The Integration of SNORT with K-Means Clustering Algorithm to Detect New Attack

Transcription

1 The Integration of SNORT with K-Means Clustering Algorithm to Detect New Attack Asnita Hashim, University of Technology MARA, Malaysia April 14-15, 2011

2 The Integration of SNORT with K-Means Clustering Algorithm to Detect New Attack Problem Statement Objective Related works Project Architecture Results Conclusion

3 Problem Statement Limitation of signature-based IDS is failure to identify novel attacks, and sometimes even minor variations of known patterns (Laskov, 2007). Anomaly detection has an advantage over signature-based detection in that a new attack for which a signature does not exist can be detected if it falls out of the normal traffic patterns. Limitation of anomaly detection is it suffer high false detection rate. Therefore there is a need to combine both algorithms which is signature based and anomaly based in order to improve the detection of new malicious packet and reduce excessive false alarm rate (rthcutt, 2010) PAGE 3

4 Objective To integrate Snort with K-means clustering algorithm in order to improve the detection of new malicious packet and reduce excessive false alarm rate. PAGE 4

5 IDS Techniques Signature based Anomaly based Anomaly Statistical based Snort Knowledge based Machine learning based Bayesian Network Markov Model Genetic Algorithm Neural Network Clustering Algorithm Fuzzy Logic K-means Algorithm PAGE 5

6 Related works Title and Author Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episode (Hwang et al, 2007) Network-based hybrid IDS and honeysystems as Active Reaction Schemes (Teodoro et al, 2007) Research and Implementation on Snort-based Hybrid Intrusion Detection System (Ding et al, 2009) A Hybrid Intrusion Detection System Design for Computer Network Security (Aydin et al, 2009) Design of A Snort-based hybrid Intrusion Detection System (Gomez et al, 2009) Contribution Developed a weighted signature generation scheme to integrate anomaly detection system(ads) with Snort by extracting signatures from anomalies detected. Proposed Markov model, an anomaly-based detection combined with Snort, a signaturebased one, thus producing in a hybrid detection system Combination of SNORT and ADS used was called the frequency episode rule algorithm. Developed the hybrid IDS by combining packet header anomaly detection (PHAD) and network traffic anomaly detection (NETAD) which are anomaly-based IDSs with the misuse-based IDS Snort. Presents a new anomaly pre-processor using statistical-based algorithm that extends the functionality of Snort IDS, making it a hybrid IDS. PAGE 6

7 Algorithm in Clustering Algorithm K-Means Algorithm Start Number of cluster K _ Centroid Distance object to centroids object move group + End Grouping based on minimum distance PAGE 7

8 Process flow diagram Start Input: Network Packet Signature-based Snort (Signature Detection) Attack? Packet Drop Anomaly-based NO Perform K-means Clustering algorithm Detect attack Output: Create New Rule NO End PAGE 8

9 Cluster process for network Packet Input: rmal Packet from Snort Anomaly-based Perform K-means Algorithm Analysis Result Smallest Cluster Analysis based on this cluster, which contains the smallest number of packet to determine whether it is normal or not Output : new attack PAGE 9

10 Experiment Experiment Name Number of cluster Experiment-1 5 Experiment-2 9 Experiment-3 13 Experiment-4 17 Experiment-5 21 Experiment-6 25 PAGE 10

11 Results Experiment Name Experiment-1 (.of cluster = 5) Experiment-2 (.of cluster = 9) Experiment-3 (.of cluster = 13) Experiment-4 (.of cluster = 17) Experiment-5 (.of cluster = 21) Experiment-6 (.of cluster = 25) Cluster no. with smallest no. of packet Packet Series. False alarm True alarm 0 (2 packets) (1 packet) (1 packet) (1 packet) 16 (1 packet) 3 (1 packet) 6 (1 packet) 7 (1 packet) 8 (1 packet) 3 (1 packet) 9 (1 packet) 17 (1 packet) 24 (1 packet) PAGE 11

12 Results Experiment Name Experiment-1 (.of cluster = 5) Experiment-2 (.of cluster = 9) Experiment-3 (.of cluster = 13) Experiment-4 (.of cluster = 17) Experiment-5 (.of cluster = 21) Experiment-6 (.of cluster = 25) Cluster no. with smallest no. of packet Packet Series. False alarm True alarm 0 (2 packets) (1 packet) (1 packet) (1 packet) 16 (1 packet) 3 (1 packet) 6 (1 packet) 7 (1 packet) 8 (1 packet) 3 (1 packet) 9 (1 packet) 17 (1 packet) 24 (1 packet) PAGE 12

13 Conclusion The research objective is to integrate Snort with K-means algorithm and detect new attack using these proposed IDS. Six sets of experiment were conducted using different number of cluster and the result for each set of experiment was compared to determine the optimum cluster number. During result analysis, two new attacks were discovered, and the optimum cluster number for this experiment is 17 clusters which have the highest attack detection and no false positive alarm. Based on the results, the objective of this research which is to detect new attack has been successfully obtained This finding will encourage generation of new theory, concepts and idea catalyze new discovery and innovative invention for knowledge enhances. PAGE 13 Kaspersky Lab PowerPoint Template April 24, 2011

14 Thank You