Read without ads and support Scribd by becoming a Scribd Premium Reader.
See Premium Plans
 
AN INTRUSION DETECTION
SYSTEM
USING FUZZY DATA MINING
AND
GENETIC
ALGORITHMS
B.SAI PRAVEEN,
K.SUBRAHMANYAM 
Sa i_ p r a vee n 1 7 @
 
yah o o . c o m
rajaa. 0 32 1 @ ya h o o .co m
3RD YEAR 
CSE,
ANIL NEERUKONDA INSTITUTE OF TECHNOLOGY AND
SCIENCES,
SANGIVALASA,
VIZAG.
ABSTRACT :- Intrusion Detection systems
a
re
increasingly a key part of systems defense.
Va
ri
ous
approaches to Intrusion Detection are currently
b
ei
ng
used. Artificial intelligence plays a driving role
i
n
security services. This paper presents a
dynam
ic
intelligent Intrusion Detection system model, based
AI
approach which includes fuzzy logic and simple
data
mining techniques to process network data. This
syst
e
m
combines two distinct intrusion approaches:
1)Anoma
l
y
based intrusion detection system using fuzzy
data
mining techniques, and 2)Intrusion detection
syst
e
ms
using genetic
a
l
go
ri
thms.
1.
INTRODUCTION:
Information has become
an
organization’s most precious
asset.
Organizations have become
increasingly
dependent on information, since
more
information is being stored
and
processed on network-based
systems.
Hacking, viruses, worms and
trozan
horses are some of the major attacks.
A
significant challenge in providing
an
effective mechanism to a network is
the
ability to detect novel attacks or
any
intrusion works and implement
counter
measures. Intrusion detection is
a
critical component in
securing
information systems. Intrusion
detection
is implemented by an
Intrusion
detection system. Intrusion
detection
system, can detect, prevent and react
to
the attacks. Intrusion detection
has
become the integral part of 
the
information security
process.
2.0 INTRUSION DETECTION
SYSTEMS
2.1 AN OVERVIEW OF CURREN
INTRUSION
DETECTION
SYSTEMS
:
Intrusion detection is defined [1] as the process
of 
intelligently monitoring the events occurring in
a
computer system or network and analyzing
them
for signs of violations of the security policy.
The
primary aim of IDS is to protect the
availability,
confidentiality and integrity of critical
networked
information systems. IDS are defined by both
the
method used to detect attacks and placement
of 
the IDS on network. IDS may perform
either
misuse detection or anomaly detection and may
be
deployed as a network based system or host
based
system. This result in four general groups:
misuse-
host, misuse-network, anomaly host and
anomaly
network. Misuse detection relies on
matching
known patterns of hostile activity
against
databases of past attacks. They are
highly
effective at identifying known attack 
and
vulnerabilities, but rather poor in identifying
new
security threats. Anomaly detection will search
for
something rare or unusual by applying
statistical
measures or artificial intelligence methods
to
 
compare current activity against
historicknowledge.
Common problems with anomaly-based
systems
are that, they often require extensive training
data
for artificial learning algorithms, and they tend
to
be computationally expensive, because
several
metrics are often maintained, and need to
be
updated against every system activity. Some
IDS
combine qualities from all these categories and
are
known as hybrid
systems.
FIG
1[19]
2.2 COMPUTER ATTACK 
CATEGORIES
:
DARPA [2] categorizes the attacks into five
major
types based on goals and actions of the
attacker.
 DoS (Denial-of-service )
attacks tries to
make
services provided by or to computer users to
be
restricted or denied. For example, in
SYN-flood
attack, the attacker floods the victim host
with
more TCP connections requests that can
handle,
causing the host to be unable to respond even
to
valid requests. Probe attacks attempts to
get
information about an existing computer
or
network 
configurations.
 Remote to local (R2L)
attacks are caused by
an
attacker who has only remote access rights.
These
attacks occur when the attacker tries to get
local
access to a computer
network.
User to root(U2R)
attacks are performed by
an
attacker who has rights at user level access
and
tries to obtain super user
access.
 Probing attacks
: In this type of attacks,
an
attacker scans a network of computers to
gather
information of find known
vulnerabilities.
Data attacks are performed to gain access to
some
information to which the attacker is not
permitted
to access. Many R2L and U2L goals are
for
accessing the secret
files.
2.3 IDS DESIGN
PRINCIPLES:
IDS are designed and implemented on
modelled
network systems. Several points should
be
predefined and stated, inorder to find
proper
model for
network:
Normal behavior of a network system
is
the most dominant and frequent
behavior
of the network in a certain time
period.
Anomaly within the network system
least
frequent and abnormal behavior of 
the
network at certain time
period.
Modelling a dynamic and complex system such
as
the network is very difficult, for this reason
,
abstraction and partial modelling are used as
good
solution. The whole network components could
be
divided
into:HostUser
Network 
environment
The user itself could be divided
into
legimate user and malicious
user
(intruder). Many other nested
divisions
 
