The Integration of SNORT with K-Means Clustering Algorithm to Detect New Attack



The Integration of SNORT with K-Means Clustering Algorithm to Detect New Attack
Asnita Hashim, University of Technology MARA, Malaysia
April 14-15, 2011

Contents: Problem Statement, Objective, Related works, Project Architecture, Results, Conclusion

Problem Statement
The limitation of a signature-based IDS is its failure to identify novel attacks, and sometimes even minor variations of known patterns (Laskov, 2007). Anomaly detection has an advantage over signature-based detection in that a new attack for which no signature exists can still be detected if it falls outside the normal traffic patterns. The limitation of anomaly detection is that it suffers from a high false detection rate. Therefore there is a need to combine both approaches, signature-based and anomaly-based, in order to improve the detection of new malicious packets and reduce the excessive false alarm rate (Northcutt, 2010).

Objective
To integrate Snort with the K-means clustering algorithm in order to improve the detection of new malicious packets and reduce the excessive false alarm rate.

IDS Techniques
    Signature based: Snort
    Anomaly based:
        Statistical based
        Knowledge based
        Machine learning based: Bayesian Network, Markov Model, Genetic Algorithm, Neural Network, Clustering Algorithm (K-means Algorithm), Fuzzy Logic

Related works (title and author; contribution)
1. Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes (Hwang et al., 2007): developed a weighted signature generation scheme to integrate an anomaly detection system (ADS) with Snort by extracting signatures from the anomalies detected.
2. Network-based Hybrid IDS and Honeysystems as Active Reaction Schemes (Teodoro et al., 2007): proposed a Markov model, an anomaly-based detector, combined with Snort, a signature-based one, thus producing a hybrid detection system.
3. Research and Implementation on Snort-based Hybrid Intrusion Detection System (Ding et al., 2009): the combination of SNORT and the ADS used was called the frequency episode rule algorithm.
4. A Hybrid Intrusion Detection System Design for Computer Network Security (Aydin et al., 2009): developed the hybrid IDS by combining packet header anomaly detection (PHAD) and network traffic anomaly detection (NETAD), which are anomaly-based IDSs, with the misuse-based IDS Snort.
5. Design of a Snort-based Hybrid Intrusion Detection System (Gomez et al., 2009): presents a new anomaly pre-processor using a statistical-based algorithm that extends the functionality of the Snort IDS, making it a hybrid IDS.

Algorithm in Clustering Algorithm: K-Means Algorithm (flow)
Start
1. Choose the number of clusters K.
2. Compute the centroid of each cluster.
3. Compute the distance of each object to the centroids.
4. Group each object with its nearest centroid (grouping based on minimum distance).
5. Did any object move to another group? If yes (+), return to step 2; if no (-), End.

Process flow diagram
Start
Input: network packet
Signature-based stage: Snort (signature detection). Attack? If yes, the packet is dropped; if NO, the packet passes to the anomaly-based stage.
Anomaly-based stage: perform the K-means clustering algorithm. Attack detected? If yes, Output: create a new rule; if NO, End.

Cluster process for network packets
Input: normal packets from Snort (packets that matched no signature)
Anomaly-based stage: perform the K-means algorithm
Analysis of the result: the smallest cluster, the one containing the fewest packets, is analysed to determine whether its packets are normal or not
Output: new attack
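The K-means stage of the flow above (slides 7 to 9), as an added Python example that is not part of the presentation or its implementation. It clusters the feature vectors of packets that Snort's signature stage let through, picks the cluster with the fewest members as the candidate new attack, and drafts a Snort rule from it for analyst review (slide 8, "Create New Rule"). The packet records, the feature set (payload length, destination port, TTL), the min-max scaling, the farthest-point seeding and the draft rule format are all assumptions of this example; the number of clusters K is a parameter so it can be varied as in the six experiments.

```python
"""K-means stage of a Snort + K-means hybrid IDS (added example, not the paper's code).

Packets that Snort's signature stage did not match are clustered; the cluster with
the fewest members is handed to an analyst as the candidate new attack, and a draft
Snort rule is generated from it for review.
"""
import math
from typing import Dict, List, Tuple

Point = List[float]

# Constructed records for packets Snort passed as "normal":
# (protocol, payload length in bytes, destination port, IP TTL). The first twelve
# imitate two ordinary traffic groups; the last one is a constructed outlier.
PACKETS = [
    ("tcp", 64, 443, 64), ("tcp", 72, 443, 64), ("tcp", 80, 443, 64),
    ("tcp", 66, 443, 64), ("tcp", 90, 443, 64), ("tcp", 100, 443, 64),
    ("tcp", 1400, 80, 128), ("tcp", 1420, 80, 128), ("tcp", 1460, 80, 128),
    ("tcp", 1500, 80, 128), ("tcp", 1480, 80, 128), ("tcp", 1440, 80, 128),
    ("tcp", 1200, 5555, 7),   # constructed outlier: unusual size, port and TTL
]


def features(packets) -> List[Point]:
    """Numeric columns only; the protocol string is kept for rule generation."""
    return [[float(length), float(port), float(ttl)] for _, length, port, ttl in packets]


def normalize(points: List[Point]) -> List[Point]:
    """Min-max scale each column to [0, 1] so the port number cannot dominate
    the Euclidean distance over length and TTL."""
    cols = list(zip(*points))
    lo = [min(c) for c in cols]
    span = [max(c) - min(c) or 1.0 for c in cols]   # guard constant columns
    return [[(v - lo[i]) / span[i] for i, v in enumerate(p)] for p in points]


def dist(a: Point, b: Point) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def init_centroids(points: List[Point], k: int) -> List[Point]:
    """Farthest-point (maximin) seeding: deterministic, and it tends to seed a
    cluster on an outlier, which is what the anomaly stage wants to isolate."""
    centroids = [points[0]]
    while len(centroids) < k:
        far = max(points, key=lambda p: min(dist(p, c) for c in centroids))
        centroids.append(far)
    return centroids


def kmeans(points: List[Point], k: int, max_iter: int = 100) -> Tuple[List[int], List[Point]]:
    """Lloyd iteration following slide 7: pick K, compute centroids, measure
    distances, regroup by minimum distance, repeat until no object moves."""
    centroids = init_centroids(points, k)
    labels = [-1] * len(points)
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda j: dist(p, centroids[j])) for p in points]
        if new_labels == labels:
            break                       # no object changed group: converged
        labels = new_labels
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            if members:                 # an empty cluster keeps its old centroid
                centroids[j] = [sum(col) / len(members) for col in zip(*members)]
    return labels, centroids


def smallest_cluster(labels: List[int], k: int) -> Tuple[int, List[int]]:
    """Cluster id with the fewest packets and the indices of its members (slide 9)."""
    sizes = {j: [i for i, lab in enumerate(labels) if lab == j] for j in range(k)}
    cid = min((j for j in sizes if sizes[j]), key=lambda j: (len(sizes[j]), j))
    return cid, sizes[cid]


def draft_rule(packet, sid: int) -> str:
    """Draft Snort rule from the outlier's protocol, destination port and payload
    size. It is a starting point for the analyst, not a finished signature;
    sid values from 1000000 upward are the range reserved for local rules."""
    proto, length, port, _ = packet
    return (f'alert {proto} any any -> any {port} '
            f'(msg:"K-means candidate new attack"; dsize:{length}; '
            f'sid:{sid}; rev:1;)')


def run_pipeline(packets=PACKETS, k: int = 3) -> Dict:
    """Cluster, isolate the smallest cluster, draft one rule per member."""
    labels, _ = kmeans(normalize(features(packets)), k)
    cid, members = smallest_cluster(labels, k)
    rules = [draft_rule(packets[i], 1000001 + n) for n, i in enumerate(members)]
    return {"cluster": cid, "members": members, "rules": rules}


if __name__ == "__main__":
    result = run_pipeline()
    print(f"smallest cluster {result['cluster']} holds packets {result['members']}")
    for rule in result["rules"]:
        print(rule)
```

The draft rule is deliberately narrow (exact port and payload size) so that it cannot fire on ordinary traffic until an analyst has confirmed the cluster is malicious and loosened it; as the results on the following slides show, the choice of K decides whether the smallest cluster holds one genuine anomaly or several unrelated packets, so the analyst step is what keeps the false alarm rate down.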

Experiment
Experiment name    Number of clusters
Experiment-1       5
Experiment-2       9
Experiment-3       13
Experiment-4       17
Experiment-5       21
Experiment-6       25

Results
Experiment (no. of clusters)   Cluster no. with smallest no. of packets   Packet series         False alarm   True alarm
Experiment-1 (5)               0 (2 packets)                              666, 670
Experiment-2 (9)               4 (1 packet)                               670
Experiment-3 (13)              9 (1 packet)                               670
Experiment-4 (17)              15 (1 packet), 16 (1 packet)               668, 670
Experiment-5 (21)              3, 6, 7, 8 (1 packet each)                 573, 655, 668, 670
Experiment-6 (25)              3, 9, 17, 24 (1 packet each)               568, 598, 668, 670


Conclusion
The research objective was to integrate Snort with the K-means algorithm and to detect new attacks using the proposed IDS. Six sets of experiments were conducted with different numbers of clusters, and the result of each set was compared to determine the optimum number of clusters. During result analysis two new attacks were discovered, and the optimum number for this experiment is 17 clusters, which gave the highest attack detection and no false positive alarms. Based on the results, the objective of this research, to detect new attacks, has been achieved. This finding is expected to encourage the generation of new theory, concepts and ideas, and to catalyse new discoveries and innovative inventions that enhance knowledge.

Thank You