Enhanced method for intrusion detection over KDD Cup 99 dataset (ijctet)
This document discusses an enhanced method for intrusion detection using the KDD Cup 99 dataset. It aims to improve the accuracy of the dataset by analyzing the contribution of different attack classes to metrics like true positive rate and precision. The study examines these evaluation metrics for an intrusion detection system to identify which attack classes most impact recall and precision. The goal is to help improve the quality of the KDD Cup 99 dataset to achieve higher accuracy with lower false positives.
CLASSIFICATION PROCEDURES FOR INTRUSION DETECTION BASED ON KDD CUP 99 DATA SET (IJNSA Journal)
In a network security framework, intrusion detection is a benchmark component and a fundamental way to protect computers from many threats. The major issue in intrusion detection is the huge number of false alerts; this issue has motivated several experts to look for solutions that minimise false alerts using data mining, which is regarded as an analysis procedure for large data sets such as KDD CUP 99. This paper reviews various data mining classification procedures for handling false alerts in intrusion detection. According to the results of testing many data mining procedures on KDD CUP 99, no individual procedure can reveal all attack classes with high accuracy and without false alerts. The best accuracy, from a Multilayer Perceptron, is 92%; however, the best training time, from a rule-based model, is 4 seconds. It is concluded that various procedures should be utilised to handle the several kinds of network attacks.
TRUST FACTOR AND FUZZY-FIREFLY INTEGRATED PARTICLE SWARM OPTIMIZATION BASED I... (IJCNCJournal)
Mobile Ad hoc Networks (MANET) are one of the rapidly emerging technologies, and have gained attention in a wide range of applications in the fields of military, private sectors, commerce and natural calamities. Securing a MANET is a dominant responsibility, and hence a trust factor and fuzzy based intrusion detection and prevention system is proposed for routing in this paper. Based on the trust values of the nodes, the fuzzy system identifies the intruder, such that the path generated in the MANET is secured. Moreover, an optimization algorithm, entitled Fuzzy integrated Particle Swarm Optimization (FuzzyFPSO), is proposed by the concatenation of the Firefly Algorithm (FA) and Particle Swarm Optimization (PSO) for optimal path selection in order to provide secure routing. The proposed methodology is simulated in the NS2 simulator and analysis is carried out considering four cases: without attack, flooding attack, black hole attack and selective packet drop attack, with respect to throughput, delay and detection rate. The evaluation measures of the proposed Fuzzy-FPSO are a maximal throughput of 0.634, minimal delay of 0.044, maximal detection rate of 0.697 and minimal routing overhead of 0.24550, and the evaluation measures for the case without any attack are a maximal throughput of 0.762, minimal delay of 0.029, maximal detection rate of 0.805 and minimal routing overhead of 0.11511.
Owing to the growth of the Internet and local networks, intrusion incidents against computer systems are on the rise. Intrusion detection systems are becoming progressively vital in maintaining appropriate network safety. An IDS is a software or hardware device that deals with attacks by gathering information from numerous system and network sources and then evaluating it for signs of security problems. Enterprise networked systems are unsurprisingly exposed to the growing threats posed by hackers as well as malicious users inside a network. IDS technology is one of the significant tools used nowadays to counter such threats. In this research we have proposed a framework in which advanced feature selection and dimensionality reduction techniques reduce the IDS data, and a Fuzzy ARTMAP classifier is then applied to find intrusions, so that accurate results are obtained in less time. Feature selection is an active research area in decreasing dimensionality, eliminating unrelated data, improving learning correctness, and improving the clarity of results.
This document discusses network intrusion detection systems (NIDS) and their ability to handle high-speed traffic. It introduces NIDS and their role in monitoring network traffic. The document presents an experiment that tests the open-source NIDS Snort under high-volume traffic. The experiment shows that Snort drops more packets as traffic speed and volume increases, demonstrating a weakness of NIDS in high-speed environments. It suggests using a parallel NIDS technique to help NIDS better handle high-speed network traffic and reduce packet dropping.
MACHINE LEARNING IN NETWORK SECURITY USING KNIME ANALYTICS (IJNSA Journal)
Machine learning has more and more effect on our everyday life. This field keeps growing and expanding into new areas. Machine learning is based on the implementation of artificial intelligence that gives systems the capability to automatically learn and improve from experiments without being explicitly programmed. Machine learning algorithms apply mathematical equations to analyze datasets and predict values based on the dataset. In the field of cybersecurity, machine learning algorithms can be utilized to train and analyze Intrusion Detection Systems (IDSs) on security-related datasets. In this paper, we tested different machine learning algorithms to analyze the NSL-KDD dataset using KNIME analytics.
- Wireless sensor networks are vulnerable to security attacks due to their distributed nature, multi-hop communication, and lack of resources. Intrusion detection systems play an important role in detecting attacks.
- There are three main types of intrusion detection systems: signature-based, anomaly-based, and specification-based (a hybrid of the two). Signature-based systems detect known attacks but miss new ones, while anomaly-based systems can detect new attacks but have high false positives.
- The paper compares these intrusion detection systems for wireless sensor networks and finds that anomaly-based systems have the lowest resource usage but may miss known attacks, while signature-based systems detect known attacks but use more resources. The best approach
This document summarizes a research paper on adaptive personalized web search with safety seclusion. It discusses how personalized web search has improved search quality but user privacy concerns have limited its adoption. The paper proposes a system called UPS that can dynamically generalize user profiles during searches while respecting indicated privacy requirements. UPS uses greedy algorithms to balance personalization utility and privacy risk from exposing generalized profiles. The system aims to address limitations in existing personalized search regarding user security and accuracy needs.
IRJET- An Intrusion Detection and Protection System by using Data Mining ... (IRJET Journal)
This document proposes an Internal Intrusion Detection and Protection System (IIDPS) to detect insider attacks by analyzing system calls (SCs) using data mining and forensic techniques. The IIDPS creates personal profiles for each user to track their computer usage behaviors over time. When a user logs in, the IIDPS compares their current behaviors to the patterns in their personal profile to determine if they are the legitimate account holder or an unauthorized insider attacker. The IIDPS aims to more accurately authenticate users and detect insider threats compared to existing systems that rely only on usernames and passwords.
DESIGN AND EFFICIENT DEPLOYMENT OF HONEYPOT AND DYNAMIC RULE BASED LIVE NETWO... (IJNSA Journal)
The continuously emerging, operationally and managerially independent, geographically distributed computer networks, deployable in an evolutionary manner, have created greater challenges in securing them. Several research works and experiments have convinced security experts that Network Intrusion Detection Systems (NIDS) or Network Intrusion Prevention Systems (NIPS) alone are not capable of completely securing computer networks from internal and external threats. In this paper we present the design of an Intrusion Collaborative System which is a combination of NIDS, NIPS, honeypots, and software tools like nmap, iptables etc. Our design is tested against existing attacks based on Snort rules and several customized DDOS, remote and guest attacks. Dynamic rules are generated during every unusual behavior, which helps the Intrusion Collaborative System to continuously learn about new attacks. Also, a formal approach to deploy Live Intrusion Collaboration Systems based on the System of Systems concept is proposed.
A secure intrusion detection system against ddos attack in wireless mobile ad... (vishnuRajan20)
At Softroniics we provide job oriented training for freshers in the IT sector. We are providing IEEE project guidance and final year project guidance. We are pioneers in all leading technologies like Android, Java, .NET, PHP, Python, Embedded Systems, Matlab, NS2, VLSI, Modelsim, Tanner, Xilinx etc. We are specializing in technologies like Big Data, Cloud Computing, Internet of Things (IoT), Data Mining, Networking, Information Security, Image Processing and many others. We are providing long term and short term internships also. We are also providing IEEE project support at Calicut, Thrissur and Palakkad. For more details contact 9037291113, 7907435072
As the Supervisory Control and Data Acquisition (SCADA) system are deployed in infrastructures which are critical to the survival of a nation, they have emerged as a potential terrain for cyber-war, thus attracting the considered attention of ‘nation-states’. The analysis of worms like ‘stuxnet’ ‘flame’ and ‘duqu’ reveals the hand of a ‘nation-state’ in their design and deployment. Hence, the necessity to understand various issues in the defence of SCADA systems arises. The forensics of the SCADA system provide deep insight into the design and deployment of the worm (the malware) once the system is attacked. This is precisely the scope of this essay.
This document proposes a two-phase system using genetic algorithms and fuzzy logic to classify intrusion detection system (IDS) alerts and reduce false positives. In the first phase, similar alerts are grouped and normalized. Irrelevant alerts are identified through asset verification. In the second phase, labeled alerts are classified using genetic fuzzy rules to efficiently detect intrusions. The system is tested on KDD Cup 99 dataset and effectively reduces false positives through optimized fuzzy rules, reducing analyst workload.
Current Studies On Intrusion Detection System, Genetic Algorithm And Fuzzy Logic (ijdpsjournal)
This document summarizes a research paper on current studies of intrusion detection systems using genetic algorithms and fuzzy logic. The paper presents an overview of intrusion detection systems, including different techniques like misuse detection and anomaly detection. It discusses using genetic algorithms to generate fuzzy rules to characterize normal and abnormal network behavior in order to reduce false alarms. The paper also outlines the dataset, genetic algorithm approach, and use of fuzzy logic that are proposed for the intrusion detection system.
In recent years, wireless sensor networks (WSN) have been used in several application areas such as monitoring, tracking, and control in IoT. For several applications of WSN, security is a crucial requirement. However, security solutions in WSN differ from those of traditional networks because of resource limitations and processing constraints. This paper analyzes the security solutions TinySec, IEEE 802.15.4, SPINS, MiniSEC, LSec, LLSP, LISA, and LISP in WSN. This paper additionally presents characteristics, security requirements, attacks, cryptography algorithms, and operation modes. This paper is considered to be helpful for security designers in WSNs.
A Modular Approach To Intrusion Detection in Homogenous Wireless Network (IOSR Journals)
This document discusses a modular approach to intrusion detection in homogeneous wireless networks. It begins by introducing wireless networks and the need for intrusion detection systems (IDS) due to security vulnerabilities. It then discusses different types of IDS, including signature-based detection that identifies known attacks, and anomaly-based detection that identifies deviations from normal behavior but can result in high false positives. The document proposes a modular approach combining advantages of signature-based and anomaly-based detection for high detection rates and low false positives. Requirements for IDS in wireless networks are also outlined.
When we talk about intrusion, it is presumed that the intrusion has happened or has been stopped by the intrusion detection system. This is all done through the process of collecting network traffic information at certain points of the networks in the digital system. In this way the IDS performs its job of securing the network. There are two types of intrusion detection: the first is misuse-based detection and the second is anomaly-based detection. Detection that uses a data set of known, predefined attacks is called misuse-based IDS, while anomaly-based IDSs are capable of detecting new attacks which are not known to the previous data set of attacks and are based on some new heuristic methods. In our hybrid IDS for computer network security we use the Min-Min algorithm with a neural network in a hybrid method for improving the performance of a higher level of IDS in the network. Data release is a problem from the privacy point of view, so we first evaluate training for error from the neural network regression state; after that we can get the outer sniffer by using the minimum length from the source, so that it is hybridized with Min-Min in the neural network in the hybrid system which we propose in our research paper.
Optimized Intrusion Detection System using Deep Learning Algorithm (ijtsrd)
A method and a system for the detection of an intrusion in a computer network compare the network traffic of the computer network at multiple different points in the network. In an uncompromised network the network traffic monitored at these two different points in the network should be identical. A network intrusion detection system is mostly placed at strategic points in a network, so that it can monitor the traffic traveling to or from different devices on that network. The existing Software Defined Network (SDN) proposes the separation of forwarding and control planes by introducing a new independent plane called the network controller. Machine learning is an artificial intelligence approach that focuses on acquiring knowledge from raw data and, based at least in part on the identified flow, selectively causing the packet, or a packet descriptor associated with the packet. The performance is evaluated using network analysis metrics such as key generation delay, key sharing delay and hash code generation time for both SDN and the proposed machine learning SDN. Prof P. Damodharan | K. Veena | Dr N. Suguna "Optimized Intrusion Detection System using Deep Learning Algorithm" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-3 | Issue-2, February 2019, URL: https://www.ijtsrd.com/papers/ijtsrd21447.pdf
Paper URL: https://www.ijtsrd.com/engineering/other/21447/optimized-intrusion-detection-system-using-deep-learning-algorithm/prof-p-damodharan
Three level intrusion detection system based on conditional generative advers... (IJECEIAES)
Security threat protection is important in internet of things (IoT) applications since both the connected device and the captured data can be hacked or hijacked, or both at the same time. To tackle the above-mentioned problem, we proposed a three-level intrusion detection system conditional generative adversarial network (3LIDS-CGAN) model which includes four phases: first-level intrusion detection system (IDS), second-level IDS, third-level IDS, and attack type classification. In the first-level IDS, features of the incoming packets are extracted by the firewall. Based on the extracted features, the packets are classified into three classes, normal, malicious, and suspicious, using a support vector machine and golden eagle optimization. Suspicious packets are forwarded to the second-level IDS, which classifies the suspicious packets as normal or malicious. Here, signature-based intrusions are detected using attack history information, and anomaly-based intrusions are detected using event-based semantic mapping. In the third-level IDS, adversary packets are detected using a CGAN which automatically learns the adversarial environment and detects adversary packets accurately. Finally, proximal policy optimization is proposed to detect the attack type. Experiments are conducted using the NS-3.26 network simulator and performance is evaluated by various performance metrics, the results of which show that the proposed 3LIDS-CGAN model outperforms other existing works.
Articles - International Journal of Network Security & Its Applications (IJNSA) (IJNSA Journal)
International Journal of Network Security & Its Applications (IJNSA) is a bi monthly open access peer-reviewed journal that publishes articles which contribute new results in all areas of the computer Network Security & its applications. The journal focuses on all technical and practical aspects of security and its applications for wired and wireless networks. The goal of this journal is to bring together researchers and practitioners from academia and industry to focus on understanding Modern security threats and countermeasures, and establishing new collaborations in these areas.
COMBINING NAIVE BAYES AND DECISION TREE FOR ADAPTIVE INTRUSION DETECTION (IJNSA Journal)
In this paper, a new learning algorithm for adaptive network intrusion detection using a naive Bayesian classifier and a decision tree is presented, which performs balanced detection and keeps false positives at an acceptable level for different types of network attacks, and eliminates redundant attributes as well as contradictory examples from training data that make the detection model complex. The proposed algorithm also addresses some difficulties of data mining such as handling continuous attributes, dealing with missing attribute values, and reducing noise in training data. Due to the large volumes of security audit data as well as the complex and dynamic properties of intrusion behaviours, several data mining-based intrusion detection techniques have been applied to network-based traffic data and host-based data in the last decades. However, various issues remain to be examined in current intrusion detection systems (IDS). We tested the performance of our proposed algorithm against existing learning algorithms on the KDD99 benchmark intrusion detection dataset. The experimental results show that the proposed algorithm achieves high detection rates (DR) and significantly reduces false positives (FP) for different types of network intrusions using limited computational resources.
This document summarizes an international journal on information technology and management information systems. It discusses detecting and classifying attacks in a computer network. Existing approaches to intrusion detection include anomaly-based systems, host-based intrusion detection systems (HIDS), and network-based intrusion detection systems (NIDS). A multilayer perceptron (MLP) algorithm is commonly used for intrusion detection but has limitations. The paper proposes a modified apriori algorithm to generate rules for detecting and classifying attacks into categories and types to enable recommending appropriate responses.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
The Practical Data Mining Model for Efficient IDS through Relational Databases (IJRES Journal)
The enterprise network information system is not only the platform for information sharing and exchange, but also the platform on which the enterprise production automation system and the enterprise management system work together. As a result, the security defense of an enterprise network information system includes not only information system network security and data security, but also the security of the network business running on the information system network, namely the confidentiality, integrity, continuity and real-time operation of the network business. Network security technology has become crucial in protecting government and industry computing infrastructure. Modern intrusion detection applications face complex requirements: they need to be reliable, extensible, easy to manage, and have low maintenance cost. In recent years, data mining-based intrusion detection systems (IDSs) have demonstrated high accuracy, good generalization to novel types of intrusion, and robust behavior in a changing environment. Still, significant challenges exist in the design and implementation of production-quality IDSs. Implementing components such as data transformations, model deployment, and cooperative distributed detection remains a labor-intensive and complex engineering endeavor. This paper describes DAID, a database-centric architecture that leverages data mining within the relational RDBMS to address these challenges. DAID also offers numerous advantages in terms of scheduling capabilities, alert infrastructure, data analysis tools, security, scalability, and reliability. DAID is illustrated with an Intrusion Detection Center application prototype that leverages existing functionality in Relational Database 10g. Intrusion detection systems work at many levels in the network fabric and are taking the concept of security to a whole new sphere by incorporating intelligence as a tool to protect networks against unauthorized intrusions and newer forms of attack.
We have described a formal model for the construction of network security situation measurement based on D-S evidence theory, with frequent pattern and sequence models extracted from the network security situation data using a knowledge discovery method, conversion of the patterns into rules related to the network security situation, and automatic generation of the network security situation.
INTRUSION DETECTION SYSTEM USING CUSTOMIZED RULES FOR SNORT (IJMIT JOURNAL)
This document proposes an intrusion detection system using customized rules for the Snort tool to improve security. The system uses Wireshark to scan network traffic for anomalies, Snort to detect attacks using customized rulesets for faster response times, and Wazuh and Splunk to analyze log files. Rules are created using the Snorpy tool and added to Snort to monitor for specific attacks like ICMP ping impersonation and authentication attempts. When attacks are attempted, the system successfully detects them and logs the alerts. The integration of these tools provides low-cost intrusion detection capabilities with automated threat identification and faster response compared to existing Snort configurations.
Intrusion Detection System using AI and Machine Learning Algorithm (IRJET Journal)
This document discusses using artificial intelligence and machine learning algorithms to develop an intrusion detection system (IDS). It begins with an abstract that outlines using AI to act as a virtual analyst to concurrently monitor network traffic and defend against threats. It then provides background on IDS and the need for more effective automated threat detection. The document discusses classifying attacks, different types of IDS (host-based and network-based), and detection methods like signature-based and anomaly-based. It aims to develop an IDS using machine learning algorithms that can learn patterns to provide automatic intrusion detection without extensive manual maintenance.
- An Efficient Classification Mechanism For Network Intrusion Detection System Based on Data Mining Techniques: A Survey (Subaira A. S. and Anitha P.)
- Automated Biometric Verification: A Survey on Multimodal Biometrics (Rupali L. Telgad, Almas M. N. Siddiqui and Dr. Prapti D. Deshmukh)
- Design and Implementation of Intelligence Car Parking Systems (Ogunlere Samson, Maitanmi Olusola and Gregory Onwodi)
- Intrusion Detection Techniques for Mobile Ad Hoc and Wireless Sensor Networks (Rakesh Sharma, V. A. Athavale and Pinki Sharma)
- Performance Evaluation of Sentiment Mining Classifiers on Balanced and Imbalanced Dataset (G. Vinodhini and R M. Chandrasekaran)
- Demosaicing and Super-resolution for Color Filter Array via Residual Image Reconstruction and Sparse Representation (Jie Yin, Guangling Sun and Xiaofei Zhou)
- Determining Weight of Known Evaluation Criteria in the Field of Mehr Housing using ANP Approach (Saeed Safari, Mohammad Shojaee, Mohammad Tavakolian and Majid Assarian)
- Application of the Collaboration Facets of the Reference Model in Design Science Paradigm (Lukasz Ostrowski and Markus Helfert)
- Personalizing Education News Articles Using Interest Term and Category Based Recommender Approaches
Intrusion Detection Systems (IDSs) have become widely recognized as powerful tools for identifying, deterring and deflecting malicious attacks over the network. IDSs are designed and installed to aid in deterring or mitigating the damage that can be caused by hacking, or breaking into sensitive IT systems. The attacks can come from outside attackers on the Internet, authorized insiders who misuse the privileges that have been given to them, and unauthorized insiders who attempt to gain unauthorized privileges. IDSs cannot be used in isolation, but must be part of a larger framework of IT security measures. Essential to almost every intrusion detection system is the ability to search through packets and identify content that matches known attacks. Space- and time-efficient string matching algorithms are therefore important for identifying these packets at line rate. In this paper we examine string matching algorithms and their use for intrusion detection. Keywords: System Design, Network Algorithm
This document summarizes various soft computing techniques that can be used for intrusion detection, including fuzzy logic, graph-based approaches, and neural networks. Fuzzy logic can be used to classify parameters and detect anomalies by comparing normal and new fuzzy association rule sets. Graph-based approaches model network traffic as graphs of nodes and edges and use clustering algorithms to detect anomalies. Neural networks can be trained on audit log data to recognize normal behavior and detect deviations that may indicate attacks. These soft computing methods aim to improve on signature-based detection by learning patterns of normal network activity and detecting anomalies.
HYBRID ARCHITECTURE FOR DISTRIBUTED INTRUSION DETECTION SYSTEM IN WIRELESS NE... (IJNSA Journal)
This document proposes a hybrid architecture for a distributed intrusion detection system using multiple agents. The key aspects of the architecture include:
- Using multiple independent tracker agents that monitor hosts and generate reports sent to monitors and storage.
- Monitors analyze activity and compare to signatures to detect known attacks, or send data to anomaly detectors.
- Anomaly and misuse detectors use classification and pattern matching to detect known and unknown attacks.
- An inference module coordinates entities across hosts to classify new attacks using a knowledge base and signature generator.
- A countermeasure module alerts administrators and can take actions like dropping packets in response to detected attacks.
HYBRID ARCHITECTURE FOR DISTRIBUTED INTRUSION DETECTION SYSTEM IN WIRELESS NE... (IJNSA Journal)
Owing to the rapid growth of network applications, new kinds of network attacks are emerging endlessly, so it is critical to protect networks from attackers, and intrusion detection technology has become popular. Therefore, this security concern must be articulated right from the beginning of network design and deployment. Intrusion detection technology is the process of identifying network activity that can lead to a compromise of the security policy. A lot of work has been done on the detection of intruders, but the solutions are not satisfactory. In this paper, we propose a novel Distributed Intrusion Detection System using multiple agents in order to decrease false alarms and manage misuse and anomaly detection.
NETWORK INTRUSION DETECTION AND COUNTERMEASURE SELECTION IN VIRTUAL NETWORK (... (ijsptm)
Intrusion in a network or a system is a problem today as the trend of successful network attacks continues to rise. Intruders can exploit vulnerabilities of a network system to gain access in order to deploy some virus or malware, such as a Denial of Service (DOS) attack. In this work, a frequency-based Intrusion Detection System (IDS) is proposed to detect DOS attacks. The frequency data is extracted from the time-series data created by the traffic flow using the Discrete Fourier Transform (DFT). An algorithm is developed for anomaly-based intrusion detection with fewer false alarms which further detects known and unknown attack signatures in a network. The frequency of the traffic data of the virus or malware would be inconsistent with the frequency of the legitimate traffic data. A Centralized Traffic Analyzer Intrusion Detection System called CTA-IDS is introduced to further detect inside attackers in a network. The strategy is effective in detecting abnormal content in the traffic data during information passing from one node to another and also detects known attack signatures and unknown attacks. This approach is tested by running artificial network intrusion data in simulated networks using the Network Simulator 2 (NS2) software.
Network Intrusion Detection And Countermeasure Selection In Virtual Network (...ClaraZara1
Intrusion in a network or a system is a problem today as the trend of successful network attacks continue to rise. Intruders can explore vulnerabilities of a network system to gain access in order to deploy some virus or malware such as Denial of Service (DOS) attack. In this work, a frequency-based Intrusion Detection System (IDS) is proposed to detect DOS attack. The frequency data is extracted from the time-series data created by the traffic flow using Discrete Fourier Transform (DFT). An algorithm is developed for anomaly-based intrusion detection with fewer false alarms which further detect known and unknown attack signature in a network. The frequency of the traffic data of the virus or malware would be inconsistent with the frequency of the legitimate traffic data. A Centralized Traffic Analyzer Intrusion Detection System called CTA-IDS is introduced to further detect inside attackers in a network. The strategy is effective in detecting abnormal content in the traffic data during information passing from one node to another and also detects known attack signature and unknown attack. This approach is tested by running the artificial network intrusion data in simulated networks using the Network Simulator2 (NS2) software.
Intrusion Detection against DDoS Attack in WiMAX Network by Artificial Immune...Editor IJCATR
IEEE 802.16, known as WiMax, is at the top of communication technology because it is gaining a great position in the wireless networks. In this paper, an intrusion detection system for DDOS attacks diagnosis is proposed, inspired by artificial immune system. Since the detection unit on all subscriber stations in the network is WIMAX, proposed system is a fully distributed system. A risk theory is used for antigens detection in attack time. The proposed system decreases the attack effects and increases network performance. Results of simulation show that the proposed system improves negative selection time, detection Precision, and ability to identify new attacks compared to the similar algorithm.
This document proposes a machine learning approach using the Naive Bayes algorithm to detect distributed denial of service (DDoS) attacks through network intrusion detection. It first discusses the issues with existing intrusion detection systems, including long training times and low accuracy. It then summarizes research on applying various machine learning techniques like neural networks, decision trees, and Naive Bayes to intrusion detection. The proposed system would build a classifier using Naive Bayes, which provides faster training than other methods, to distinguish normal and attack traffic. This approach aims to improve upon the training time and detection accuracy of existing intrusion detection systems.
Lecture_Notes_Unit4_Chapter_8_9_10_RDBMS for the students affiliated by alaga...Murugan Solaiyappan
Title: Relational Database Management System Concepts(RDBMS)
Description:
Welcome to the comprehensive guide on Relational Database Management System (RDBMS) concepts, tailored for final year B.Sc. Computer Science students affiliated with Alagappa University. This document covers fundamental principles and advanced topics in RDBMS, offering a structured approach to understanding databases in the context of modern computing. PDF content is prepared from the text book Learn Oracle 8I by JOSE A RAMALHO.
Key Topics Covered:
Main Topic : DATA INTEGRITY, CREATING AND MAINTAINING A TABLE AND INDEX
Sub-Topic :
Data Integrity,Types of Integrity, Integrity Constraints, Primary Key, Foreign key, unique key, self referential integrity,
creating and maintain a table, Modifying a table, alter a table, Deleting a table
Create an Index, Alter Index, Drop Index, Function based index, obtaining information about index, Difference between ROWID and ROWNUM
Target Audience:
Final year B.Sc. Computer Science students at Alagappa University seeking a solid foundation in RDBMS principles for academic and practical applications.
About the Author:
Dr. S. Murugan is Associate Professor at Alagappa Government Arts College, Karaikudi. With 23 years of teaching experience in the field of Computer Science, Dr. S. Murugan has a passion for simplifying complex concepts in database management.
Disclaimer:
This document is intended for educational purposes only. The content presented here reflects the author’s understanding in the field of RDBMS as of 2024.
Feedback and Contact Information:
Your feedback is valuable! For any queries or suggestions, please contact muruganjit@agacollege.in
No, it's not a robot: prompt writing for investigative journalismPaul Bradshaw
How to use generative AI tools like ChatGPT and Gemini to generate story ideas for investigations, identify potential sources, and help with coding and writing.
A talk from the Centre for Investigative Journalism Summer School, July 2024
Is Email Marketing Really Effective In 2024?Rakesh Jalan
Slide 1
Is Email Marketing Really Effective in 2024?
Yes, Email Marketing is still a great method for direct marketing.
Slide 2
In this article we will cover:
- What is Email Marketing?
- Pros and cons of Email Marketing.
- Tools available for Email Marketing.
- Ways to make Email Marketing effective.
Slide 3
What Is Email Marketing?
Using email to contact customers is called Email Marketing. It's a quiet and effective communication method. Mastering it can significantly boost business. In digital marketing, two long-term assets are your website and your email list. Social media apps may change, but your website and email list remain constant.
Slide 4
Types of Email Marketing:
1. Welcome Emails
2. Information Emails
3. Transactional Emails
4. Newsletter Emails
5. Lead Nurturing Emails
6. Sponsorship Emails
7. Sales Letter Emails
8. Re-Engagement Emails
9. Brand Story Emails
10. Review Request Emails
Slide 5
Advantages Of Email Marketing
1. Cost-Effective: Cheaper than other methods.
2. Easy: Simple to learn and use.
3. Targeted Audience: Reach your exact audience.
4. Detailed Messages: Convey clear, detailed messages.
5. Non-Disturbing: Less intrusive than social media.
6. Non-Irritating: Customers are less likely to get annoyed.
7. Long Format: Use detailed text, photos, and videos.
8. Easy to Unsubscribe: Customers can easily opt out.
9. Easy Tracking: Track delivery, open rates, and clicks.
10. Professional: Seen as more professional; customers read carefully.
Slide 6
Disadvantages Of Email Marketing:
1. Irrelevant Emails: Costs can rise with irrelevant emails.
2. Poor Content: Boring emails can lead to disengagement.
3. Easy Unsubscribe: Customers can easily leave your list.
Slide 7
Email Marketing Tools
Choosing a good tool involves considering:
1. Deliverability: Email delivery rate.
2. Inbox Placement: Reaching inbox, not spam or promotions.
3. Ease of Use: Simplicity of use.
4. Cost: Affordability.
5. List Maintenance: Keeping the list clean.
6. Features: Regular features like Broadcast and Sequence.
7. Automation: Better with automation.
Slide 8
Top 5 Email Marketing Tools:
1. ConvertKit
2. Get Response
3. Mailchimp
4. Active Campaign
5. Aweber
Slide 9
Email Marketing Strategy
To get good results, consider:
1. Build your own list.
2. Never buy leads.
3. Respect your customers.
4. Always provide value.
5. Don’t email just to sell.
6. Write heartfelt emails.
7. Stick to a schedule.
8. Use photos and videos.
9. Segment your list.
10. Personalize emails.
11. Ensure mobile-friendliness.
12. Optimize timing.
13. Keep designs clean.
14. Remove cold leads.
Slide 10
Uses of Email Marketing:
1. Affiliate Marketing
2. Blogging
3. Customer Relationship Management (CRM)
4. Newsletter Circulation
5. Transaction Notifications
6. Information Dissemination
7. Gathering Feedback
8. Selling Courses
9. Selling Products/Services
Read Full Article:
https://digitalsamaaj.com/is-email-marketing-effective-in-2024/
(T.L.E.) Agriculture: Essentials of GardeningMJDuyan
(𝐓𝐋𝐄 𝟏𝟎𝟎) (𝐋𝐞𝐬𝐬𝐨𝐧 𝟏.𝟎)-𝐅𝐢𝐧𝐚𝐥𝐬
Lesson Outcome:
-Students will understand the basics of gardening, including the importance of soil, water, and sunlight for plant growth. They will learn to identify and use essential gardening tools, plant seeds, and seedlings properly, and manage common garden pests using eco-friendly methods.
Split Shifts From Gantt View in the Odoo 17Celine George
Odoo allows users to split long shifts into multiple segments directly from the Gantt view.Each segment retains details of the original shift, such as employee assignment, start time, end time, and specific tasks or descriptions.
Understanding and Interpreting Teachers’ TPACK for Teaching Multimodalities i...Neny Isharyanti
Presented as a plenary session in iTELL 2024 in Salatiga on 4 July 2024.
The plenary focuses on understanding and intepreting relevant TPACK competence for teachers to be adept in teaching multimodality in the digital age. It juxtaposes the results of research on multimodality with its contextual implementation in the teaching of English subject in the Indonesian Emancipated Curriculum.
Join educators from the US and worldwide at this year’s conference, themed “Strategies for Proficiency & Acquisition,” to learn from top experts in world language teaching.
International Journal of Network Security & Its Applications (IJNSA), Vol.5, No.2, March 2013
EFFICACY OF ATTACK DETECTION CAPABILITY OF IDPS BASED ON ITS DEPLOYMENT IN WIRED AND WIRELESS ENVIRONMENT
Shalvi Dave (1), Bhushan Trivedi (2) and Jimit Mahadevia (3)
(1) Department of MCA, Indus University, Ahmedabad; shalvidave.mca@iite.edu.in
(2) Director, MCA, GLSICT, Ahmedabad; bhtrivedi@yahoo.com
(3) Elitecore Technologies Pvt. Ltd., Ahmedabad; jimitm@yahoo.com
ABSTRACT
Intrusion Detection and/or Prevention Systems (IDPS) represent an important line of defence against a variety of attacks that can compromise the security and proper functioning of an enterprise information system. Along with the widespread evolution of new emerging services, the quantity and impact of attacks have continuously increased: attackers continuously find vulnerabilities at various levels, from the network itself to the operating system and applications, and exploit them to compromise systems and services. Network defence and network monitoring have become essential components of computer security to predict and prevent attacks. Unlike a traditional Intrusion Detection System (IDS), an Intrusion Detection and Prevention System (IDPS) has additional features to secure computer networks.
In this paper, we present a detailed study of how the deployment of an IDPS plays a key role in its performance and its ability to detect and prevent known as well as unknown attacks. We categorize IDPS based on deployment as network-based, host-based, perimeter-based and hybrid. A detailed comparison is shown in this paper and finally we justify our proposed solution, which deploys agents at host level to give better performance in terms of a reduced rate of false positives and accurate detection and prevention.
KEYWORDS
Intrusion Prevention, TCP re-assembly, IDPS sensors/agents, Host-based IDPS, Network-based IDPS, Perimeter-based IDPS, Hybrid IDPS
1. INTRODUCTION
In order to apply admission and access control for a network, various Intrusion Detection and Prevention Systems (IDPS) are available in the market. An intrusion detection system is used to manage traffic in real time in order to increase detection accuracy and decrease the false alarm rate. In some instances, an IPS adopts techniques from intrusion detection, such as the detection approach, monitoring sensors, and the alert mechanism. An IDPS is also used as a gateway appliance, a perimeter defence appliance, an all-in-one capability, and for network packet inspection/prevention. It is designed to identify and recognize potential security violations in a network stream. However, the primary intrusion prevention approach uses a signature mechanism to identify activity in network traffic and on hosts, where it performs detection on inbound and outbound packets and blocks that activity before it can access and damage network resources.
DOI : 10.5121/ijnsa.2013.5208
Fig. 1 and Fig. 2 show the basic scenario of an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS).
Fig.1 Intrusion Detection System
Fig.2 Intrusion Prevention System
An IDPS is an inline approach to monitoring network activity. The detection technique used by the IDPS classifies it into two categories. It is signature-based if it detects an attack by comparing it against a stored set of pre-defined signatures. It is anomaly-based if it detects abnormal behaviour or intrusive activity in the computer system that deviates from the system's normal behaviour. The system's normal behaviour, such as kernel information, system log events, network packet information, running-software information, operating system information, etc., is stored in a database [1].
The deployment of an IDPS categorizes it as host-based or network-based. In addition, when deployed around the boundary of a network, it is known as a perimeter-based IDPS. A distributed deployment of IDPS, wherein certain tasks are handled at the host level and the remaining tasks at the network level, is known as a hybrid IDPS. In this paper, we present a case study on the above-mentioned deployment techniques of existing IDPS, including problem areas faced in today's environment and the enhancements possible to address each of these problem areas.
2. RELATED WORK
The primary deployment of an IDPS is either at network level or at host level. The deployment determines the basic characteristics of an IDPS, which is then known as a network-based IDPS (NIDPS) or a host-based IDPS (HIDPS). In an NIDPS, an IPS sensor is usually placed at a network ingress point. The IPS sensor monitors network traffic and inspects packet transmissions for suspicious behaviour. A network-based system can be used to provide detection for multiple hosts by locating the monitoring component appropriately (at a network ingress point, for example). HIDPS operate on single hosts and work on low-level system data, such as patterns of system calls, file access, or process usage. They can monitor for suspicious behaviour, or they can scan configurations to detect potential vulnerabilities using techniques such as port scanning. Fig. 3 shows the deployment using HIDPS.
Fig.3 Host-based IDPS
Nowadays, the host-based approach plays a more prominent role than a decade ago. First, modern operating systems have grown in complexity, driven by the explosive growth of the Internet, so it is more difficult to achieve extensive monitoring. Secondly, system administrators are usually concerned about the impact of an HIDS on host performance. A notable HIDS (usually called a "web application firewall") is ModSecurity [9]. It is a module (i.e., a pluggable software component) for the Apache web server. ModSecurity intercepts incoming requests, runs the analysis and, in case a request is considered suspicious, can drop it, thereby preventing the request from being processed by the Apache instance.
The main advantage of the NIDS approach is the possibility of monitoring data and events without affecting host performance. On the other hand, the fact that it is not host-based turns out to be one of the main disadvantages (especially for systems analysing the payload of network packets). For instance, a NIDS cannot function properly in combination with applications or application protocols which apply data encryption (e.g. SSH and SSL), unless the encryption key is provided. A possible solution to this makes use of a host-based component to access data after decryption, but this causes an overhead on the monitored host. This problem is going to grow in importance now that IPv6 is gradually replacing IPv4: in fact, one of the main design goals of IPv6 is the authentication and confidentiality of data (through cryptography). Fig. 4 shows deployment using NIDS.
Fig.4 Network-based IDPS
Another common problem for a NIDS is the reconstruction of network traffic. Data streams are split into TCP segments and IP datagrams. In order to analyse the content, the system needs to reassemble the traffic into its original form. Modern networks operate at high speed (up to 10 Gb/s): while traffic reconstruction would be theoretically possible for an arbitrarily powerful system, a NIDS faces performance and implementation constraints. First, the NIDS must save a significant amount of data for a long time, depending on system time-outs and data throughput (this is resource consuming). Secondly, operating systems implement heterogeneous network stacks and handle data reconstruction differently. Therefore the NIDS engine should implement some context-awareness functionality. All of these limitations resulted in the so-called evasion and insertion attacks, formalised by Ptacek and Newsham [10]. Attackers craft communications to fool the NIDS, e.g., by overwriting inside NIDS memory some data previously sent or by forcing the NIDS to drop data (that has not been analysed yet) after some time.
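The reassembly problem above is easiest to see in code. The following is an added example, not code from the paper or from any NIDS it cites: a minimal one-direction TCP stream reassembler that, instead of silently picking one policy for overlapping segments with conflicting contents, keeps the first copy and records every conflicting byte so the stream can be flagged as ambiguous. Segment contents, sequence numbers and the `Segment`/`StreamReassembler` names are constructed for the illustration; sequence-number wraparound is ignored.

```python
"""Added example, not part of the paper: a minimal TCP stream reassembler that
records the overlap ambiguity behind insertion and evasion attacks instead of
silently resolving it. All segment data below is constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Segment:
    seq: int        # absolute TCP sequence number of the first payload byte
    data: bytes


@dataclass
class StreamReassembler:
    """Rebuilds one direction of a stream from out-of-order, overlapping segments.

    Operating systems resolve overlapping segments with conflicting contents
    differently (first copy wins, last copy wins, ...), so a NIDS that hard-codes
    one policy can end up with a view that differs from the end host's. Here the
    first copy is kept and every conflicting byte is recorded, which lets the
    engine mark the stream as ambiguous rather than trust its own reconstruction.
    """
    isn: int                                       # initial sequence number
    stream: dict = field(default_factory=dict)     # relative offset -> byte value
    conflicts: list = field(default_factory=list)  # (offset, kept_byte, new_byte)

    def add(self, seg: Segment) -> None:
        base = seg.seq - self.isn                  # wraparound not handled (simplification)
        for i, b in enumerate(seg.data):
            off = base + i
            kept = self.stream.get(off)
            if kept is None:
                self.stream[off] = b
            elif kept != b:
                self.conflicts.append((off, kept, b))

    def payload(self) -> bytes:
        """Contiguous data from the start of the stream up to the first gap."""
        out = bytearray()
        off = 0
        while off in self.stream:
            out.append(self.stream[off])
            off += 1
        return bytes(out)

    def is_ambiguous(self) -> bool:
        return bool(self.conflicts)


def reassemble(isn: int, segments) -> StreamReassembler:
    r = StreamReassembler(isn)
    for seg in segments:
        r.add(seg)
    return r


# Constructed traffic: out-of-order but consistent segments.
CLEAN = [Segment(1005, b"world"), Segment(1000, b"hello")]
# Constructed traffic: a retransmission whose contents differ from the original copy.
OVERLAP = [Segment(1000, b"hello"), Segment(1005, b"ABCDE"), Segment(1005, b"abcde")]

if __name__ == "__main__":
    c = reassemble(1000, CLEAN)
    print(c.payload(), c.is_ambiguous())    # b'helloworld' False
    o = reassemble(1000, OVERLAP)
    print(o.payload(), len(o.conflicts))    # b'helloABCDE' 5
```

A production engine would additionally bound how long `stream` is retained per connection (the time-out and memory constraint the paragraph mentions) and would choose the overlap policy per destination operating system; the point here is that the conflict itself is observable and worth alerting on.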
The EMERALD system [3] attempted to merge the advantages offered by both the HIDS and the NIDS approaches into a (virtually) single IDS. The problems of data normalization from different sources, event fusion and correlation, and suitable metric definition are still open issues. These problems stopped the development of improvements after the first proof of concept of EMERALD.
There are a further two types of NIDPS. Promiscuous-mode network intrusion detection is the standard technique that "sniffs" all the packets on a network segment to analyze the behaviour. In promiscuous-mode intrusion detection and prevention systems, only one sensor is placed on each segment in the network. A network-node intrusion detection and prevention system sniffs the packets that are bound for a particular destination computer. Network-node systems are designed to work in a distributed environment [13].
In order to detect and prevent the maximum number of attacks, we need to capture data that is distributed spatially and temporally. For example, an attack detected at different monitoring locations can be a distributed attack. Also, the same attack detected during different time intervals gives an indication of a coordinated, automatic attack. To capture data spatially and temporally, we require a hybrid system, which incorporates the centralized monitoring feature of NIDPS and the localized, distributed feature of HIDPS.
3. COMPARISON OF NIDPS AND HIDPS
This section describes deployment considerations to be taken into account while deploying an IDPS. We have studied a few host-based and network-based deployments and show details of each with pros and cons. Host-based IDSs have certain advantages when compared with network-based intrusion detection systems. One advantage is that HIDSs can access semantically rich information about the operations performed on a host, whereas NIDSs that analyze network traffic have to reassemble, parse, and interpret the application-level traffic to identify application-level actions [10]. This is even more evident when application-level traffic is encrypted. In this case, a network-based monitor has to be equipped with the key material needed to decrypt the traffic; otherwise, the application-level information is not accessible. In addition, the amount of information that HIDSs have to process is usually more limited, because the rate at which events are generated by the OS and applications is smaller than the rate at which network packets are sent over busy links. A third advantage is that HIDSs are less prone to evasion attacks, because it is more difficult to desynchronize the view that the intrusion detection system has of the status of a monitored application from the application itself. Finally, a host-based intrusion detection system has a better chance of performing a focused response, because the process performing an attack can sometimes be easily identified and terminated.
One of the more popular host-based intrusion detection and prevention systems is the Hawkeye solution [2]. The architecture of the Hawkeye solution proposed in [2] includes components such as sensors/agents, a management server, a database server, a console and a demilitarized zone (DMZ). This solution scores over other HIDPS by providing features such as capturing packets organized by TCP or UDP threads, passively monitoring the network, packet viewing and logging in hex format, detection of abnormal packets on comparison with benchmark ones, and stating the cause of the abnormality. In case of an abnormality, the source IP address can be traced. However, the basic detection methodology is packet-based. If an attack is distributed across multiple packets, it cannot be detected. Therefore, detection should be stream-based or data-based, not based on individual packets.
Another problem of the Hawkeye solution is discussed in [3][4]. It says that network flow identification should be done in such a way that every packet is monitored. To address this problem, an adaptive sampling algorithm is proposed. This algorithm predicts future behaviour based on observed samples. It utilizes the weighted least squares predictor to select the next sampling interval. Inaccurate predictions by the weighted least squares predictor indicate a change in the network traffic behaviour and require a change in the sampling rate.
On the other side, this algorithm only looks for trends in network traffic and can detect only a few kinds of attack, such as DOS attacks. When we deploy the detection system on a host, an IDPS that monitors network activity can only measure trends in network traffic and thus detect attacks such as DOS.
A major trend found nowadays is the co-existence of IPv4 and IPv6 networks. This is because of the depletion of the IPv4 address space. Due to the massive investment in IPv4 networks and the large number of established applications, and because IPv6 networks still need to be gradually perfected and recognized, the transition from IPv4 to IPv6 will be a very slow process [5]. CIDP [5] is a proposed multi-level, distributed, three-dimensional architecture for intrusion detection and prevention. It consists of a UTM (Unified Threat Management) network-based intrusion detection and prevention system (UTM NIDP) at the network boundary, network-based intrusion detection and prevention systems (Subnet NIDP) in each subnet, host-based HIDP, host-based mobile-user HIDP at the IPv6/IPv4 IPSec tunnel endpoint, and a composition of host-based intrusion detection and prevention systems (HIDP) in the public-domain server DMZ. The subnet NIDP, incorporated in one of the three layers, detects back-door attacks. A subnet NIDP protects other subnets from a host which launches an attack, but the subnet itself is still vulnerable. For this protection, we require host-based IDPS. The proposed architecture [5] deploys HIDPS only on certain endpoints. Rather, the deployment should be done on each host, since it protects the network not only from server-side attacks but also from client-side attacks.
Without NAT, the IPv4 address space would have been exhausted a long time ago. However, the translation of address/port by NAT affects various other applications, since applications behind the NAT have no way to know the real address/port used by the hosts [14,15]. Whenever an attack is generated from within the network or a host is being victimized in the network, the IP addresses of both attacker and victim are necessary. For this, the IDPS must be re-examined to perform correctly with NAT. When an IDPS is deployed on a perimeter router which is behind a NAT device, we lack the actual identity of attacker and victim. An IDPS deployed in the network must be aware of the presence of a NAT device that changes the packet headers [6]. One of the solutions to this [6] deploys two IDPS: one above the NAT and another below the NAT. These two systems will refer to attacker and victim with different identities even if they alert on the same attack, so the two alerts will be considered as two different alarms, which increases the number of alerts and overwhelms the security operator. An identification module analyzes the output of the analysis module to determine the real identities of the hosts implicated in the security issue, based on the NAT table.
Integrating an IDPS with a NAT box is tough, and not every NAT device may provide such information outside the box. If we deploy IDPS functionality on a host, then the attacker and victim information will always be correct.
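To make the identification-module idea from [6] concrete, here is an added example (not code from the paper or from [6]) that takes alerts from a sensor above and a sensor below a NAT device, translates public endpoints back to private ones through a NAT table, and merges alerts that describe the same attack between the same real hosts. The NAT entries, the `Alert` fields, the sensor labels and the signature names are all constructed for the illustration.

```python
"""Added example, not part of the paper: correlating alerts raised by two IDPS,
one above and one below a NAT device, back to real host identities using the
NAT table, so that the same attack is counted once. NAT entries and alerts are
constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    sensor: str       # "above" sees public (translated) addresses, "below" sees private ones
    signature: str
    src: str
    sport: int
    dst: str
    dport: int


# Constructed NAT table: (public address, public port) -> (private address, private port)
NAT_TABLE = {
    ("203.0.113.10", 40001): ("192.168.1.20", 52344),
    ("203.0.113.10", 40002): ("192.168.1.31", 52345),
}


def to_private(ip: str, port: int):
    """Translate a public endpoint through the NAT table; unchanged if it was not NATed."""
    return NAT_TABLE.get((ip, port), (ip, port))


def real_endpoints(alert: Alert):
    """Source and destination as they exist inside the network.

    The sensor above the NAT reports the translated address on whichever side
    was rewritten (source for outbound, destination for inbound connections);
    the sensor below the NAT already sees private addresses.
    """
    if alert.sensor == "above":
        return to_private(alert.src, alert.sport), to_private(alert.dst, alert.dport)
    return (alert.src, alert.sport), (alert.dst, alert.dport)


def correlate(alerts):
    """Merge alerts that describe the same (signature, real source host, real destination host)."""
    incidents = {}
    for a in alerts:
        src, dst = real_endpoints(a)
        key = (a.signature, src[0], dst[0])    # hosts matter to the operator; ephemeral ports do not
        incidents.setdefault(key, {"signature": a.signature, "attacker": src[0],
                                   "victim": dst[0], "sensors": []})
        incidents[key]["sensors"].append(a.sensor)
    return list(incidents.values())


# Constructed alerts: one outbound attack seen by both sensors, plus an unrelated inbound one.
ALERTS = [
    Alert("below", "SIG-EXAMPLE-1", "192.168.1.20", 52344, "198.51.100.5", 80),
    Alert("above", "SIG-EXAMPLE-1", "203.0.113.10", 40001, "198.51.100.5", 80),
    Alert("above", "SIG-EXAMPLE-2", "198.51.100.7", 4444, "203.0.113.10", 40002),
]

if __name__ == "__main__":
    for incident in correlate(ALERTS):
        print(incident)
```

Without the translation step the first two alerts would be two alarms with different source identities; with it they collapse into one incident attributed to the real internal host, which is exactly the duplication [6] describes. The example also shows the practical dependency the paragraph goes on to mention: it only works if the NAT table is available to the correlator.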
In the case of wireless networks, because of certain network characteristics, it is not as convenient to build an IDPS in a wireless environment as in a wired environment. For example, a company's trusted workers may need "inside" kinds of connectivity while using wireless devices. Conversely, visitors may need "outside" kinds of connectivity while connecting to the company's wired network through an access point inside the corporate firewall. It is very hard to place a firewall between "inside" and "outside" [16].
Secondly, the IDPS engine should be placed in the sole path of users' traffic. But attacks on a wireless network can come from all directions and target any node. Therefore, it is not easy to find a sole path through which all traffic must pass in which to place an IPS engine.
Therefore, it is difficult to build an IPS engine in a wireless environment as in wired networks. In order to address this issue, the WBIPS (WTLS-Based IPS) model has been described [7]. In this model, a logical sole path is built between every wireless terminal and its destination, so an IPS engine can detect and prevent the user's traffic.
Fig. 5. Wireless Setup
A VPN tunnel should be created between the wireless device and the gateway, and the traffic should be redirected through the tunnel. If we deploy HIDPS on the wireless device, tunneling will not be necessary.
4. CONCLUSION AND THE PROPOSED SOLUTION
In order to detect and prevent the maximum number of attacks, we need to capture data that is distributed spatially and temporally. For example, an attack detected at different monitoring locations can be a distributed attack. In addition, the same attack detected during different time intervals gives an indication of a coordinated, automatic attack. To capture data spatially and temporally, we require a hybrid system, which incorporates the centralized monitoring feature of NIDPS and the localized, distributed feature of HIDPS.
Fig.6 Typical Deployment of Proxy Server in Local Network
If someone wants to implement the above-mentioned approach, it can be better implemented using our work. As we have explained, implementing it at edge-router level might lead to false positives due to wrong operating-frequency calculation. If the same is implemented at host level, then one can find out the operating frequency of services easily using our Application Aware Logger System. Using our system one can also get hold of the application data, to determine whether the request is coming from a proxy server: whenever a proxy server sends a request on behalf of a host, we can find out the actual host using the "X-Forwarded-For" header in the request. Using this parameter, we can implement the operating frequency of concurrent connections in a better way.
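The following added example (not code from the paper or from the authors' Application Aware Logger System) shows one way to compute the per-host operating frequency described above: requests are attributed to the originating host, and the "X-Forwarded-For" header is used for that attribution only when the request arrived from a proxy the operator controls, because the header is otherwise just client-supplied text. The proxy address, window length, threshold and request log are constructed assumptions.

```python
"""Added example, not part of the paper: computing the operating frequency of
connections per real client host, resolving the originating host through the
X-Forwarded-For header only when the request was relayed by a proxy we control.
The proxy address, window, threshold and request log are constructed."""
from collections import defaultdict

TRUSTED_PROXIES = {"10.0.0.5"}   # constructed: the corporate proxy server
WINDOW_SECONDS = 10              # constructed: length of the counting window
THRESHOLD = 3                    # constructed: more than this per window is "high frequency"


def real_client(peer_ip: str, headers: dict) -> str:
    """Originating host of a request.

    X-Forwarded-For is an ordinary request header, so a host that connects to us
    directly could write anything into it. It is only honoured when the immediate
    peer is a trusted proxy; the nearest listed address that is not one of our own
    proxies is then taken as the client.
    """
    if peer_ip not in TRUSTED_PROXIES:
        return peer_ip
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in TRUSTED_PROXIES:
            return hop
    return peer_ip


def operating_frequency(requests):
    """requests: iterable of (timestamp_seconds, peer_ip, headers).

    Returns {client: highest number of requests seen in any WINDOW_SECONDS window},
    computed with a sliding window over the sorted timestamps of each client.
    """
    per_client = defaultdict(list)
    for ts, peer, headers in requests:
        per_client[real_client(peer, headers)].append(ts)
    result = {}
    for client, times in per_client.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] >= WINDOW_SECONDS:
                start += 1
            best = max(best, end - start + 1)
        result[client] = best
    return result


def high_frequency_clients(requests):
    """Clients whose peak request count in a window exceeds THRESHOLD."""
    return sorted(c for c, n in operating_frequency(requests).items() if n > THRESHOLD)


# Constructed request log: (seconds, peer address, request headers)
PROXY = "10.0.0.5"
REQUESTS = [
    (0, PROXY, {"X-Forwarded-For": "192.168.1.20"}),
    (1, PROXY, {"X-Forwarded-For": "192.168.1.20"}),
    (2, PROXY, {"X-Forwarded-For": "192.168.1.20"}),
    (3, PROXY, {"X-Forwarded-For": "192.168.1.20"}),
    (4, PROXY, {"X-Forwarded-For": "192.168.1.31, 10.0.0.5"}),
    (5, "192.168.1.40", {"X-Forwarded-For": "203.0.113.99"}),  # direct; header not trusted
]

if __name__ == "__main__":
    print(operating_frequency(REQUESTS))
    print(high_frequency_clients(REQUESTS))
```

Counted at the proxy's address alone, all five relayed requests would look like one busy host and the proxy itself would be the false positive the paragraph warns about; attributing them to the forwarded client separates the host making four requests from the one making a single request, while the direct request with a forged header stays attributed to the peer that actually sent it.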
Figure 7. Implementation of Network Interceptor
In our proposed hybrid system, we have developed a module called Network Interceptor [16], which works to access real-time application data. It is shown in Figure 7. It captures socket calls using the layered service provider of the Winsock control and obtains all application-related information and socket information. It monitors the data sent or received by each application, using Suricata for attack detection and prevention. If any malicious activity is found, then it generates an event for the same, which includes not only the source and destination information of the connection but also application information, such as the name of the application, the version of the application, etc. For distributed monitoring, we have deployed a logging agent in our hybrid system on each host. The logging agent captures events and sends the event information over the UDP protocol to the Event Collector [17], which stores the log in a database. Figure 8 shows how the event collector works.
Figure 8: Role of Event Collector
First, we are using the rule-set of Suricata, which is an IDPS widely used nowadays. From the existing rule-set of Suricata, we have taken two sets: Web-client and Web-server rules. Since our proposed system is designed with a corporate environment in mind, we have classified the rule-set into a further four categories:
1) Server-side Inbound.
2) Client-side Inbound.
3) Server-side Outbound.
4) Client-side Outbound.
This categorization is because an attack can be launched from within the network or from outside the network. In a typical network, there are two types of applications running: client applications and server applications. Whenever a client application in the network requests any service outside the network, it may become vulnerable to attacks from servers running outside the network. In addition, when any service provided by a server application within the network is requested by an outside application, the outside application may also launch an attack on the server application. Apart from this, any vulnerable or infected application, client or server, can possibly launch attacks on an application outside the network.
4.1 CLIENT-SIDE ATTACK
When any client accesses any service from a server, there are high chances that an attack can be launched on the client by the program running on the remote server. This attack would generally be client-specific, as it is due to a known vulnerability of a specific client version. We categorize all such rules under the Web-Client rules category and classify this type of attack as a client-side attack. The client-side attack can be inbound as well as outbound, depending on the direction of the connection.
A. Outbound Attack (Inside Client being victimized): In this scenario, a TOMCAT server is hosted on the Internet. One of the desktop machines tries to access a site hosted on the TOMCAT using Internet Explorer. If this site or server has been compromised, then it can launch an attack on the Internet Explorer application. One such type of attack is "Possible Microsoft Internet Explorer URI Validation Remote Code Execution Attempt". If the running version of Internet Explorer is vulnerable to this attack, then it is victimized by such an attack. Our logging agent inspects the data and logs the event. The following diagram shows the actual working of the same:
Fig 9: Client-Side Outbound Attack
B. Inbound Attack (Inside server attacking an outside client): In this scenario, a TOMCAT
server is running in our network. A client on the internet tries to access the site using
Internet Explorer. If our server is infected or compromised, it can launch an attack on the
remote client’s IE. Our logging agent detects this attack and sends the log to the central event
collector, which stores this information in the database. Since the attack
is generated from within the network, the collector also adds this record to the quarantine database, so
that in future we can quarantine such infected applications running within the network.
4.2 SERVER-SIDE ATTACK
When anyone requests a service from a server, he can also launch an attack along with
the request. If the running application server has a known vulnerability, its services can suffer from such an
attack. We have categorized all such rules under the Web-Server rules category and classified
this type of attack as a server-side attack. Again, depending on the direction of the connection, the attack can
be inbound as well as outbound.
A. Outbound Attack: A server is hosted on the internet. One of the desktop machines in
our network tries to launch a DOS attack using the NKiller2 application. This application launches a
TCP Zero Window attack on the remote server, which is a DDOS attack, and as a result the service gets
interrupted. Our logging agent inspects this data, identifies an attack, and sends the data to the event
collector. The event collector stores this event log in the database. Since the attack is
generated from within the network, the event collector also stores the information in the quarantine
database.
Fig.10: Server-Side Outbound Attack
B. Inbound Attack: In this case, a TOMCAT server is running in our network. A client
attempts directory traversal on our server. Our logging agent logs event-related information about
such attacks and sends a log to the central collector.
5. EVENT LOGGING FOR ADMIN USE
As described in the previous section, the logging agent, with the help of the network interceptor and Suricata,
inspects traffic to check whether an exploit is present. If one is found, the agent sends an event to the
central event collector. This event log mainly identifies four different kinds of events: inside
client being victimized, inside server being victimized, inside client attacking, and inside server
attacking. In the case of an attack generated by an inside client or server, the collector also adds application-
related information, such as the version, the application name, and the name of the attack, to the quarantine
database. The administrator can then choose to apply any new security hot-fixes to the application, if
available. As mentioned before, we use Suricata in our solution. The following is a brief
description of how Suricata is used by our event logger.
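The four-way categorization of Section 4 (client-side or server-side rule, inbound or outbound connection) and the collector behaviour of Section 5 (four event kinds, quarantine record when the attacker is inside) can be written down as a small piece of classification logic. The following Python is an added example and is not code from the paper, from the authors' interceptor or from Suricata. It assumes the logging agent reports the Suricata rule message, which endpoint opened the connection and which accepted it, and the name and version of the local application; the internal address range, the rule messages marked as constructed and the sample events are all constructed for the example (the `ET WEB_CLIENT` / `ET WEB_SERVER` message prefixes follow the Emerging Threats ruleset naming, and the Internet Explorer rule text is the one quoted in Section 4.1).

```python
"""Event-collector classification for the four Web-Client/Web-Server categories.

Added example; the record layout, the internal range and the sample events
are assumptions, not the paper's own data.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed corporate address range; the paper does not state one.
INTERNAL_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class AgentEvent:
    """What the logging agent reports after Suricata flags a connection (assumed layout)."""
    rule_msg: str      # Suricata rule message; ET rule sets start with "ET WEB_CLIENT" / "ET WEB_SERVER"
    client_ip: str     # endpoint that opened the connection (the interceptor knows this)
    server_ip: str     # endpoint that accepted it
    app_name: str      # application on the inside host, as reported by the interceptor
    app_version: str
    severity: int      # Suricata priority, 1 = highest


@dataclass(frozen=True)
class Decision:
    category: str      # one of the four rule categories of Section 4
    event_kind: str    # one of the four admin-facing event kinds of Section 5
    quarantine: bool   # True when the attack originates inside the network


def rule_side(rule_msg: str) -> str:
    """Tell which of the two Suricata rule sets produced the alert."""
    if rule_msg.startswith("ET WEB_CLIENT "):
        return "client"
    if rule_msg.startswith("ET WEB_SERVER "):
        return "server"
    raise ValueError(f"rule is not in the Web-Client/Web-Server sets: {rule_msg!r}")


def classify(ev: AgentEvent) -> Decision:
    """Place an alert in one of the four categories and decide whether to quarantine."""
    side = rule_side(ev.rule_msg)
    client_in = ip_address(ev.client_ip) in INTERNAL_NET
    server_in = ip_address(ev.server_ip) in INTERNAL_NET
    if not (client_in or server_in):
        raise ValueError("no inside endpoint; the interceptor should not see this flow")

    if side == "client":
        # Web-Client rule: the client is the victim and the server is the attacker.
        victim, attacker = "client", "server"
        victim_in, attacker_in = client_in, server_in
        category = "Client-side Outbound" if client_in else "Client-side Inbound"
    else:
        # Web-Server rule: the server is the victim and the client is the attacker.
        victim, attacker = "server", "client"
        victim_in, attacker_in = server_in, client_in
        category = "Server-side Inbound" if server_in else "Server-side Outbound"

    kind = f"Inside {victim} being victimized" if victim_in else f"Inside {attacker} is attacking"
    return Decision(category, kind, quarantine=attacker_in)


@dataclass
class EventCollector:
    """Central collector: keeps the event log and the quarantine database."""
    events: list = field(default_factory=list)
    quarantine_db: dict = field(default_factory=dict)  # (app_name, app_version) -> set of attack names

    def ingest(self, ev: AgentEvent) -> Decision:
        decision = classify(ev)
        self.events.append((ev, decision))
        if decision.quarantine:
            # Record the attacking application so the administrator can isolate or patch it.
            self.quarantine_db.setdefault((ev.app_name, ev.app_version), set()).add(ev.rule_msg)
        return decision


IE_RULE = "ET WEB_CLIENT Possible Microsoft Internet Explorer URI Validation Remote Code Execution Attempt"
# The two Web-Server messages below are constructed stand-ins, not real ET rule names.
ZEROWIN_RULE = "ET WEB_SERVER TCP zero window denial of service (constructed example)"
TRAVERSAL_RULE = "ET WEB_SERVER Directory traversal attempt (constructed example)"

SAMPLE_EVENTS = [  # constructed, one per scenario in Sections 4.1 and 4.2
    AgentEvent(IE_RULE, "10.0.0.15", "203.0.113.10", "iexplore.exe", "8.0", 1),   # 4.1-A
    AgentEvent(IE_RULE, "198.51.100.7", "10.0.0.20", "tomcat", "7.0", 1),         # 4.1-B
    AgentEvent(ZEROWIN_RULE, "10.0.0.31", "203.0.113.10", "nkiller2", "1.0", 2),  # 4.2-A
    AgentEvent(TRAVERSAL_RULE, "198.51.100.9", "10.0.0.20", "tomcat", "7.0", 2),  # 4.2-B
]


def run_demo() -> EventCollector:
    """Feed the sample events through the collector and return it for inspection."""
    collector = EventCollector()
    for ev in SAMPLE_EVENTS:
        collector.ingest(ev)
    return collector


if __name__ == "__main__":
    c = run_demo()
    for ev, d in c.events:
        print(f"{d.category:22} {d.event_kind:32} quarantine={d.quarantine}")
    print("quarantine database:", c.quarantine_db)
```

The collector keys the quarantine database on application name and version, which is exactly what the administrator needs to decide whether a hot-fix is available; only the two events whose attacking endpoint lies inside the network end up there.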
6. SURICATA
Our IDS logging agent inspects the data with the help of Suricata. Suricata is an open-source IDS
available on all major platforms. It identifies an attack based on a pre-defined signature rule-set.
The logging agent sends the data, along with application and connection information, to Suricata.
Therefore, Suricata does not need to track the connection itself for TCP reassembly. After
vulnerability scanning, the IDS logging agent receives the result back from Suricata. The result includes
information about the attack, if one is detected, along with its severity.
Suricata uses the standard rule-set available from Emerging Threats. To achieve full security, the IDS
signature rule-set has to be kept up to date. The logging agent contacts the administration server to
check for the availability of new signatures in the signature database. If a new signature is found, the logging
agent also updates Suricata with it.
AUTHORS
SHALVI DAVE received the Master Computer Applications degree in 2001 from South Gujarat
University, Surat, India. She is full time professor at department of MCA at Indus University, Ahmedabad,
India. She is interested in Intrusion detection and Prevention Systems. E-mail: daveshalvi@yahoo.com
Dr. BHUSHAN TRIVEDI received his Ph.D in 2008 from North Gujarat University, India. He is working
as Director of the MCA department, GLSICT, Gujarat, India. His research interests include Intrusion Detection
and Prevention Systems, Cryptography and Artificial Intelligence. E-mail: bhtrivedi@yahoo.com
MR. JIMIT MAHADEVIA received his bachelor's degree in computer engineering in 1995. He is currently
serving as Asst. Vice President, Elitecore Technologies Pvt. Ltd., Ahmedabad, India. His interests are
Intrusion Detection and Prevention Systems, Wired and Wireless Network Security. E-mail:
jimitm@yahoo.com