intrusion detection system

Intrusion Detection System By: Aniruddh Siddh

Upload: aniruddh-siddh

Post on 27-May-2017

Intrusion Detection System

By: Aniruddh Siddh

Introduction

Intrusion detection is the process of observing and analyzing the events arising in a computer or network system to identify all security problems. An IDS provides three important security functions: monitoring, detecting and responding to unauthorized activities.

IDS Types

• Host-Based Intrusion Detection (HIDS): Host-based intrusion detection (HIDS) refers to intrusion detection on a single host system. The data is collected from an individual host system. If any unauthorized change or activity is detected, it alerts the user.

• Network-Based Intrusion Detection (NIDS): A network-based intrusion detection system (NIDS) is used to monitor and analyze network traffic to protect a system from network-based threats; its data is the traffic crossing the network. A NIDS examines the traffic in real time, attempting to detect intrusion patterns.

• Hybrid Intrusion Detection: The current trend in intrusion detection is to combine both types, host-based and network-based IDS, to design hybrid systems. This flexibility increases the security level.

The Data

• In the 1998 DARPA intrusion detection evaluation program, an environment was set up to acquire raw TCP/IP dump data for a network by simulating a typical U.S. Air Force LAN.

• KDD Cup99 dataset

Attack types fall into four main categories:

1. DOS: denial of service
2. Unauthorized access from a remote machine (R2L)
3. User to Root Attacks (U2Su)
4. Probing: surveillance and other probing

INTRUSION DETECTION APPROACHES

• Misuse Detection: A misuse detection system tries to match data with known attack patterns.

Disadvantages
· Any new form of misuse is not detected
· Resource consuming and slows down the throughput

Advantages
· It raises fewer false alarms because it can be very specific about what it is looking for.

• Anomaly detection: This system watches for unknown intrusions by looking for abnormalities in traffic.

Disadvantages
· It raises a high number of false alarms
· Limited by training data

Advantage
· New forms of attack can be detected.
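
The trade-off between the two approaches above can be seen by running both over the same labelled traffic. The following is an added example, not part of the original slides: the records, the single signature, the z-score threshold and all function names are constructed for illustration, and the false-alarm rate is taken here as the fraction of normal records that raise an alert.

```python
from statistics import mean, pstdev

# Constructed records: (count, serror_rate, src_bytes). The field names follow
# KDD Cup99 connection features; every value here is made up for illustration.
BASELINE = [(4, 0.0, 200), (6, 0.0, 250), (5, 0.1, 300),
            (7, 0.0, 220), (3, 0.1, 280), (5, 0.0, 250)]   # known-normal traffic
TEST = [
    ((5, 0.0, 240), "normal"),
    ((6, 0.1, 260), "normal"),
    ((4, 0.0, 900), "normal"),     # legitimate but unusually large transfer
    ((7, 0.0, 230), "normal"),
    ((250, 1.0, 0), "dos"),        # pattern the signature was written for
    ((180, 0.95, 0), "dos"),
    ((40, 0.5, 100), "novel"),     # attack with no signature yet
    ((60, 0.6, 150), "novel"),
]

def misuse_alert(rec):
    """Misuse detection: match one known pattern (SYN-flood style DoS)."""
    count, serror_rate, _src_bytes = rec
    return count >= 100 and serror_rate >= 0.9

def build_profile(normal_records):
    """Anomaly detection, training step: per-feature mean and std of normal data."""
    return [(mean(col), pstdev(col)) for col in zip(*normal_records)]

def anomaly_alert(rec, profile, z_max=3.0):
    """Alert when any feature lies more than z_max std devs from the baseline."""
    return any(abs(v - m) / s > z_max for v, (m, s) in zip(rec, profile))

def rates(detector, labelled):
    """Return (detection rate, false-alarm rate) as fractions of 1."""
    attacks = [r for r, y in labelled if y != "normal"]
    normals = [r for r, y in labelled if y == "normal"]
    return (sum(map(detector, attacks)) / len(attacks),
            sum(map(detector, normals)) / len(normals))

PROFILE = build_profile(BASELINE)

def compare():
    return {"misuse": rates(misuse_alert, TEST),
            "anomaly": rates(lambda r: anomaly_alert(r, PROFILE), TEST)}

if __name__ == "__main__":
    for name, (dr, far) in compare().items():
        print(f"{name:8s} detection rate={dr:.2f} false-alarm rate={far:.2f}")
```

On this constructed data the signature raises no false alarms but misses both unseen attacks, while the baseline profile catches every attack and also flags the unusually large legitimate transfer.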

Different intrusion detection approaches

• Back propagation network

• Fuzzy logic Intrusion Detection System

• Support Vector Machine Intrusion Detection System

• Extreme learning machine

Back Propagation networks

• A Back Propagation network learns by example.

• You give the algorithm examples of what you want the network to do and it changes the network's weights so that, when training is finished, it will give you the required output for a particular input.

• Back Propagation networks are ideal for simple Pattern Recognition and Mapping Tasks.

RESULTS

The proposed IDS was evaluated using the Waikato Environment for Knowledge Analysis (WEKA), and the dataset used is the KDD Cup99 dataset.

Performance measures used to evaluate BPN:

• Detection rate: indicates the percentage of detected attacks among all attack data.

• False-alarm rate

• The Back Propagation Neural Network algorithm shows poor detection of attackers, so in future the ELM technique is used to improve security.

Genetic fuzzy based automatic IDS

By combining fuzzy set theory with a genetic approach, the proposed method can deal with a mixed database that contains both discrete and continuous attributes.

Features of the proposed method are summarized as follows:

• Can deal with both discrete and continuous attributes.

• The fitness function contributes to mining more new rules with higher accuracy.

• Can be flexibly applied to both misuse and anomaly detection.

• Prior knowledge of intrusion patterns is not required before training.

• High detection rates are obtained in both misuse detection and anomaly detection.

• In misuse detection, the method shows a high detection rate and a low false-alarm rate.

• In anomaly detection, the results show a high detection rate and a reasonable false-alarm rate even without prior knowledge, which is an important advantage of the proposed method.

• The important function of the proposed method is to efficiently extract new rules that are statistically significant and can be used for several purposes.

• The run speed of the algorithm is faster in the learning stage compared with the published run speeds of the existing algorithms.

Support Vector Machine Intrusion Detection System

The support vector machine has been proposed as an essential technique for intrusion detection systems. It is a machine learning algorithm which is used for both classification and regression.

• A support vector machine (SVM) performs classification by constructing hyperplanes in a multi-dimensional space that separate two classes. SVM tries to achieve maximum separation between the classes.

SVM is popular because

• it can be easy to use

• this algorithm has good adaptability and generalization performance regarding new attack signatures

• this same algorithm detects a variety of attacks with little tuning.

• SVMs have great potential to be used due to their scalability and faster training and running time.

• Even though Support Vector Machine can produce better generalization performance, it has drawbacks as well:

• The intensive computation involved in its training, which is at least quadratic with respect to the number of training examples.

• Long training time; for large, complex applications, it generates a large network size.

Extreme Learning Machine (ELM)

Features:

• It is easy to use

• Faster learning speed

• High generalization performance

• Suitable for all non-linear activation functions

• Suitable for complex activation functions

Extreme Learning Machines (ELM) work for "generalized" single-hidden-layer feedforward networks (SLFNs).

(i) Randomly assign input weights and biases according to some continuous probability density function.
(ii) Calculate the hidden-layer output matrix.
(iii) Calculate the output weights.
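
The three steps above, as an added example in plain Python that is not taken from the original slides. It assumes a sigmoid activation, a uniform density for step (i), and ridge-regularised least squares for step (iii), since the slides do not say how the output weights are computed; the class, the helper names and the two-feature records are constructed for illustration.

```python
import math
import random

def solve(A, b):
    """Solve A x = b by Gaussian elimination with partial pivoting."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(c + 1, n):
            f = M[r][c] / M[c][c]
            M[r] = [mr - f * mc for mr, mc in zip(M[r], M[c])]
    x = [0.0] * n
    for r in reversed(range(n)):
        x[r] = (M[r][n] - sum(M[r][k] * x[k] for k in range(r + 1, n))) / M[r][r]
    return x

class ELM:
    def __init__(self, n_inputs, n_hidden=10, seed=0):
        rng = random.Random(seed)
        # (i) input weights and biases drawn from a uniform density, then frozen
        self.W = [[rng.uniform(-1, 1) for _ in range(n_inputs)] for _ in range(n_hidden)]
        self.b = [rng.uniform(-1, 1) for _ in range(n_hidden)]

    def hidden(self, x):
        """One row of the hidden-layer output matrix H (sigmoid activation)."""
        return [1 / (1 + math.exp(-(sum(w * v for w, v in zip(ws, x)) + b)))
                for ws, b in zip(self.W, self.b)]

    def fit(self, X, targets, ridge=1e-3):
        H = [self.hidden(x) for x in X]                        # (ii)
        L = range(len(self.b))
        # (iii) output weights: solve (H^T H + ridge * I) beta = H^T t
        A = [[sum(h[i] * h[j] for h in H) + (ridge if i == j else 0) for j in L] for i in L]
        rhs = [sum(h[i] * t for h, t in zip(H, targets)) for i in L]
        self.beta = solve(A, rhs)
        return self

    def predict(self, x):
        score = sum(bw * h for bw, h in zip(self.beta, self.hidden(x)))
        return "attack" if score > 0 else "normal"

# Constructed training records: [count scaled to 0..1, serror_rate]
NORMAL = [[0.05, 0.10], [0.10, 0.05], [0.15, 0.12], [0.08, 0.18], [0.12, 0.09], [0.20, 0.15]]
ATTACK = [[0.85, 0.90], [0.92, 0.80], [0.78, 0.95], [0.90, 0.88], [0.95, 0.93], [0.81, 0.84]]

def train():
    return ELM(n_inputs=2).fit(NORMAL + ATTACK, [-1] * len(NORMAL) + [1] * len(ATTACK))
```

Only the output weights are learned, and they come from one linear solve rather than iterative weight updates, which is where the learning-speed advantage listed in the features comes from.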

• In comparison, the time taken by basic ELM and SVM increases slowly as the amount of data increases. Eventually, SVM starts consuming more time for both training and testing than basic ELM.

• As the dataset becomes larger, basic ELM outperforms SVM with faster learning speed.

Artificial Neural Network Intrusion Detection System

• IDS designers exploit ANN as a pattern recognition technique. Pattern recognition can be implemented by using a feed-forward neural network that has been trained accordingly.

They consist of many similar building blocks – neurons. Three types of units or layers can be distinguished:

1. Input layer – receives input data from external resources. After processing, the neuron's output is passed to the next layer.

2. Hidden layer(s) – receive input from neurons in an adjacent layer. Output signals are passed to the output layer or remain within the ANN.

3. Output layer – receives input from the adjacent hidden layer. Output signals are sent out of the ANN to post-processing.

• Drawbacks of ANN-based IDS: lower detection precision, especially for low-frequency attacks, e.g., Remote to Local (R2L), User to Root (U2R).