could occur according to the
designer’s
point of view and the areas of 
focus.
An Intruder detection system basically raises
an
alarm whenever an anomaly event occurs,
which
could be caused by an intruder to the
system.
These systems do not react equally at all
times,
false alarms could occur sometime and this
is
called False Positive (FP).The lower value of 
FP
gives a higher value of the
IDS.[3][4]
2.4 IDS DESIGN
TRENDS
There are number of different ways to
classify
IDS in order to distinguish between their
different
types. The most generic classification 1 found
for
IDS
is:
Analysis
approach
Placement of 
IDS
Under each of these categories
several
classifications could
occur.[5]
2.4.1.ANALYSIS
 APPROACH:
Boer and Pels[6], gave three types of IDS
which
could be listed under this
approach:
NIDS: Network-based IDS
which
monitors the network for
malicioustraff ic.
HIDS: Host-based IDS which
monitors
the activities of a single
host.
DIDS: Distributed IDS correlate
events
from different Host- or Network 
basedIDS
2.4.2.PLACEMENT OF
IDS:
In this respect IDS are usually divided
into:
SIDS: Signature-based IDS, which
studies
the attacks patterns and defines
a
signature for it, to enable
security
specialists to design a defense against
thatattack.
AIDS: Anomaly-based IDS, which
learns
the usual behavior of a network 
patterns,
and suspects an attack once an
anomalyoccurs.
2.5 DATA CAPTURING USING
SNORT:
Snort is mainly a Network Intrusion
Detection
System (NIDS);it is Open Source and available
for
a variety of unices. Snort also can be used as
a
sniffer to troubleshoot network 
problems.
Basically there are three modes in which
Snort
can be
configured:
Sniffer mode simply reads the packets
off 
of the network and displays them in
a
continuous stream on the
console.
Packet logger mode logs the packets
to
the
disc.
Network intrusion detection system is
the
most complex and
configurable
configuration, allowing snort to
analyze
network traffic for matches against a
user
defined rule set and performs
several
actions based upon what it
sees.
3.DATAMINING AND FUZZY 
LOGIC3.1DATAMINING
Data mining methods are used to
automatically
discover new patterns from a large amounts
of 
data[7]. Data mining is the automated
extraction
of previously unrealized information from
large
data sources for the purpose of 
supporting
actions. The rapid development in data
mining
has made available a wide variety of 
algorithms,
drawn from the field of statistics,
pattern
recognization, machine learning and
databases.
Specifically, data mining approaches have
been
proposed and used for anomaly
detection.
3.1.1.ASSOCIATION
RULES
Association rules were first developed to
find
correlations in tractions using real data[8].
For
example, if a customer who buys a soft
drink(A)
usually also buys potato chips(B), then
potato
chips are associated with soft drinks using the
rule
A->B. suppose that 25% of all customers buy
both
A and B and that 50% of the customers who
buy
Search
Search History:
Searching...
Result 00 of 00
00 results for result for
  • p.
    • Notes
    Load more