or networks; therefore, 467

Detection Plug-ins are modules referenced from its definition in the rules files. They are used to identify patterns whenever a rule is evaluated. Detection Engine Making use of the detection plug-ins, it matches packets against rules loaded into memory during Snort initialization. Output Plug-ins are the modules which allow formating the notifications (alerts, logs) for the user to access them in many ways (console, extern files etc). 5. Different AI Types There are several different soft computing techniques and algorithms that can be successfully used to detect intrusions. These techniques include: Fuzzy logic Probabilistic reasoning Neural networks Genetic algorithms Fig.1: Snort Architecture [5] Internal Structure It illustrates the modules in which Snort is divided: Packet Capture Module is based on the popular packet programming library libpcap; can be optimized for MMAPed pcap in case of looking for performance. It provides a high-level interface to packet capture. Decoder fits the captured packets into data structures and identifies link level protocols. Then, it takes the next level, decodes IP, and then TCP or UDP in order to get useful information like ports and addresses. Snort will alert if it finds malformed headers. Preprocessors could be seen like some kind of filter, which identifies things that should be checked later such as suspicious connection attempts to some TCP/UDP ports or too many TCP SYN packets sent in a short period of time. Preprocessors function is to take packets potentially dangerous for the detection engine to try to find known patterns, as we explained before they will be in charged of doing the Stateful Protocol Analysis. Rules Files are plain text files which contain a list of rules with a known syntax. This syntax includes protocols, addresses, output plug-ins associated and some other things. Those rules files can be updated. Using neural network classifier which efficiently and rapidly classifies observed network packets with respect to attack patterns which it has been trained to recognize. This is a feed forward network which uses supervised training, and which: _ can be trained rapidly, _ can be trained incrementally, _ once trained, can perform fast and accurate classification of its input. The idea here is to train the neural network to predict a user's next action or command, given the window of n previous actions or commands. The network is trained on a set of representative user commands. After the training period, the network tries to match actual commands with the actual user profile already present in the net. Neural networks are basically sets of individual cells that have weighted connections to other connected cells. The training process of a neural network consists of setting weights for each connection and comparing the output with the desired output. 6. Hybrid model using Snort Hybrid model is the combination of snort system, neural network and involving data mining technique. This improves the current security of the system. 468

Reports from network Snort system Neural network Result Declaration Fig.2: Hybrid Model Data mining technique Report Generation Alarm Report generation: Report is generated giving the information about attacks. These reports are then send to the security manger. Alarm: - If it detects an intrusion then it raises the alarm. It beeps the alarm when it finds the intrusion in a system. 7. Conclusion A hybrid intrusion detection system is a part of the defensive operations that complements the defenses such as firewalls. Intrusion detection is the act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource. Snort has a team dedicated to the creation, test, maintenance, and documentation of its official rules to ensure their quality. Snort is oriented to high speed links. These are a highly flexible security tool that can be used in a variety of different deployments. These are tools to acquire knowledge. The education they provide is their most important contribution. They also require substantial resources to operate correctly. It can provide a fantastic learning tool in computer security. These are a cheap and simple way to add protection to a network and help developing new ways for countering them. Steps involved: Reports from network: It collects the network traffic of the leaf level sensor when it receives reports from lower layer. These are deployed in a network or on a device to collect data. They take input from various sources, including network packets, log files, and system call traces. Input is collected, organized and then forwarded to one or more analyzers. Snort system: It detects intrusions by first parsing network traffic to extract is application-level semantics and then executing event oriented analyzers that compare the activity with patterns deemed troublesome. Neural network and data mining: Using neural network classifier with combination of misuse technique which efficiently and rapidly classifies observed network packets with respect to attack patterns which it has been trained to recognize. This is a feed forward network which uses supervised training, and which: _ can be trained rapidly, _ can be trained incrementally, _ once trained, can perform fast and accurate classification of its input. It is used and trained to fetch information using data mining technique from the previously stored data. Result Declaration: In this step the result in concluded and the result is further passed to the next level for storing results for later use. 8. REFERENCES: [1] Bridges, Susan, and Rayford B. Vaughn. 2000, Intrusion Detection Via Fuzzy Data Mining in Proceedings 12 th Annual Canadian information Tech. securitysymposium,pp.109-122.ottawa, canada [2] Bezroukov, Nikolai. 19 July 2003. Intrusion Detection. Softpanorama: Open Source Softwarec ducational Society. Nikolai Bezroukov. [3] Divya and Amit Chugh, GHIDS: A Hybrid Honeypot Using Genetic Algorithm, published in IJCTA, vol 3. Jan 2012 [4] Miguel A. Calvo Moya, analysis and evaluation of The snort and bro network intrusion detection system September 2008. [5] A. F. Arboleda and C. E. Bedon, Snort diagrams for developers, Universidad del Cauca Colombia, 2005 http://afrodita.unicauca.edu.co/cbedon/snort/snortdevdiagra ms.htm [6] Divya and Amit Chugh, Wsnort: A Hybrid Snort System For Intrusion Detection Using Genetic Algorithm In Wireless Environment, published in Proc. of NationalConference on Data Mining & Warehousing 2012 2012 [7] Network-based Hybrid Intrusion Detection and Honeysystems as Active Reaction Schemes Pedro García-Teodoro in 2007. [8] Cliff, A. Password Crackers - Ensuring the Security of Your Password. Unknown: SecurityFocus.com, 2001, accessed 12 October 2004 [9] New Methods of Intrusion Detection using Control- Loop Measurement May 16, 1996 469

[10] Moradi and M. Zulkernine. A neural network based system for intrusion detection and Classification of attacks. In 2004 IEEE International Conference on Advances in in Intelligent Systems. [11] Mounji. Rule-Based Distributed Intrusion Detection. PhD thesis, University of Namur 1997 [12] VG. C. F.M. Valtorta. Paid: A probabilistic agent- Based intrusion detection system. In Computers & Security, pages 529 545, 2005. [13] S. Zanero and S. M. Savaresi. Unsupervised Learning techniques for an intrusion detection System. In SAC 04: Proceedings of the 2004 ACM symposium on Applied computing, pages 412 419, New York, NY, USA 2004. 470

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback