a heuristic approach for alert aggregation in intrusion detection system
TRANSCRIPT
-
7/31/2019 A Heuristic Approach for Alert Aggregation in Intrusion Detection System
1/6
Journal of Computer Applications (JCA)
ISSN: 0974-1925, Volume V, Issue 3, 2012
101
Abstract - Intrusion Detection System (IDS) is an
important protection mechanism for wireless
networks. It helps to identify suspicious attacks and
provide an alert. In IDS, alert aggregation is one of the
mandatory subtasks, in which alerts are grouped into
clusters. Based on the information provided by the
cluster head, alerts are aggregated and send to the
reaction layer. We proposed to introduce a new layer
between detection and alert aggregation layers namely
alert pre-processing layer. This layer filters the false
alerts by sending only the correct packets to the
destination and thus prevent suspicious one to proceed
further. We proposed this scheme for enhanceddetection and false alarm rates.
Index Terms Intrusion detection, alert aggregation, genetic
algorithm, backtracking.
I. INTRODUCTIONDue to the enormous and fast growth of computer networks,
varieties of attacks are grown accordingly. Intrusion
Detection System (IDS) is the system that identifies
different categories of attacks by different security
mechanisms and safeguards the system properties and
configuration including data. An IDS always analyze the
traffic entering into the network and differentiates betweentrue packet and attack. The system classifies the attack
identification methods into two general types: anomaly and
misuse detection. An Intrusion Detection (ID) system
collects and analyzes required information from various
components in a computer or network to identify possible
loopholes that makes the system insecure. An Intrusion
detection system is designed in such a way that gathers data
as normal or abnormal. Day by day ID systems are being
developed to minimize the increasing number of attacks on
significant sites and in different types of networks. Intrusion
detection is the action of separating both wanted and
unwanted traffic on a network or in a device. For differentnetwork configurations, many IDS technologies exist in the
present and increases further in the near future [1]. Currently,
several IDS are reliable in detecting various suspicious
actions by evaluating TCP/IP connections or log files, for
example. Whenever IDS finds the suspicious packet, it
creates an alert
Manuscript received 10/Sep/2012.
Manuscript selected 4/Oct/2012.
N.Anitha, Department of Information Technology, Kongu Engineering
College, Assistant Professor ,Perundurai. Tamil Nadu, India,
E-mail: [email protected]
S.Anitha, Department of Information Technology, Kongu Engineering
College, Assistant Professor, Perundurai. Tamil Nadu, India.
E-mail: [email protected]
B.Anitha, Department of Information Technology, Kongu Engineering
College, Assistant Professor, Perundurai. Tamil Nadu, India.
E-mail: [email protected]
which include source from where it is originated, target towhich it is send and category of attack. Even the single
intrusive action generated by a single intruder often allow
hundreds or thousands of alerts be created, which cause
incorrect action by the network. IDS focus only on detecting
the different types of attack by the attacker irrespective of
different ways of attack caused to the system. Increase in the
number of low rates of false alerts caused by a single attack
would damage the entire network in a severe manner [2]. Inorder to overcome this, IDS creates low level of abstraction
techniques to minimize the false alerts. The information from
single alert might be incorrect with high probability, so it is
very difficult for security expert to identify those groups of
alerts.
Low-level IDS may generate alerts with the use of firewall
etc.,. To avoid the overhead of alerts generated from single
attack, clustering those alerts is performed. Information
about the clustered alert is called as Meta-alert also
generated. The main motive is to minimize the number of
alerts originated for single attack instance without losing
important information which gives perfect clue for finding
the attack type but in turn false or redundant meta-alerts to a
certain degree is accepted.
Based on the principles of evolution and natural selection,
genetic algorithm works by using the model created from the
different problems of various domains. The modelresembles the chromosomes like structure and various
processes like selection, recombination and mutation takes
place. Genetic algorithm is used in computer security to find
the best result to a specific problem by compromising
certain parameters.
Selecting the number of chromosomes constitute
population in a random manner is the foremost step in the
genetic algorithm. The problem is solved using the
chromosome representation. Each chromosome positions
are encoded as bits, characters or numbers according to the
attribute requirement of the problem. During evolution, each
position of chromosomes say gene can be randomly changed
within specified range. Population is the set of chromosomesthat are present during the evolution stage. Each
chromosome is selected based on the evaluation function
goodness. Natural reproduction and mutation are simulated
using two basic operators crossover and mutation during
evaluation. Based on the fittest chromosomes, survival of
chromosomes and its combination is determined.
In our perspective, ideal IDS must know about the various
types of attack and attackers. In the existing system, a novel
technique called Generative Data Stream Modeling is used
for online alert aggregation and meta-alerts are generated
[2].In this paper, we make an important step towards
generation of meta-alerts by introducing a new layer
in-between detection and alert processing layer namely alert
pre-processing layer.
A Heuristic Approach for Alert Aggregation in
Intrusion Detection SystemN.Anitha
a,*, S.Anithab,1, B.Anitha
c,2
-
7/31/2019 A Heuristic Approach for Alert Aggregation in Intrusion Detection System
2/6
A Heuristic Approach for Alert Aggregation in Intrusion Detection System
102
Our approach has the following distinctive properties:
It is a genetic algorithm approach using heuristicmethods. Once the decision is raised based on the
suspicious alert, we generate the offspring such as false
positive (FP) and false negative (FN) functions.
It is a backtracking approach in which each observedfalse alert is prevented to proceed further into the
system.
The remainder of this paper is organized as follows: In Section IIreview of related work is presented. Section III describes the
proposed alert generation approach. Finally Section IV describes
the conclusion and future work.
II. REVIEW OF RELATED WORKSMost existing IDS are optimized to detect attacks with high
accuracy. However, they still have various disadvantages that
have been outlined in a number of publications and a lot of
work has been done to analyze IDS in order to direct future
research [3] .Besides others, one drawback is the large amount
of alerts produced some of which are redundant and
unnecessary. Alert aggregation approach which is at each pointin time based on probabilistic model of the current situation.
This system focuses on a structurally very similar so-called ID
agent.
Figure 1.Outline of the Layered Architecture of an ID Agent
The sensor layer provides the interface to the network and the
host on which the agent resides. Sensors acquire raw data from
both the network and the host, filter incoming data and extract
interesting and potentially valuable information which is
needed to construct an appropriate event. At the detection
layer, different detectors, e.g., classifiers trained with machine
learning techniques such as support vector machines (SVM) or
conventional rule-based systems such as Snort assess these
events and search for known attack signatures (misuse
detection) and suspicious behavior (anomaly detection). In
case of attack suspicion, they create alerts which are thenforwarded to the alert processing layer. Alerts may also be
produced by FW or the like. At the alert processing layer, the
alert aggregation module has to combine alerts that are
assumed to belong to a specific attack instance. Thus, so called
meta-alerts are generated. Meta-alerts are used or enhanced in
various ways, e.g., scenario detection or decentralized alert
correlation. An important task of the reaction layer is
reporting.[4]
In other words, with the alert aggregation moduleon which
we focus in this paperwe want to have a minimal number of
missing meta-alerts (false negatives) and we accept some false
meta alerts (false positives) and redundant meta-alerts in turn.With the creation of a new component, an appropriate meta-
alert that represents the information about the component in an
abstract way is created. Every time a new alert is added to a
component, the corresponding meta-alert is updated
incrementally, too. That is, the meta-alert evolves with the
component. Meta-alerts may be the basis for a whole set
further tasks:
Sequences of meta-alerts may be investigated further in
order to detect more complex attack scenarios.
Meta-alerts may be exchanged with other ID agents in order
to detect distributed attacks such as one-to many attacks.
Based on the information stored in the meta-alerts, reports
may be generated to inform a human security expert aboutthe ongoing attack situation.
Meta-alerts could be used at various points in time from the
initial creation until the deletion of the corresponding
component. For instance, reports could be generated
immediately after the creation of the component or which
could be more preferable in some cases a sequence of updated
reports could be created in regular time intervals. Another
example is the exchange of meta-alerts between ID agents: Due
to high communication costs, meta-alerts could be exchanged
based on the evaluation of their interestingness [6].
According to the task for which meta-alerts are used, they may
contain different attributes. Examples for those attributes are
aggregated alert attributes (e.g., lists or intervals of source
addresses or targeted service ports, or a time interval that marksthe beginning and the endif availableof the attack
instance), attributes extracted from the probabilistic model
(e.g., the distribution parameters or the number of alerts
assigned to the component), an aggregated alert assessment
provided by the detection layer (e.g., the attack type
classification or the classification confidence), and also
information about the current attack situation (e.g., the number
of recent attacks of the same or a similar type, links to attacks
originating from the same or a similar source).
