PERFORMANCE COMPARISON OF INTRUSION DETECTION SYSTEM USING VARIOUS TECHNIQUES A REVIEW




S. Devaraju (1) and S. Ramakrishnan (2)
(1) Department of Computer Applications, Dr. Mahalingam College of Engineering and Technology, India. E-mail: deva_sel@yahoo.com
(2) Department of Information Technology, Dr. Mahalingam College of Engineering and Technology, India. E-mail: ram_f77@yahoo.com

Abstract

Nowadays, security has become a critical part of the information systems of any organization or industry. The Intrusion Detection System is an effective method to deal with new kinds of threats such as DoS, Probe, R2L and U2R. In this paper, we analyze various approaches such as Hidden Semi Markov Model, Conditional Random Fields and Layered Approach, Bayesian classification, Data Mining techniques, Clustering Algorithms such as K-Means and Fuzzy c-means, Back Propagation Neural Network, SOM Neural Network, Rough Set Neural Network Algorithm, Genetic Algorithm, Pattern Matching, Principal Component Analysis, Linear Discriminant Analysis, Independent Component Analysis, Multivariate Statistical Analysis, SOM/PSO algorithm etc. The performance is measured for two different datasets using various approaches. The datasets are trained and tested for identifying the new attacks that will affect the hosts or networks. The well known KDD Cup 1999 or DARPA 1999 dataset has been used to improve the accuracy and performance. The four groups of attacks are identified as Probe, DoS, U2R and R2L. The dataset used for the training set is 494,021 and for the testing set is 311,028. The aim is to improve the detection rate and performance of the proposed system.

Keywords: Intrusion Detection, Neural Networks, Data Mining, KDD Cup, DARPA

1. INTRODUCTION

An intrusion detection system (IDS) is a major component of the information security framework. The main goal of an IDS is to develop a system which can automatically scan network activity and detect attacks. Once an attack is detected, the system administrator can decide who can take necessary action and prevent those attacks.
In past years there were only a few intruders, so the user could manage them easily whether the attacks were known or unknown, but in recent years security has become the most serious problem, because intruders introduce new varieties of intrusion in the market, so that the user cannot manage computer systems and networks properly.

Intrusion detection attacks can be classified into two groups:
i) Misuse based or Signature based / Known Attacks
ii) Anomaly based Intrusion Detection / Unknown Attacks

The misuse based or signature based intrusion detection system detects an intrusion by comparing it with the existing signatures in the database. The signature based intrusions are called known attacks. The users detect the intrusion when it matches the signature log files. The log file contains the list of known attacks which are detected from the computer system or networks. Anomaly based intrusion detection deals with what are called unknown attacks; such an attack is observed from the network and deviates from the normal attacks.

The intrusion detection systems are classified as Network based, Host based and Web based attacks. A network based attack may be either a misuse based or an anomaly based attack. Network based attacks are caused by the interconnection of computer systems. The systems communicate with each other, so the attack is sent from one computer system to another by way of routers and switches. Host based attacks are detected in a single computer system and it is easy to prevent them. This attack mainly occurs when some external devices are connected. The external devices are pen drive, CD, VCD, floppy, etc. Web based attacks occur when systems are connected over the internet, so the attacks spread to different systems through email, chatting, downloading materials etc.

Examples of different attacks are denial-of-service (DoS), distributed denial-of-service (DDoS), worm based attack, port scanning, flash crowd, alpha flows, probe, user-to-root (U2R), remote-to-local (R2L) etc.
Different approaches and algorithms are used to detect the attack. The most widely used approaches are: Neural Network based approaches, Statistical based approaches, Data Mining based approaches, Genetic Algorithm based approaches, and Fuzzy Logic based approaches.

In this paper we propose the techniques which can detect network based attacks using neural network classification. This method follows a pattern of normal and intrusive activities, such as DoS, U2R, Probe, R2L and Normal, and classifies a set of classification techniques based on deviation between current and reference behavior. The neural network is evaluated on the KDD99 or DARPA dataset. We study the various neural network classification techniques to verify their feasibility and effectiveness. Experimental results show that this method can improve the performance and effectiveness and reduce the missing alarms in IDS.

The rest of the paper discusses the different approaches. Section 2 describes the datasets, Section 3 discusses the Network Based Approach and Section 4 describes the Host Based Approach. Section 5 describes comparative analysis; Section 6 derives the summaries of Sections 3 & 4 and Section 7 discusses the references. The intrusion detection can be classified into three categories and the classification is shown in Fig.1.

ISSN: 2229-6948 (ONLINE) ICTACT JOURNAL ON COMMUNICATION TECHNOLOGY, SEPTEMBER 2013, VOLUME: 04, ISSUE: 03

[Fig.1. Classification of Intrusion Detection System. The figure is a tree: Intrusion Detection System divides into Network Based and Host Based, and each of these into Anomaly Based and Misuse or Signature Based. Technique labels, in the order they appear in the figure: Batch-Sequential Methods, Hidden Semi Markov Model, Markov Modulated, Adaboost algorithm, Conditional Random Fields and Layered Approach, Bayesian classification, Correlation Coefficient Matrix, Hierarchical Gaussian Mixture Model, Data Mining Techniques clustering algorithms such as K-Means and Fuzzy c-means, Voting Ensemble System, Back Propagation Neural Network, SOM neural network, Genetic Algorithm, Pattern Matching, Security Agent, String Matching Algorithm, Genetic Algorithm, Principal Component Analysis, Linear Discriminant Analysis, Independent Component Analysis, Hidden Markov Model, Multivariate Statistical Analysis, Rough Set Neural Network Algorithm, BCJR decoding Algorithm, Genetic Algorithm based Clustering Algorithms, Fuzzy C-means and Support Vector Machine algorithm (F-CMSVM), Principal Component Analysis and Self Organizing Maps, SOM/PSO algorithm.]

2. DATASETS

There are two well known data sets used in this area of intrusion detection. They are the KDDcup99 Dataset and the DARPA98 Dataset [1].

2.1 KDD CUP 1999 DATASET

The KDD Cup 1999 dataset has been used for the evaluation of anomaly detection methods. The KDD Cup 1999 training dataset consists of approximately 4,900,000 single connection vectors, each of which contains 41 features and is labeled as either normal or an attack, with exactly one specific attack type. The datasets contain a total number of 24 training attack types and 14 testing attack types.

The KDD Cup 1999 dataset has different types of attacks. They are back, buffer_overflow, ftp_write, guess_passwd, imap, ipsweep, land, loadmodule, multihop, neptune, nmap, normal, perl, phf, pod, portsweep, rootkit, satan, smurf, spy, teardrop, warezclient, warezmaster.
These attacks can be divided into 4 groups: denial of service attacks, attacks from a remote system to a local user, attacks from a local user to root, and surveillance or probing attacks. Table.1 shows the list of attacks category wise.

Table.1. List of attacks - category wise

DoS: back, land, neptune, pod, smurf, teardrop
R2L: ftp_write, guess_passwd, imap, multihop, phf, spy, warezclient, warezmaster
U2R: buffer_overflow, loadmodule, perl, rootkit
Probe: ipsweep, nmap, portsweep, satan

Denial of Service (DoS) attacks: deny legitimate requests to a system, e.g. flood
User-to-Root (U2R) attacks: unauthorized access to local super user (root) privileges, e.g. various buffer overflow attacks
Remote-to-Local (R2L) attacks: unauthorized access from a remote machine, e.g. guessing password
Probing: surveillance and other probing, e.g. port scanning.

2.2 DARPA DATASET

The DARPA dataset was designed at MIT Lincoln Laboratory to support the 1998 DARPA Intrusion Detection Evaluation. This is a complex project supported by many workers. The 1998 DARPA evaluation was designed to find the strengths and weaknesses of existing approaches, leading to large performance improvements and valid assessments of intrusion detection systems. The concept was to generate a set of realistic attacks, embed them in normal data, evaluate the false alarm and detection rates of systems with these data, and then improve systems to correct the weaknesses found [2].

Two data sets are the result of the DARPA Intrusion Detection Evaluations:
1998 DARPA Intrusion Detection Evaluation Data Sets
1999 DARPA Intrusion Detection Evaluation Data Sets

This evaluation measured the probability of detection and the probability of false alarm for each system under test. These evaluations contributed significantly to intrusion detection. All the researchers work on the general problem of workstation and network intrusion detection. The evaluation was designed to be simple, to focus on core technology issues, and to encourage the widest possible participation by eliminating security and privacy concerns, and by providing data types that were used commonly by the majority of intrusion detection systems.

3. NETWORK BASED APPROACHES

3.1 ANOMALY BASED APPROACH

The network based anomaly approach is a process of monitoring the events occurring in a network and analyzing them for intrusions called unknown attacks. These attacks attempt to bypass the security mechanisms of network traffic. This attack affects the network when a user wants to access resources over the network [10], [20], and [29].
The following are the major improvements in the network based anomaly approach:
Fast and accurate real-time anomaly detection
Minimum false alarm rate
Improving the performance

When the intruders introduce new types of viruses over the network, the computer systems are affected. If the systems are affected by the viruses then the process is denied, increasing the false alarm rate and reducing the performance and effectiveness of the system [22]. For these reasons the attacks are presented by following certain techniques:

3.1.1 Batch-Sequential Methods:

The batch and sequential methods combine in one unit to develop a multistage detection algorithm called batch-sequential. The main advantage of the Batch-Sequential method is that it retains enough relevant information to detect network intrusions quickly, while maintaining the FAR (False Alarm Rate) below a selected level. The batch sequential method is also used to detect the network attacks very quickly and improve processing sequentially [6]. The method is designed to detect increase or decrease in the expected number of packets that are observed in all possible sets of size bins.

pt M pt Nk, 2 pt, k (1) pt 1 pt 2

which in this particular form measures the departure of the network traffic from the distribution P 0 under which the pt pt expectation E0 simultaneously for all = 1, M pt. N k,

3.1.2 Adaboost Algorithm:

The AdaBoost algorithm is a machine learning algorithm. It can handle many pattern recognition problems such as face recognition. This algorithm is used to correct the misclassifications done by weak classifiers. The intrusion detection system uses the dataset to identify the weak classifiers, and these can be converted into a strong classifier, because this algorithm is very fast in identifying the weak classifier compared with other algorithms. This algorithm can be applied in four modules: feature extraction, data labeling, design of the weak classifiers, and construction of the strong classifier.
These features are used for detecting the intrusions; the set of data is used for training the labeled data; and the strong classifier is trained using the sample data and is also obtained by combining the weak classifiers [8].

3.1.3 Conditional Random Fields and Layered Approach:

Conditional models are used to model the conditional distribution over a set of random variables, and this gives a better framework, as in Maxent classifiers, maximum entropy Markov models, and CRFs. The training data constrains this conditional distribution while ensuring maximum entropy and uniformity. The objective of using a layered model is to reduce computation complexity and the overall time needed to detect anomalous activity among the different layers. For example, four layers are grouped into four attacks in the data set. The four types of layers used for the dataset are the Probe layer, DoS layer, R2L layer, and U2R layer. Each layer is trained independently with a set of relevant features [9].

Let $X$ be the random variable over the data sequence to be labeled and $Y$ the corresponding label sequence. In addition, let $G = (V; E)$ be a graph such that $Y = (Y_v)_{v \in V}$, so that $Y$ is indexed by the vertices of $G$. Then $(X, Y)$ is a CRF when, conditioned on $X$, the random variables $Y_v$ obey the Markov property with respect to the graph:

$$P(Y_v \mid X, Y_w, w \neq v) = P(Y_v \mid X, Y_w, w \sim v),$$

where $w \sim v$ means that $w$ and $v$ are neighbors in $G$.

3.1.4 Hierarchical Gaussian Mixture Model:

It is the process of identifying the abnormal packets in the network. There are two phases in the process of the Hierarchical Gaussian Mixture Model (HGMM). The first is the training phase that reference templates and the second is the detection phase. The training phase trains on the sample data provided by the traffic using a statistical model. The detection phase is used to detect the abnormal packets that deviate from the stored reference [16], [21].

A Gaussian mixture density is a weighted sum of $M$ component densities, as given by the equation,

$$P(x) = \sum_{i=1}^{M} w_i\, b_i(x) \tag{2}$$

where $x$ is a $D$-dimensional random vector, $b_i(x)$, $i = 1, \dots, M$, are the component densities and $w_i$, $i = 1, \dots, M$, are the mixture weights.

3.1.5 Voting Ensemble System:

The ensemble algorithms can be divided into two categories: constructing base classifiers and voting. Constructing base classifiers is used to prepare and build the input training data for building base classifiers by perturbing the original training data. The voting system is used to combine the base models for better performance [12], [27]. There are different ensembles of classifiers using different features extracted from the KDDCup 99 intrusion detection dataset, and these results are then put into the voting system. Each classifier has a weight to denote the contribution of the classifier to the voting system. For each class to be identified, a weighted sum of base learners can be calculated as,

$$V_i = \sum_{d=1}^{N} \begin{cases} w_d, & C_d = i \\ 0, & \text{otherwise} \end{cases} \tag{3}$$

where $N$ is the number of classifiers, $i = 1, 2, \dots, C$ is the class label, $C_d$ is the class label predicted by the $d$-th classifier, and $w_d$ is the weight of the $d$-th classifier. For a given unknown pattern, the final class is determined by maximizing, $\arg\max_{j = 1, \dots, C} V_j$.

3.1.6 Neural Network:

i) Back-Propagation Neural Network: The Back-Propagation Algorithm is a supervised method, which uses the steepest-descent method to reach global minima. This method involves two passes, forward propagation and reverse propagation, to implement the Intrusion Detection System (IDS) [13], [15], [24], [11].

Forward Propagation: The output of each node in the successive layers is calculated as,

$$o\,(\text{output of a node}) = \frac{1}{1 + e^{-\sum W_{ij} X_i}} \tag{4}$$

where,
$W_{ij}$ = weight matrix connecting nodes of the previous layer $i$ with nodes of the next layer $j$
$X_i$ = variables of a pattern
$o$ = output of a node in the successive layer

Reverse Propagation: The error for the nodes in the output layer is calculated as,

output of a node o1 0d o (5)

The new weights between the output layer and the hidden layer are updated,

w( + 1) = w() + (output layer) o (hidden layer) (6)

where, : is the learning factor 0 < < 1

The training of the network is stopped once the desired mean squared error (MSE) is reached as,

E(MSE) = E(p) (7)

The final updated weights are saved for detecting the intrusion.

ii) Genetic Algorithm: The genetic algorithm can be applied to solve a variety of optimization problems. At every level, the genetic algorithm selects random individuals from the current population to be parents and uses them to produce the children for the next generation, as shown in Fig.2 [2], [15].

[Fig.2. Intrusion detection model on GNN. Labels in the figure: Network packets/audit data; Event generator/Data acquisition/Data formation; Security Administrator.]

The genetic algorithm can be defined as an eight-tuple:

$$SGA = (C, E, P_0, M, \Phi, \Gamma, \Psi, T) \tag{8}$$

where $C$ represents the chromosome representation; $E$ represents the fitness function; $P_0$, the initial population; $M$, the population size; $\Phi$, the selection operator; $\Gamma$, the crossover operator; $\Psi$, the mutation operator and $T$, the terminal conditions.

iii) SVM and GA: The Support Vector Machine and GA are used in the optimum selection of principal components which are used for classification. These methods are capable of achieving a minimum number of features and maximum detection rates [30].

iv) Fuzzy Clustering Neural Network: The Fuzzy clustering neural network uses a hybrid framework experiment over the NSL dataset to test the stability and reliability of the technique. The hybrid approach performs better detection especially for lower frequency of over NSL dataset compared to the original KDD dataset, due to the removal of redundant and incomplete elements in the original dataset [38].

v) Fuzzy rule-based systems: Three fuzzy rule-based classifiers detect intrusions in a network.
Results are then compared with other machine learning techniques like decision trees, support vector machines and linear genetic programming. Empirical results clearly show that the soft computing approach could play a major role in intrusion detection and improve the efficiency [48].

3.2 MISUSE/SIGNATURE BASED APPROACH

The misuse detection systems rely on the definitions of misuse patterns, i.e., the descriptions of attacks or unauthorized actions. The signature attacks are known attacks, which affect the network if the attacks match the database.

3.2.1 Signature IDS Methodology:

This IDS system follows the signature based methodology for ascertaining attacks. The signature based system will monitor packets on the network and match them with a database of malicious threats and signatures [17]. Pre-intrusion activities prepare the network for intrusion. These include port scanning to find a way to get into the network and IP spoofing to disguise the identity of the attacker or intruder. Signature-based IDSs operate analogously to virus scanners, i.e. by searching a database of signatures for a known identity or signature for each specific intrusion event.

3.2.2 Genetic Algorithm:

The GA detects the network based misuse attacks. There are three basic genetic operators, selection, crossover and mutation, applied to each individual with certain probabilities to find the effectiveness of the system [18], [23], [33].

By analyzing the dataset, rules will be generated in the rule set. These rules will be in an if-then format as follows,

if {condition} then {act}. (9)

Since the GA has to use such rules to detect intrusions, the rules in the rule set will be codified to the GA format. Each rule will be represented in a GA format. The GA is used in the fitness function. The fitness function F determines whether a rule is good or bad. F is calculated for each rule using the support-confidence framework.

Support = |A and B| / N
Confidence = |A and B| / |A|
Fitness = t1 * support + t2 * confidence (10)

where N is the total number of records, |A| stands for the number of network connections matching the condition A, |A and B| is the number of records that match the rule, and t1 and t2 are the thresholds to balance the two terms.

3.2.3 Feature Reduction Techniques:

To enhance the learning capabilities and reduce the computational intensity of competitive learning neural network classifiers, different dimension reduction techniques have been used. These include: Principal Component Analysis, Linear Discriminant Analysis and Independent Component Analysis.

i) Principal Component Analysis: Principal Component Analysis uses dimensionality reduction techniques for data analysis and compression. This technique identifies the similarities and differences between the patterns [19], [26].
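The rule fitness of Section 3.2.2 (Eq. 10) inside a small genetic search, as an added example that is not code from the paper or from the works it reviews. The connection records are constructed, and the gene encoding, the weights t1 = 0.2 and t2 = 0.8, tournament selection and elitism are assumptions made for illustration.

```python
import random

# Constructed sample in the style of KDD Cup 1999 records, reduced to three
# symbolic features plus the label: (protocol_type, service, flag, label).
RECORDS = [
    ("tcp", "http", "SF", "normal"),
    ("tcp", "http", "SF", "normal"),
    ("tcp", "smtp", "SF", "normal"),
    ("udp", "domain_u", "SF", "normal"),
    ("tcp", "private", "S0", "neptune"),
    ("tcp", "private", "S0", "neptune"),
    ("tcp", "private", "S0", "neptune"),
    ("tcp", "http", "S0", "neptune"),
    ("icmp", "ecr_i", "SF", "smurf"),
    ("icmp", "ecr_i", "SF", "smurf"),
    ("icmp", "eco_i", "SF", "normal"),
    ("tcp", "private", "REJ", "portsweep"),
]
N_COND = 3        # genes 0..2 are the condition, gene 3 is the "act" (label)
WILDCARD = None   # a wildcard condition gene matches any value

# Allowed values per gene, taken from the sample itself.
DOMAINS = [sorted({r[i] for r in RECORDS}) for i in range(N_COND + 1)]


def matches(rule, record):
    """True when every non-wildcard condition gene equals the record's value."""
    return all(g is WILDCARD or g == record[i]
               for i, g in enumerate(rule[:N_COND]))


def fitness(rule, records=RECORDS, t1=0.2, t2=0.8):
    """Eq. (10): t1 * support + t2 * confidence for 'if condition then act'."""
    a = [r for r in records if matches(rule, r)]               # |A|
    if not a:             # rule matches nothing: confidence undefined, score 0
        return 0.0
    a_and_b = sum(1 for r in a if r[N_COND] == rule[N_COND])   # |A and B|
    return t1 * a_and_b / len(records) + t2 * a_and_b / len(a)


def random_rule(rng):
    cond = [rng.choice(DOMAINS[i] + [WILDCARD]) for i in range(N_COND)]
    return tuple(cond + [rng.choice(DOMAINS[N_COND])])


def crossover(p1, p2, rng):
    cut = rng.randint(1, N_COND)      # single-point crossover
    return p1[:cut] + p2[cut:]


def mutate(rule, rng, rate=0.1):
    genes = list(rule)
    for i in range(N_COND + 1):
        if rng.random() < rate:
            pool = DOMAINS[i] + ([WILDCARD] if i < N_COND else [])
            genes[i] = rng.choice(pool)
    return tuple(genes)


def evolve(pop_size=20, generations=30, seed=1):
    """Return the best rule found and the best fitness seen per generation."""
    rng = random.Random(seed)
    pop = [random_rule(rng) for _ in range(pop_size)]
    history = []
    for _ in range(generations):
        pop.sort(key=fitness, reverse=True)
        history.append(fitness(pop[0]))
        elite = pop[: pop_size // 4]          # elitism keeps the best rules
        children = []
        while len(elite) + len(children) < pop_size:
            p1 = max(rng.sample(pop, 3), key=fitness)   # tournament selection
            p2 = max(rng.sample(pop, 3), key=fitness)
            children.append(mutate(crossover(p1, p2, rng), rng))
        pop = elite + children
    pop.sort(key=fitness, reverse=True)
    history.append(fitness(pop[0]))
    return pop[0], history


if __name__ == "__main__":
    best, history = evolve()
    print("best rule:", best, "fitness: %.4f" % fitness(best))
```

With t2 much larger than t1, a narrow rule with perfect confidence outscores a broad rule with high support, so the choice of t1 and t2 decides how specific the evolved signatures become.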
Given the data, if each datum has $N$ features represented for instance by $X_{11} X_{12} \dots X_{1N}$, $X_{21} X_{22} \dots X_{2N}$, the data set can be represented by a matrix $X_{n \times m}$. The average observation is defined as,

$$\mu = \frac{1}{n} \sum_{i=1}^{n} X_i \tag{11}$$

The deviation from the average is defined as,

= X µ (12)

ii) Linear Discriminant Analysis: LDA is an optimal transformation matrix. LDA can be used to discriminate between the different classes. The analysis requires the data to have appropriate class labels and mathematically formulates the optimization procedure [19]. In order to mathematically formulate the optimization procedure,

N j 1 x j x. (13) N j 1

To compute the mean vector and the covariance matrix for each class and for the complete data set,

J j1 N j N (14)

where N denotes the total number of training tokens and N j stands for the number of training tokens in class j. Naturally, the number of classes is j.

iii) Independent Component Analysis: ICA is a redundant feature, which is used to determine the performance or accuracy of the classifier. ICA finds the irrelevant information. ICA is used to reduce the dimensionality of the data so that a classifier can handle a large volume of data [19]. Independent component analysis is expressed as the technique for deriving one particular W, y = Wx. The general learning technique to find a suitable W is,

W = (I (y)yt)w (15)

where, (y) is a nonlinear function of the output vector y.

3.2.4 Recurrent Neural Network:

A Recurrent Neural Network model used with four groups of input features has been proposed as a misuse-based IDS, and the experimental results have shown that the reduced-size neural classifier has improved classification rates, especially for R2L attacks [31].

3.2.5 GNP and Fuzzy:

A novel fuzzy class-association rule mining method based on the genetic network programming (GNP) method is used for detecting network intrusions.
The experimental results show that the proposed method provides competitively high detection rates compared with other machine-learning techniques and GNP with crisp data mining [32].

3.2.6 Fuzzy Decision Tree:

The Fuzzy decision tree uses Mutual Correlation for feature selection, and the Fuzzy Decision Tree classifier is used for detection and diagnosis of attacks. The experimental results on the 10% KDD Cup 99 benchmark network intrusion detection dataset demonstrate that the proposed learning algorithms achieve good accuracy and a high true positive rate (TPR), and reduce the false positive rate (FP) significantly [41], [42], [46].

3.2.7 Fuzzy Systems and Ant Colony Optimization:

The fuzzy system with an Ant Colony Optimization procedure is used to generate high-quality fuzzy-classification rules. The hybrid learning approach is applied to network security and validated using the DARPA KDD-Cup99 benchmark data set. The results indicate that the proposed hybrid approach achieves better classification accuracies when compared to several traditional and new techniques [47].

3.2.8 C5 Decision Tree:

The multi-layer intrusion detection model is used to achieve high efficiency and improve the detection rate for known and unknown attacks and the classification rate accuracy by training the hybrid model on the known intrusion data. The experimental results show that the proposed multi-layer model using the C5 decision tree achieves higher classification rate accuracy and a lower false alarm rate [39], [40].

3.2.9 Genetic Algorithm and Fuzzy Logic:

The GA and Fuzzy logic focus on current development efforts and the solution of the problem of the Intrusion Detection System to offer a real-world view of intrusion detection. The fuzzy membership value and fuzzy membership function are two different techniques used because the surface value is not always counted from the ground level. So, fuzzy sets can classify efficient rule sets and reduce the false alarm rate [43], [44], [45].

4. HOST BASED APPROACHES

4.1 ANOMALY BASED

The host based anomaly approach is a process of monitoring the events occurring in a host and analyzing them for intrusions. These attacks are attempts to bypass the security mechanisms. The anomaly based systems can detect known and unknown (i.e., new) attacks as long as the attack behavior deviates sufficiently from the normal behavior.

The following are the challenges for the host based anomaly approach:
Speed
Performance
Accuracy
Adaptability

4.1.1 Hidden Markov Model:

The Hidden Markov Model (HMM) is used for system-call-based anomaly intrusion detection. Experiments based on a public database demonstrate that this data preprocessing approach can reduce training time. A simple and efficient HMM anomaly intrusion algorithm is proposed as follows.

Assume that an HMM model parameter is,

= {A, B, } (16)

where,
A = {a j } represents the probability of being in state j at time t + 1, given that the state at time t
B = {b j (k) } represents the probability of observing symbol v k at state j
= { } is the probability of being at state at time t = 1.
Three popular public databases have been used to test the HMM algorithm in detecting anomaly intrusions. The experiments demonstrate that up to 50 percent of the training cost can be saved for a large data set without noticeable degradation of intrusion detection performance.

4.1.2 Multivariate Statistical Analysis:

The multivariate statistical analyses of audit trails are used for detection of host-based intrusion. There are two types of statistical analysis used: the $T^2$ test and the $X^2$ test. Both tests are used to evaluate the performance [4].

$T^2$ test: It is used to analyze audit trails of activities in an information system and detect host based intrusions into the information system that leave trails in the audit data. Let $X = (X_1, X_2, \dots, X_p)$ denote an observation of $p$ measures on a process or system at time. Using a data sample of size $n$, the sample mean vector $\bar{X}$ and the sample covariance matrix $S$ are usually used to estimate µ and , where,

$$T^2 = (X - \bar{X})'\, S^{-1}\, (X - \bar{X}) \tag{17}$$

A large value of $T^2$ indicates a large deviation of the observation $X$ from the in-control population.

$X^2$ test: The $X^2$ test performs well in intrusion detection when tested on a small set of computer audit data containing sessions of both normal and intrusive activities. The $X^2$ test signals all the intrusion sessions and produces no false alarms on the normal sessions. With $p$ variables to measure and $X_j$ denoting the observation of the $j$th ($1 \le j \le p$) variable at a particular time, the $X^2$ test statistic is given by the equation,

$$X^2 = \sum_{j=1}^{p} \frac{(X_j - \bar{X}_j)^2}{\bar{X}_j} \tag{18}$$

4.1.3 Rough Set Neural Network Algorithm:

The Rough Set theory algorithm is used to filter out superfluous, redundant information, and a trained artificial neural network identifies any kind of new attacks [16], [28].
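The two audit-trail statistics of Section 4.1.2 (Eqs. 17 and 18) computed side by side, as an added example that is not code from the paper or from [4]. The per-session event counts are constructed, and the control limit (mean plus three standard deviations of the training scores) is an assumption; the constructed observation (12, 8) breaks the correlation between the two measures without a large shift in either mean.

```python
from statistics import mean, stdev

# Constructed training data: per-session counts of two audit event types
# (hypothetical measures, e.g. file opens and file closes) from normal use.
NORMAL = [(10, 10), (12, 12), (8, 8), (11, 10),
          (9, 10), (10, 10), (12, 11), (8, 9)]


def mean_vector(rows):
    """Sample mean of each of the p measures."""
    return [sum(col) / len(col) for col in zip(*rows)]


def covariance(rows, mu):
    """Sample covariance matrix S (divisor n - 1)."""
    n, p = len(rows), len(mu)
    return [[sum((r[i] - mu[i]) * (r[j] - mu[j]) for r in rows) / (n - 1)
             for j in range(p)] for i in range(p)]


def solve(a, b):
    """Solve a z = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [list(map(float, row)) + [float(b[i])] for i, row in enumerate(a)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(m[r][c]))
        if abs(m[piv][c]) < 1e-12:
            raise ValueError("covariance matrix is singular")
        m[c], m[piv] = m[piv], m[c]
        for r in range(c + 1, n):
            f = m[r][c] / m[c][c]
            for k in range(c, n + 1):
                m[r][k] -= f * m[c][k]
    z = [0.0] * n
    for r in reversed(range(n)):
        tail = sum(m[r][k] * z[k] for k in range(r + 1, n))
        z[r] = (m[r][n] - tail) / m[r][r]
    return z


def t2(x, mu, s):
    """Eq. (17): (X - Xbar)' S^-1 (X - Xbar), without forming S^-1."""
    d = [xi - mi for xi, mi in zip(x, mu)]
    return sum(di * zi for di, zi in zip(d, solve(s, d)))


def chi2(x, mu):
    """Eq. (18): sum over j of (X_j - Xbar_j)^2 / Xbar_j."""
    if any(mi <= 0 for mi in mu):
        raise ValueError("every training mean must be positive")
    return sum((xi - mi) ** 2 / mi for xi, mi in zip(x, mu))


def build_detector(normal):
    """Fit the in-control profile and a control limit for each statistic."""
    mu = mean_vector(normal)
    s = covariance(normal, mu)
    scores = {"T2": lambda x: t2(x, mu, s), "X2": lambda x: chi2(x, mu)}
    detector = {}
    for name, score in scores.items():
        train = [score(x) for x in normal]
        # Assumed control limit: mean + 3 standard deviations on normal data.
        detector[name] = (score, mean(train) + 3 * stdev(train))
    return detector


def classify(x, detector):
    """Return the set of tests whose statistic exceeds its control limit."""
    return {name for name, (score, limit) in detector.items()
            if score(x) > limit}


if __name__ == "__main__":
    det = build_detector(NORMAL)
    for obs in [(11, 11), (12, 8), (30, 30)]:
        print(obs, sorted(classify(obs, det)))
```

Only the T2 statistic uses the covariance matrix, which is why it reacts to (12, 8) while the X2 statistic, which looks at each measure's distance from its mean separately, does not.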
Knowledge is represented by means of a table called an Information System given by $S = \langle U, A, V, f \rangle$; where $U = \{x_1, x_2, \ldots, x_n\}$ is a finite set of objects of the universe (n is the number of objects); A is a non-empty finite set of features, $A = \{a_1, a_2, \ldots, a_m\}$; $V = \bigcup_{a \in A} V_a$ and $V_a$ is a domain of feature a; $f: U \times A \to V$ is a total function such that $f(x, a) \in V_a$ for each $a \in A$, $x \in U$. If the features in A can be divided into condition set C and decision feature set D, i.e. $A = C \cup D$ and $C \cap D = \Phi$, the information system A is called a decision system or decision table.

4.2 MISUSE OR SIGNATURE BASED APPROACH

The host-based system is a program that operates on a system and receives application or operating system audit logs. These programs are highly useful for detecting inside attacks. If the user attempts unauthorized activity, host-based systems usually detect and collect the information quickly.

4.2.1 Genetic Algorithm based Clustering Algorithms: The clustering algorithm is used for signature based intrusion detection. The fitness calculation process consists of two phases. In the first phase, the clusters are formed according to the centres encoded in the chromosome under consideration. This is done by assigning each point $x_i$, $i = 1, 2, \ldots, n$, to one of the clusters $C_j$ with centre $z_j$ such that,

$$\|x_i - z_j\| < \|x_i - z_p\|, \quad p = 1, 2, \ldots, k \text{ and } p \ne j \tag{19}$$

Then the new centroids are calculated according to,

$$z_i = \frac{1}{n_i} \sum_{x_j \in C_i} x_j, \quad i = 1, 2, \ldots, K \tag{20}$$

where z is the new centroid and nj is the number of points in the cluster. After calculating new cluster centroids, cluster metrics must be computed for each cluster. It is the sum of the Euclidean distances of the points from their proper cluster centres [3], [34], [35].

4.2.2 Artificial Immune Network: The Artificial Immune Network is a dynamic unsupervised learning method which consists of a set of cells called antibodies interconnected by links with certain strengths. These networked antibodies represent the network internal images of input patterns contained in the environment to which it is exposed. The author claims that the Artificial Immune Network is robust in detecting novel attacks [36].

4.2.3 Fuzzy C-means and Support Vector Machine algorithm: Fuzzy C-means algorithm (FCM) is an efficient cluster algorithm which requires the number of clusters to be known beforehand for automatic clustering number determination. FCM aims to decide to what degree the sample data are affiliated to the cluster and to classify n sample data, $X = \{X_i \mid X_i \in R^D\ (i = 1, 2, \ldots, n)\}$, into k categories so as to compute the clustering central of each group $C = \{C_j \mid C_j \in R^D\ (j = 1, 2, \ldots, k)\}$. Fuzzy support vector machine algorithm (SVM) has been used in intrusion detection for automatic clustering number determination. Here are marked samples $(X_1, y_1), (X_2, y_2), \ldots, (X_n, y_n)$. $X_i \in R^D$ belongs to one of two classes, and $y_i \in \{-1, 1\}$ is the category mark. The main purpose of SVM is to construct a separating hyperplane to separate the different samples so as to maximize the margin class. Then the optimizing question is shown below [25].

4.2.4 Fuzzy Rules: This paper proposes a refined differential evolution search algorithm to generate fuzzy rules that detect intrusive behaviors. In this algorithm the global population is divided into subpopulations, each is assigned a distinct processor and each subpopulation consists of the same class fuzzy rules. These rules evolve independently and are also demonstrated with the well-known KDD Cup 1999 Dataset [37].

5. COMPARATIVE ANALYSIS

The comparative analysis describes the Network Based Anomaly, Misuse/Signature with Network and Host Based Anomaly. Table.2 describes the various techniques used to find the detection rate, which is used to measure the performance of the host or network. Table.2 shows four groups of attacks such as Probe, DoS, U2R and R2L. The Probe attack detection rate achieved the minimum of 0.83% and maximum of 99.95%. The DoS attack detection rate achieved the minimum of 0.88% and maximum of 99.99%. The U2R attack detection rate achieved the minimum of 0.01% and maximum of 99.96%. The R2L attack detection rate achieved the minimum of 0.22% and maximum of 99.97%. The KDD Cup Dataset's training set is 494,021 and its testing set is 311,028. The main aim of the proposed system is to improve the detection rate and reduce the false alarm rate. The number of samples selected for the training set and testing set for detecting the attacks and the detection rates compared are shown in Table.2.

Table.2. Comparison of Detection Rates in various classifiers

Ref. No. | Techniques used | Features | Normal % | Probe % | DoS % | U2R % | R2L % | Overall Results % | No. of samples for Training Set | No. of samples for Test Set
[8] | AdaBoost-Algorithm | 41 | - | - | - | - | - | 90.04-90.88 % | 494,021 | 311,029
[9] | Layered Conditional Random Fields | 21 | - | 98.6% | 97.4% | 86.3% | 29.6% | - | 494,020 | 311,029
[16] | Gmix | 41 | 98.97% | 93.03% | 88.24% | 22.8% | 9.6% | - | 494,020
[16] | RBF | 41 | 99.07% | 91.31% | 75.10% | 7.01% | 5.6% | -
[16] | SOM | 41 | 93.98 % | 64.30% | 96.10% | 21.49% | 11.7% | -
[16] | Binary Tree | 41 | 96.43 % | 77.94% | 96.45% | 13.59% | 0.44% | -
[16] | ART | 41 | 97.19 % | 98.48% | 97.09% | 17.98% | 11.3% | -
[16] | LAMSTAR | 41 | 99.69 % | 98.48% | 99.21% | 28.94% | 41.2% | -
[16] | HGMM | 41 | 88.14 % | 99.33% | 99.78% | 96.01% | 82.66% | -
[12] | voting+j48+rule | 41 | - | - | - | - | - | 97.47%
[12] | voting+adaboost+j48 | 41 | - | - | - | - | - | 97.38%
- - Full Dataset 311,029 10 fold cross validation
[16] Rough Set Neural Network Algorithm
[16] Rough Set Neural Network Algorithm
[18] Genetic Algorithm
41 93.8% - 41 - - - - - 90% 6128 sets 7 - - - - - 83% - Smurf - 67.3% - WarezMaster - 76.6%
[19] | Gmix | 13 | 99.0 % | 93.0% | 88.3% | 18.4% | 10.5% | -
[19] | RBF | 13 | 98.9 % | 88.9% | 75.1% | 4.38% | 5.40% | -
[19] | Binary Tree | 13 | 96.8 % | 74.4% | 96.4% | 12.7% | 0.44% | -
[19] | LAMSTAR | 13 | 99.7 % | 98.9% | 99.2% | 30.3% | 41.2% | -
[19] | SOM | 13 | 93.8 % | 61.2% | 96.1% | 21.5% | 10.9% | -
[19] | ART | 13 | 97.0 % | 95.3% | 97.0% | 18.0% | 11.0% | -
257 sets - - - Full tree for testing
[25] | SVM | 41 | 19.48% | 1.34% | 73.90% | 0.07% | 5.20% | 100.00% | 24,701 | 15,551
[26] | Gmix | 41 | 98.97 % | 93.03% | 88.24% | 22.8 % | 9.6% | - | 494,020
[26] | RBF | 41 | 99.07 % | 91.31% | 75.10% | 7.01% | 5.6% | -
[26] | SOM | 41 | 93.98 % | 64.30% | 96.10% | 21.49% | 11.70% | -
[26] | Binary Tree | 41 | 96.43 % | 77.94% | 96.45% | 13.59% | 0.44% | -
[26] | ART | 41 | 97.19 % | 98.48% | 97.09% | 17.98% | 11.29% | -
[26] | LAMSTAR | 41 | 99.69 % | 98.48% | 99.21% | 28.94% | 41.20% | -
- - - 311,029
[27] | Ensemble Model | 41 | 99.27% | 99.88% | 98.26% | 99.96% | 99.79% | - | 5,092 | 6,890
[29] | Self Adaptive Bayesian Algorithm | 12 | 99.97% | 99.91% | 99.99% | 99,36% | 99.53% | - | 494,020 | 311,028
[29] | Self Adaptive Bayesian Algorithm | 17 | 99.96% | 99.95% | 99.98% | 99.46% | 99.69% | - | 494,020 | 311,028
[35] | Genetic Algorithm | 41 | 69.5% | 71.1% | 99.4% | 18.9% | 5.4% | - | 494,021 | 311,029
[38] | Fuzzy Clustering Neural Network | 41 | 99.5% | 88% | 97.9% | 87.9 | 46.8 | - | 18,285 | 311,089
[38] | Fuzzy Clustering Neural Network using NSL Dataset | 41 | 98.2% | 94.1% | 99.1% | 89 | 78 | - | 18,285 | 311,089
[42] | PSO based Fuzzy System | 41 | - | 76.66 | 98.49 | 16.22 | 12.17 | 93.7 | 494,020 | 311,029
[46] | linguistic hedged fuzzy-XCS classifier | 41 | 99.45 | 83.32 | 97.12 | 13.16 | 8.4 | 91.81 | 494,020 | 311,029
[47] | Evolutionary Fuzzy Systems and Ant Colony Optimization | 41 | 96 | 86.25 | 98.83 | 72.8 | 33.45 | - | 752 | 311,029
[48] | Fuzzy rule-based systems | 41 | 100 | 99.93 | 99.96 | 94.11 | 99.98 | - | 5,092 | 6,890
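The T² and X² statistics of Section 4.1.2 (Eq. 17 and Eq. 18) can be computed over audit-event counts as follows; this is an added example, not code from the paper or from [4]. The event counts, the function names and the mean-plus-three-standard-deviations alert limit are assumptions made for illustration.

```python
from statistics import mean, pstdev

# Constructed sample (not from the paper): per-session counts of
# [file_open, login_fail, exec] audit events during normal use.
NORMAL = [[20, 1, 5], [22, 0, 6], [19, 2, 4], [21, 1, 5],
          [23, 1, 7], [18, 0, 4], [20, 2, 6], [22, 1, 5]]


def mean_vector(rows):
    return [mean(col) for col in zip(*rows)]


def covariance(rows, mu):
    """Sample covariance matrix S (divisor n - 1)."""
    n, p = len(rows), len(mu)
    return [[sum((r[a] - mu[a]) * (r[b] - mu[b]) for r in rows) / (n - 1)
             for b in range(p)] for a in range(p)]


def invert(m):
    """Gauss-Jordan inverse with partial pivoting; rejects a singular S."""
    p = len(m)
    aug = [[float(v) for v in row] + [float(i == j) for j in range(p)]
           for i, row in enumerate(m)]
    for c in range(p):
        piv = max(range(c, p), key=lambda r: abs(aug[r][c]))
        if abs(aug[piv][c]) < 1e-12:
            raise ValueError("singular covariance: measures are collinear")
        aug[c], aug[piv] = aug[piv], aug[c]
        d = aug[c][c]
        aug[c] = [v / d for v in aug[c]]
        for r in range(p):
            if r != c:
                f = aug[r][c]
                aug[r] = [v - f * w for v, w in zip(aug[r], aug[c])]
    return [row[p:] for row in aug]


def t2(x, mu, s_inv):
    """Eq. (17): (X - Xbar)' S^-1 (X - Xbar)."""
    d = [xi - mi for xi, mi in zip(x, mu)]
    p = len(d)
    return sum(d[a] * s_inv[a][b] * d[b] for a in range(p) for b in range(p))


def x2(x, mu):
    """Eq. (18): sum over j of (X_j - Xbar_j)^2 / Xbar_j."""
    if any(m <= 0 for m in mu):
        raise ValueError("X^2 needs a positive mean for every measure")
    return sum((xi - mi) ** 2 / mi for xi, mi in zip(x, mu))


def fit(rows):
    """Estimate Xbar and S from normal sessions and set alert limits."""
    mu = mean_vector(rows)
    s_inv = invert(covariance(rows, mu))
    limits = {}
    for name, scores in (("t2", [t2(r, mu, s_inv) for r in rows]),
                         ("x2", [x2(r, mu) for r in rows])):
        # Assumption: limit = mean + 3 standard deviations of the training scores.
        limits[name] = mean(scores) + 3 * pstdev(scores)
    return {"mu": mu, "s_inv": s_inv, "limits": limits}


def score(model, x):
    return {"t2": t2(x, model["mu"], model["s_inv"]), "x2": x2(x, model["mu"])}


def alerts(model, x):
    s = score(model, x)
    return {name: s[name] > model["limits"][name] for name in s}


if __name__ == "__main__":
    model = fit(NORMAL)
    for session in ([21, 1, 6], [21, 9, 5]):  # constructed: quiet vs. many failed logins
        print(session, score(model, session), alerts(model, session))
```

The T² path fails when the covariance matrix cannot be inverted, which happens when two audit measures move in lockstep; the X² path needs only the mean vector but requires every mean to be positive.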

6. SUMMARY

The Multivariate Statistical Analysis methods are used to determine the anomaly detection and are compared with the performance of the system [4]. The Hidden Markov Model is used to implement and determine the system-call based anomaly intrusion detection [5]. The Adaptive Sequential and Batch-Sequential Change-Point Detection Methods are used for detecting the attacks in the network traffic. This method uses the network simulator and real-life testing for detecting the attacks [6]. The model-free based approach using a Markov modulated process mainly involves detecting the anomaly based attacks over the network [7]. The AdaBoost Based Algorithm with decision rules provides both categorical and continuous features. This algorithm mainly focuses on four modules: feature extraction, data labeling, design of the weak classifiers, and construction of the strong classifier [8]. Conditional Random Fields and the Layered Approach address the two issues of Accuracy and Efficiency. This approach uses the KDD Cup 99 intrusion detection data set for detecting the attacks [9]. The Hierarchical Gaussian Mixture Model detects network based attacks as anomalies using statistical classification techniques. This model is evaluated by the well known KDD99 dataset. Six classification techniques are used to verify the feasibility and effectiveness by reducing the missing alarm and accuracy of the attack in Intrusion Detection System [16]. The clustering algorithms such as K-Means and Fuzzy c-means in data mining concepts are used for network intrusion detection, and the KDD Cup 99 data set is used for demonstration, covering both accuracy and computation time [14]. The system analyzes the performance of some data classifiers in a heterogeneous environment using a voting ensemble system. The system is used to detect anomaly based network intrusions and is demonstrated using the KDD Cup 1999 benchmark dataset, which gives a better result in detecting anomaly intrusion detection compared with other techniques [12]. The neural network is used to detect anomaly intrusions.
Every day the system administrator checks the user's sessions. If there is no match with their normal pattern, the investigation can be launched. The NNID model implemented in a UNIX environment keeps the log files when the commands are executed to detect intrusions in a network computer system [13]. The genetic neural network combines the good global searching ability of the genetic algorithm with the accurate local searching feature of Back Propagation networks to optimize the initial weights of neural networks. The result shows fast learning speed and high-accuracy categories [15], [18]. A Rough Set Neural Network Algorithm reduces the number of computer resources required to detect an attack from host based. The KDDCup 99 dataset is used to test the data and gave the better and robust result [16]. The signature based intrusion detection system is used to monitor the packets from the network, and these packets are compared with the signature database. VC++ software is used for implementation [17]. The feature reduction techniques such as Independent Component Analysis, Linear Discriminant Analysis and Principal Component Analysis reduce the computational intensity. The KDD Cup 99 dataset is used to reduce computation time and improve the accuracy of the systems [19].

In this paper, various methods for Intrusion Detection System are reviewed. The host based or network based attacks comprise the information to protect the data or information from unauthorized users. The main objective of the system is to detect the new intruder. The intrusion detection system has been developed using various methods and techniques; these are used to find the new threats over the hosts or networks. The dataset has been used for training and testing the different types of attacks using various techniques. The overall performance and accuracy of the system can be improved a lot.

REFERENCES

[1] KDD Cup 1999 Intrusion Detection Data available in the following link, http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html.
[2] DARPA Intrusion Detection Data Sets available in the following link, http://www.ll.mit.edu/mission/communications/ist/corpora/ideval/data/index.html.
[3] Hadi Bahrbegi, Ahmad Habibizad Navin, Amir Azimi Alasti Ahrabi, Mir Kamal Mirnia and Amir Mollanejad, A New System to Evaluate GA-based Clustering Algorithms in Intrusion Detection Alert Management System, Second World Congress on Nature and Biologically Inspired Computing, pp. 115-120, 2010.
[4] Nong Ye, Syed Masum Emran, Qiang Chen and Sean Vilbert, Multivariate Statistical Analysis of Audit Trails for Host-Based Intrusion Detection, IEEE Transactions on Computers, Vol. 51, No. 7, pp. 810-820, 2002.
[5] Jiankun Hu, Xinghuo Yu, D. Qiu and Hsiao-Hwa Chen, A Simple and Efficient Hidden Markov Model Scheme for Host-Based Anomaly Intrusion Detection, IEEE Network, Vol. 23, No. 1, pp. 42-47, 2009.
[6] Tartakovsky A. G, Rozovskii B. L, Blazek R.B and Hongjoong Kim, A Novel Approach to Detection of Intrusions in Computer Networks via Adaptive Sequential and Batch-Sequential Change-Point Detection Methods, IEEE Transactions on Signal Processing, Vol. 54, No. 9, pp. 3372-3382, 2006.
[7] Ioannis Ch. Paschalidis and Georgios Smaragdakis, Spatio-Temporal Network Anomaly Detection by Assessing Deviations of Empirical Measures, IEEE/ACM Transactions on Networking, Vol. 17, No. 3, pp. 685-697, 2009.
[8] Weiming Hu, Wei Hu and Maybank S, AdaBoost-Based Algorithm for Network Intrusion Detection, IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics, Vol. 38, No. 2, pp. 577-583, 2008.
[9] Gupta K. K, Nath B and Kotagiri R, Layered Approach Using Conditional Random Fields for Intrusion Detection, IEEE Transactions on Dependable and Secure Computing, Vol. 7, No. 1, pp. 35-49, 2010.
[10] M. Mehdi, S. Zair, A. Anou and M. Bensebti, A Bayesian Networks in Intrusion Detection Systems, Journal of Computer Science, Vol. 3, No. 5, pp. 259-265, 2007.
[11] E. Anbalagan, C. Puttamadappa, E. Mohan, B. Jayaraman and Srinivasarao Madane, Datamining and Intrusion Detection Using Back-Propagation Algorithm for Intrusion Detection, International Journal of Soft Computing, Vol. 3, No. 4, pp. 264-270, 2008.
[12] Mrutyunjaya Panda and Manas Ranjan Patra, Ensemble Voting System for Anomaly Based Network Intrusion Detection, International Journal of Recent Trends in Engineering, Vol. 2, No. 5, pp. 8-13, 2009.
[13] Jake Ryan, Meng-Jang Lin and Risto Miikkulainen, Intrusion Detection with Neural Networks, Advances in Neural Information Processing Systems, pp. 943-949, 1998.
[14] Mrutyunjaya Panda and Manas Ranjan Patra, Some Clustering Algorithms to Enhance the Performance of the Network Intrusion Detection System, Journal of Theoretical and Applied Information Technology, Vol. 4, No. 8, pp. 795-801, 2008.
[15] Hua Jiang and Junhu Ruan, The Application of Genetic Neural Network in Network Intrusion Detection, Journal of Computers, Vol. 4, No. 12, pp. 1223-1230, 2009.
[16] Neveen I. Ghali, Feature Selection for Effective Anomaly-Based Intrusion Detection, International Journal of Computer Science and Network Security, Vol. 9, No. 3, pp. 285-289, 2009.
[17] Meera Gandhi and S.K. Srivatsa, Detecting and preventing attacks using network intrusion detection systems, International Journal of Computer Science and Security, Vol. 2, No. 1, pp. 49-60, 2008.
[18] S. Selvakani and R.S. Rajesh, Genetic Algorithm for framing rules for Intrusion Detection, International Journal of Computer Science and Network Security, Vol. 7, No. 11, pp. 285-290, 2007.
[19] V. Venkatachalam and S. Selvan, Performance Comparison of Intrusion Detection System Classifiers Using Various Feature Reduction Techniques, International Journal of Simulation, Vol. 9, No. 1, pp. 30-39, 2008.
[20] Sang-Jun Han and Sung-Bae Cho, Evolutionary Neural Networks for Anomaly Detection Based on the Behavior of a Program, IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics, Vol. 36, No. 3, pp. 559-570, 2006.
[21] Suseela T. Sarasamma, Qiuming A. Zhu, and Julie Huff, Hierarchical Kohonenen Net for Anomaly Detection in Network Security, IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics, Vol. 35, No. 2, pp. 302-312, 2005.
[22] Di He and Henry Leung, Network Intrusion Detection Using CFAR Abrupt-Change Detectors, IEEE Transactions on Instrumentation and Measurement, Vol. 57, No. 3, pp. 490-497, 2008.
[23] Dong Song, Malcolm I. Heywood and A. Nur Zincir-Heywood, Training Genetic Programming on Half a Million Patterns: An Example from Anomaly Detection, IEEE Transactions on Evolutionary Computation, Vol. 9, No. 3, pp. 225-239, 2005.
[24] Naeem Seliya and Taghi M. Khoshgoftaar, Active Learning with Neural Networks for Intrusion Detection, IEEE International conference on Information Reuse and Integration, pp. 49-54, 2010.
[25] Rung-Ching Chen, Kai-Fan Cheng, Ying-Hao Chen and Chia-Fen Hsieh, Using Rough Set and Support Vector Machine for Network Intrusion Detection, International Journal of Network Security & Its Applications, Vol. 1, No. 1, pp. 1-13, 2009.
[26] V. Venkatachalam and S. Selvan, Intrusion Detection using an Improved Competitive Learning Lamstar Neural Network, International Journal of Computer Science and Network Security, Vol. 7, No. 2, pp. 255-263, 2007.
[27] Anazida Zainal, Mohd Aizaini Maarof and Siti Mariyam Shamsuddin, Ensemble Classifiers for Network Intrusion Detection System, Journal of Information Assurance and Security, Special Issue on Intrusion and Malware Detection, Vol. 4, No. 3, pp. 217-225, 2009.
[28] Mansour Sheikhan and Amir Ali Sha'bani, Fast Neural Intrusion Detection System Based on Hidden Weight Optimization Algorithm and Feature Selection, World Applied Sciences Journal 7 (Special Issue of Computer & IT), pp. 45-53, 2009.
[29] Dewan Md. Farid and Mohammad Zahidur Rahman, Anomaly Network Intrusion Detection Based on Improved Self Adaptive Bayesian Algorithm, Journal of Computers, Vol. 5, No. 1, pp. 23-31, 2010.
[30] Iftikhar Ahmad, Azween Abdullah, Abdullah Alghamdi and Muhammad Hussain, Optimized intrusion detection mechanism using soft computing techniques, Telecommunication Systems, Vol. 52, No. 4, pp. 2187-2195, 2013.
[31] Mansour Sheikhan, Zahra Jadidi and Ali Farrokhi, Intrusion detection using reduced-size RNN based on feature grouping, Neural Computing & Applications, Vol. 21, No. 6, pp. 1185-1190, 2012.
[32] Shingo Mabu, Ci Chen, Nannan Lu, Kaoru Shimada and Kotaro Hirasawa, An Intrusion-Detection Model Based on Fuzzy Class-Association-Rule Mining Using Genetic Network Programming, IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews, Vol. 41, No. 1, pp. 130-139, 2011.
[33] S. Selvakani Kandeeban and R.S. Rajesh, A Genetic Algorithm Based elucidation for improving Intrusion Detection through condensed feature set by KDD 99 data set, Information and Knowledge Management, Vol. 1, No. 1, pp. 1-9, 2011.
[34] A. M. Chandrashekhar and K. Raghuveer, Performance evaluation of data clustering techniques using KDD Cup-99 Intrusion detection data set, International Journal of Information & Network Security, Vol. 1, No. 4, pp. 294-305, 2012.
[35] Mohammad Sazzadul Hoque, Md. Abdul Mukit and Md. Abu Naser Bikas, An Implementation of Intrusion Detection System Using Genetic Algorithm, International Journal of Network Security & Its Applications, Vol. 4, No. 2, pp. 109-120, 2012.
[36] Murad Abdo Rassam and Mohd. Aizaini Maarof, Artificial Immune Network Clustering Approach for Anomaly Intrusion Detection, Journal of Advances in Information Technology, Vol. 3, No. 3, pp. 147-154, 2012.
[37] T. Amalraj Victoire and M. Sakthivel, A Refined Differential Evolution Algorithm Based Fuzzy Classifier for Intrusion Detection, European Journal of Scientific Research, Vol. 65, No. 2, pp. 246-259, 2011.
[38] Dahlia Asyiqin Ahmad Zainaddin and Zurina Mohd Hanapi, Hybrid of Fuzzy Clustering Neural Network Over NSL Dataset for Intrusion Detection System, Journal of Computer Science, Vol. 9, No. 3, pp. 391-403, 2013.
[39] Sherif M. Badr, Implementation of Intelligent Multi-Layer Intrusion Detection Systems (IMLIDS), International Journal of Computer Applications, Vol. 61, No. 4, pp. 41-49, 2013.
[40] Sherif M. Badr, Adaptive Layered Approach using C5.0 Decision Tree for Intrusion Detection Systems (ALIDS), International Journal of Computer Applications, Vol. 66, No. 22, pp. 18-22, 2013.
[41] Thuzar Hlaing, Feature Selection and Fuzzy Decision Tree for Network Intrusion Detection, International Journal of Informatics and Communication Technology, Vol. 1, No. 2, pp. 109-118, 2012.
[42] Amin Einipour, Intelligent Intrusion Detection in Computer Networks Using Fuzzy Systems, Global Journal of Computer Science and Technology, Neural & Artificial Intelligence, Vol. 12, No. 11, pp. 19-29, 2012.
[43] Mostaque Md. Morshedur Hassan, Current Studies on Intrusion Detection System, Genetic Algorithm and Fuzzy Logic, International Journal of Distributed and Parallel Systems, Vol. 4, No. 2, pp. 35-47, 2013.
[44] Thakare S. P and Ali M. S, Network Intrusion Detection System & Fuzzy Logic, BIOINFO Security Informatics, Vol. 2, No. 1, pp. 23-27, 2012.
[45] Swati Dhopte and N. Z. Tarapore, Design of Intrusion Detection System using Fuzzy Class-Association Rule Mining based on Genetic Algorithm, International Journal of Computer Applications, Vol. 53, No. 14, pp. 20-27, 2012.
[46] Javier G. Marín-Blázquez and Gregorio Martínez Pérez, Intrusion detection using a linguistic hedged fuzzy-XCS classifier system, Soft Computing A Fusion of Foundations, Methodologies and Applications Special Issue on Evolutionary and Metaheuristics based Data Mining, Vol. 13, No. 3, pp. 273-290.
[47] Mohammad Saniee Abadeh and Jafar Habibi, A Hybridization of Evolutionary Fuzzy Systems and Ant Colony Optimization for Intrusion Detection, The ISC International Journal of Information Security, Vol. 2, No. 1, pp. 33-46, 2010.
[48] Ajith Abraham, Ravi Jain, Johnson Thomas and Sang Yong Han, D-SCIDS: Distributed soft computing intrusion detection system, Journal of Network and Computer Applications, Vol. 30, No. 1, pp. 81-98, 2007.