A Survey on Building Intrusion Detection SystemUsing Data Mining Framework
V. Jaiganesh,
Assistant Professor
Department of Computer ScienceDr.N.G.P. Arts and Science CollegeCoimbatoree-mail: jaiganeshree@gmail.com
M. Thenmozhi
Assistant Professor
Department of InformationTechnologyAvinashilingam University forWomen, Coimbatoree-mail: thenujai@gmail.com
Dr. P. Sumathi,
Assistant ProfessorDepartment of Computer Science,Chikkanna Government Arts College,Tirupure-mail: sumi_rajes@yahoo.com
Abstract
—
Recently, network attacks have increased to a greaterextent. Hackers and intruders can produce several successfulefforts to cause the crash of the networks and web services byillegal intrusion. New threats and interrelated solutions to avoidthese threats are budding jointly with the secured systemevolution. So, Intrusion Detection System (IDS) has become anactive area of research in the field of network security. Theoptimization of IDS becomes an attractive domain due to thesecurity audit data as well as complex and active properties of intrusion behaviors. The main purpose of IDS is to protect theresources from threats. Intrusion Detection System examines andcalculates the user behavior, and then these behaviors will beconsidered an attack or a normal behavior. Intrusion detectionsystems have been integrated with data mining approaches toidentify intrusions. There are various data mining approachessuch as classification tree, Support Vector Machines, etc., usedfor intrusion detection. In this paper, thorough investigationshave been done on the existing data mining approaches to detectintrusions..
(Abstract)
Keywords-
Intrusion Detection System (IDS), intruders, Machine Learning techniques, Data mining
I.
I
NTRODUCTION
Computer networks and their related applications havebecome an attractive source in the era of information society[1]. Similarly, in recent years, the potential thread to the globalinformation infrastructure has also increased greatly. In orderto guard against several cyber attacks and computer viruses,numerous computer security approaches have been extensivelyresearched in the recent years. The major security techniquesproposed are cryptography, firewalls, anomaly, intrusiondetection, etc. Among the available existing techniques,intrusion detection techniques have been considered to be oneof the most significant and competent techniques for protectingcomplex and dynamic intrusion attacks.Network intrusion and information safety issues are mainlydue to the consequences of extensive internet usage. Forexample, on February 7th, 2000 the first Denial of Service(DoS) attacks of huge volume were established, aiming thecomputer systems of huge corporates like Yahoo!, eBay,Amazon, CNN, ZDnet and Dadet [2]. Alternatively, network intrusion is regarded as a new weapon of world war. Thus, ithas become the major concern of the computer society to detectand to prevent intrusions efficiently.An intrusion is a violation of the security policy of thesystem, and thus, intrusion detection mainly refers to themethods that detect violations of system security policy. Sincethe cruelty of attacks in the network has increased radically,Intrusion detection system has become an essential factor to thesecurity infrastructure of several companies. Intrusion detectionfacilitates companies to defend their systems from variousattacks that come with rising network connectivity anddependence on information systems [3].Recently, intrusion detection techniques through datamining approaches have attracted several researchers. As anessential application area of data mining, intrusion detectionfocus to lessen the burden of examining vast volumes of auditdata and recognizing the performance optimization of detectionrules. Several researchers have suggested numerous techniquesin various groups, from Bayesian techniques [4] to decisiontrees [5, 6], from rule based models [7] to functions studying[8]. These techniques have improved the efficiency of thedetection to a certain extent.It is observed from the existing techniques that, mostresearchers utilized a single algorithm to detect multiple attack classes with miserable performance in certain scenarios. But,detection performance can be greatly improved throughcomplicated technique.In the present scenario, data mining approaches have takenvaluable steps towards solution of several issues in differentintrusion detection issues. There are various benefits inutilizing the data mining approaches for solving the problem of network intrusion [9]. Some of the benefits are listed below:
•
It can process huge amount of data.
•
User’s subjective evaluation is not needed, and it ismore appropriate to detect the unobserved andhidden information.Moreover, data mining systems easily performs datasummarization and visualization that facilitate the securityanalysis in various research areas [10].This paper thoroughly investigates the existing data miningapproaches which help in preventing intrusion attacks. The
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 10, No. 3, March 201232http://sites.google.com/site/ijcsis/ISSN 1947-5500
characteristic features of the intrusion detection techniques arepresented in this paper which would facilitate further researchin the field of network security.II.