The existing technique detects the attacks using rule set with
the help of Genetic Algorithm [7]. It develops rules R2L,
U2R, Probe, DoS attacks. The average performance of the
method is low detection rate. Another existing technique is acombination of fuzzy data mining procedures and Genetic
algorithm in identifying network anomalies and misuses.
The attributes of the network audit data are not recognized
accurately in the most of the existing Genetic Algorithm
based IDS. Though the features play a main role in Intrusion
Detection, the author introduces fuzzy numerical functions.
Another technique uses Genetic Algorithm to recognize the
best parameters of the fuzzy functions for choosing the
features of the related network [5]. The network anomalies
can be identified by applying multiple agent techniques and
Genetic Programming. The set of agents that establish the
network actions can be finding out by an agent, which
examines one parameter of the network audit data and
Genetic Programming. Several small independent agents
can be used in that technique which is an advantage and the
communication between the agents is a problem.
-
7/31/2019 A Heuristic Approach for Alert Aggregation in Intrusion Detection System
3/6
Journal of Computer Applications (JCA)
ISSN: 0974-1925, Volume V, Issue 3, 2012
103
Another Proposed Genetic Algorithm technique [8] for
anomaly detection. Random digits were produced using
Genetic Algorithm. An entry value was produced at any
conviction value more than this threshold value was
classified as a malicious attack. The main drawback of this
approach was established the threshold value is more
difficult and high false alarm rate leading when used to
detect unknown or new attacks. One IDS tool that uses GAsto detect intrusions, and is available to the public is the
Genetic Algorithm as an Alternative Tool for security Audit
Trails Analysis (GASSATA). GASSATA finds among all
possible sets of known attacks, the subset of attacks that are
the most likely to have occurred in a set of audit data. Since
there can be many possible attack types, and finding the
optimal subset is very expensive to compute. GAs is used to
search efficiently. The population to be evolved consists of
vectors with a bit set for each attack that is comprised in the
data set. Crossover and mutation converge the population to
the most probable attacks.
This paper presents Genetic Algorithm and backtracking
algorithm which recognizes attack type connections. Thesetwo algorithms consider different features by duration,
protocol type, hot etc. in creating a rule set. The Genetic
Algorithm and backtracking algorithms in order to create a
set of rules which applied on Intrusion Detection System
classify different kinds of attacks. Our goal is to produce a
high detection rate and low false alarm rate for Denial
of Service (DoS), Root to Local (R2L), User to Root (U2R)
and Probe attacks. We mainly focus on introducing genetic
algorithm with backtracking to reduce the minimum number
of alerts as well as to handle the new types of attacks.
III.A HYBRID APPROACH FOR ALERTGeneration
In thealert pre-processing layer, novel approaches such asGenetic Algorithm and Backtracking is used. A Genetic
algorithm is essentially a type of search algorithm which is
used to solve a wide variety of problems. The goal of a
Genetic algorithm is to create optimal solutions to specific
problems. Potential solutions are encoded as a sequence of
bits, characters or numbers. This unit of encoding is called
a gene and the encoding sequence is known as a
chromosome. The GA begins with a set of these
chromosomes and an evaluation function that measures the
fitness of each chromosome. It uses reproduction such ascrossover and mutation to create new solutions which are
then evaluated
Figure 2.Proposed Layered Architecture of an ID Agent
Genetic algorithms are defined as a computational concept
inspired by the mechanics of natural evolution, including
survival of the fittest, reproduction and mutation In thestandard Genetic algorithm, an initial population of
individuals is generated at random or heuristically. In every
generation the individuals in the current population are
evaluated according to some predefined quality criterion
referred to as the fitness. Fitness is determined by the fitness
function. The fitness function takes a string and assigns a
relative fitness value to the string. Based on their fitness,
strings are selected as parents using selection operators .To
form a new generation or child, the strings are put together
and they reproduce through operators such as crossover and
mutation. The Genetic algorithm comes to a halt when the
determined fitness value is met or when variation ofindividuals from one generation to the next reaches a pre
specified level of stability.
First, an initial population of strings is created. Then the
individuals are selected iteratively according to the fitness.
