Intrusion Detection System

Published on June 2016


www.ijifr.com


ISSN (Online): 2347-1697

INTERNATIONAL JOURNAL OF INFORMATIVE & FUTURISTIC RESEARCH
An Enlightening Online Open Access, Refereed & Indexed Journal of Multidisciplinary Research

Volume -1 Issue -10, June 2014
An Execution of Intrusion Detection System by Using Genetic Algorithm

Mr. Umakant Butkar 1, Mr. Syed Akhter 2, Mr. Devidas Thosar 3, Mr. Gadakh Prashant J. 4
1, 2, 3 Aditya Engineering College, Beed
Sharadchandra Pawar College of Engineering, Pune

Abstract
Over the last two decades, maintaining a high level of security to ensure safe and secure communication of information between organizations and businesses has become an essential issue. The role of an Intrusion Detection System in networking is to identify the intruder (abusive data) and block the intruder's data so as to avoid the various types of system attack by viruses. Data on the internet is not secure anywhere. Intrusion Detection Systems have therefore become a necessity for computer and network security. The new system proposed here replaces the existing system: the existing system does not create a set of rules at run time (a rule being hidden information, that is, compulsory bits of information or a set of data), whereas the major components of the new system create new rules during run time. In this paper we present an Intrusion Detection System (IDS) that applies a genetic algorithm (GA) to efficiently detect various types of network attacks, viruses, and abusive data or intrusions. We propose an effective and accurate approach to generate rules for different types of anomalous connections. The parameters and evolution processes of the Genetic Algorithm are discussed in detail and implemented.
Keywords: Intrusion Detection System, genetic algorithm, Networking, Technology Solutions, System Problems

PAPER ID: IJIFR / V1 / E10 / 006
Copyright © IJIFR 2014
Author's Subject Area: Computer Networks
Available Online at: http://www.ijifr.com/searchjournal.aspx
Author's Research Area: Computer Networks, Page No.: 14-19

1. Introduction
In 1987 Dorothy E. Denning (Distinguished Professor, Department of Defense Analysis, Naval Postgraduate School) proposed intrusion detection as an approach for finding computer and network attacks and misuse. Intrusion detection is implemented by an intrusion detection system. [1] Today there are many commercial intrusion detection systems available on the market. [5] Some of the IDS products available on the market are Ana Disk, Audit Track for Netware, by-Life Line (Bind View Development), the CRCMd5 Data Validation Tool, and so on; hundreds of IDS tools are currently in use in the marketplace. Although such tools are available, some expert hackers and some professional system designers are still able to break into the information that passes through various communication systems, illegally. [1] The Intrusion Detection System in Networking Using Genetic Algorithm (IDS) is used for global technology solutions. Vanguard Enforcer monitors the security systems and facilities that protect critical data and other resources on your mainframe 24 hours a day, seven days a week. Enforcer makes certain that the standards, policies, rules and settings defined by your security experts are in force and stay in force. With Vanguard Enforcer, you never have to wonder whether the security implementation on your mainframe is protecting your critical resources effectively: this technology ensures that security on your mainframe systems continuously adheres to "best practices" standards and your own security policies. [5] Another application finds hidden or deleted data on computer diskettes regardless of format: it can search any diskette by user-defined values, print data on a physical-sector or file basis, and copy almost any kind of diskette without regard to format or type.
Cyber Cop Monitor is a system-based IDS that has the ability to detect network reconnaissance and stealth port scanning over many months, warning against even the most determined attacks. Cyber Cop Monitor's unique system-based intrusion detection architecture provides both real-time packet analysis and system event analysis. [5] Advanced security features include the detection and alerting of attacks destined not only for the system it is trying to protect, but also for cases where that system is being used as a "jumping-off point" to launch attacks against other network assets. Monitor's C2 auditing capabilities produce a more detailed audit report and can create audit logs by user, event and class to integrate with the Solaris Basic Security Mode (BSM) functionality. This capability enables powerful logging of events down to the system-call level to counter even the most skillful system misuse. [13]
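The abstract says that rules for anomalous connections are generated at run time by a genetic algorithm but gives no chromosome encoding or fitness function. The following added example (not the paper's code) assumes a chromosome of two thresholds over constructed connection features and a fitness of detections minus false alarms, to show concretely what evolving a detection rule looks like.

```python
"""GA that evolves a connection-rate rule for flagging anomalous connections.
Added illustration of the 'rules generated at run time' idea; the chromosome
encoding, feature names and fitness below are assumptions, not the paper's."""
import random

# Constructed connection records: (count, serror_rate, is_attack).
# 'count' = connections to the same host in a short window, 'serror_rate' =
# share of those with SYN errors; the flood-like records are the attacks.
RECORDS = (
    [(c, 0.0 + (c % 3) * 0.05, False) for c in range(1, 9)] * 5
    + [(c, 0.9, True) for c in (40, 55, 70, 120)] * 5
    + [(4, 0.95, False)] * 3          # benign noise: errors but low count
)

def matches(rule, rec):
    """A rule is (count_threshold, serror_threshold); both must be exceeded."""
    t_count, t_err = rule
    return rec[0] > t_count and rec[1] > t_err

def fitness(rule, records=RECORDS):
    """Detections minus false alarms: the GA is pushed toward rules that
    catch the attack records without alarming on benign connections."""
    tp = sum(1 for r in records if r[2] and matches(rule, r))
    fp = sum(1 for r in records if not r[2] and matches(rule, r))
    return tp - fp

def crossover(a, b, rng):
    """Single-point crossover: the child takes one threshold from each parent."""
    return (a[0], b[1]) if rng.random() < 0.5 else (b[0], a[1])

def mutate(rule, rng):
    """Perturb one gene, keeping thresholds inside their valid ranges."""
    t_count, t_err = rule
    if rng.random() < 0.5:
        t_count = max(0, t_count + rng.randint(-5, 5))
    else:
        t_err = min(1.0, max(0.0, t_err + rng.uniform(-0.1, 0.1)))
    return (t_count, t_err)

def evolve(records=RECORDS, pop_size=20, generations=30, seed=1):
    """Run the GA with a seeded RNG so results are reproducible.
    Returns (best_rule, best_fitness, best_fitness_of_initial_population)."""
    rng = random.Random(seed)
    pop = [(rng.randint(0, 150), rng.random()) for _ in range(pop_size)]
    initial_best = max(fitness(r, records) for r in pop)
    for _ in range(generations):
        ranked = sorted(pop, key=lambda r: fitness(r, records), reverse=True)
        elite = ranked[: pop_size // 4]      # elitism: best rules survive unchanged
        children = []
        while len(children) < pop_size - len(elite):
            a, b = rng.choice(elite), rng.choice(elite)
            children.append(mutate(crossover(a, b, rng), rng))
        pop = elite + children
    best = max(pop, key=lambda r: fitness(r, records))
    return best, fitness(best, records), initial_best

if __name__ == "__main__":
    rule, score, start = evolve()
    print(f"evolved rule {rule}: fitness {score} (initial best {start})")
```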

2. Intrusion Detection Overview
The sections below give a short overview of networking attacks, their classification and the various components of an Intrusion Detection System that are considered in this report. [20]
2.1. Details of some Networking Attacks
This section is an overview of the four major categories of networking attacks. Every attack on a network can comfortably be placed into one of these groupings [21].

• Denial of Service (DOS): A DOS attack is one in which the hacker makes a computing or memory resource too busy or too full to serve legitimate networking requests, thereby denying users access to a machine; apache, smurf, neptune, ping of death, back, mail bomb, UDP storm etc. are all DOS attacks. [1]
• Remote to User Attacks (R2L): A remote to user attack is one in which a user sends packets over the internet to a machine which s/he does not have access to, in order to expose the machine's vulnerabilities and exploit privileges which a local user would have on the computer, e.g. xlock, guest, xnsnoop, phf, sendmail dictionary etc. [1]
• User to Root Attacks (U2R): These attacks are exploitations in which the hacker starts off on the system with a normal user account and attempts to abuse vulnerabilities in the system in order to gain super-user privileges, e.g. perl, xterm. [5]
• Probing: Probing is an attack in which the hacker scans a machine or a networking device in order to determine weaknesses or vulnerabilities that may later be exploited so as to compromise the system. This technique is commonly used in data mining, e.g. saint, portsweep, mscan, nmap etc.
• Passive Attack: A passive attack monitors unencrypted traffic and looks for clear-text passwords and sensitive information that can be used in other types of attacks. [10] Passive attacks include traffic analysis, monitoring of unprotected communications, decrypting weakly encrypted traffic, and capturing authentication information such as passwords. Passive interception of network operations enables adversaries to see upcoming actions. Passive attacks result in the disclosure of information or data files to an attacker without the consent or knowledge of the user. [10]
• Active Attack: In an active attack, the attacker tries to bypass or break into secured systems. This can be done through stealth, viruses, worms, or Trojan horses. Active attacks include attempts to circumvent or break protection features, to introduce malicious code, and to steal or modify information. These attacks are mounted against a network backbone, exploit information in transit, electronically penetrate an enclave, or attack an authorized remote user during an attempt to connect to an enclave. [5] Active attacks result in the disclosure or dissemination of data files, DOS, or modification of data. [10]
• Distributed Attack: A distributed attack requires that the adversary introduce code, such as a Trojan horse or back-door program; these attacks introduce malicious code such as a back door into a product to gain unauthorized access to information or to a system function at a later date.
• Insider Attack: An insider attack involves someone from the inside, such as a disgruntled employee, attacking the network. Insider attacks can be malicious or non-malicious. Malicious insiders intentionally eavesdrop, steal, or damage information; use information in a fraudulent manner; or deny access to other authorized users. Non-malicious attacks typically result from carelessness, lack of knowledge, or intentional circumvention of security for such reasons as performing a task. [20]
• Close-in Attack: A close-in attack involves someone attempting to get physically close to network components, data, and systems in order to learn more about a network. Close-in attacks consist of regular individuals attaining close physical proximity to networks, systems, or facilities for the purpose of modifying, gathering, or denying access to information. Close physical proximity is achieved through surreptitious entry into the network, open access, or both. One popular form of close-in attack is the social engineering attack, in which the attacker compromises the network or system through social interaction with a person, through an e-mail message or by phone. Various tricks can be used by the individual to get people to reveal information about the security of a company. [10] The information that the victim reveals to the hacker would most likely be used in a subsequent attack to gain unauthorized access to a system or network. [1]
• Phishing Attack: In a phishing attack the hacker creates a fake web site that looks exactly like a popular site such as the SBI bank or PayPal. The phishing part of the attack is that the hacker then sends an e-mail message trying to trick the user into clicking a link that leads to the fake site. When the user attempts to log on with their account information, the hacker records the username and password and then tries that information on the real site. [5]
• Hijack attack: In a hijack attack, a hacker takes over a session between you and another individual and disconnects the other individual from the communication. You still believe that you are talking to the original party and may send private information to the hacker by accident. [10]
• Spoof attack: In a spoof attack, the hacker modifies the source address of the packets he or she is sending so that they appear to be coming from someone else. This may be an attempt to bypass your firewall rules. [5]
• Buffer overflow: A buffer overflow attack is when the attacker sends more data to an application than is expected. A buffer overflow attack usually results in the attacker gaining administrative access to the system in a command prompt or shell. [10]
• Exploit attack: In this type of attack, the attacker knows of a security problem within an operating system or a piece of software and leverages that knowledge by exploiting the vulnerability. [10]
• Password attack: An attacker tries to crack the passwords stored in a network account database or a password-protected file. There are three major types of password attacks: a dictionary attack, a brute-force attack, and a hybrid attack. A dictionary attack uses a word list file, which is a list of potential passwords. A brute-force attack is when the attacker tries every possible combination of characters. [5]

3.3. Components of Intrusion Detection System
An intrusion detection system normally consists of three functional components [23]. The first component of an intrusion detection system, also known as the event generator, is a data source. Data sources can be categorized into four categories, namely host-based monitors, network-based monitors, application-based monitors and target-based monitors. [20] The second component of an intrusion detection system is known as the analysis engine. [20] This component takes information from the data source and examines the data for symptoms of attacks or other policy violations. The analysis engine can use one or both of the following analysis approaches:

• Misuse/Signature-Based Detection: This type of detection engine detects intrusions that follow well-known patterns of attacks (or signatures) that exploit known software
• Anomaly/Statistical Detection: An anomaly-based detection engine searches for something rare or unusual [26]. It analyses system event streams, using statistical techniques to find patterns of activity that appear to be abnormal. The primary disadvantages of this approach are that it is highly expensive and that it can recognize intrusive behaviour as normal behaviour because of insufficient data. [5]
• Response Manager: The third component of an intrusion detection system is the response manager. In basic terms, the response manager only acts when inaccuracies (possible intrusion attacks) are found on the system, by informing someone or something in the form of a response.
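The three components above, as an added example that is not part of the paper: a signature engine and a statistical anomaly engine feeding one response manager over constructed connection events, including the failure mode the text mentions, where an inadequate baseline makes intrusive behaviour look normal. Feature names, signature strings and addresses are assumptions.

```python
"""Toy IDS analysis engine with both detection approaches from Section 3.3
plus a response manager. Added example; feature names, signatures and event
records are constructed for illustration, not taken from the paper."""
import statistics
from dataclasses import dataclass

@dataclass
class Event:           # one record from the event generator (data source)
    src: str
    payload: str       # application-layer content seen by the monitor
    conns_per_2s: int  # connections from src in the last two seconds

# Misuse/signature-based: known attack patterns (constructed signatures).
SIGNATURES = {"phf-cgi": "/cgi-bin/phf", "shell-escape": "/bin/sh"}

def signature_alerts(ev: Event) -> list:
    """Names of every known pattern found in the event's payload."""
    return [name for name, pat in SIGNATURES.items() if pat in ev.payload]

# Anomaly/statistical: learn a baseline of conns_per_2s from a training
# window, then flag values more than k standard deviations above the mean.
class AnomalyEngine:
    def __init__(self, k: float = 3.0):
        self.k = k
        self.mean = self.sd = None

    def train(self, baseline):
        vals = [e.conns_per_2s for e in baseline]
        self.mean = statistics.mean(vals)
        self.sd = statistics.pstdev(vals) or 1.0   # avoid a zero-width baseline

    def is_anomalous(self, ev: Event) -> bool:
        return (ev.conns_per_2s - self.mean) / self.sd > self.k

class ResponseManager:
    """Acts only when an engine reports something; here it records alerts."""
    def __init__(self):
        self.alerts = []

    def notify(self, ev: Event, reason: str):
        self.alerts.append((ev.src, reason))

def run_ids(baseline, stream, k=3.0):
    """Train the anomaly engine, then pass every event through both engines."""
    anomaly = AnomalyEngine(k)
    anomaly.train(baseline)
    rm = ResponseManager()
    for ev in stream:
        for sig in signature_alerts(ev):
            rm.notify(ev, f"signature:{sig}")
        if anomaly.is_anomalous(ev):
            rm.notify(ev, "anomaly:connection-rate")
    return rm.alerts

# Constructed traffic. Normal hosts open 1-4 connections per 2 s.
NORMAL = [Event(f"10.0.0.{i}", "GET /index.html", 1 + i % 4) for i in range(1, 41)]
STREAM = [
    Event("10.0.0.7", "GET /index.html", 2),
    Event("10.0.0.9", "GET /cgi-bin/phf?Qalias=x", 3),   # known pattern
    Event("10.0.0.50", "GET /", 60),                     # flood-like rate
]

def clean_baseline_alerts():
    return run_ids(NORMAL, STREAM)

def poisoned_baseline_alerts():
    # Failure mode from the text: if the training window already contains
    # flood-like traffic, the statistics absorb it and the flood looks normal,
    # while the signature engine is unaffected.
    poisoned = NORMAL + [Event(f"10.0.1.{i}", "GET /", 60) for i in range(1, 21)]
    return run_ids(poisoned, STREAM)
```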

4 Existing Systems And Their Problems
Here we describe some of the important Intrusion Detection systems and their problems.


4.1. Existing Intrusion Detection Systems
• Noisy: In 2009, Noisy/Snort entered Open Source Programming as one of the “greatest open source software of all time”. Through protocol analysis, content searching, content sorting and various pre-processors, Noisy detects thousands of vulnerability exploit attempts, worms etc.
• OSSEC (Open Source Host-based Intrusion Detection System): it performs time-based alerting, log analysis, rootkit detection, integrity checking, and active response. In addition to its IDS functionality, OSSEC HIDS is used to monitor and analyze firewalls, web servers and authentication logs. [20]
• OSSIM (Open Source Security Information Management): The goal of OSSIM is to provide a compilation of tools which, when working together in the form of multiple programs, grant permissions for network/security administrators, server authentication, hosting procedures and physical access devices. OSSIM incorporates several other tools, including Nations and OSSEC HIDS. OSSEC HIDS is a free and open-source host-based intrusion detection system (HIDS) created by the Sucuri foundation.
• Suricata: a high-performance security monitoring engine, maintained by a non-profit security foundation. [5]
• Bro: an open-source, Unix-based network intrusion detection system. While focusing on network security monitoring, Bro provides a comprehensive platform for more general network traffic analysis as well. Today it is relied upon operationally, in particular by many scientific environments, for securing their cyber infrastructure. [20]
4.2. Problems and some Disadvantages with Existing Systems
• Noise can severely limit an intrusion detection system's effectiveness. Bad packets generated by software bugs, corrupt DNS data, and local packets that escaped can create a significantly high false-alarm rate.
• It is not uncommon for the number of real attacks to be far below the number of false alarms. The number of real attacks is often so far below the number of false alarms that the real attacks are missed and ignored. [20]
• Many attacks are geared for specific versions of software that are usually outdated. A constantly changing library of signatures is needed to mitigate threats. Outdated signature databases can leave the IDS vulnerable to newer strategies.
• For signature-based IDSs there will be a lag between the discovery of a new threat and its signature being applied to the IDS. During this lag time the IDS will be unable to identify the threat. [20]
• An IDS cannot compensate for weak identification and authentication mechanisms or for weaknesses in network protocols. When an attacker gains access because of a weak authentication mechanism, the IDS cannot prevent the adversary from any malpractice.
• Intrusion detection software provides information based on the network address that is associated with the IP packet that is sent into the network. This is beneficial if the network address contained in the IP packet is accurate. However, the address contained in the IP packet could be faked or scrambled. [20]

5 References
[1] Denning, P. J. and Denning, D. E., "Discussing Cyber Attack," Comm. of the ACM, Vol. 53, No. 9, Sept. 2010.
[2] Zhang, D., Zeng, S., Huang, C-N, Fan, L., Yu, X., Dang, Y., Larson, C., Denning, D.,
[3] Denning, D. E., “Barriers to Entry: Are They Lower for Cyber Warfare?” IO Journal, April 2009.
[4] Denning, D. E., “Assessing the CNO Threat of Foreign Countries,” in Information Strategy and Warfare (J. Arquilla and D. Borer eds.), Routledge, 2007 (pre-publication version).
[5] Denning, D. E., “The Ethics of Cyber Conflict,” in Information and Computer Ethics (K. E. Himma and H. T. Tavani eds.), Wiley, 2007.
[6] Kinniburgh, J. and Denning, D. E., “Blogs and Military Information Strategy,” IO Sphere, Joint Information Operations Center, Summer 2006, pp. 5-13. Also issued as JSOU Report 06-05, Joint Special Operations University, June 2006. Also in Information Strategy and Warfare (J. Arquilla and D. Borer eds.), Routledge, 2007.
[7] Yuill, J., Denning, D., and Feer, F.,
[8] “Psychological Vulnerabilities to Deception for Use in Computer Security,” DoD Cyber Crime Conference 2007, St. Louis, MO, January 2007.
[9] Denning, D. E., “A View of Cyberterrorism Five Years Later,” Readings in Internet Security: Hacking, Counterhacking, and Society (K. Himma ed.), Jones and Bartlett Publishers, Boston, 2006.
[10] Yuill, J., Denning, D., and Feer, F., “Using Deception to Hide Things from Hackers,” Journal of Information Warfare, Vol. 5, No. 3, 2006, pp. 26-40.
[11] “Designing Deception Operations for Computer Network Defense,” DoD Cybercrime Conference 2005, Palm Harbor, FL, January 2005.
[12] Denning, D. E., “Key Concerns,” Information Security, Vol. 4, No. 11, November 2001, p. 120.
[13] Denning, D. E., “Cyberwarriors,” Harvard International Review, Summer 2001, pp.
[14] Denning, D. E., “Obstacles and Options for Cyber Arms Control,” proceedings of Arms Control in Cyberspace, Heinrich Böll Foundation, Berlin, Germany, June 29-30, 2001.
[15] Denning, D. E., “Why I Love Biometrics,” Information Security, Vol. 4, No. 1, January 2001, p. 96.