L
ITERATURE
S
URVEY
The idea of intrusion detection system was proposed byAnderson in 1980 [11]. Anderson employed statistic techniqueto examine the behavior of user and to detect those attackerswho accesses the system in an unauthorized way. Denning[12] presented a prototype of IDES (Intrusion DetectionExpert System) in 1987, then, the concept of intrusiondetection system was known progressively, and Denning’sapproach was considered as a considerable landmark in thearea of intrusion detection.Zenghui and Yingxu [13] proposed a data miningframework for generating intrusion detection models. The mangoal is to employ data mining techniques namely,classification, meta-learning, association rules, and frequentepisodes to review data for computing misuse and abnormalitydetection models that correctly capture the actual behavior
(i.e., patterns) of intrusions and normal behaviors. Eventhough
,
this
detection model can significantly detect aconsiderable percentage of old and new PROBING and U2Rattacks, it missed a vast number of new DOS and R2L attacks.Theodoros Lappas and Konstantinos Pelechrinis [14] mostlyconcentrated on data mining approaches that are being usedfor dealing with DOS and R2L attacks, and then proposed anew idea on how data mining can help IDSs by utilizingbiclustering as a tool to analyze network traffic and improveIDSs.Sun and Wang [15] presented a new weighted supportvector clustering algorithm and utilized it to deal with theproblem of anomaly detection. Experimental results reveal thefact that this method obtains high detection rate with low falsealarm rate. Su-Yun Wu and Ester Yen [16] compared theperformance efficiency of machine learning techniques suchas classification tree and support vector machines in intrusiondetection system. It is observed from the results that thealgorithm of C4.5 for classification tree and SVM are similarto certain level for R2l attack in terms of accuracy, but theaccuracy of C4.5 is higher than SVM for other types of attack.Intruder is one of the most common threats to security. Atpresent, intrusion detection has come out as a significantpractice for providing network security. In recent times, datamining approaches have been exploited for the purpose of intrusion detection. The effectiveness of the feature selectiontechniques is one of the fundamental parameter that has aneffect on the success of Intrusion Detection System (IDS).Amudha and Abdul Rauf [17] evaluated the performance of data mining classification approaches specifically, J48, NaiveBayes, NBTree and Random Forest with the use of KDDCUP'99 dataset and mainly concentrated on CorrelationFeature Selection (CFS) measure. The results of thisevaluation revealed that NBTree and Random Forest performsbetter than other two approaches based on the predictiveaccuracy and detection rate.Data mining approaches have achieved considerableimportance in presenting the helpful information and therebycan assist in improving the decision on recognizing theintrusions (attacks). Panda and Patra [18] evaluated theperformance of several rule based classifiers, for instance,JRip, RIDOR, NNge and decision table by using ensembleapproach with the intention of constructing an efficientnetwork intrusion detection system. The author exploitedKDDCup'99, intrusion detection benchmark dataset (which isa fraction of DARPA evaluation program) for thisexperimentation. It can be revealed from the outcome that thethis scheme is perfect in identifying network intrusions,provides low false positive rate, uncomplicated, consistent andfaster in constructing an efficient network intrusion system.Due to the increase in the number of computer networks atthe present scenario, ensuring security in a network againstvarious attacks is essential. Intrusion detection system is oneof the popular tools to provide security against the intruders ina network. Exploiting data mining approaches has increasedthe quality of intrusion detection neither as anomaly detectionor misrepresented detection from large scale network trafficoperation. Association rule is a popular method to constructquality misused detection. On the other hand, the limitation of association rule is the fact that it often produced withthousands rules which diminishes the performance of IDS.Namik and Othman [19] concentrated on applying post-mining to decrease the number of rules and remaining themost quality rules to generate quality signature. Each partitionis mined using Apriori Algorithm, which later carries out post-mining using Chi-Squared () computation approaches. Theexcellence of rules is measured depending on Chi-Squarevalue, which is computed based on the support, confidenceand lift of every association rule.Emerging technologies have metamorphosed thecharacteristics of surveillance and monitoring application,however the sensory data obtained using different gadgets stillremain unreliable and inadequately synchronized. Statetransition analysis is turning out to be significant componentsin recognizing intrusions. Ganesh et al., [20] developed asemantic based intrusion detection system in which statetransition analysis, pattern matching and data miningtechniques are incorporated to enhance the intrusion detectionaccuracy. Patterns and rules are generated depending on theevents identified by WSN. The sink obtains informationregarding the numerous actions taking place in the coveragearea and correlates the streaming data in spatial domain andtime domain. The semantic rules are generated using ANTLRtool.Networks are safeguarded by means of exploiting severalfirewalls and encryption software's. However most of theseavailable methods are not adequate and efficient. Majority of the current intrusion detection systems for mobile ad-hocnetworks are mostly concentrating on either routing protocols
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 10, No. 3, March 201233http://sites.google.com/site/ijcsis/ISSN 1947-5500
