NOVEL APPROACH FOR NETWORK INTRUSION DETECTION


NOVEL APPROACH FOR NETWORK INTRUSION DETECTION A.B. Babatope N.A. Azeez

INTRODUCTION Information that is not properly secured tends to be vulnerable to intrusions and threats. Security measures ensure information maintains its integrity. An Intrusion Detection System (IDS) is one of the methods of securing computer networks and systems, as it detects attacks before they gain access to the system.

AIM AND OBJECTIVES The aim of this project is to develop an IDS using a genetic algorithm approach, which is better for detecting unusual events and threats within a computer network. Objectives include: to analyse the different Artificial Intelligence algorithms used in Intrusion Detection Systems; to develop an Intrusion Detection System that detects more threats to computer networks and is less likely to produce errors.

CONTRIBUTIONS Based on the results obtained, it was discovered that the intrusive attacks were more frequent on the Class A set of IP addresses. It was also discovered that the probe category of attacks was the most frequent across the system.

LITERATURE REVIEW According to Scarfone and Mell (2007) “Intrusion detection is the process of monitoring the events occurring in a computer system or network and analysing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies or standard security practices.”

LITERATURE REVIEW The following are types of network attacks: Denial of Service; Remote to User Attacks (R2L); User to Root Attacks (U2R); Probing.

RELATED WORKS

| TITLE | APPROACH | STRENGTH | WEAKNESS |
|---|---|---|---|
| The Design and Implementation of Intrusion Detection System based on Data Mining Technology (Zhou & Zhao, 2013) | Data Mining | Adaptive ability | Not time efficient |
| Implementation of an Intrusion Detection System (Ourida, 2012) | Intrusion sensor (Snort) | It takes less time to implement. | Security issues |

RELATED WORKS Chittur (2001) carried out an experiment to analyse the effectiveness of using Genetic algorithm for computer network intrusion detection system. The KDD 99 dataset was used to train the system so as to generate rules that were used during the test phase.

RELATED WORKS Li (2004) also reported an IDS using genetic algorithm to detect anomalous network intrusion. Both quantitative and categorical features of network data were used to obtain classification rules for the system. This work was focused on the TCP/IP network protocols.

GENETIC ALGORITHM A genetic algorithm is a problem-solving method derived from biological gene operators. The decision variables of the search problem are encoded as strings of alphabets. The strings are the chromosomes, the alphabets are the genes, and the value of a gene is called the allele.

GENETIC ALGORITHM During the evolution, different operators are used to process the chromosomes in each generation. The operators include: Selection (or Reproduction); Crossover (or Recombination); Mutation.

GENETIC ALGORITHM Selection – is the phase where individuals of the population with better fitness are selected; otherwise the individual gets damaged. Crossover – is a process where each pair of randomly selected individuals exchanges parts of their chromosomes with each other, until a totally new population has been generated. Mutation – this involves diversifying the population, which is needed because of the repeated use of crossover operators.

GENETIC ALGORITHM
Random generation of initial chromosomes
Set w1 = 0.2, w2 = 0.8, T = 0.5, Max Generations = 100
Set N = total number of records in training set
Set generation counter = 0
For each chromosome in population
    Set A = 0, AB = 0
    For each record in dataset
        If record matches chromosome
            AB = AB + 1
        End If
        If record matches only condition part
            A = A + 1
    End for Each record
    Fitness =
    If Fitness > T
        Select fitted chromosomes into new selection pool
    End if
End for Each chromosome
For each chromosome in new pool/population
    Select chromosome for breeding
    Apply crossover and mutation to new offspring
    Place newly created chromosome into population
End for Each
Kill old pool, new pool now current pool
Increment generation Counter by 1
If generation Counter < Max Generation then Goto line v

LINKING GA WITH INTRUSION DETECTION The genetic algorithm is linked with intrusion detection by using the GA to classify the different network connections that the system comes across. Each network connection is represented as a chromosome by the genetic algorithm. The attributes of each network connection are represented as genes in the chromosome.

LINKING GA WITH INTRUSION DETECTION The system acts on each network connection as a chromosome. Therefore, the GA makes it possible for the intrusion detection system to differentiate the different types of network connections.

FITNESS FUNCTION It is defined as a function which scales the value of an individual relative to the rest of the population. It computes the best possible solutions from the number of candidates located in the population. It is used to determine the fittest set of chromosomes with respect to the other chromosomes present, which will be used for recombination in the next generation.

FITNESS FUNCTION Algorithm I: Fitness Function Algorithm

SYSTEM DESIGN Figure 1: Genetic Algorithm architecture

SYSTEM DESIGN
Table 1: Chromosome representation

| Attribute Name | Number of Genes | Format |
|---|---|---|
| Duration | 3 | H:M:S |
| Protocol | 1 | Numeric |
| Source port | | |
| Destination port | | |
| Source IP | 4 | a.b.c.d |
| Destination IP | | |
| Attack name | | String |
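The fitness evaluation, threshold selection and breeding steps of the GA pseudocode, applied to chromosomes laid out as in Table 1, as an added Python example that is not the authors' C# implementation. Assumptions: the fitness formula is not legible on the slide, so the weighted support-confidence form from Li (2004) is used; a gene of -1 is treated as a wildcard and mutation sets a gene to that wildcard; source port, destination port and destination IP are given 1, 1 and 4 genes; the records and the `rule`, `matches`, `select` and `breed` helpers are constructed for illustration.

```python
import random

WILDCARD = -1              # assumption: a gene of -1 matches any value
W1, W2, T = 0.2, 0.8, 0.5  # weights and threshold from the pseudocode

# Condition genes follow Table 1: duration h,m,s | protocol | source port |
# destination port | source IP a.b.c.d | destination IP a.b.c.d, then the
# attack name. Constructed training records, not DARPA data.
RECORDS = [
    ((0, 0, 2, 6, 40000, 23, 10, 0, 0, 5, 10, 0, 1, 9), "port-scan"),
    ((0, 0, 1, 6, 40001, 23, 10, 0, 0, 5, 10, 0, 1, 9), "port-scan"),
    ((0, 0, 3, 6, 40002, 23, 10, 0, 0, 7, 10, 0, 1, 9), "port-scan"),
    ((0, 1, 0, 6, 51000, 514, 10, 0, 0, 8, 10, 0, 1, 9), "rsh"),
    ((0, 0, 9, 6, 52000, 23, 10, 0, 0, 6, 10, 0, 1, 9), "guess"),
]

def rule(attack, fixed):
    """Chromosome whose condition genes are wildcards except {index: value}."""
    genes = [WILDCARD] * 14
    for index, value in fixed.items():
        genes[index] = value
    return tuple(genes), attack

def matches(condition, record_condition):
    return all(g == WILDCARD or g == r for g, r in zip(condition, record_condition))

def fitness(chromosome, records):
    condition, attack = chromosome
    a = ab = 0
    for record_condition, record_attack in records:
        if matches(condition, record_condition):
            a += 1                       # A: condition part matches
            if record_attack == attack:
                ab += 1                  # AB: condition and attack both match
    if a == 0:
        return 0.0                       # rule never fires; avoid dividing by zero
    # Assumed formula (Li, 2004): w1 * support + w2 * confidence.
    return W1 * ab / len(records) + W2 * ab / a

def select(population, records):
    return [c for c in population if fitness(c, records) > T]

def breed(parent1, parent2, rng, mutation_rate=0.05):
    """Single-point crossover on the condition genes; mutation generalises a gene."""
    (genes1, attack), (genes2, _) = parent1, parent2
    point = rng.randrange(1, len(genes1))
    child = [WILDCARD if rng.random() < mutation_rate else g
             for g in genes1[:point] + genes2[point:]]
    return tuple(child), attack

if __name__ == "__main__":
    pool = [rule("port-scan", {5: 23, 9: 5}), rule("port-scan", {5: 23}), rule("guess", {5: 23})]
    fit = select(pool, RECORDS)
    print(len(fit), breed(fit[0], fit[1], random.Random(0)))
```

With w2 = 0.8 the confidence term dominates, so a narrow rule that is always right outscores a broad rule that is right three times out of four, and a rule that matches no record scores zero rather than raising a division error.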

IMPLEMENTATION The software was developed using Microsoft Visual Studio, an Integrated Development Environment (IDE), with the in-built programming language C#. The system was developed as a console program. On initialisation of the software, random chromosomes are generated and the system locates the dataset file and reads the file. The system continues to iterate the results for each generation until the number of generations is reached.

IMPLEMENTATION Figure 2: Initialisation of the program

IMPLEMENTATION
Table 2: The result of the intrusion detection system

| DURATION | PROTOCOL | SOURCE PORT | DESTINATION PORT | SOURCE IP | DESTINATION IP | ATTACK NAME |
|---|---|---|---|---|---|---|
| 0:0:53 | ftp-data | 38127 | 1985 | 65.127.-1.203 | 243.192.194.177 | rcp |
| -1:1:0 | Auth | 26586 | 55979 | 20.154.30.-1 | 51.70.111.254 | rsh |
| 0:0:-1 | Rsh | 62512 | 26370 | 160.72.57.42 | 135.-1.237.4 | Phf |

Further rows (cell order not recoverable): -1 242.41.151.123 239.18.88.223 Guess 62728 http 12106 104.65.17.124 -1.191.-1.244 Port-scan 0:0:39

DARPA DATASET The Defense Advanced Research Projects Agency (DARPA) dataset was created in 1998 by the Lincoln Laboratory of MIT out of the need to evaluate intrusion detection systems. It was first made available to the public in February 1998. Three classes of attacks are present in the dataset, namely: Probe (Portscan); R2L (phf, guess); U2R (rlogin, rsh, rcp).

DARPA DATASET The following shows the distribution of the types of network connections present in the dataset file:
Table 3: Distribution of the intrusive connections in the dataset

| Probe | R2L | U2R |
|---|---|---|
| Portscan – 30 | Phf – 1, Guess – 4 | rlogin – 1, rsh – 2, rcp – 1 |
| 30 | 5 | 4 |

DARPA DATASET Figure 3: Graphical distribution of the network connections

ANALYSIS OF RESULTS Three sets of results were selected to be analysed for findings and notes. Each set of results consists of 50 records. The first analysis was the classification of the source and destination IP addresses. The second analysis was the relationship between the protocol and the type of intrusion.

ANALYSIS OF RESULTS First run
Table 4: Classification of IP addresses of the first set of results
Columns: Source IP, Destination IP
Class A: 20, 50
Class B: 30
Class C:
Class D:
Class E:

ANALYSIS OF RESULTS Figure 4: Graphical classification of the IP addresses of the first set of results

ANALYSIS OF RESULTS
Table 5: Distribution of intrusion attacks to the Protocols for the first set of results
Columns: Protocols; Attack names: Phf, Port Scan, Rcp, rlogin, rsh
ftp:
ftp-data: 2 3 1 6
http: 4 14 20
Rsh: 8
Smtp: 5 12
telnet: 26

ANALYSIS OF RESULTS Figure 5: Graphical representation of the distribution of attacks to protocols for the first set of results

ANALYSIS OF RESULTS Second run
Table 6: Classification of IP addresses of the second set of results
Columns: Source IP, Destination IP
Class A: 19, 39
Class B: 11
Class C:
Class D:
Class E: 31

ANALYSIS OF RESULTS Figure 6: Graphical classification of the IP addresses of the second set of results

ANALYSIS OF RESULTS
Table 7: Distribution of intrusion attacks to the Protocols for the second set of results
Columns: Protocols; Attack names: Phf, Port Scan, Rcp, rlogin, rsh
ftp: 2 4 6
ftp-data: 11 21 32
http:
Rsh: 8 12
Smtp:
telnet: 29

ANALYSIS OF RESULTS Figure 7: Graphical representation of the distribution of attacks to protocols for the second set of results

ANALYSIS OF RESULTS Third run
Table 8: Classification of IP addresses of the third set of results
Columns: Source IP, Destination IP
Class A: 21, 50
Class B: 8
Class C:
Class D:
Class E:

ANALYSIS OF RESULTS Figure 8: Graphical classification of the IP addresses of the third set of results

ANALYSIS OF RESULTS
Table 9: Distribution of intrusion attacks to the Protocols for the third set of results
Columns: Protocols; Attack names: Phf, Port Scan, Rcp, rlogin, rsh
ftp:
ftp-data:
http:
Rsh: 1 8 16 25
Smtp:
telnet: 9 15 2 17 31

ANALYSIS OF RESULTS Figure 9: Graphical representation of the distribution of attacks to protocols for the third set of results

ANALYSIS OF RESULTS Fourth run
Table 10: Classification of IP addresses of the fourth set of results
Columns: Source IP, Destination IP
Class A: 46, 44
Class B: 4
Class C:
Class D:
Class E: 6

ANALYSIS OF RESULTS Figure 10: Graphical classification of the IP addresses of the fourth set of results

ANALYSIS OF RESULTS
Table 11: Distribution of intrusion attacks to the Protocols for the fourth set of results
Columns: Protocols; Attack names: Phf, Port Scan, Rcp, rlogin, rsh
ftp:
ftp-data:
http: 4 5 9
Rsh: 1 2
Smtp: 30 39
telnet: 14 36

ANALYSIS OF RESULTS Figure 11: Graphical representation of the distribution of attacks to protocols for the fourth set of results

FUTURE WORK The genetic algorithm as an approach to intrusion detection systems needs to be continually improved, and the classification rules need to be continually enhanced in order for the system to classify connections correctly.

CONCLUSION Securing information against attacks is a process that requires continuous research as new threats come up, in order to stay up to date and minimise risk and cost.

REFERENCES
Chittur, A., 2001. Model Generation for an Intrusion Detection System Using Genetic Algorithms.
Hoque, M.S., Mukit, A. & Bikas, A.N., 2012. An Implementation of Intrusion Detection System using Genetic Algorithm. International Journal of Network Security & Its Applications (IJNSA), Vol. 4, No. 2, March 2012.
Li, W., 2004. Using Genetic Algorithm for Network Intrusion Detection. Mississippi State University, Mississippi State, MS 39762.
Sastry, K., Goldberg, D. & Kendall, G., 2005. Genetic Algorithms.
Scarfone, K. & Mell, P., 2007. Guide to Intrusion Detection and Prevention Systems (IDPS). National Institute of Standards and Technology, NIST Special Publication 800-94.

THANK YOU