Based on the fitness value of each string, strings which
comply with the fitness value are combined to make a new
generation that may be able to solve the problem. Initially
the process selects individuals referred to
as parents. The fit individuals of the new generation then
become parents. If a solution is found, then the loop
terminates, otherwise the loop starts from the individuals
selected from the new generation and continues until the
termination criteria are met.
-
7/31/2019 A Heuristic Approach for Alert Aggregation in Intrusion Detection System
4/6
A Heuristic Approach for Alert Aggregation in Intrusion Detection System
104
False alerts dropped
Figure 3.The Simple Structure of the Proposed Model
The network traffic used for the GA is a pre-classified data
set that differentiates normal network connections from
anomalous ones. This pre-classified data set is manually
created by analyzing the data captured by the network
sniffer. The network sniffer is a program used to recordnetwork traffic without doing something harmful to the
network traffic. The data set includes the necessary
information to generate rules. This information includes the
source IP address, the destination IP address, the source
port, the destination port, the protocol used, and finally a
field indicating whether the specific connection indicates an
intrusion or not. The data set will include both normal and
anomalous network connections. A connection refers to an
entry in the dataset. If the connection is an intrusion, then it
will be indicated by the value true, and if it is not an
intrusion, it will be indicated by the value false. These
network connections in the dataset are, as stated before,
manually created. This is the initial phase of developing the
system using the GA. Once the GA is trained with the rules,
more network connections can be added to the dataset. This
means that the dataset will have to be updated by
administrators to add a new connection or to discard a
connection. Once the initial data set is created, the next
action is to create the rule set. By analyzing the dataset, rules
will be generated in the rule set. These rules will be in the
form of an if then format as follows.
if {condition} then {act}
The condition in the format above refers to the attributes in
the rule set that forms a network connection in the dataset, as
shown in table 1, such as source and destination IPaddresses, source and destination port numbers, protocol
used, and a field indicating the possibility of an intrusion.
Note that the condition will result in a true or false. The
act field in the if-then format above will refer to an action
once the condition is true, such as reporting an alert to the
system administrator. For example, a rule in the rule set can
be defined as follows:
if {the connection has the following information: source IP
address 150.165.13.1; destination IP address:
130.179.16.43; source port number: 25; destination port
number: 80; protocol used: IP} then {detect whether the
connection is an intrusion or not}
This rule will detect an intrusion because the source IPaddress 150.165.13.1 is recognized by the IDS as, for
example, a blacklisted address. Hence any service requested
from this address is rejected. Since the GA has to use such
rules to detect intrusions, such rules in the rule set will be
codified to the GA format in the GA rule set. Each rule will
be represented in the form of a chromosome in the GA. This
is carried out by extracting certain characteristics of the
attributes in the rule set into a GA format. As stated before
the GA uses the rules in the GA rule set which are encoded
as chromosomes to detect anomalous connections. The first
part of the GA will act as a search algorithm. In the initial
stage, only the search algorithm will beexecuted. This is tohelp the rules acquire values which are to be later used in the
fitness function, when the complete GA is executed. Initially
the search algorithm will match the rules with any
anomalous connections that occur on the network to detect
an intrusion. Each rule will carry values for the intrusions
that they have detected, and a value for a false alarm that the
rule produces. The initial values for the rule will be
initialized to zero. The rules will acquire these values when
the search algorithm is executed. Once the rules have
acquired the values, then the complete GA, which includes
the fitness function and mutation, is executed.
The second part of the GA is the fitness function. The fitness
function F determines whether a rule is good i.e. it
detects intrusions, or whether the rule is bad, i.e. it does not
detect intrusions. F is calculated for each rule. It will
depend on the following equation In the initial stage, this
equation will be used to determine the fitness function, but
future work will test and improve
the equation to make the GA more effective in selecting fit
individuals.
F = a / Ab / B
In the fitness function, a contains the value that the
specific rule carries for the number of correctly detected
intrusions. b contains the value that the specific rule carries
for the number of false alarms. A is calculated by addingthe value of the correctly detected intrusions from all the
rules. B is the total number of normal connections in the
dataset. A normal connection is not an intrusion, and is
indicated by the value false. When an intrusion occurs, it is
notified by the response mechanism. The response
mechanism is a popup window indicating the rule, and a
message notifying that an intrusion has occurred. When an
intrusion does not occur, but the response mechanism
confirms it as an intrusion, then it is considered as a false
alarm. When a rule pops up indicating an intrusion, but the
connection actually has not taken place, then it is a false
alarm. The network sniffer provides the information of
connections on the network. Hence, when an intrusion isdetected, the network sniffer will be executed to determine
whether it is an intrusion or a false alarm.
