Intrusion Detection System

M Hassan Zaib 01-243171-007, Anas Shahid 01-245161-028

December, 2017

1 Abstract
Some intrusions in a network go undetected, and machine learning can be used to detect them. When data flows through a network (wired or wireless), it is monitored through a set of attributes. It can be studied with the flow explained in this document. Network traffic is preprocessed into connection features, and a neural network then tells us whether it is a virus/attack or normal traffic. This helps keep network traffic clean and block the viruses that occur in it. The network flow data can have the following features: Number of Packets, Total Bytes, Flow Duration, Bit Rate, Packet Rate, Delta Mean, First Length, etc. On the basis of these attributes the neural network labels each flow as a virus or a normal signal. We can label the data as -1 for virus and +1 for normal signal. Different kinds of tools are used for intrusion detection. After a signal is labeled as a virus on the basis of the given features, it can be destroyed or prevented using other tools. This document introduces intrusion in data packets and explains how important it is for network communication to find intrusions and act against them. Data packets are monitored for intrusion detection. Some other techniques and methods are also discussed.

Bahria University Islamabad, Tel.: +92-300-9564154, E-mail: [email protected]

2 Introduction
An intrusion is malicious activity or a policy violation in a network or system, which is detected by an IDS (intrusion detection system). Intrusion detection is important because, if an intrusion is detected quickly, the intruder can be identified and stopped before any harm occurs to the system or data is compromised. It can also enable the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility. An intrusion detection system helps a computer become aware of security attacks. The concept of an intrusion detection system was introduced by James Anderson in the year 1980. Anderson defined an intrusion as an attempt, or the threat of a deliberate unauthorized attempt, to access information, manipulate information, or render a system unreliable or unusable.

Data can take any values in the features/attributes. For example, 177, 85314, 23.23, 29374.76, 7.617935, 131.3, 522 could be the respective values of the attributes, and according to the test data this record is labeled as a virus.

Currently there are two major approaches to intrusion detection. The first approach, called anomaly detection or behavior detection, is to define and characterize the correct static form and/or acceptable dynamic behavior of the system, and then to detect wrongful changes or wrongful behavior. The second approach, misuse detection, more commonly known as signature detection, uses specific known patterns of unauthorized behavior to detect subsequent similar attempts. These specific patterns are called signatures.

3 Some Previous Techniques
There are several techniques used in IDS.

3.1 Misuse detection (Signature Analysis)
Signature-based techniques use a signature associated with a particular malicious activity. The most common signature-based technique is an anti-virus program, which checks the signature of all files traversing a network or being downloaded onto a computer. If the file being checked is a known virus, Trojan, worm, etc., then an alert is triggered. Signature-based techniques have the advantage that there is very rarely a false alarm, but the disadvantage that they can only detect known attacks. Some Misuse detection . [?]

3.2 Anomaly detection
Anomaly-based techniques rely on detecting abnormal behavior. These techniques take inputs from numerous network features and label them as anomalous or normal. These techniques are the hardest for an attacker to avoid, as they are so general. However, they have the disadvantage of high false-positive rates, which can make the detector useless in practice. NAD (Network Anomaly Detection) is a big problem because of higher-level protocols and the large spread of data to be processed. A common way to prevent intrusion is a firewall programmed by the administrator to block packets at a lower level, e.g. HTTP, SMTP, and DNS. This technique is used to block unauthorized access to private services (e.g. SSH). For intrusion/attack detection, signature detection techniques (SNORT, BRD) are used for public services, i.e. HTTP, SMTP, and DNS. A single instance of malware can cause unauthorized access or a huge amount of data loss. High-speed digital communication lets a threat affect and infect most systems very quickly, so it is essential to detect and eliminate threats.

Intrusion detection is the process of dynamically monitoring events occurring in a computer system or network, analyzing them for signs of possible incidents, and often interdicting the unauthorized access. In any detection system, there are two main issues that need to be solved: feature selection and classification. The features are the values selected as inputs to the algorithm. Features can include things like the Internet Protocol (IP) addresses, and much more. Classification refers to the algorithm used to determine which input data comes from a malicious source.
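As an added example (not the authors' code), the code below shows one way the preprocessing step could turn packet records into the seven flow attributes the abstract lists. The packet records are constructed, and the definitions used (bidirectional five-tuple flows, Delta Mean as the mean inter-arrival gap in milliseconds, rates reported as 0 for single-packet flows) are assumptions, since the page does not define them.

```python
from collections import defaultdict

# Constructed packet records: (time_s, src, sport, dst, dport, proto, length_bytes).
PACKETS = [
    (0.0, "10.0.0.5", 40000, "10.0.0.9", 80, "tcp", 60),
    (0.25, "10.0.0.9", 80, "10.0.0.5", 40000, "tcp", 60),
    (1.0, "10.0.0.5", 40000, "10.0.0.9", 80, "tcp", 500),
    (1.5, "10.0.0.9", 80, "10.0.0.5", 40000, "tcp", 1320),
    (2.0, "10.0.0.5", 40000, "10.0.0.9", 80, "tcp", 60),
    (3.0, "10.0.0.7", 53000, "10.0.0.1", 53, "udp", 72),  # single-packet flow
]

def flow_key(src, sport, dst, dport, proto):
    """Direction-independent key so both directions land in one flow."""
    a, b = sorted([(src, sport), (dst, dport)])
    return (a, b, proto)

def flow_features(packets):
    """Group packets into flows and return {flow_key: feature dict}."""
    flows = defaultdict(list)
    for ts, src, sport, dst, dport, proto, length in sorted(packets):
        flows[flow_key(src, sport, dst, dport, proto)].append((ts, length))
    out = {}
    for key, pkts in flows.items():
        times = [t for t, _ in pkts]
        total = sum(n for _, n in pkts)
        duration = times[-1] - times[0]
        gaps = [b - a for a, b in zip(times, times[1:])]
        out[key] = {
            "num_packets": len(pkts),
            "total_bytes": total,
            "flow_duration": duration,
            # A one-packet flow has zero duration: report 0 instead of dividing.
            "bit_rate": total * 8 / duration if duration > 0 else 0.0,
            "packet_rate": len(pkts) / duration if duration > 0 else 0.0,
            "delta_mean_ms": 1000 * sum(gaps) / len(gaps) if gaps else 0.0,
            "first_length": pkts[0][1],
        }
    return out
```

Each returned feature dict is one row of classifier input; the sample record in the introduction has the same seven fields.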

4 Application
Nowadays the most important applications, such as
- E-Business
- E-Banking
- E-Commerce
- Public health services
- Private Shared Networks
- Defense systems
are dependent on computer networks. Malicious software is designed to intrude into a system without letting the owner know, through viruses, malware, backdoors, spyware, key loggers, and botnets. So malware detection is important.

5 Neural Networks
Several tools can be used to implement a neural network for different kinds of data. Different organizations use different tools: PyTorch is used by Facebook and MXNet by Amazon, and many other tools and languages are in use. For intrusion detection in networks we used the Python programming language. To implement a neural network on the data set for the intrusion detection system, the following main Python libraries were used:
– NumPy is the fundamental package for scientific computing with Python. It contains, among other things, a powerful N-dimensional array object and sophisticated (broadcasting) functions.
– Pandas is an open source, BSD-licensed library providing high-performance, easy-to-use data structures and data analysis tools for the Python programming language. pandas is a NumFOCUS sponsored project. This will help ensure the success of development of pandas as a world-class open-source project.
– Tensorflow is an open-source software library for Machine Intelligence.

For most classification problems "one-hot vectors" are used. A one-hot vector is a vector that contains a single element equal to 1 and the rest of the elements equal to 0. In this case, the nth digit is represented as a zero vector with 1 in the nth position. There is a neural network example for our data for intrusion detection.

Fig. 1 Flow Diagram

Data details for training are given below

Fig. 2 Training Data


6 Results
Data computation takes more time. For testing, the whole training data file is passed, and the model accuracy is 87.44 percent. The data was classified with a linear perceptron as virus and normal, which were labeled as 1 and -1, as follows.

6.1 Support Vector Machine Implementation Results
Data computation takes less time. On our training data, the testing model accuracy is 79 percent for the Support Vector Classifier, and the accuracy of the Support Vector Machine classifier on the training data set was 78 percent. The training data set passed was 80 percent of all available rows. The average precision on the data set is 81 percent. The support vector machine takes less time to train, but its accuracy is lower than that of the neural network on the same data set.
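As an added example (not the authors' code, data or results), the code below trains a linear perceptron on seven-feature flow rows with the abstract's labels (-1 virus, +1 normal), using 80 percent of the rows for training, and reports confusion counts on the held-out rows. The flows and their value ranges are constructed and cleanly separable, unlike real traffic; the function names and the use of mean packet size as First Length are assumptions.

```python
import random

def make_flows(n, seed=7):
    # Constructed flows, not real traffic. Label -1 = virus, +1 = normal.
    rng, rows = random.Random(seed), []
    # (packets, mean packet size in bytes, duration in s) ranges per label
    ranges = {+1: ((100, 200), (400, 500), (20, 30)),
              -1: ((4000, 5000), (60, 80), (1, 2))}
    for label, spec in ranges.items():
        for _ in range(n):
            pk, size, dur = (rng.uniform(*r) for r in spec)
            total = pk * size  # size also stands in for First Length
            rows.append(([pk, total, dur, total * 8 / dur, pk / dur,
                          1000 * dur / (pk - 1), size], label))
    rng.shuffle(rows)
    return rows

def score(model, x):
    means, stds, w, b = model
    z = [(v - m) / s for v, m, s in zip(x, means, stds)]  # standardize
    return sum(wi * zi for wi, zi in zip(w, z)) + b, z

def train_perceptron(rows, epochs=20):
    # Scaling statistics come from the training rows only.
    cols = list(zip(*(x for x, _ in rows)))
    means = [sum(c) / len(c) for c in cols]
    stds = [(sum((v - m) ** 2 for v in c) / len(c)) ** 0.5 or 1.0
            for c, m in zip(cols, means)]
    w, b = [0.0] * len(means), 0.0
    for _ in range(epochs):
        for x, y in rows:
            s, z = score((means, stds, w, b), x)
            if y * s <= 0:  # misclassified: move the boundary toward y
                w, b = [wi + y * zi for wi, zi in zip(w, z)], b + y
    return means, stds, w, b

def evaluate(model, rows):
    # Confusion counts with virus (-1) as the positive class.
    c = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for x, y in rows:
        p = 1 if score(model, x)[0] > 0 else -1
        c[("t" if p == y else "f") + ("p" if p == -1 else "n")] += 1
    return c

def run(seed=7):
    rows = make_flows(200, seed)
    cut = int(0.8 * len(rows))  # 80% of rows for training, as on the page
    model = train_perceptron(rows[:cut])
    return evaluate(model, rows[:cut]), evaluate(model, rows[cut:])
```

The "fp" count is the number of normal flows flagged as virus, the false alarms that section 3.2 names as the main weakness of anomaly-based detection, so it is worth reading alongside accuracy.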