or only on its effectiveness, but it is unsuccessful to addressthe security related issues. Some of the nodes which take partin the communication may be selfish, for instance, certainnodes may not forward the packets to the target and by thismeans it reduces the battery power utilization. In some othercases, certain nodes may act as malicious by initiating securityattacks like Denial-of-Service or hack the information. Thevital objective of the security solutions for wireless networksis to offer security services, for instance, authentication,confidentiality, integrity, anonymity and availability to mobileusers. Esfandi [21] integrates agents and data miningapproaches to avoid anomaly intrusion in mobile ad-hocnetworks. Home agents present in each system obtain the datafrom its individual system and by means of data miningapproaches the local anomalies are observed. The Mobileagents observe the neighboring nodes and obtain theinformation from adjacent home agents to find out thecorrelation between the observed anomalous patterns before itsends the data. This scheme was capable of preventing all thesecurity attacks in an ad-hoc network and reduces the falsealarm positive.Te-Shun Chou and Tsung-Nan Chou [22] proposed a hybriddesign for intrusion detection that integrates anomalydetection with misuse detection. This technique also includesan ensemble feature selecting classifier and a data miningclassifier. The former includes four classifiers using dissimilarsets of features and each of them utilizes a machine learningalgorithm called fuzzy belief k-NN classification algorithm.The latter exploits data mining approaches to automaticallyobtain computer users' normal behavior from training network traffic data. The outcome of ensemble feature selectingclassifier and data mining classifier are then combinedtogether to obtain the final decision.Several techniques have been developed for intrusiondetection using data mining approaches but from thebeginning it is uncertain that which data mining approach ismost efficient. Zhenwei Yu and Tsai [23] developed a Multi-Class SLIPPER (MC-SLIPPER) scheme for intrusiondetection to discover whether there is any significantadvantage from boosting dependent learning approach. Thefundamental idea is to employ the available binary SLIPPERas a central module, which is a rule learner depending onconfidence-rated boosting. Numerous arbitral strategiesdepending on prediction confidence are developed to judgeresults from all binary SLIPPER modules.Security of computers and the networks that connect them isprogressively turning out to be much essential. On the otherhand, constructing effective intrusion detection techniqueswith better accuracy and real-time implementation areindispensable. Muntean et al., [24] developed a novel datamining dependent method for intrusion detection by utilizingCost-sensitive classification together with Support VectorMachines. The author introduced an algorithm that enhancesthe classification for Support Vector Machines, by multiplyingin the training phase the instances of the underrepresentedclasses. This technique has exposed that by oversampling theinstances of the anomaly and moreover this technique assiststhe Support Vector Machine algorithm to overcome the softmargin. Consequently, it classifies better future instances of this class of interest.Some heterogeneous security equipments for instance,firewalls, intrusion detection systems and anti-virus gateways,can generate considerable security events which arecomplicated to manage effectively. As a result a log-basedmining, distributed and multi-protocol supported framework of security monitoring system is developed by Lv Guangjuanet al., [25] and described the structural design of theinformation security monitoring system. The majorconcentration is on the correlation analysis engine whichillustrates the process that the detection model is constructedusing data mining approaches. Security event correlationdepending on data mining analysis can automatically obtainassociation rules, investigate alarming and found new invasionmodel, and hence it is extremely intelligent technique.Xin Xu et al., [26] proposed a outline for adaptive intrusiondetection with the help of machine learning approaches. Multi-class Support Vector Machines (SVMs) is employed toclassifier construction in IDSs and the performance of SVMsis assessed on the KDD99 dataset. Significant results wereobtained in the experimental evaluation. For instance,detection rates of 76.7%, 81.2%, 21.4% and 11.2% wereobtained for DoS, Probe, U2R, and R2L attacks respectivelywhile False Positive is maintained at the fairly low level of average 0.6% for the four groups. But, this approach can beonly employed to a very small set of data (10,000 randomlysampled records) comparing to the huge original dataset (5million audit records). So, this method is not suitable for allthe circumstances and is not regarded as one of the bestapproach.Yang Li and Li Guo [27] have already recognized theinsufficiency of KDD dataset. However, a supervised network intrusion detection technique depending on TransductiveConfidence Machines for K-Nearest Neighbors (TCM-KNN)machine learning algorithm and active learning based trainingdata selection method had been proposed by Yang Li and LiGuo. This new approach was evaluated on a subset of KDDdataset by random sampling 49,402 audit records for thetraining phase and 12,350 records for the testing phase. Anaverage TP of 99.6% and FP of 0.1% was reported but noadditional information about the exact detection rate of eachattack categories was presented by the authors..III.
P
ROBLEMS
A
ND
D
IRECTIONS
There are various problems and issues present in theexisting intrusion detection techniques which are analyzed inthis section. This section also provides certain possiblesolutions to the problems in the existing techniques.Majority of the intrusion detection techniques available inthe literature employed a single algorithm to detect multipleattack categories with miserable performance in most of the
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 10, No. 3, March 201234http://sites.google.com/site/ijcsis/ISSN 1947-5500
Search History:
Result 00 of 00
00 results for result for
p.
A Survey on Building Intrusion Detection System Using Data Mining Framework
Recently, network attacks have increased to a greater extent. Hackers and intruders can produce several successful efforts to cause the crash of the networks and web services by illegal intrusion. New threats and interrelated solutions to…
(More)
278
Reads
2
Readcasts
0
Embed Views
Recommended
More From This User
Notes
Load more