Simple generational genetic algorithm procedure:
1.Choose the initial population ofindividuals2..Evaluate the fitness of each individual in that
Population
3.Repeat on this generation until termination(time limit, sufficient fitness achieved, etc.):
1. Select the best-fit individuals for reproduction2. Breed new individuals through crossover and mutation
operations to give birth to offspring3. Evaluate the individual fitness of new individuals4. Replace least-fit population with new individuals
Genetic
Algorithm Rule
set
Learning
PhaseResponse
Testing Phase GeneticAlgorithm
classifier
Backtracked
True alerts
http://en.wikipedia.org/wiki/Populationhttp://en.wikipedia.org/wiki/Individualhttp://en.wikipedia.org/wiki/Individualhttp://en.wikipedia.org/wiki/Population -
7/31/2019 A Heuristic Approach for Alert Aggregation in Intrusion Detection System
5/6
Journal of Computer Applications (JCA)
ISSN: 0974-1925, Volume V, Issue 3, 2012
105
Algorithm for New Layer in Intrusion detection agent:
Formation of Rule set with Genetic Algorithm
Input: Production number, Binary String Set,
Range of Population, possibility of Crossover and
Mutation Output: Selected Features set
Simple generational genetic algorithm procedure:
1.Choose the initial population ofindividuals2. Evaluate the fitness of each individual in that
Population
3. Repeat on this generation until termination(time limit, sufficient fitness achieved, etc.):
1. Select the best-fit individuals for reproduction2. Breed new individuals through crossover and
mutation operations to give birth to offspring
3. Evaluate the individual fitness of new individuals4. Replace least-fit population with new individuals
Genetic algorithm procedure for Alert Generation:
1. Choose the initial population of alerts2. Evaluate the FP and FN of each alert in thatPopulation3. Repeat on this generation until termination
1. Select the appropriate attack for both FP
and FN
2. Generate offspring for best FP and FN
attack
3. Assign weight for the best offspring
4. Remove false alert and send the packet
to the destination[7]
The Algorithm first generates the initial population and
loads the network audit data. Then the initial population is
developed for a number of generations. In every creation,
the qualities of the rules are firstly calculated, and then
quantities of best-fit rules are selected. The training
procedure starts by arbitrarily generating an initial
population of rules (Step 1). Step 2 estimates the total
number of records in the audit data. Steps 3 compute the
fitness of each rule and select the best-fit rules into new
population. Step 4 estimates the rank selection of entities.
Step 5-7 apply the crossover and mutation operators to every
rule in the new population. Step 8 chooses the top best
chromosomes into new population. Finally, Step 9 verifies
and decides whether to stop the training process or to go into
the next generation to continue the development process
Algorithm for New Layer in Intrusion detection agent:
Formation of Rule set with Genetic Algorithm
Input: Production number, Binary String Set,
Range of Population, possibility of Crossover and
Mutation
Output: Selected Features set
Step 1) Random Population initialization
Step 2) Number of Training Set Records
Step 3) Estimate Fitness = f(a)/ f (sum)
Where f (a) is the fitness of individual a and f
is the entire fitness of all individualsStep 4) Rank Selection Rs(x) = s(x) / ssum
Where Rs(x) is probability of selection
individuals(x) is rank of individuals sum is sum of all fitness
values
Step 5) For New Population with chromosomes
Step 6) Chromosome is applied to crossover
Step 7) Chromosome is applied to mutation operator
Step 8) Choose new population with 60% of top best
chromosomesStep 9) Continue upto the number of generations
goto Step 3
A backtracking algorithm tries to build a solution to a
computational problem incrementally. Whenever the
algorithm needs to decide between two alternatives to the
next component of the solution, it simply tries both options
recursively.
Backtracking algorithm for false alert:
1.If P is a goal node, return success2.If P is a leaf node, return failure3.For each child C of P
3.1 Explore C
3.1.1. If C was successful, return Success
4.Return FailureIV.CONCLUSION AND FUTURE WORK
The Genetic Algorithm is a well suitable mechanism for
Intrusion Detection compared to enhanced C4.5 algorithm.
