2017 IEEE Conference on Wireless Sensors

Modelling of Intelligent Intrusion Detection System: Making a Case for Snort

Rashidah Funke Olanrewaju#1, Ku Afiza Ku Zahir#2, Ani Liza Asnawi#3, Mistura L. Sanni##4, Abdulkadir Adekunle Ahmed*5
# Department of Electrical and Computer Engineering, International Islamic University Malaysia, Malaysia
1frashidah@iium.edu.my, 2kuunorafiza@gmail.com, 3aniliza@iium.edu.my
## Department of Computer Engineering, Obafemi Awolowo University, Ile Ife, Nigeria
4misturasanni@gmail.com
* Department of Electrical and Computer Engineering, College of Engineering and Technology, Kwara State University, Malete, Nigeria
5abdulkadiradekunle@live.com

Abstract—An Intrusion Detection System (IDS) is a dynamic network security defense technology that provides real-time detection of internal and external attacks on a computer network and alerts the administrator so that action can be taken. However, the changing nature of network traffic produces a high number of false positives, which has led many network administrators to regard IDS as unreliable for today's network security. Hackers and attackers keep creating new viruses and malware to invade computer networks. Hence, this study proposes a method for early detection of intrusion using the Snort software. The data collected by Snort was used to train a Multilayer Feedforward Neural Network (MLFNN) with the Back-propagation (BP) algorithm, and the MLFNN was simulated in MATLAB. The performance of the classifier was evaluated on three parameters: accuracy, sensitivity, and False Positive Rate (FPR). Pre-processing classified the output data into normal and attack, and performance was evaluated with a confusion matrix. The results showed that a network-based IDS can be employed for early detection of intrusion, given the performance recorded: 94.92% accuracy, 97.97% sensitivity, and 0.69% FPR.

Keywords—intrusion detection system; artificial intelligence; network; MATLAB (MATrix LABoratory)

978-1-5386-1971-1/17/$31.00 ©2017 IEEE

I. INTRODUCTION

An Intrusion Detection System (IDS) is a component of a computer network that acts as an alarm: it alerts the user when it detects an internal or external intrusion, before the network equipment is endangered. Over the years, operating system security technology has been enhanced to address confidentiality, integrity, and availability in a network [1]. Initially, system administrators performed intrusion detection manually by monitoring the network through a console [2].

The primary objective of this study was to design a network security system implementing an Artificial Neural Network (ANN) with the Back-Propagation (BP) algorithm. The study developed an ANN model to investigate the performance of an IDS. The implementation was done using MATLAB and Snort.

The remainder of this paper is structured as follows: Section II reviews IDS; Section III describes the methodology; Section IV analyses the experimental results; and Section V concludes the paper and outlines future work.

II. INTRUSION DETECTION SYSTEM

Nowadays, the internet is accessible from almost everywhere. With the growing number of electronic devices connected to the web, computer network security may be endangered. This raises the question of how to effectively defend a computer network from internal and external attacks [3]. An IDS can be the first line of defense, detecting an intrusion before the network is endangered. This section discusses the elements of this study: an introduction to IDS, types of IDS, software used for detection, evaluation of IDS, limitations, and challenges.

An IDS can be implemented as a Host-based IDS (HIDS) or a Network-based IDS (NIDS). According to Vijayarani and Sylviaa [4], a HIDS detects intrusions that a NIDS cannot, because of the network's larger scale and breadth. With a NIDS, real-time detection and prompt response are possible because information is collected from the network rather than from each host [4,5]; a NIDS can also retain evidence of the attacks. Although the two types differ, their function is similar: to detect intrusions in a computer network and alert the user accordingly [5]. A HIDS acts like a virus scanner: it scans the traffic destined for the host and raises an alarm on any sign of malicious activity [4]. The concept of a NIDS is simpler: the device is connected to the network like a network protocol analyzer [5], closely monitors all network traffic, and alerts the user upon sensing any form of intrusion.

An IDS helps to reduce the risk of losing the information and data stored on the network, and so contributes to strengthening the security of a system. Traditional IDS are signature-based and detect only known patterns [4], which becomes a problem as the nature of the network varies over time [6]. A good system should not be a "black box": the inside of a working system should be examinable from outside [7]. A sound system must also be adaptive; every system has a different usage pattern, and a suitable defense mechanism should be able to adapt quickly. Two major software packages are used for IDS: Snort and Suricata [8].
Suricata has been reported to give higher accuracy than Snort, and Snort raises fewer controlled alerts per attack than Suricata; however, Suricata requires considerably more processing power than Snort to reach its operational capacity [9]. Mohammadpour et al. [10] evaluated IDS using Support Vector Machines (SVM), reviewing IDS techniques that use SVM as the classifier, with false alarm rate and detection rate as the performance measures. Brindasri and Saravanan [5] used a Markov chain with K-Means as the classifier and the Apriori algorithm to remove infrequent data from the database, and used this to evaluate the performance of a NIDS. K-Means clustering is also used in our ANN design for the classification phase and for clustering the data. Other approaches to evaluating IDS include Gaussian Mixture Models (GMM), Multilayer Perceptrons (MLP), and linear models [11]. For data formatting, most organizations use the KDD Cup 99 dataset to test the performance of an IDS, and it is also used for research purposes. In Olanrewaju et al. [12], a neural network was applied to the Oxford Parkinson's Disease Detection Dataset. Classification can be done with K-Means, an unsupervised algorithm that assigns unlabeled data to the clusters it forms [5]. Sometimes the system alerts the user when there is no intrusion in the network [13]; this is called a False Positive. Although the percentage of false positives can be minimized, no IDS is 100% accurate, and it will not detect every single intrusion whenever it happens [14].

III. EXPERIMENTAL PROCEDURE

Fig. 1 shows the methodology of this study. Detection and classification are the two required steps; detection was implemented with Snort and classification with MATLAB.

Fig. 1. Methodology

A. Materials and Methods

Fig. 1 shows the step-by-step implementation of the IDS using an ANN with the BP algorithm. Snort, a free open-source package available for download from http://www.snort.org/ [8], runs on both Linux and Windows.

I) Create rules for Snort: Snort comes with a set of ground rules, but rules can be added to meet the requirements of the system. As shown in Fig. 2, there are three basic types of rules in Snort [9]. A packet received by Snort is checked against the rules sequentially in the order shown in Fig. 2: the packet first goes through all Alert rules, then the Pass rules, and then the Log rules, and is allowed through only if no threat is detected. The order can be set in several ways, but this one is the most secure, since no packet passes through without being checked first. The rule order is written in the snort.conf file, stored at C:/Snort/etc/snort.conf. Many rules are pre-installed when Snort is downloaded; additional rules were added to meet the requirements of this study, as shown in Fig. 3.

Fig. 2. Three basic types of rules in Snort: Alert rules, Pass rules, Log rules

Fig. 3. Additional experimental rules in Snort

II) Train and format data: All data and information on the attacks are stored using Snort's logging command. Training and formatting of the data were done separately in MATLAB with the nntool application. The dataset, called Snort_dataset, consists of all the data stored by Snort and was used to determine the performance of the IDS.

B. Feature Extraction

For result analysis, only 35 of the 41 features were used to examine the performance of the IDS. Four broad categories of attack were considered in the dataset: Denial of Service (DoS), Remote to Local (R2L), User to Root (U2R), and Probing [15]. Table I shows the classification of attack types into these four categories.

TABLE I. CLASSIFICATION OF ATTACKS

C. Performance Evaluation

The IDS was evaluated using three main parameters: accuracy, sensitivity, and False Positive Rate (FPR). Accuracy is the percentage of correct alerts among all recorded warnings, i.e. how close the predicted values are to the actual values; it is computed as in (1):

$\mathrm{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN} \times 100$ (1)

where TP is True Positive, TN is True Negative, FP is False Positive, and FN is False Negative, for all equations.

Sensitivity is the measure of the predicted output with respect to a change in the input, or the ratio of true positives that are identified correctly. It can be read from the confusion matrix and is computed as in (2):

$\mathrm{Sensitivity} = \frac{TP}{TP + FN} \times 100$ (2)

The False Positive Rate (FPR) is the percentage of normal data in the database that is wrongly recognized as an attack, computed as in (3):

$\mathrm{FPR} = \frac{FP}{FP + TN} \times 100$ (3)

IV. EXPERIMENTAL RESULT AND ANALYSIS

500 of the sorted records from the formatting phase were selected to analyze the performance of the classifier. In MATLAB, nntool (Neural Network Toolbox) was used to train the classifier and to classify the data into the respective categories: Normal, Denial of Service (DoS), Remote to Local (R2L), User to Root (U2R), and Probing. A DoS attack is a category of attack in which the attacker keeps the memory resources too busy serving network requests, causing the system to deny users access, while in a U2R attack local root privileges are obtained through unauthorized access [13]. For performance analysis, the metrics used are accuracy, sensitivity, and FPR.
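The chain from Snort's alert output to the metrics of Section III-C and the per-category accuracies of this section can be checked on a small scale in Python. The block below is an added illustration and is not the authors' MATLAB code. Everything in it is constructed for the example: the alert lines (written in Snort 2's alert_fast format), the flow list with its ground-truth labels, and the SID-to-category map. The MLFNN classifier is replaced by a much simpler stand-in, the category of the Snort rule that fired on a flow (no alert means Normal); that substitution is an assumption made only so that predicted labels exist to score.

```python
"""Snort alert_fast lines -> labelled flows -> 5x5 confusion matrix -> metrics (1)-(3).
Added example, not the paper's MATLAB code; every sample value below is constructed."""
import re

CATEGORIES = ["Normal", "DoS", "R2L", "U2R", "Probing"]
ATTACKS = CATEGORIES[1:]

# Constructed SID -> category map (assumption; a deployment would derive it from
# each rule's classtype or from a lookup table kept beside the rules).
SID_TO_CATEGORY = {1000001: "DoS", 1000002: "Probing", 1000003: "R2L", 1000004: "U2R"}

# Snort 2 alert_fast line layout:
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

def parse_alert(line):
    """One alert_fast line as a dict; None for portless (ICMP) lines or other formats."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sid"], rec["dport"] = int(rec["sid"]), int(rec["dport"])
    rec["category"] = SID_TO_CATEGORY.get(rec["sid"])  # None when the SID is not mapped
    return rec

def label_flows(flows, alert_lines):
    """(actual, predicted) per flow: category of the first mapped alert on the flow's
    (src, dst, dport), else Normal. This stands in for the paper's MLFNN classifier."""
    fired = {}
    for line in alert_lines:
        rec = parse_alert(line)
        if rec is not None and rec["category"] is not None:
            fired.setdefault((rec["src"], rec["dst"], rec["dport"]), rec["category"])
    return [(f["truth"], fired.get((f["src"], f["dst"], f["dport"]), "Normal")) for f in flows]

def confusion_matrix(pairs):
    """cm[actual][predicted] over the five classes (rows = actual class, as in Table V)."""
    cm = {a: {p: 0 for p in CATEGORIES} for a in CATEGORIES}
    for actual, predicted in pairs:
        cm[actual][predicted] += 1
    return cm

def per_class_accuracy(cm):
    """Table IV style: % of each class's records placed in that class; Overall = their mean."""
    acc = {c: (100.0 * cm[c][c] / sum(cm[c].values()) if sum(cm[c].values()) else 0.0)
           for c in CATEGORIES}
    acc["Overall"] = sum(acc[c] for c in CATEGORIES) / len(CATEGORIES)
    return acc

def binary_counts(cm):
    """Collapse to attack-vs-normal to get the TP, TN, FP, FN used in (1)-(3)."""
    tp = sum(cm[a][p] for a in ATTACKS for p in ATTACKS)  # attack reported as some attack
    fn = sum(cm[a]["Normal"] for a in ATTACKS)            # attack reported as normal
    fp = sum(cm["Normal"][p] for p in ATTACKS)            # normal reported as an attack
    return tp, cm["Normal"]["Normal"], fp, fn

def metrics(cm):
    """Accuracy (1), sensitivity (2) and FPR (3), in percent."""
    tp, tn, fp, fn = binary_counts(cm)
    return {"accuracy": 100.0 * (tp + tn) / (tp + tn + fp + fn),
            "sensitivity": 100.0 * tp / (tp + fn),
            "fpr": 100.0 * fp / (fp + tn)}

# Constructed sample: nine flows with ground truth and the alerts Snort raised on some.
# 10.0.0.10 is normal traffic that tripped the DoS rule (false positive), 10.0.0.11 an
# R2L attack that raised nothing (miss), 10.0.0.12 a probe caught by the R2L rule
# (detected for (2), but an error in Table IV terms); the last two alerts carry an
# unmapped SID and a portless ICMP line, and both are skipped.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.0.1", "dport": 80, "truth": "DoS"},
    {"src": "10.0.0.6", "dst": "10.0.0.1", "dport": 22, "truth": "Probing"},
    {"src": "10.0.0.7", "dst": "10.0.0.1", "dport": 21, "truth": "R2L"},
    {"src": "10.0.0.8", "dst": "10.0.0.1", "dport": 23, "truth": "U2R"},
    {"src": "10.0.0.9", "dst": "10.0.0.1", "dport": 443, "truth": "Normal"},
    {"src": "10.0.0.10", "dst": "10.0.0.1", "dport": 80, "truth": "Normal"},
    {"src": "10.0.0.11", "dst": "10.0.0.1", "dport": 25, "truth": "R2L"},
    {"src": "10.0.0.12", "dst": "10.0.0.1", "dport": 53, "truth": "Probing"},
    {"src": "10.0.0.13", "dst": "10.0.0.1", "dport": 80, "truth": "Normal"},
]
CLS = "[Classification: constructed] [Priority: 2]"
SAMPLE_ALERTS = [
    f"10/03-14:22:01.100000  [**] [1:1000001:1] SYN flood [**] {CLS} {{TCP}} 10.0.0.5:40001 -> 10.0.0.1:80",
    f"10/03-14:22:02.100000  [**] [1:1000002:1] port scan [**] {CLS} {{TCP}} 10.0.0.6:40002 -> 10.0.0.1:22",
    f"10/03-14:22:03.100000  [**] [1:1000003:1] FTP brute force [**] {CLS} {{TCP}} 10.0.0.7:40003 -> 10.0.0.1:21",
    f"10/03-14:22:04.100000  [**] [1:1000004:1] telnet root shell [**] {CLS} {{TCP}} 10.0.0.8:40004 -> 10.0.0.1:23",
    f"10/03-14:22:05.100000  [**] [1:1000001:1] SYN flood [**] {CLS} {{TCP}} 10.0.0.10:40005 -> 10.0.0.1:80",
    f"10/03-14:22:06.100000  [**] [1:1000003:1] FTP brute force [**] {CLS} {{TCP}} 10.0.0.12:40006 -> 10.0.0.1:53",
    f"10/03-14:22:07.100000  [**] [1:1000099:1] unmapped rule [**] {CLS} {{TCP}} 10.0.0.13:40007 -> 10.0.0.1:80",
    f"10/03-14:22:08.100000  [**] [1:1000002:1] ICMP sweep [**] {CLS} {{ICMP}} 10.0.0.6 -> 10.0.0.1",
]

def run_example():
    """Confusion matrix, Table IV style accuracies and metrics (1)-(3) for the sample."""
    cm = confusion_matrix(label_flows(SAMPLE_FLOWS, SAMPLE_ALERTS))
    return cm, per_class_accuracy(cm), metrics(cm)
```

Calling run_example() on the sample gives a 5x5 matrix with one false positive, one miss and one probe filed under R2L. The probe is counted as detected by the attack-versus-normal sensitivity of (2) but as an error by the per-category accuracy of Table IV, which is why the two figures differ and why both are worth reporting.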
The remaining two categories are R2L, in which the attacker first sends packets to the system over the network and then exploits the network's vulnerabilities to gain local access illegally, and Probing, a technique the attacker uses to gather information about the target host [16].

TABLE II. PRE-PROCESSING RESULT

Table II shows the product of the pre-processing phase, in which the features of the data were converted into the target data. After pre-processing, the dataset was trained in MATLAB with nntool. From this dataset, only 100 records from each category were used for training and evaluation. Table III gives the data training specification, including the model proposed in this study; the neural network model was generated in MATLAB with this specification, and Fig. 4 shows the proposed model.

TABLE III. DATA TRAINING SPECIFICATION

Input nodes: 35
Hidden nodes: 5
Output nodes: 5
Learning rate: 0.9
Momentum constant: 0.7
Epoch: 405 iterations out of 500
Time: 0.00.4
Performance: mean squared error (MSE), 0.001
Network training function: Levenberg-Marquardt back-propagation (trainlm)
Weight/bias learning function: gradient descent with momentum (learngdm)
Transfer function for hidden layer: hyperbolic tangent sigmoid (tansig)
Transfer function for output layer: linear (purelin)

Fig. 4. Proposed neural network model

The training and testing datasets are compared with the target data. The neural network was trained with the BP algorithm until the desired MSE of 0.001 was achieved. Table IV shows the performance of the training algorithm; the bottom row gives the overall accuracy of the training phase.

TABLE IV. TRAINING PERFORMANCE FOR PROPOSED NEURAL NETWORK

Category of attacks | % of training data for each attack | % of correctly classified data | Accuracy
Normal | 100 | 100 | 100%
DoS | 100 | 92.35 | 92.35%
U2R | 100 | 91.54 | 91.54%
R2L | 100 | 93.21 | 93.21%
Probing | 100 | 97.50 | 97.50%
Overall accuracy for classification = (Accuracy(Normal) + Accuracy(DoS) + Accuracy(U2R) + Accuracy(R2L) + Accuracy(Probing)) / 5 = 94.92%

The values of the confusion matrix were used to calculate the sensitivity and the False Positive Rate. Table V shows the confusion matrix for the training set.

TABLE V. CONFUSION MATRIX

The sensitivity of the system is the recall value given in the sixth row of the confusion matrix. From (2),

$\mathrm{Sensitivity} = \frac{TP}{TP + FN} \times 100 = 97.97\%$

which shows that the proposed neural network model has a suitable detection mechanism. For the False Positive Rate, the column labelled class 5 in the confusion matrix corresponds to the Normal class; its first four entries are normal records misclassified into one of the four attack categories, and these give the false positives. From (3),

$\mathrm{FPR} = \frac{FP}{FP + TN} \times 100 = 0.69\%$

V. CONCLUSION

In this study, intrusion detection and classification were done using an Artificial Neural Network with the Back-Propagation algorithm. Of the 41 attributes, only 35 were used as the primary attributes. The records were classified into five categories: Normal, DoS, R2L, U2R, and Probing. From the results obtained, the accuracy of 94.92% indicates good classifier performance, and the sensitivity of 97.97% is also a good result for intrusion detection. Finally, the False Positive Rate of 0.69% shows that the proposed neural network model has a low false positive rate, which indicates a sound classification and training algorithm. This shows that an Artificial Neural Network with the Back-Propagation algorithm is a useful tool for determining the performance of a Network-based Intrusion Detection System.
Further research can be done to enhance the performance of the neural network model for intrusion detection. Other attacks may be introduced in future to test the reliability of the proposed model and improve its accuracy. Deeper neural networks, such as convolutional and recurrent neural networks, should also be investigated.

ACKNOWLEDGMENT

This work was partially supported by the Ministry of Higher Education Malaysia (Kementerian Pendidikan Tinggi) under the Fundamental Research Grant Scheme FRGS15-254-0495.

REFERENCES

[1] Y.S. Chen, G. Hui, Y.G. Xian, J.X. Ling, L.N. Zhang and T.J. Shao, "The solution to how to select an optimal set of features from many features used to intrusion detection system in wireless sensor network", in 2010 Second WRI Global Congress on Intelligent Systems, 2010, pp. 368-371.
[2] P. Schwab, "The History of Intrusion Detection Systems (IDS) – Part 1", Threat Stack blog, 2015. [Online]. Available: http://blog.threatstack.com/the-history-of-intrusion-detection-systems-ids-part-1. [Accessed: 28-Sep-2017].
[3] T. Mehraj, B. Rasool, B.U.I. Khan, A. Baba and A.G. Lone, "Contemplation of effective security measures in access management from adoptability perspective", International Journal of Advanced Computer Science and Applications (IJACSA), vol. 6, no. 8, pp. 188-200, 2015.
[4] S. Vijayarani and M.S. Sylviaa, "Intrusion detection system – A study", International Journal of Security, Privacy and Trust Management (IJSPTM), vol. 4, no. 1, pp. 31-44, 2015.
[5] S. Brindasri and K. Saravanan, "Evaluation of network intrusion detection using Markov chain", International Journal of Cybernetics & Informatics (IJCI), vol. 3, no. 2, pp. 11-20, 2014.
[6] J.A. Khan and N. Jain, "Improving intrusion detection system based on KNN and KNN-DS with detection of U2R, R2L attack for network probe attack detection", International Journal of Scientific Research in Science, Engineering and Technology, vol. 2, no. 5, pp. 209-212, 2016.
[7] M. Stampar, "Artificial intelligence in network intrusion detection", in 2015 38th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), Opatija, 2015, pp. 1318-1323.
[8] D.J. Day and B.M. Burns, "A performance analysis of Snort and Suricata network intrusion detection and prevention engines", in ICDS 2011: The Fifth International Conference on Digital Society, 2011, pp. 187-192.
[9] E. Albin, "A comparative analysis of the Snort and Suricata intrusion detection systems", Master's thesis, Institutional Archive of the Naval Postgraduate School, 2011.
[10] L. Mohammadpour, M. Hussain, A. Aryanfar, V.M. Raee and F. Sattar, "Evaluating performance of intrusion detection system using support vector machines: Review", International Journal of Security and Its Applications, vol. 9, no. 9, pp. 225-234, 2015.
[11] S. Pastrana, A. Mitrokotsa, A. Orfila and P.P. Lopez, "Evaluation of classification algorithms for intrusion detection in MANETs", Knowledge-Based Systems, vol. 36, pp. 217-255, 2012.
[12] R.F. Olanrewaju, N.S. Sahari, A.A. Musa and N. Hakiem, "Application of neural networks in early detection and diagnosis of Parkinson's disease", in 2014 International Conference on Cyber and IT Service Management (CITSM), South Tangerang, 2014, pp. 78-82.
[13] V. Sekar, R. Krishnaswamy, A. Gupta and M.K. Reiter, "Network-wide deployment of intrusion detection and prevention systems", in ACM CoNEXT 2010, Philadelphia, USA, 2010.
[14] M. Bakhsh and I.I. Awan, "Real-time intrusions detection system by resilient backpropagation (RBP)", City University Research Journal, vol. 2, no. 1, pp. 138-145, 2012.
[15] B. Pillai and U.P. Singh, "NIDS for unsupervised authentication records of KDD dataset in Matlab", International Journal of Advanced Computer Science and Applications (IJACSA), Special Issue on Wireless & Mobile Networks, pp. 57-61, 2011.
[16] L. Dhanabal and S.P. Shantharajah, "A study on NSL-KDD dataset for intrusion detection system based on classification algorithms", International Journal of Advanced Research in Computer and Communication Engineering, vol. 4, no. 6, pp. 446-452, 2015.