call for papers, research paper publishing, where to publish research paper, journal publishing, how to publish research paper, Call For research paper, international journal, publishing a paper, IJEI, call for papers 2012,journal of science and technolog
This document summarizes an article that proposes integrating conditional random fields (CRFs) and a layered approach to improve intrusion detection systems. CRFs can effectively model relationships between different features to increase attack detection accuracy. A layered approach reduces computation time by eliminating communication overhead between layers and using a small set of features in each layer. The proposed system aims to achieve both high attack detection accuracy using CRFs and high efficiency using the layered approach. It presents integrating these two methods for intrusion detection to address issues with limited coverage, high false alarms, and inefficiency in existing systems.
Network intrusion detection systems (NIDS) monitor network traffic for malicious activity by analyzing network packets at choke points like borders or the demilitarized zone. NIDS identify intrusions by comparing traffic patterns to known attack signatures or by detecting anomalies from established baselines. While NIDS can detect both previously known and unknown attacks, they require frequent signature database updates and may generate false positives. NIDS provide visibility without affecting network performance but cannot inspect encrypted traffic or all traffic on very large networks.
Intrusion detection and prevention system - Nikhil Raj
This presentation describes how to implement a network-based Intrusion Detection System (SNORT) in the network. It covers detecting and analyzing the generated alerts and blocking the attacker using an access control list.
This document discusses intrusion detection techniques. It describes misuse detection, which detects known attacks based on predefined rules, and anomaly detection, which detects deviations from normal behavior. Common misuse detection methods include rule-based, state transition analysis, and expert systems. Anomaly detection methods include statistical methods, machine learning, and data mining. The document also proposes ideas to improve intrusion detection, such as using association rule mining to detect patterns in audit data and discovering new patterns by analyzing existing rulesets.
The document discusses different types of intruders and intrusion detection systems. It describes three classes of intruders: masqueraders, misfeasors, and clandestine users. It then defines intrusion detection systems, intrusion prevention systems, and intrusion detection and prevention systems. The document outlines different types of attacks and intrusion detection mechanisms, including misuse detection, anomaly detection, and hybrid detection. It also discusses network-based and host-based intrusion detection systems. Honeypots are described as systems designed to deceive attackers in order to learn about their tools and methods.
An intrusion detection system (IDS) monitors network traffic and analyzes system activities for potential threats. There are two main types of IDS - network-based IDS (NIDS) which analyzes network packets, and host-based IDS (HIDS) which analyzes the host system. An intrusion prevention system (IPS) also monitors for threats but can actively block or prevent intrusions by taking automatic actions in response to rules and detections. IDS and IPS use various analysis techniques like signature-based detection, anomaly detection, and machine learning to identify threats and protect networks and systems.
Optimized Intrusion Detection System using Deep Learning Algorithm - ijtsrd
A method and a system for the detection of an intrusion in a computer network compare the network traffic of the computer network at multiple different points in the network. In an uncompromised network the network traffic monitored at these two different points in the network should be identical. A network intrusion detection system is mostly placed at strategic points in a network, so that it can monitor the traffic traveling to or from different devices on that network. The existing Software Defined Network (SDN) proposes the separation of forward and control planes by introducing a new independent plane called the network controller. Machine learning is an artificial intelligence approach that focuses on acquiring knowledge from raw data and, based at least in part on the identified flow, selectively causing the packet, or a packet descriptor associated with the packet. The performance is evaluated using network analysis metrics such as key generation delay, key sharing delay and the hash code generation time for both SDN and the proposed machine learning SDN. Prof P. Damodharan | K. Veena | Dr N. Suguna "Optimized Intrusion Detection System using Deep Learning Algorithm" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-3 | Issue-2 , February 2019, URL: https://www.ijtsrd.com/papers/ijtsrd21447.pdf
Paper URL: https://www.ijtsrd.com/engineering/other/21447/optimized-intrusion-detection-system-using-deep-learning-algorithm/prof-p-damodharan
A study of feature selection methods in intrusion detectio... - Dr. Amrita
This document provides a survey of feature selection methods for intrusion detection systems. It discusses three categories of feature selection approaches: filter, wrapper, and hybrid. The KDD Cup 99 dataset is commonly used to evaluate feature selection methods, which contains 41 features divided into four categories. Performance is typically evaluated based on metrics like detection rate, false alarm rate, and accuracy rates derived from a confusion matrix. Feature selection aims to select a minimal subset of relevant features to improve detection performance while reducing computational requirements.
The document provides a review of recent intrusion detection systems for wireless sensor networks. It begins with an introduction to wireless sensor networks and different types of intrusions. It then analyzes 14 recent intrusion detection systems, listing their advantages and disadvantages. Finally, it concludes that future work is needed to develop systems that can accurately detect intrusions in an energy-efficient manner.
A hybrid intrusion detection system for cloud computing environments - Mohamed Jelidi
This document discusses a proposed hybrid intrusion detection system for cloud computing environments. It aims to increase detection quality by deploying multiple intrusion detection systems (IDS) at different layers, including network IDS (NIDS), host IDS (HIDS), and web application IDS (WIDS). The proposed architecture also incorporates signature-based detection, anomaly-based detection, and event correlation between detection methods. The model is evaluated using real network traffic, web vulnerability scans, and simulated host attacks, demonstrating detection of various attacks across network, host, and application layers.
This document discusses various topics related to intruders and network security. It covers intrusion techniques like password guessing and capture. It also discusses approaches to intrusion detection such as statistical anomaly detection, rule-based detection, and audit record analysis. Finally, it discusses password management strategies like education, computer-generated passwords, and proactive password checking.
This document provides an overview of intrusion detection systems (IDS). It begins with an introduction that defines intrusion, intrusion detection, and IDS. It then discusses the history and typical scenarios of intrusions. The document outlines different types of attacks and what an IDS is supposed to do in detecting them. It classifies IDS based on detection approach and protected system, covering network/host-based detection. The advantages and disadvantages of different IDS types are presented. Commonly used open source and commercial IDS are listed, with Snort discussed in more detail. References for further information are provided at the end.
The document discusses using data mining approaches for intrusion detection. It describes current intrusion detection approaches like misuse detection using signatures of known attacks and anomaly detection using deviations from normal behavior profiles. Data mining can help by providing a systematic framework to select relevant audit data features, build and update detection models, and combine multiple models. Relevant techniques include building classifiers from audit data and mining patterns within audit records.
With the growth of computer networking, electronic commerce and web services, security networking systems have become very important to protect information and networks against malicious usage or attacks. In this report, an Intrusion Detection System is designed using two artificial neural networks: one for Intrusion Detection and the other for Attack Classification.
In this research work an Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) will be implemented to detect and prevent cyber-attacks on critical network infrastructure. To strengthen network security and improve the network's active defense intrusion detection capabilities, this project will consist of an intrusion detection system using honey token based encrypted pointers and an intrusion prevention system based on a mixed interactive honeypot. The Intrusion Detection System (IDS) is based on the novel approach of Honey Token based Encrypted Pointers. This honey token inside the frame will serve as a trap for the attacker. All nodes operating within the working domain of the critical infrastructure network are divided into four different pools. This division is based on their computational power and level of vulnerability. These pools are provided with different levels of security measures within the network. The IDS uses a different number of Honey Tokens (HT) per frame for each pool, e.g. Pool-A contains 4 HT/frame, Pool-B contains 3 HT/frame, Pool-C contains 2 HT/frame and Pool-D contains 1 HT/frame. Moreover, every pool uses a different encryption scheme (AES-128, 192, 256). Our critical infrastructure network of 64 nodes is under the umbrella of unified security provided by this single Network Intrusion Detection System (NIDS). After the design phase of the IDS, we analyze the performance of the IDS in terms of True Positives (TP) and False Negatives (FN). Finally, we test the IDS through a Network Penetration Testing (NPT) phase. The detection rate depends on the number of honey tokens per frame. Our proposed IDS is a scalable solution and can be implemented for any number of nodes in a critical infrastructure network. However, in the case of the Intrusion Prevention System (IPS) we use virtual honeypot technology, which is the best active prevention technology among all honeypot technologies.
By using the original operating system and virtual technology, the honeypot lures attackers in a pre-arranged manner, analyzes and audits various attacking behavior, tracks the attack source, obtains evidence, and finds effective solutions.
Intrusion Detection and Prevention System in an Enterprise Network - Okehie Collins
This document describes a project on intrusion detection and prevention systems in an enterprise network. It was submitted by Okehie Collins Obinna to the Department of Computer Science at the Federal University of Technology in partial fulfillment of a Bachelor of Technology degree in Computer Science. The project analyzes intrusion detection and prevention technologies used in enterprise networks and designs a desktop application to monitor a computer network system for possible intrusions and provide an interface for a network administrator.
Intrusion detection systems monitor computer networks and systems for unauthorized access or activity. There are two main types: network-based systems examine network traffic for attacks, while host-based systems check the integrity of individual systems. Methods include knowledge-based systems that detect known attacks and behavior-based systems that identify deviations from normal usage profiles. Regular auditing of systems, logs, user rights and files is needed to detect intrusions. While intrusion detection is important for security, intrusion prevention systems that can block attacks in real-time are increasingly replacing detection-only systems.
This document summarizes research on developing an adaptive PID controller for speed control of a DC motor. The controller combines model reference adaptive control (MRAC) with PID control to improve performance over traditional MRAC. Simulation results show that the proposed model reference adaptive PID controller (MRAPIDC) achieves satisfactory speed tracking performance for the DC motor. The adaptation gains in the MRAPIDC are tuned to minimize rise time, overshoot, and settling time of the motor's speed response to a step input. Compared to traditional MRAC, the MRAPIDC requires less information about the motor's parameters while achieving good control performance.
This document studies the sensitivity of body surface potentials to variations in cardiac size using numerical and analytical boundary element methods. A spherical heart and torso model is used. Simulation results show there is a linear relationship between heart size and body surface potentials, with about a 0.01% rise in body surface potential and 5.14% rise in epicardial potential reported for a 10% increase in heart size. This confirms electromagnetic laws relating potential to source-observation distance. The study establishes a direct relationship between heart size and body surface potentials while neglecting other factors.
The document discusses clustering documents using a multi-viewpoint similarity measure. It begins with an introduction to document clustering and common similarity measures like cosine similarity. It then proposes a new multi-viewpoint similarity measure that calculates similarity between documents based on multiple reference points, rather than just the origin. This allows a more accurate assessment of similarity. The document outlines an optimization algorithm used to cluster documents by maximizing the new similarity measure. It compares the new approach to existing document clustering methods and similarity measures.
This document discusses the use of geogrid reinforcement to improve the stability of waste dumps in surface coal mines. It presents the results of both numerical modeling and physical modeling of waste dumps with and without geogrid reinforcement. The numerical modeling found that factors of safety increased with the addition of geogrid layers, from 0.97 without geogrid to 1.11 with two layers. The physical modeling validated these results, showing increased failure angles (dump stability) with geogrids. Thus, the study demonstrates that geogrid reinforcement can enable the construction of more stable, higher waste dumps in coal mines.
This document summarizes and compares various scheduling algorithms used in cloud computing environments. It begins with an introduction to cloud computing and the need for scheduling algorithms in cloud environments. It then describes several existing scheduling algorithms, including compromised-time-cost scheduling, particle swarm optimization-based heuristic, improved cost-based algorithm, resource-aware scheduling, innovative transaction intensive cost-constraint scheduling, scalable heterogeneous earliest-finish-time algorithm, and multiple QoS constrained scheduling strategy of multi-workflows. These algorithms aim to optimize metrics such as execution time, cost, deadline, load balancing, and quality of service. The document concludes by comparing the different scheduling strategies.
This document discusses the application of synchronized phasor measurement in real-time wide-area monitoring. It provides an overview of phasor and synchrophasor measurement techniques using Fourier transforms. It also discusses power system stability and transient stability. The document demonstrates the monitoring of a multi-machine system using synchronized phasor measurements by simulating various fault conditions and load changes on a 3-machine, 9-bus system and observing the results with a phasor measurement unit to analyze stability.
The document proposes a new VLSI architecture for DSSS signal acquisition that uses Galois sequences. It summarizes that the proposed architecture provides improved signal acquisition at low SNR compared to existing architectures. The key blocks are a Galois sequence generator and QPSK modulation/demodulation. Simulation results on MATLAB and FPGA show the architecture requires low power and complexity while achieving comparatively better low SNR signal acquisition.
This document proposes an algorithm for efficiently computing 2D spatial convolution through image partitioning and short convolution. The algorithm partitions an input image into overlapping 6x6 blocks, which are then further partitioned into non-overlapping 3x3 sub-images. Convolution is computed for each sub-image independently using a variable-length filter, reducing computational complexity compared to FFT-based techniques. The outputs from each sub-image convolution are combined to reconstruct the original block. Simulation results demonstrate the effectiveness of the algorithm for tasks like edge detection and noise reduction through local image filtering.
This document summarizes a study that evaluates the performance of the urban water sector in Surat City, India using a sustainability index approach. A sustainability index was calculated based on social, economic, environmental, and engineering criteria. Data was collected from the Surat Municipal Corporation and experts were interviewed. The results showed that Surat City has a moderate sustainability index of 0.396. The engineering criteria scored lowest at 0.031, indicating room for improvement in that area. The study provides information on weaknesses in the system and approaches to enhance sustainability of urban water management in Surat City.
This document summarizes a research paper about using an algorithm and dynamic voltage restorer (DVR) to mitigate voltage sags in power systems. It begins with an abstract that describes focusing on using a DVR with an algorithm to control static series compensators without time delay using p-q-r coordinate transformation. It then provides background on voltage sags and defines them. The main body describes the structure and operating principle of a DVR system, including using a rectifier, inverter, filter and PWM control. It presents the mathematical model for calculating voltage sags based on source and fault impedances. The conclusion is that the DVR injects the missing voltage to maintain the load voltage during sags.
Similar to call for papers, research paper publishing, where to publish research paper, journal publishing, how to publish research paper, Call For research paper, international journal, publishing a paper, IJEI, call for papers 2012,journal of science and technolog
IMPROVED IDS USING LAYERED CRFS WITH LOGON RESTRICTIONS AND MOBILE ALERTS BAS... - IJNSA Journal
With the ever increasing number and diverse type of attacks, including new and previously unseen attacks, the effectiveness of an Intrusion Detection System is very important. Hence there is high demand to reduce the threat level in networks to ensure the data and services offered by them to be more secure. In this paper we developed an effective test suite for improving the efficiency and accuracy of an intrusion detection system using the layered CRFs. We set up different types of checks at multiple levels in each layer. Our framework examines various attributes at every layer in order to effectively identify any breach of security. Once the attack is detected, it is intimated through mobile phone to the system administrator for safeguarding the server system. We established experimentally that the layered CRFs can thus be more effective in detecting intrusions when compared with the other previously known techniques.
AN IMPLEMENTATION OF INTRUSION DETECTION SYSTEM USING GENETIC ALGORITHM - IJNSA Journal
Nowadays it is very important to maintain a high level of security to ensure safe and trusted communication of information between various organizations. But secured data communication over the internet and any other network is always under threat of intrusions and misuses. So Intrusion Detection Systems have become a needful component in terms of computer and network security. There are various approaches being utilized in intrusion detection, but unfortunately none of the systems so far is completely flawless. So, the quest for betterment continues. In this progression, here we present an Intrusion Detection System (IDS), by applying a genetic algorithm (GA) to efficiently detect various types of network intrusions. Parameters and evolution processes for the GA are discussed in detail and implemented. This approach uses evolution theory to information evolution in order to filter the traffic data and thus reduce the complexity. To implement and measure the performance of our system we used the KDD99 benchmark dataset and obtained a reasonable detection rate.
This document discusses securing healthcare networks against cyber attacks. It proposes using intrusion detection systems to continuously monitor networks, firewalls to ensure endpoint devices comply with security policies, and biometrics for identity-based network access control. This would help protect patient privacy by safeguarding electronic health records and enhancing the security of hospital networks. The growing adoption of electronic records and devices in healthcare has increased risks of attacks that could intercept patient data or take over entire hospital networks. Strong network security measures are needed to address these risks.
Information Systems and Networks are subjected to electronic attacks. When network attacks hit, organizations are thrown into crisis mode. From the IT department to call centers, to the board room and beyond, all are fraught with danger until the situation is under control. Traditional methods which are used to overcome these threats (e.g. firewall, antivirus software, password protection etc.) do not provide complete security to the system. This encourages the researchers to develop an Intrusion Detection System which is capable of detecting and responding to such events. This review paper presents a comprehensive study of Genetic Algorithm (GA) based Intrusion Detection System (IDS). It provides a brief overview of rule-based IDS, elaborates the implementation issues of Genetic Algorithm and also presents a comparative analysis of existing studies.
This document discusses network intrusion detection systems (NIDS) and their ability to handle high-speed traffic. It introduces NIDS and their role in monitoring network traffic. The document presents an experiment that tests the open-source NIDS Snort under high-volume traffic. The experiment shows that Snort drops more packets as traffic speed and volume increases, demonstrating a weakness of NIDS in high-speed environments. It suggests using a parallel NIDS technique to help NIDS better handle high-speed network traffic and reduce packet dropping.
A Comprehensive Review On Intrusion Detection System And Techniques - Kelly Taylor
This document discusses machine learning techniques for intrusion detection systems (IDS). It provides an overview of the research progress using machine learning to improve intrusion detection in networks. Machine learning and data mining techniques have been widely used to automatically detect network traffic anomalies. The goal is to summarize and compare research contributions of IDS using machine learning, define existing challenges, and discuss anticipated solutions. Commonly used machine learning techniques for IDS are reviewed along with some existing machine learning-based IDS proposed by researchers.
A Performance Analysis of Chasing Intruders by Implementing Mobile Agents - CSCJournals
This document summarizes a research paper that proposes using mobile agents to improve intrusion detection systems. The paper presents an architecture for an intrusion detection system that uses mobile agents to autonomously collect intrusion-related information from systems on a network. Information collector agents gather data, while chasing agents work to trace the path of intrusions and locate their origin. The paper evaluates this approach and discusses how mobile agents can enhance intrusion detection through their mobility and autonomous functionality.
NETWORK INTRUSION DETECTION AND COUNTERMEASURE SELECTION IN VIRTUAL NETWORK (... - ijsptm
Intrusion in a network or a system is a problem today as the trend of successful network attacks continues to rise. Intruders can explore vulnerabilities of a network system to gain access in order to deploy some virus or malware such as a Denial of Service (DOS) attack. In this work, a frequency-based Intrusion Detection System (IDS) is proposed to detect DOS attacks. The frequency data is extracted from the time-series data created by the traffic flow using the Discrete Fourier Transform (DFT). An algorithm is developed for anomaly-based intrusion detection with fewer false alarms which further detects known and unknown attack signatures in a network. The frequency of the traffic data of the virus or malware would be inconsistent with the frequency of the legitimate traffic data. A Centralized Traffic Analyzer Intrusion Detection System called CTA-IDS is introduced to further detect inside attackers in a network. The strategy is effective in detecting abnormal content in the traffic data during information passing from one node to another and also detects known attack signatures and unknown attacks. This approach is tested by running the artificial network intrusion data in simulated networks using the Network Simulator2 (NS2) software.
A Modular Approach To Intrusion Detection in Homogenous Wireless Network - IOSR Journals
This document discusses a modular approach to intrusion detection in homogeneous wireless networks. It begins by introducing wireless networks and the need for intrusion detection systems (IDS) due to security vulnerabilities. It then discusses different types of IDS, including signature-based detection that identifies known attacks, and anomaly-based detection that identifies deviations from normal behavior but can result in high false positives. The document proposes a modular approach combining advantages of signature-based and anomaly-based detection for high detection rates and low false positives. Requirements for IDS in wireless networks are also outlined.
Secure intrusion detection and countermeasure selection in virtual system usi... - eSAT Publishing House
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academicians, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
Enhanced method for intrusion detection over kdd cup 99 dataset - ijctet
This document discusses an enhanced method for intrusion detection using the KDD Cup 99 dataset. It aims to improve the accuracy of the dataset by analyzing the contribution of different attack classes to metrics like true positive rate and precision. The study examines these evaluation metrics for an intrusion detection system to identify which attack classes most impact recall and precision. The goal is to help improve the quality of the KDD Cup 99 dataset to achieve higher accuracy with lower false positives.
An Extensive Survey of Intrusion Detection Systems - IRJET Journal
This document summarizes an extensive survey of intrusion detection systems. It discusses the general architecture of IDS, including host-based and network-based systems. It describes different types of attacks (e.g. DoS, probing, user-to-root) and defenses. It analyzes previous work applying data mining techniques like machine learning to improve detection rates and reduce false alarms. A key problem is the massive number of false alarms that overburden security managers; the document aims to investigate solutions to lower the false alarm rate so that real threats are not missed.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
INTRUSION DETECTION SYSTEM USING CUSTOMIZED RULES FOR SNORT - IJMIT JOURNAL
This document proposes an intrusion detection system using customized rules for the Snort tool to improve security. The system uses Wireshark to scan network traffic for anomalies, Snort to detect attacks using customized rulesets for faster response times, and Wazuh and Splunk to analyze log files. Rules are created using the Snorpy tool and added to Snort to monitor for specific attacks like ICMP ping impersonation and authentication attempts. When attacks are attempted, the system successfully detects them and logs the alerts. The integration of these tools provides low-cost intrusion detection capabilities with automated threat identification and faster response compared to existing Snort configurations.
A Survey: Comparative Analysis of Classifier Algorithms for DOS Attack Detection - ijsrd.com
In today's interconnected world, one of the pervasive issues is how to protect systems from intrusion-based security attacks. It is an important issue to detect intrusion attacks for the security of network communication. Denial of Service (DoS) attacks are evolving continuously. These attacks make network resources unavailable for legitimate users, which results in massive loss of data, resources and money. The significance of Intrusion Detection Systems (IDS) in computer network security is well proven. Intrusion Detection Systems (IDSs) have become an efficient defense tool against network attacks since they allow the network administrator to detect policy violations. A mining approach can play a very important role in developing an intrusion detection system. Classification is identified as an important technique of data mining. This paper evaluates the performance of well-known classification algorithms for attack classification. The key idea is to use data mining techniques efficiently for intrusion attack classification. To implement and measure the performance of our system we used the KDD99 benchmark dataset and obtained a reasonable detection rate.
An Intrusion Detection based on Data mining technique and its intended import...Editor IJMTER
Intrusion detection is a pivotal and essential requirement of today's era. There are two major sides to intrusion detection, namely host based intrusion detection and network based intrusion detection. A host based intrusion detection system monitors the information arriving at a particular machine or node, while a network based intrusion detection system monitors and analyzes the whole traffic of the network. Data mining introduces the latest technology and methods to handle and categorize types of attacks using different classification algorithms and matching the patterns of malicious behavior. Using this data mining technology, developers extract and analyze the types of attack in the network.
In addition, there are two major approaches to intrusion detection. First, the anomaly based approach, in which attacks are found with a high false alarm rate. In the signature based approach, by contrast, the false alarm rate is low but novel attacks cannot be processed. Most researchers base their work on signature intrusion with the purpose of increasing the detection rate. The major advantage of such a system is that the IDS does not require biased assessment and is able to identify massive patterns of attacks, and it has the capacity to handle large connection records of the network. In this paper we try to discover the features of intrusion detection based on data mining techniques.
A technical review and comparative analysis of machine learning techniques fo...IJECEIAES
Machine learning techniques are being widely used to develop intrusion detection systems (IDS) for detecting and classifying cyber attacks at the network level and the host level in a timely and automatic manner. However, traditional intrusion detection systems, based on traditional machine learning methods, lack reliability and accuracy. Instead of the traditional machine learning used in previous research, we think deep learning has the potential to perform better in extracting features from massive data, considering the massive cyber traffic in real life. Generally, Mobile Ad Hoc Networks (MANETs) offer low physical security for mobile devices because of properties such as node mobility, lack of centralized management and limited bandwidth. Traditional cryptography schemes cannot completely safeguard MANETs against novel threats and vulnerabilities, whereas deep learning methods applied in an IDS are capable of adapting to the dynamic environment of a MANET and enable the system to make decisions on intrusions while continuing to learn about the mobile environment. An IDS in a MANET is a sensing mechanism that monitors nodes and network activities in order to detect malicious actions and malicious attempts performed by intruders. Recently, multiple deep learning approaches have been proposed to enhance the performance of intrusion detection systems. In this paper, we make a systematic comparison of three models, an Inception architecture convolutional neural network (Inception-CNN), a bidirectional long short-term memory network (BLSTM) and a deep belief network (DBN), for deep learning-based intrusion detection, using the NSL-KDD dataset containing information about intrusion and regular network connections; the goal is to provide basic guidance on the choice of deep learning models in MANETs.
Augment Method for Intrusion Detection around KDD Cup 99 DatasetIRJET Journal
This document discusses augmenting methods for intrusion detection using the KDD Cup 99 dataset. It aims to improve detection accuracy and reduce false positives. The key points are:
- It analyzes detection precision and true positive rate (recall) for different attack classes in the KDD Cup 99 dataset to help improve dataset accuracy.
- Experimental results show the contribution of each attack class to recall and precision, which can help optimize the dataset to achieve highest accuracy with lowest false positives.
- The goal is to enhance testing of detection models and improve data quality to advance offline intrusion detection capabilities.
International Journal of Engineering Inventions
ISSN: 2278-7461, www.ijeijournal.com
Volume 1, Issue 4 (September 2012) PP: 68-76
Integrated Conditional Random Fields with the Layered Approach for Intrusion Detection
K Ranganath (1), Shaik Shafia (2)
(1) Computer Science and Engineering Department, Hyderabad Institute of Technology And Management, R.R.Dist
(2) Computer Science and Engineering Department, Hyderabad Institute of Technology And Management, R.R.Dist
Abstract— Conditional Random Fields (CRFs) and the Layered Approach have something in common: both can be used to address the two issues of accuracy and efficiency. Each has its own advantages and disadvantages, which largely disappear when the two are combined. Intrusion detection (ID) is a type of security management system for computers and networks. An ID system gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization). CRFs can effectively model the relationships among the different features of an observation, resulting in higher attack detection accuracy. Another advantage of using CRFs is that every element in the sequence is labelled such that the probability of the entire labelling is maximized, i.e., all the features in the observation collectively determine the final labels. Hence, even if some data is missing, the observation sequence can still be labelled using fewer features. The layered model reduces computation and the overall time required to detect anomalous events. The time required to detect an intrusive event is significant and can be reduced by eliminating the communication overhead among different layers. To improve the speed of operation of the system, we implement the LIDS (layered intrusion detection system) and select a small set of features for every layer rather than using all 41 features. This results in significant performance improvement during both the training and the testing of the system. This project shows that high attack detection accuracy can be achieved by using CRFs and high efficiency by implementing the Layered Approach. Finally, we show that our system is robust and is able to handle noisy data without compromising performance.
Keywords— CERT, CRF, Intrusion, Session
I. INTRODUCTION
In this project we address three significant issues which severely restrict the utility of anomaly and hybrid intrusion detection systems in present networks and applications: limited attack detection coverage, a large number of false alarms and inefficiency in operation. Present anomaly and hybrid intrusion detection systems have limited attack detection capability, suffer from a large number of false alarms and cannot be deployed in high speed networks and applications without dropping audit patterns. Hence, most existing intrusion detection systems, such as USTAT, IDIOT, EMERALD, Snort and others, are developed using knowledge engineering approaches in which domain experts build focused and optimized pattern matching models [1]. Though such systems result in very few false alarms [2], they are specific in the attacks they detect and often tend to be incomplete, so their effectiveness is limited. We, thus, address these shortcomings and develop better anomaly and hybrid intrusion detection systems which are accurate in attack detection, efficient in operation and have wide attack detection coverage.
The objective of an intrusion detection system is to provide data security and ensure continuity of the services provided by a network [3]. Present networks provide critical services which are necessary for businesses to perform optimally and are, thus, a target of attacks which aim to bring down the services provided by the network. Additionally, with more and more data becoming available in digital format and more applications being developed to access this data, the data and applications are also victims of attackers who exploit these applications to gain access to data. As more sophisticated security tools are deployed to protect data and services, attackers come up with newer and more advanced methods to defeat the installed security systems [4], [5]. According to the Internet Systems Consortium (ISC) survey, the number of hosts on the Internet exceeded 550,000,000 in July 2008 [6]. Earlier, a project in 2002 estimated the size of the Internet to be 532,897 TB [7]. Increasing dependence of businesses on the services over the
Configuration errors and vulnerabilities in software are exploited by attackers who launch powerful attacks such as Denial of Service (DoS) [8] and information attacks [9].
According to the Computer Emergency Response Team (CERT), the number of vulnerabilities in software has been increasing and many of them exist in widely deployed software [10]. Considering that it is nearly impossible to build 'perfect' software, it becomes critical to build effective intrusion detection systems which can detect attacks reliably. The prospect of obtaining valuable information as a result of a successful attack outweighs the threat of legal conviction. The problem becomes more profound since authorized users can misuse their privileges and attackers can masquerade as authentic users by exploiting vulnerable applications. Given the diverse types of attacks (DoS, Probing, Remote to Local, User to Root and others), it is a challenge for any intrusion detection system to detect a wide variety of attacks with very few false alarms in a real time environment. Ideally, the system must detect all intrusions with no false alarms. The challenge is, thus, to build a system which has broad attack detection coverage and at the same time results in very few false alarms. The system must also be efficient enough to handle large amounts of audit data without affecting performance in the deployed environment. Existing systems, however, are in no way a complete solution for securing today's highly networked computing environment, hence the need to develop better intrusion detection systems.
II. BACKGROUND
Intrusion detection in networks and applications has become one of the most critical tasks for preventing their misuse by attackers. Intrusion detection started in the 1980s and since then a number of approaches have been introduced to build intrusion detection systems [1]. However, intrusion detection is still in its infancy, and even naive attackers can launch powerful attacks which can bring down an entire network [5]. To identify the shortcomings of different approaches to intrusion detection, we explore the related research. We describe the problem of intrusion detection in detail and analyse various well known methods for intrusion detection with respect to two critical requirements, viz. accuracy of attack detection and efficiency of system operation. We observe that present methods for intrusion detection suffer from a number of drawbacks which significantly affect their attack detection capability. Hence, we introduce conditional random fields for effective intrusion detection and motivate our approach for building intrusion detection systems which operate efficiently and detect a wide variety of attacks with relatively higher accuracy, both at the network and at the application level.
A. Intrusion Detection and Intrusion Detection System
The intrusion detection systems are a critical component in the network security arsenal. Security is often implemented as a multi-layer infrastructure, and the different approaches to providing security can be categorized into the following six areas:
Attack Deterrence – Attack deterrence refers to persuading an attacker not to launch an attack by increasing the perceived risk of negative consequences for the attacker. Having a strong legal system may help in attack deterrence. However, it requires strong evidence against the attacker in case an attack was launched.
Attack Prevention – Attack prevention aims to stop an attack by blocking it before it can reach the target. However, it is very difficult to prevent all attacks, because to prevent an attack the system requires complete knowledge of all possible attacks as well as complete knowledge of all the allowed normal activities, which is not always available. An example of an attack prevention system is a firewall.
Attack Deflection – Attack deflection refers to tricking an attacker into believing that the attack was successful though, in reality, the attacker was trapped by the system and deliberately made to reveal the attack.
Attack Avoidance – Attack avoidance aims to make a resource unusable by an attacker even though the attacker is able to illegitimately access that resource. An example of a security mechanism for attack avoidance is the use of cryptography.
Attack Detection – Attack detection refers to detecting an attack while it is still in progress, or detecting an attack which has already occurred in the past. Detecting an attack is significant for two reasons: first, the system must recover from the damage caused by the attack and, second, it allows the system to take measures to prevent similar attacks in future.
Attack Reaction and Recovery – Once an attack is detected, the system must react to it and perform the recovery mechanisms defined in the security policy. Tools which perform attack detection followed by reaction and recovery are known as intrusion detection systems. However, the difference between intrusion prevention and intrusion detection is slowly diminishing as present intrusion detection systems increasingly focus on real time attack detection and on blocking an attack before it reaches the target. Such systems are better known as Intrusion Prevention Systems.
B. Principles and Assumptions in Intrusion Detection
The principle states that for a system which is not under attack, the following three conditions hold true:
Actions of users conform to statistically predictable patterns.
Actions of users do not include sequences which violate the security policy.
Actions of every process correspond to a set of specifications which describe what the process is allowed to do.
A system under attack violates at least one of the three conditions. Further, intrusion detection is based upon assumptions which hold regardless of the approach adopted by the intrusion detection system. These assumptions are:
There exists a security policy which defines the normal and (or) the abnormal usage of every resource.
The patterns generated during abnormal system usage are different from the patterns generated during normal usage of the system; i.e., the abnormal and normal usage of a system result in different system behavior. This difference in behavior can be used to detect intrusions.
C. Components of Intrusion Detection Systems
An intrusion detection system typically consists of three subsystems or components:
Data Preprocessor – The data preprocessor is responsible for collecting and providing the audit data (in a specified form) that will be used by the next component (the analyser) to make a decision. The data preprocessor is, thus, concerned with collecting the data from the desired source and converting it into a format that is comprehensible to the analyser. Data used for detecting intrusions range from user access patterns to network packet level features (such as the source and destination IP addresses, type of packets and rate of occurrence of packets) to application and system level behaviour (such as the sequence of system calls generated by a process). We refer to this data as the audit patterns.
Analyzer (Intrusion Detector) – The analyser or intrusion detector is the core component which analyses the audit patterns to detect attacks. This is a critical component and one of the most researched. Various pattern matching, machine learning, data mining and statistical techniques can be used as intrusion detectors. The capability of the analyser to detect an attack often determines the strength of the overall system.
Response Engine – The response engine controls the reaction mechanism and determines how to respond when the analyzer detects an attack. The system may decide either to raise an alert without taking any action against the source or to block the source for a predefined period of time. Such an action depends upon the predefined security policy of the network.
The Common Intrusion Detection Framework (CIDF) recognizes a common architecture for intrusion detection systems. The CIDF defines four components: Event generators (E-boxes), event Analyzers (A-boxes), event Databases (D-boxes) and Response units (R-boxes). Of these, the D-boxes are optional and can be used to store events for later analysis.
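The following is an added example and not the paper's code: it wires the three components above (data preprocessor, analyser, response engine) around the layered analyser the abstract describes, in which each layer sees only a small feature subset and a record stops at the first layer that flags it. The paper trains a CRF per layer; the nearest-centroid model used here is a stand-in chosen so the example runs with the Python standard library only. The column subset, the features given to each layer and every record are constructed for this example, not taken from the KDD data.

```python
"""Layered intrusion detection pipeline over KDD-style connection records.

Added example, not the paper's code. The paper trains a CRF per layer; the
nearest-centroid layer model here is a stand-in. Column subset, per-layer
feature lists and all records are constructed for this example.
"""
import math

# Subset of the KDD 1999 column names, in the order the constructed CSV lines use.
COLUMNS = ["duration", "protocol_type", "service", "flag", "src_bytes", "dst_bytes",
           "num_failed_logins", "root_shell", "num_file_creations", "count",
           "srv_count", "serror_rate", "diff_srv_rate", "label"]
CATEGORICAL = {"protocol_type", "service", "flag", "label"}

# Layer order follows the paper (Probe, DoS, R2L, U2R). Which features each layer
# gets is this example's choice: 11 features in total instead of all 41.
LAYERS = [
    ("probe", ["diff_srv_rate", "srv_count"]),
    ("dos", ["serror_rate", "count", "src_bytes"]),
    ("r2l", ["num_failed_logins", "src_bytes", "dst_bytes"]),
    ("u2r", ["root_shell", "num_file_creations", "duration"]),
]

# Constructed training records (not KDD data): 5 normal, 3 probe, 3 DoS, 3 R2L, 2 U2R.
TRAINING = """\
0,tcp,http,SF,215,45076,0,0,0,8,8,0.00,0.00,normal
0,tcp,http,SF,162,4528,0,0,0,6,6,0.00,0.00,normal
2,tcp,smtp,SF,1169,332,0,0,0,4,4,0.00,0.00,normal
0,udp,domain_u,SF,44,133,0,0,0,2,2,0.00,0.00,normal
0,tcp,http,SF,239,486,0,0,0,10,10,0.00,0.10,normal
0,tcp,private,REJ,0,0,0,0,0,200,4,0.00,0.95,probe
0,icmp,eco_i,SF,8,0,0,0,0,150,3,0.00,0.90,probe
0,tcp,private,S0,0,0,0,0,0,180,2,0.00,0.85,probe
0,tcp,private,S0,0,0,0,0,0,250,10,1.00,0.05,dos
0,tcp,private,S0,0,0,0,0,0,230,12,1.00,0.06,dos
0,tcp,private,S0,0,0,0,0,0,270,9,1.00,0.04,dos
3,tcp,telnet,SF,126,179,3,0,0,1,1,0.00,0.00,r2l
5,tcp,telnet,SF,130,174,4,0,0,1,1,0.00,0.00,r2l
2,tcp,ftp,SF,220,1850,2,0,0,1,1,0.00,0.00,r2l
184,tcp,telnet,SF,1511,2957,0,1,3,1,1,0.00,0.00,u2r
305,tcp,telnet,SF,1735,2766,0,1,2,1,1,0.00,0.00,u2r
""".splitlines()


def preprocess(line):
    """Data preprocessor: one CSV line -> typed audit pattern (dict)."""
    values = line.strip().split(",")
    if len(values) != len(COLUMNS):
        raise ValueError("expected %d fields, got %d" % (len(COLUMNS), len(values)))
    return {c: (v if c in CATEGORICAL else float(v)) for c, v in zip(COLUMNS, values)}


def train_layer(records, features, attack_class):
    """Nearest-centroid model over this layer's features only, trained on normal
    traffic plus the one attack class the layer is responsible for. Features are
    scaled by their training maximum so byte counts do not swamp rates."""
    normal = [r for r in records if r["label"] == "normal"]
    attack = [r for r in records if r["label"] == attack_class]
    scale = [max(abs(r[f]) for r in normal + attack) or 1.0 for f in features]

    def scaled_centroid(group):
        return [sum(r[f] for r in group) / len(group) / s for f, s in zip(features, scale)]

    return {"features": features, "scale": scale,
            "normal": scaled_centroid(normal), "attack": scaled_centroid(attack)}


def layer_flags(model, record):
    """True when the (scaled) record lies closer to the attack centroid."""
    x = [record[f] / s for f, s in zip(model["features"], model["scale"])]

    def dist(c):
        return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, c)))

    return dist(model["attack"]) < dist(model["normal"])


def train(lines):
    """Train one model per layer from labelled audit patterns."""
    records = [preprocess(l) for l in lines]
    return [(name, train_layer(records, feats, name)) for name, feats in LAYERS]


def analyse(models, record):
    """Analyser: run the layers in order and stop at the first one that flags the
    record. Returns (label, number of features examined)."""
    examined = 0
    for name, model in models:
        examined += len(model["features"])
        if layer_flags(model, record):
            return name, examined
    return "normal", examined


def respond(label, policy=None):
    """Response engine: map the analyser's label to the action the policy sets."""
    policy = policy or {"dos": "block", "probe": "block", "r2l": "alert", "u2r": "alert"}
    return "none" if label == "normal" else policy.get(label, "alert")


def evaluate(models, lines):
    """Fraction of labelled lines the pipeline labels correctly."""
    records = [preprocess(l) for l in lines]
    return sum(analyse(models, r)[0] == r["label"] for r in records) / len(records)


if __name__ == "__main__":
    models = train(TRAINING)
    # Constructed unseen connection: SYN flood pattern (high count, every SYN errors).
    label, n = analyse(models, preprocess("0,tcp,private,S0,0,0,0,0,0,240,11,1.00,0.05,dos"))
    print(label, "after examining", n, "features ->", respond(label))
```

The point to watch is the early exit in `analyse`: a DoS record is decided after the Probe and DoS layers have looked at five features in total, and only a record that no layer claims pays for all eleven. The cost of that ordering is that a layer never sees the classes behind it, so a later-class record that happens to look like an earlier class is mislabelled there; the paper's choice of a small, class-specific feature set per layer is what keeps that from happening.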
D. Challenges and Requirements for Intrusion Detection Systems
The purpose of an intrusion detection system is to detect attacks. However, it is equally important to detect attacks
at an early stage in order to minimize their impact. The major challenges and requirements for building intrusion detection
systems are:
The system must be able to detect attacks reliably without giving false alarms. It is very important that the false
alarm rate is low as in a live network with large amount of traffic, the number of false alarms may exceed the
total number of attacks detected correctly thereby decreasing the confidence in the attack detection capability of the
system. Ideally, the system must detect all intrusions with no false alarms, i.e. it can detect a wide variety of
attacks and at the same time which results in very few false alarms.
The system must be able to handle a large amount of data without degrading performance and without dropping data,
i.e. the rate at which audit patterns are processed and decisions are made must be greater than or equal to the rate
of arrival of new audit patterns. In addition, the system must be capable of operating in real time by initiating a
response mechanism as soon as an attack is detected.
A system which can link an alert generated by the intrusion detector to the actual security incident is desirable.
Such a system helps in quick analysis of the attack and may also provide an effective response to the intrusion, as
opposed to a system which offers no after-attack analysis. Hence, it is not only necessary to detect an attack, but
also to identify the type of attack.
It is desirable to develop a system which is itself resistant to attacks, since a system that can be exploited during an
attack may not be able to detect attacks reliably.
III. IMPLEMENTATION
Ever increasing network bandwidth poses a significant challenge to building efficient network intrusion detection
systems which can detect a wide variety of attacks with acceptable reliability. In order to operate in high traffic
environments, present network intrusion detection systems are often signature based, and signature based systems cannot
detect novel attacks; anomaly and hybrid intrusion detection systems must therefore be used to detect them. However, such
systems are inefficient and suffer from a large false alarm rate.
To ameliorate these drawbacks, we first develop better hybrid intrusion detection methods which are not based on attack
signatures and which can detect a wide variety of attacks with very few false alarms. Given the network audit patterns, where
every connection between two hosts is presented in a summarized form with 41 features, our objective is to detect most of
the anomalous connections while generating very few false alarms. In our experiments, we used the KDD 1999 data set.
Conventional methods, such as decision trees and naive Bayes, are known to perform well in such an environment; however,
they assume the observation features to be independent. We propose to use conditional random fields, which can capture the
correlations among different features in the data.
The KDD 1999 data set represents multiple features, a total of 41, for every session in relational form, with only
one label for the entire record. We instead represent the audit data as a sequence and assign a label to every
feature in the sequence, using the first order Markov assumption, rather than assigning a single label to the entire observation.
Though this increases complexity, it also improves the attack detection accuracy. Figure 3.1 shows how conditional
random fields can be used for detecting network intrusions.
Figure3.1: Conditional Random Fields for Intrusion Detection
In the figure, the observation features ‘duration’, ‘protocol’, ‘service’, ‘flag’ and ‘source bytes’ are used to
discriminate between attack and normal events. For every connection each feature takes some value, and these values are then
used to determine the most likely sequence of labels < attack, attack, attack, attack, attack > or < normal, normal, normal,
normal, normal >. Custom feature functions can be defined which describe the relationships among different features in the
observation. During training, the feature weights are learnt; during testing, the feature functions are evaluated for the given observation,
which is then labeled accordingly. It is evident from the figure that every input feature is connected to every label which
indicates that all the features in an observation determine the final labeling of the entire sequence. Thus, a conditional
random field can model dependencies among different features in an observation. Present intrusion detection systems do not
consider such relationships. They either consider only one feature, as in the case of system call modeling, or assume
independence among different features in an observation, as in the case of a naive Bayes classifier.
We also note that in the KDD 1999 data set, attacks can be grouped into four classes: Probe, DoS, R2L and U2R. To treat
this as a two class classification problem, the attacks belonging to all four classes can be relabeled as
attack and mixed with the audit patterns belonging to the normal class, to build a single model which is trained to detect
any kind of attack. The problem can also be treated as a five class classification problem, where a single system is
trained with five classes (normal, Probe, DoS, R2L and U2R) instead of two. As we will see from our experimental results,
considering every attack class separately not only improves the attack detection accuracy but also improves the
overall system performance when integrated with the layered framework. Furthermore, it identifies the class of
an attack once it is detected at a particular layer in the layered framework. A drawback of this implementation is
that it requires domain knowledge to perform feature selection for every layer.
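The following is an added example, not the authors' code, that puts the two preceding ideas together: a linear-chain conditional random field that labels every position of a KDD-style connection record (as in Figure 3.1, with one label per feature and a first order transition between labels, plus a custom feature function that looks at a pair of features), and a layered detector that trains one such binary CRF per attack class on its own feature subset. Inference is done exactly by enumerating all 2^T labellings, which is affordable for T ≤ 5 features and avoids forward-backward code. The training connections, the per-layer feature subsets and the numeric bucketing are constructed for illustration and are not taken from the KDD 1999 data set or from the paper.

```python
import itertools
import math
from collections import defaultdict

LABELS = ("normal", "attack")

def observe(rec, features):
    """One observation (feature name, discretised value) per sequence position."""
    obs = []
    for name in features:
        v = rec[name]
        if isinstance(v, (int, float)):          # numeric fields become coarse indicators (assumed bucketing)
            v = "zero" if v == 0 else ("small" if v < 1000 else "large")
        obs.append((name, v))
    return obs

def feature_vector(obs, labels):
    """Sparse counts of the feature functions active for one complete labelling (needs >= 3 positions)."""
    phi = defaultdict(float)
    for t, ((name, val), y) in enumerate(zip(obs, labels)):
        phi[("unary", name, val, y)] += 1                  # f(y_t, x_t)
        if t > 0:
            phi[("trans", labels[t - 1], y)] += 1          # g(y_{t-1}, y_t), first order Markov assumption
        # custom feature function: a label may look at the whole observation, here at the pair
        # (x_1, x_2); this is how the model captures correlations between different features
        phi[("pair", obs[1][1], obs[2][1], y)] += 1
    return phi

def score(w, phi):
    return sum(w.get(k, 0.0) * v for k, v in phi.items())

def labellings(n):
    return list(itertools.product(LABELS, repeat=n))

def expected_counts(w, obs):
    """E_{p(y|x)}[phi(x, y)], the model term of the CRF gradient, by exact enumeration."""
    cands = [feature_vector(obs, lab) for lab in labellings(len(obs))]
    scores = [score(w, phi) for phi in cands]
    m = max(scores)
    log_z = m + math.log(sum(math.exp(s - m) for s in scores))   # log partition function
    expect = defaultdict(float)
    for phi, s in zip(cands, scores):
        p = math.exp(s - log_z)
        for k, v in phi.items():
            expect[k] += p * v
    return expect

def train_crf(records, features, epochs=50, lr=0.05, l2=0.01):
    """Stochastic gradient ascent on the L2-regularised conditional log-likelihood."""
    w = defaultdict(float)
    for _ in range(epochs):
        for rec, label in records:
            obs = observe(rec, features)
            grad = feature_vector(obs, (label,) * len(obs))   # empirical counts: one label per position
            for k, v in expected_counts(w, obs).items():
                grad[k] -= v                                    # minus the model's expected counts
            for k, g in grad.items():
                w[k] += lr * (g - l2 * w[k])                    # regulariser applied to the touched weights
    return w

def decode(w, rec, features):
    """Most likely label sequence for the connection (argmax over all labellings)."""
    obs = observe(rec, features)
    return max(labellings(len(obs)), key=lambda lab: score(w, feature_vector(obs, lab)))

# ---- layered framework: one binary CRF per attack class, each on its own feature subset ----
LAYER_FEATURES = {   # assumed per-layer feature selection (the paper picks these with domain knowledge)
    "Probe": ("protocol", "service", "flag", "src_bytes"),
    "DoS":   ("duration", "protocol", "service", "flag", "src_bytes"),
}

def train_layers(records):
    """Each layer is trained as normal vs. its own attack class; other classes are left out of it."""
    layers = []
    for cls, feats in LAYER_FEATURES.items():
        data = [(r, "attack" if c == cls else "normal") for r, c in records if c in ("normal", cls)]
        layers.append((cls, feats, train_crf(data, feats)))
    return layers

def classify_layered(layers, rec):
    """A connection passes the layers in order; the first layer that fires names the attack class."""
    for cls, feats, w in layers:
        if "attack" in decode(w, rec, feats):
            return cls
    return "normal"

def conn(duration, protocol, service, flag, src_bytes):
    return {"duration": duration, "protocol": protocol, "service": service,
            "flag": flag, "src_bytes": src_bytes}

# constructed KDD-style training connections (illustrative, not records from the KDD 1999 data set)
TRAIN = [
    (conn(0, "tcp", "http", "SF", 215), "normal"),
    (conn(12, "tcp", "http", "SF", 4300), "normal"),
    (conn(0, "udp", "domain_u", "SF", 44), "normal"),
    (conn(3, "tcp", "smtp", "SF", 1200), "normal"),
    (conn(0, "tcp", "private", "S0", 0), "DoS"),      # SYN-flood style half-open connections
    (conn(0, "tcp", "private", "S0", 0), "DoS"),
    (conn(0, "icmp", "ecr_i", "SF", 1032), "DoS"),    # echo-reply flood style
    (conn(0, "tcp", "private", "REJ", 0), "Probe"),   # port-scan style rejected connections
    (conn(0, "tcp", "ftp", "REJ", 0), "Probe"),
]

if __name__ == "__main__":
    layers = train_layers(TRAIN)
    for c in (conn(0, "tcp", "http", "SF", 215), conn(0, "tcp", "private", "REJ", 0),
              conn(0, "icmp", "ecr_i", "SF", 1032)):
        print(classify_layered(layers, c))
```

Because every label sees the whole observation through the pair feature, a connection whose individual features look benign can still be labelled attack when their combination was only ever seen in attacks; the layer order (Probe before DoS here) also means a connection is attributed to the first class whose model fires, which is why each layer's feature subset matters.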
E. Description of our Framework
We present our unified logging framework in Figure 3.2, which can be used for building an effective application
intrusion detection system.
Figure 3.2: Framework for Building Application Intrusion Detection System
In our framework, we define two modules; session control module and logs unification module, in addition to an
intrusion detection system which is used to detect malicious data accesses in an application. The logs unification module
provides input audit patterns to the intrusion detection system and the response generated by the intrusion detection system is
passed on to the session control module which can initiate appropriate intrusion response mechanisms. In our framework,
every request first passes through the session control which is described next.
Session Control Module
The prime objective of an intrusion detection system is to detect attacks reliably. However, it must also ensure that
once an attack is detected, appropriate intrusion response mechanisms are activated in order to mitigate its impact and
prevent similar attacks in future. The session control module serves a dual purpose in our framework. First, it is responsible for
establishing new sessions and for checking the session id of previously established sessions. For this, it maintains a list of
valid sessions which are allowed to access the application. Every request to access the application is checked for a valid
session id at the session control, and anomalous requests can be blocked depending upon the installed security policy.
Second, the session control also accepts input from the intrusion detection system, and is therefore able to act as an
intrusion response system. If a request is evaluated to be anomalous by the intrusion detection system, the response from the
application can be blocked at the session control before data is made visible to the user, thereby preventing malicious data
accesses in real time.
The session control can be implemented either as a part of the application or as a separate entity. Once the session
id has been checked for a request, the request is sent to the application where it is processed. The web server logs every
request, and all corresponding data accesses are also logged. The two logs are then combined by the logs unification
module to generate the unified log, which is described next.
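An added example of the session control module acting as the response point, covering both the session id check described above and the response engine policy from Section II (raise an alert only, or block the source for a predefined period). This is illustrative code, not the authors' implementation; the demo application and demo IDS are constructed for it, and binding a session id to the client address that established it is an assumption of this example rather than something the paper specifies.

```python
import secrets
import time

ALERT_ONLY, BLOCK_SOURCE = "alert", "block"       # the two response policies

class SessionControl:
    def __init__(self, ids, app, policy=BLOCK_SOURCE, block_seconds=300, clock=time.time):
        self.ids = ids                    # callable(request, result) -> True if the access is anomalous
        self.app = app                    # callable(request) -> application result
        self.policy = policy
        self.block_seconds = block_seconds
        self.clock = clock                # injectable clock so block expiry can be tested offline
        self.sessions = {}                # session id -> client address that established it (assumed)
        self.blocked_until = {}           # client address -> time at which the block lapses
        self.alerts = []                  # alerts raised, whatever the policy

    def establish(self, client):
        """Create a new session with an unguessable id; only this id authorises later requests."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = client
        return sid

    def source_blocked(self, client):
        until = self.blocked_until.get(client)
        if until is not None and self.clock() < until:
            return True
        self.blocked_until.pop(client, None)   # block lapsed, or the client was never blocked
        return False

    def handle(self, request):
        client, sid = request["client"], request.get("session")
        if self.source_blocked(client):
            return {"status": 403, "body": "source blocked"}
        if self.sessions.get(sid) != client:   # unknown id, or a valid id presented from another address
            return {"status": 401, "body": "invalid session"}
        result = self.app(request)             # the application processes (and logs) the request
        if self.ids(request, result):          # IDS verdict is taken before any data is released
            self.alerts.append((client, request["path"]))
            if self.policy == BLOCK_SOURCE:
                self.blocked_until[client] = self.clock() + self.block_seconds
            return {"status": 403, "body": "blocked by intrusion detection"}   # data never reaches the user
        return {"status": 200, "body": result["body"]}

# constructed application and IDS for the demonstration; not part of the paper
def demo_app(request):
    """Returns a body plus the number of queries the request triggered."""
    n = 40 if request["path"].startswith("/export") else 1
    return {"body": "ok", "n_queries": n}

def demo_ids(request, result):
    """Flags a request whose query count is far above what a single page needs."""
    return result["n_queries"] > 5

if __name__ == "__main__":
    sc = SessionControl(demo_ids, demo_app)
    sid = sc.establish("10.0.0.5")
    print(sc.handle({"client": "10.0.0.5", "session": sid, "path": "/home"}))
    print(sc.handle({"client": "10.0.0.5", "session": sid, "path": "/export"}))
    print(sc.handle({"client": "10.0.0.5", "session": sid, "path": "/home"}))
```

The IDS verdict is computed after the application has run but before the response is returned, which is exactly what lets the session control withhold data from an anomalous request; with the alert-only policy the request is still refused, but the source is not blocked for subsequent requests.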
Logs Unification Module
Analyzing the web access logs and the data access logs in isolation is not sufficient to detect application level
attacks. Hence, we propose using a unified log, which can detect attacks better than independent analysis of the two
logs. The logs unification module is used to generate the unified log. The unified log incorporates features from both the
web access logs and the corresponding data access logs, and thus captures both the user-application interaction
and the application-data interaction. We first process the data access logs and represent them using simple
statistics such as ‘the number of queries invoked by a single web request’ and ‘the time taken to process them’, rather than
analyzing every data access individually. We then use the session id, present in both the application access logs and the
associated data access logs, to uniquely map the extracted statistics (obtained from the data access logs) to the corresponding
web requests, in order to generate a unified log. Figure 3.3 shows how the web access logs and the corresponding data
access logs can be uniquely mapped to generate a unified log. In the figure, f1, f2, f3...fn and g1’, g2’, …gm’ represent the
features of the web access logs and the features extracted from the reduced data access logs respectively.
Figure 3.3: Representation of a Single Event in the Unified log
From Figure 3.3, we observe that a single web request may result in more than one data access, depending
upon the logic encoded in the application. Once the web access logs and the corresponding data access logs are available,
the next step is the reduction of the data access logs by extracting simple statistics as discussed before. The session id can
then be used to uniquely combine the two logs to generate the unified log.
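An added example of the logs unification step described above; it is not the authors' code. Both logs are constructed inline in a simple key=value line format assumed for this example (a real deployment would parse whatever the web server and database driver emit). The data access log is first reduced to per-request statistics (the g' features: query count, total and maximum query time, number of tables touched) and then joined to the matching web request record (the f features). One assumption goes beyond the paper, which keys the join on the session id alone: here the application also writes a per-request sequence number into both logs, so that several requests within one session map unambiguously.

```python
import re
from collections import defaultdict

# constructed web access log (f features) and data access log, with an assumed line format
WEB_LOG = """\
sess=a1b2 req=1 client=10.0.0.5 method=GET path=/catalog status=200 bytes=5120
sess=a1b2 req=2 client=10.0.0.5 method=GET path=/item?id=42 status=200 bytes=2048
sess=a1b2 req=3 client=10.0.0.5 method=GET path=/static/logo.png status=200 bytes=800
sess=c3d4 req=1 client=10.0.0.9 method=GET path=/item?id=42'%20OR%201=1-- status=200 bytes=98304
"""
DATA_LOG = """\
sess=a1b2 req=1 ms=3 sql=SELECT id,name FROM items LIMIT 20
sess=a1b2 req=2 ms=2 sql=SELECT * FROM items WHERE id=42
sess=a1b2 req=2 ms=1 sql=SELECT * FROM reviews WHERE item=42
sess=c3d4 req=1 ms=410 sql=SELECT * FROM items WHERE id=42' OR 1=1--
sess=c3d4 req=1 ms=2 sql=SELECT * FROM reviews WHERE item=42' OR 1=1--
"""

WEB_RE = re.compile(r"^sess=(\S+) req=(\d+) client=(\S+) method=(\S+) path=(\S+) status=(\d+) bytes=(\d+)$")
DATA_RE = re.compile(r"^sess=(\S+) req=(\d+) ms=(\d+) sql=(.*)$")
EMPTY = {"n_queries": 0, "total_ms": 0, "max_ms": 0, "tables": set()}

def parse_web(text):
    """f1..fn: one record per web request."""
    recs = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue                                  # skip malformed lines rather than abort
        sess, req, client, method, path, status, nbytes = m.groups()
        recs.append({"sess": sess, "req": int(req), "client": client, "method": method,
                     "path": path, "status": int(status), "bytes": int(nbytes)})
    return recs

def reduce_data(text):
    """g1'..gm': the data access log reduced to per-request statistics, keyed by (session, request)."""
    stats = defaultdict(lambda: {"n_queries": 0, "total_ms": 0, "max_ms": 0, "tables": set()})
    for line in text.splitlines():
        m = DATA_RE.match(line)
        if not m:
            continue
        sess, req, ms, sql = m.groups()
        s = stats[(sess, int(req))]
        s["n_queries"] += 1
        s["total_ms"] += int(ms)
        s["max_ms"] = max(s["max_ms"], int(ms))
        s["tables"].update(t.lower() for t in re.findall(r"\bFROM\s+(\w+)", sql, re.I))
    return stats

def unify(web_text, data_text):
    """Join each web request with its reduced data accesses; requests that hit no table get zero statistics."""
    stats = reduce_data(data_text)
    unified = []
    for rec in parse_web(web_text):
        s = stats.get((rec["sess"], rec["req"]), EMPTY)
        row = dict(rec)
        row.update({"n_queries": s["n_queries"], "total_ms": s["total_ms"],
                    "max_ms": s["max_ms"], "n_tables": len(s["tables"])})
        unified.append(row)
    return unified

if __name__ == "__main__":
    for row in unify(WEB_LOG, DATA_LOG):
        print(row)
```

Each unified row is one event in the sense of Figure 3.3: the request's own fields plus the statistics of the data accesses it caused. In the constructed input the tampered request stands out only in the joined view (a normal-looking 200 response paired with an unusually long query time and a large response), which is the point of unifying the two logs before training the detector.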
Issues in Implementation
Experimental results show that our approach based on conditional random fields can be used to build effective
application intrusion detection systems. However, before deployment, it is critical to resolve issues such as the availability of
the training data and suitability of our approach for a variety of applications. We now discuss various methods which can be
employed to resolve such issues.
Availability of Training Data
Though our system is application independent and can be used to detect malicious data accesses in a variety of
applications, it must be trained before it can be deployed online to detect attacks. This requires training data which
is specific to the application, and such data may be difficult to obtain. However, training data can be made available as early as
the application testing phase, when the application is tested to identify errors. Logs generated during the application
testing phase can be used for training the intrusion detection system. This requires security aware software
engineering practices which ensure that the necessary measures are taken to produce training data during the application
development phase, so that effective application intrusion detection systems can be trained.
Suitability of Our Approach for a Variety of Applications
As already discussed, our framework is generic and can be deployed for a variety of applications. It is
particularly suited to applications which follow the three tier architecture, in which the application and data layers are independent.
Furthermore, our framework can easily be extended and deployed in a Service Oriented Architecture: our proposed
framework can be considered a special case of the service oriented architecture which defines only one service. The
challenge is to identify such correlations automatically, and this provides an interesting direction for future work.
IV. RESULTS
The programs developed have been validated by testing them with a variety of inputs. The screens below show the
outputs of the Intrusion Detection System for different inputs.
Figure 4.1: RMI Registry window
This form shows the RMI registry, through which a method of an object running on one machine can be invoked from
another machine.
Figure 4.2 Intrusion Detection System Windows.
This form shows the main screen of the Intrusion Detection System
Figure 4.3: Authorized Person Login System Window
This form shows the main screen of the Authorized Person Login System
Figure 4.4: Home Page of actual Intrusion Detection System Window
This form shows the main screen of the Authorized Person Login System and Intrusion Detection System
Figure 4.5(a): password mismatch window
Figure 4.5(b): IDS detecting unauthorized user window
This form shows that an intrusion is detected when the user enters wrong credentials
Figure 4.6: Unauthorized user detection window
This form shows what operation the unauthorized user performed and what action the Intrusion Detection System took
Figure 4.7: Authorized user IDS window
This form shows the valid user information held by the IDS
Figure 4.8: Authorized user retrieving system properties window
This form shows the authorized user retrieving the system properties
Figure 4.9: Process level intruder detection window
This form shows that when an authorized user tries to retrieve process level information, the IDS detects it and presents
the alert information in a dialog box
Figure 4.10(a): how to send data window
Figure 4.10(b): how to add file window
Figure 4.11: Transmission status window
This form shows the number of packets transferred, the size of the packets and the process status
V. CONCLUSION
We explored the suitability of conditional random fields for building robust and efficient intrusion detection
systems which can operate both at the network and at the application level. In particular, we introduced novel frameworks
and developed models which address three critical issues that severely affect the large scale deployment of present anomaly
VI. FUTURE ENHANCEMENT
The critical nature of the task of detecting intrusions in networks and applications leaves no margin for errors.
The effective cost of a successful intrusion overshadows the cost of developing intrusion detection systems and hence it
becomes critical to identify the best possible approach for developing better intrusion detection systems. Every network and
application is custom designed, and it is extremely difficult to develop a single solution which works for every
network and application. In this work, we proposed novel frameworks and developed methods which perform better than
previously known approaches. However, in order to improve the overall performance of our system we used the domain
knowledge for selecting better features for training our models. This is justified because of the critical nature of the task of
intrusion detection. Using domain knowledge to develop better systems is not a significant disadvantage; however,
developing completely automatic systems presents an interesting direction for future research. From our experiments, it is
evident that our systems performed efficiently. However, developing faster implementations of conditional random fields
particularly for the domain of intrusion detection requires further investigation.
AUTHORS
Mr. K. Ranganath graduated in Computer Science and Engineering from Osmania University, Hyderabad, India, in 2006
and received an M.Tech in Software Engineering from Jawaharlal Nehru Technological University, Hyderabad, A.P., India,
in 2010. He is presently working as Assistant Professor in the Department of C.S.E. at Hyderabad Institute of Technology
and Management (HITAM), R.R. Dist., A.P., India. He has 4 years of experience. His research interests
include network security and data mining.
Ms. Shaik Shafia graduated in Computer Science and Engineering from JNTU Hyderabad, India, in 2006 and received an
M.Tech in Computer Science from Jawaharlal Nehru Technological University, Hyderabad, A.P., India, in 2011. She is
presently working as Assistant Professor in the Department of C.S.E. at Hyderabad Institute of Technology and
Management (HITAM), R.R. Dist., A.P., India. She has 6 years of experience. Her research interests
include secure computing.