Obtain different classification rules for Intrusion Detection
through Genetic Algorithm. The proposed Genetic
Algorithm with backtracking presents the Intrusion
Detection System for detecting different types of attacks
with different Datasets. It will reduce the high detectionrate and low false alarm rate. Backtracking algorithm is for
increasing the efficiency of intrusion detection system. In
the future we will implement this idea to detect various
attacks such as DoS, R2L, U2R, Probe from KDDCUP99
Dataset.
REFERENCES
[1] S. Axelsson, Intrusion Detection Systems: A Survey andTaxonomy,Technical Report 99-15, Dept. of Computer Eng.,
Chalmers Univ.of Technology, 2000.
[2] T.Pietraszek, Alert Classification to Reduce False Positives inIntrusion Detection,, July 2006.
[3] A.Allen,Intrusion Detection Systems: Perspective, TechnicalReport DPRO-95367, Gartner, Inc., 2003.
[4] Alexander Hofmann, Online Intrusion Alert aggregation withGenerative Data Stream Modeling, Proc. IEEE Transactions on
Dependable and Secure Computing, pp. 282-294.
[5] S. Selvakani K, Rengan S Rajesh Integrated Intrusion Detection System Using SoftComputing, IJNS, Vol.10, No.2,pp.87-92, March 2010.
[6] Hofmann.A, I. Dedinski, B. Sick, and H. de Meer, A Novelty-DrivenApproach to Intrusion Alert Correlation Based on Distributed Hash
Tables, Proc. 12th IEEE Symp. Computers and Comm. (ISCC 07),
pp. 71-78, 2007.
[7] Dr. J.A. Chandula,Machine Learning Techniques for IntrusionDetection System, (IJCSIS) International Journal of Computer
Science and Information Security, Vol. 10,No.4, April 2012.
[8] Venter . H.S., An Approach to Implement a Network IntrusionDetection System using Genetic Algorithms Proceeding SAICSIT
'04 Proceedings of the 2004 annual research conference of the SouthAfrican institute of computer scientists and information
technologists on IT research in developing countries.
http://en.wikipedia.org/wiki/Populationhttp://en.wikipedia.org/wiki/Individualhttp://en.wikipedia.org/wiki/Individualhttp://en.wikipedia.org/wiki/Population -
7/31/2019 A Heuristic Approach for Alert Aggregation in Intrusion Detection System
6/6
A Heuristic Approach for Alert Aggregation in Intrusion Detection System
106
BIOGRAPHY
N.Anitha received B.E Degree in Information
Technology from Shri Angalamman College of
Engineering and Technology, Trichy in 2004 and
M.Tech Degree in Advanced IT from Bharathidhasan
University in 2006. From 2006 to 2008 she worked as
a Lecturer in the department of IT in Shri
Angalamman College of Engineering and Technology,
Trichy. Currently she is working as an AssistantProfessor in the Department of IT, Kongu Engineering College,
Perundurai. She has conducted various workshops and published several
papers in the area of Security. She has research interest towards Intrusion
Detection Techniques. She is a member of ISTE. E-mail:
S.Anitha received B.E Degree in Electronics and
Communication Engineering from Coimbatore Institute
of Engineering and Information Technology,
Coimbatore in 2006 and M.E Degree in Computer
Science and Engineering from Kongu Engineering
College in 2009. From 2009 to 2010 she worked as a
Lecturer in the department of IT, Velalar College of
Engineering and Technology. Currently she is working as an Assistant
Professor in the Department of IT, Kongu Engineering College,
Perundurai. She has conducted various workshops and published severalpapers in the area of Network Security. She is a member of ISTE.
E-mail:[email protected]
B.Anitha received B.E Degree in Computer Science
and Engineering from K.S.R College of Technology,
Erode in 2001 and M.E Degree in Computer Science
and Engineering from Kongu Engineering College in
2006. From 2007 to 2009 she worked as a Lecturer in
the department of Computer Science and Engineering
in Bannari Amman College of Engineering and
Technology, Sathyamangalam. Currently she is working as an Assistant
Professor in the Department of IT, Kongu Engineering College,
Perundurai. She has conducted various workshops and published several
papers in the area of Security Techniques. She has research interesttowards Intrusion Detection Techniques. She is a member of ISTE.
E-mail: [email protected]