Network Intrusion Detection System
By Yumnam Surajkanta
Under the guidance of Umakanta Majhi
Network Attack
In computers and computer networks, an attack is any attempt to destroy, expose, alter, disable, steal, or gain unauthorized access to or make unauthorized use of an asset. [Wikipedia]
An attack on a computer network can also be defined as any attempt that compromises one of the following properties of the system:
integrity
confidentiality
availability
Classification of Intrusion Attacks
Probe – Scanning a system for vulnerabilities.
DoS – Making a service unavailable to legitimate users.
Remote to User – An unauthorized remote user gaining access to the system.
User to Root – An under-privileged user executing privileged commands without authorization.
Probe
Network scans can be classified as:
Horizontal scan – Discovering hosts in a network, e.g. nmap 192.162.25.1/24
Vertical scan – Discovering open services running on a particular host, e.g. telnet.
Centralized scan – The scan is conducted from only one machine.
Distributed scan – Several systems collaborate in conducting the scan.
TCP 3-way handshake connection
Figure: TCP three-way handshake. Normal connection to port 80: SYN, SYN-ACK, ACK. Probe of a closed port: the SYN is answered with RST.
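The handshake figure points at the simplest probe detector: a closed port answers a SYN with RST, so a single source that collects RSTs from many different service ports on one host is behaving like a vertical scan. The following is an added example, not code from the original slides, showing that threshold check over a constructed packet log; the log format (one packet per line, server-side port, tcpdump-style flag letters) and the threshold of three error ports are assumptions made for the example.

```python
"""Threshold-based detection of a vertical port scan over a constructed packet log.

Added example (not from the slides). A closed port answers a SYN with RST,
so one source collecting RSTs from many different service ports on a host
is the signature of a probe. The log format and the threshold are
assumptions made for this example.
"""
from collections import defaultdict

# Constructed sample log, one packet per line: "src dst service_port flags".
# service_port is the server-side port of the connection; flags use the
# tcpdump letters S (SYN), SA (SYN-ACK), A (ACK) and R (RST).
SAMPLE_LOG = """\
10.0.0.5 10.0.0.80 80 S
10.0.0.80 10.0.0.5 80 SA
10.0.0.5 10.0.0.80 80 A
10.0.0.9 10.0.0.80 21 S
10.0.0.80 10.0.0.9 21 R
10.0.0.9 10.0.0.80 22 S
10.0.0.80 10.0.0.9 22 SA
10.0.0.9 10.0.0.80 23 S
10.0.0.80 10.0.0.9 23 R
10.0.0.9 10.0.0.80 25 S
10.0.0.80 10.0.0.9 25 R
10.0.0.9 10.0.0.80 110 S
10.0.0.80 10.0.0.9 110 R
"""


def parse_line(line):
    """Split one log line into (src, dst, service_port, flags)."""
    src, dst, port, flags = line.split()
    return src, dst, int(port), flags


def count_connection_errors(log_text):
    """Map each client address to the set of service ports that answered its SYN with RST."""
    pending = set()                 # (client, server, port) triples with a SYN outstanding
    errors = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, port, flags = parse_line(line)
        if flags == "S":
            pending.add((src, dst, port))
        elif (dst, src, port) in pending:          # reply from server src to client dst
            if flags == "R":
                errors[dst].add(port)               # closed port: a connection error
            pending.discard((dst, src, port))       # SA or R both settle the attempt
    return errors


def detect_probes(log_text, threshold=3):
    """Return {client: sorted error ports} for clients whose error count reaches the threshold."""
    errors = count_connection_errors(log_text)
    return {client: sorted(ports) for client, ports in errors.items()
            if len(ports) >= threshold}


if __name__ == "__main__":
    for client, ports in detect_probes(SAMPLE_LOG).items():
        print(f"probe suspected from {client}: RST received from ports {ports}")
```

In the constructed log, 10.0.0.5 completes one normal handshake and is never reported, while 10.0.0.9 is answered with RST on four different ports and crosses the threshold. The threshold is the tuning knob: a low value catches slow scans earlier but also fires on clients that merely mistype a port.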
Denial of Service
The attacker disables a server or network by flooding the system with requests, preventing legitimate users from accessing the system.
Centralized DoS attack.
Distributed DoS attack.
Some types of DoS attack are:
Smurf attack.
HTTP flood.
SYN flood.
UDP flood.
Smurf Attack
Figure: Smurf attack. The attacker sends packets carrying the spoofed source address of the victim to a router, so the replies reach the victim.
Intrusion Detection System
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.
Example: Snort.
Intrusion Detection System
How it differs from a firewall:
A firewall actively blocks unused ports and prevents suspicious programs from accessing the network.
An IDS monitors the activities of both users and programs. It alerts the system manager if a user's activities do not match normal behaviour.
An IDS is not a replacement for a firewall; instead, an IDS complements the function of a firewall.
Classification of IDS
An IDS adopts different techniques for detecting intrusions. IDSs can be broadly classified into two families based on their detection capability:
Anomaly-based Intrusion Detection System.
Misuse-based Intrusion Detection System.
Both can be further classified depending on the type of technique they employ.
Anomaly-Based IDS
An anomaly-based IDS builds a model of normal network activity from historical data and reports any activity that falls outside the model.
It can detect attacks that were previously unknown.
Misuse-Based IDS
A misuse-based IDS builds a model of normal activity as well as models of all the known attacks it is going to detect.
It can identify the type of attack.
Fewer errors.
It cannot detect unknown attacks.
Figure: An anomaly-based IDS separates normal data from anomalous data; a misuse-based IDS labels traffic as normal data, probe, DoS, or worm.
IDS Classification
An IDS can be further classified by the type of data it uses to build its model.
Host-based IDS:
It monitors only one system.
It has access to network data, system logs, and audit files.
It can detect attacks that are not easily identifiable from network data, such as password guessing and buffer overflows.
Since it has to process a large amount of data, it cannot generate alerts in real time.
IDS Classification
Network-Based IDS:
It protects the whole network.
It examines all the packets transmitted in the network.
It can detect an intrusion before the attack affects the target.
It does not have access to log files.
Related Papers

Paper: SNORT—LIGHT WEIGHT INTRUSION DETECTION FOR NETWORKS [1]
Category: Signature-based IDS
Method: Looks for specific patterns in the packet header or payload matching the attack signature.
Author: Martin Roesch

Paper: Packet Header Anomaly Detection for Identifying Hostile Network Traffic [2]
Category: Anomaly-score-based IDS
Method: Learns the normal range of packet header values, then calculates the anomaly value of the header values in the testing data.
Authors: Matthew V. Mahoney and Philip K. Chan

Paper: Unsupervised Network Anomaly Detection using Sub-Space Outliers Ranking [4]
Category: Clustering-based IDS
Method: Identifies clusters and outliers in multiple low-dimensional spaces.
Authors: Pedro Casas, Johan Mazel, Philippe Owezarski

Paper: Slow Port Scanning Detection [6]
Category: Threshold-based
Method: Uses the number of errors in connections to detect
Author: Mehiar Dabbagh

Paper: A New Approach for Internet Worm Detection and Classification [7]
Category: Classifier-based IDS
Method: A classifier learns the behaviour of worm and normal traffic; the trained model is then used to classify network traffic.
Authors: N. Sarnsuwan, C. Charnsripinyo and N. Wattanapongsakorn

Paper: Practical real-time intrusion detection using machine learning approaches [8]
Category: Classifier-based IDS
Method: Trains classifiers using DoS, probe and normal traffic and compares the performance of different classifiers.
Authors: Phurivit Sangkatsanee, Naruemon Wattanapongsakorn, Chalermpol Charnsripinyo

Paper: A Centralized Management Framework of Network based Intrusion Detection and Prevention [9]
Category: Classifier-based IDS
Method: Proposes a framework for an IDS which can function as a standalone IDS or a collaborative IDS.
Authors: Ekgapark Wonghirunsombat, Teewalee Asawaniwed, Vassapon Hanchana
Misuse Detection using Machine Learning Algorithms
Network-based IDS.
Detects threats in real time.
Supports a large number of classifiers.
Lightweight.
Modular.
Portable.
Modes of operation: Training Mode, Deployed Mode, Detection Mode.
Capturing Packets
There are several packet capturing tools:
Wireshark
tcpdump
Training data are collected by running Wireshark in promiscuous mode.
Sniffer Program
Some of the free packet capturing libraries are:
libpcap (available for Unix systems)
WinPcap (available for Windows)
Jpcap (portable Java library)
While running in active detection mode, our program uses the Jpcap library to capture packets from
Feature Selection
The accuracy of the classifier depends on the selected features.
The number of features should be kept to a minimum, as a large number of features adversely affects the efficiency of the classifier.
The feature set should not contain redundant information.
Preprocessing
Figure: Packets → Records → Features.
Extract information from the TCP, UDP, ICMP and IP headers.
Generate the set of features.
Aggregate packet information into records.
Training the Classifier
• Generating normal training data
Collect attack-free data.
Preprocess the data.
Generate the feature set.
Label the data as normal.
• Generating attack training data
Simulate network attacks using a tool like nmap.
Collect and preprocess the data.
Generate features and label the records according to the type of attack.
• Train the classifier using both normal and attack data.
Feature File (Weka ARFF format)
@relation Test
@attribute sourceIP numeric
...
@attribute destinationIP numeric
@attribute class {portScan,dos,r2l,l2r,normal}
@data
2,2,3,3,6,5,0,0,0,0,5,normal
1,1,1,1,2,0,1,0,0,0,0,normal
2,2,757,757,761,760,0,0,380,380,380,portScan
2,2,780,780,783,782,0,0,391,391,391,portScan
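The preprocessing and training slides above describe one pipeline (packets aggregated into records, features computed per record, records labelled normal or by attack type, a classifier trained on both), and the feature file shows the layout the labelled records are written in. The following added example, which is not the project's own code, runs that whole pipeline end to end on constructed traffic: it aggregates packet headers per source address, computes a feature vector, writes the vectors in the @relation/@attribute/@data layout of the feature file, and trains a nearest-centroid misuse classifier on normal and port-scan records. The feature names (packets, distinctPorts, synCount, bytes, synRatio), the packet tuple layout, the sample traffic and the choice of nearest-centroid as the classifier are all assumptions made for this example; the slides only show the first and last attributes of their file.

```python
"""Packets -> records -> features -> ARFF feature file -> trained classifier.

Added example, not the project's own code. It follows the pipeline on the
slides: packet header fields are aggregated per source address into a
record, a feature vector is computed for each record, the labelled vectors
are written in the @relation/@attribute/@data layout of the feature file,
and a classifier is trained on normal and attack records. The feature
names, the packet tuple layout and the sample traffic are assumptions
made for this example.
"""
from collections import defaultdict
from math import sqrt

# Constructed packet headers: (src, dst, dst_port, tcp_flags, length_in_bytes)
NORMAL_PACKETS = [
    ("10.0.0.5", "10.0.0.80", 80, "S", 60),
    ("10.0.0.5", "10.0.0.80", 80, "A", 52),
    ("10.0.0.5", "10.0.0.80", 80, "PA", 500),
    ("10.0.0.6", "10.0.0.80", 443, "S", 60),
    ("10.0.0.6", "10.0.0.80", 443, "PA", 700),
    ("10.0.0.7", "10.0.0.80", 22, "S", 60),
    ("10.0.0.7", "10.0.0.80", 22, "A", 52),
    ("10.0.0.7", "10.0.0.80", 22, "PA", 300),
    ("10.0.0.7", "10.0.0.80", 22, "PA", 300),
]
# Two simulated vertical scans (constructed): one 44-byte SYN per probed port.
SCAN_PACKETS = ([("10.0.0.9", "10.0.0.80", p, "S", 44) for p in range(20, 40)]
                + [("10.0.0.11", "10.0.0.80", p, "S", 44) for p in range(1000, 1030)])

FEATURE_NAMES = ["packets", "distinctPorts", "synCount", "bytes", "synRatio"]


def aggregate(packets):
    """Group packet headers by source address: one record per source."""
    records = defaultdict(list)
    for pkt in packets:
        records[pkt[0]].append(pkt)
    return records


def features(record):
    """Compute the feature vector (in FEATURE_NAMES order) for one record."""
    n = len(record)
    syn = sum(1 for p in record if p[3] == "S")
    return [n, len({p[2] for p in record}), syn, sum(p[4] for p in record), syn / n]


def build_dataset(packets, label):
    """Labelled (feature vector, class) pairs for every record in the traffic."""
    return [(features(rec), label) for rec in aggregate(packets).values()]


TRAINING = build_dataset(NORMAL_PACKETS, "normal") + build_dataset(SCAN_PACKETS, "portScan")


def to_arff(dataset, relation="Test"):
    """Serialise the dataset in the feature-file layout shown on the slide."""
    lines = [f"@relation {relation}"]
    lines += [f"@attribute {name} numeric" for name in FEATURE_NAMES]
    classes = ",".join(sorted({label for _, label in dataset}))
    lines.append(f"@attribute class {{{classes}}}")
    lines.append("@data")
    for vec, label in dataset:
        lines.append(",".join(f"{v:g}" for v in vec) + f",{label}")
    return "\n".join(lines)


class NearestCentroid:
    """Misuse classifier: one centroid per labelled class, predict the nearest.

    Features are min-max scaled on the training range so that the byte
    count does not swamp the small count and ratio features.
    """

    def fit(self, dataset):
        dim = len(FEATURE_NAMES)
        vecs = [v for v, _ in dataset]
        self.lo = [min(v[i] for v in vecs) for i in range(dim)]
        self.hi = [max(v[i] for v in vecs) for i in range(dim)]
        by_label = defaultdict(list)
        for vec, label in dataset:
            by_label[label].append(self._scale(vec))
        self.centroids = {label: [sum(s[i] for s in scaled) / len(scaled) for i in range(dim)]
                          for label, scaled in by_label.items()}
        return self

    def _scale(self, vec):
        return [(x - lo) / (hi - lo) if hi > lo else 0.0
                for x, lo, hi in zip(vec, self.lo, self.hi)]

    def predict(self, vec):
        s = self._scale(vec)

        def dist(centroid):
            return sqrt(sum((a - b) ** 2 for a, b in zip(s, centroid)))

        return min(self.centroids, key=lambda label: dist(self.centroids[label]))


def train_model():
    """Train the classifier on the constructed normal and scan records."""
    return NearestCentroid().fit(TRAINING)


if __name__ == "__main__":
    print(to_arff(TRAINING))
    model = train_model()
    print(model.predict([25, 25, 25, 1100, 1.0]), model.predict([4, 1, 1, 900, 0.25]))
```

The class line of the generated file lists only the labels present in the training data, so a record type that was never simulated cannot be predicted: this is the "cannot detect unknown attacks" limitation of misuse detection made concrete. The min-max scaling in the classifier is the practical side of the feature-selection slide: a raw byte count is three orders of magnitude larger than a SYN ratio and would otherwise decide every distance on its own.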
References
1. SNORT—LIGHT WEIGHT INTRUSION DETECTION FOR NETWORKS, Proceedings of LISA '99: 13th Systems Administration Conference, Seattle, Washington, USA, November 7–12, 1999.
2. PHAD: Packet Header Anomaly Detection for Identifying Hostile Network Traffic, Matthew V. Mahoney and Philip K. Chan, Florida Institute of Technology Technical Report CS-2001-04.
3. Network Anomalies Detection Using Statistical Technique: A Chi-Square Approach, IJCSI International Journal of Computer Science Issues, Vol. 9, Issue 2, No 3, March 2012.
4. UNADA: Unsupervised Network Anomaly Detection using Sub-Space Outliers Ranking, Pedro Casas, Johan Mazel, Philippe Owezarski.
5. Advanced probabilistic approach for network intrusion forecasting and detection, Expert Systems with Applications 40 (2013) 315–322.
6. Slow Port Scanning Detection, Information Assurance and Security (IAS), 2011 7th International Conference, Mehiar Dabbagh, Ali J. Ghandour, Kassem Fawaz, Wassim El Hajj, Hazem Hajj.
7. A New Approach for Internet Worm Detection and Classification, Networked Computing (INC), 2010 6th International Conference, N. Sarnsuwan, C. Charnsripinyo and N. Wattanapongsakorn.
8. Practical real-time intrusion detection using machine learning approaches, Computer Communications 34 (2011) 2227–2235, Phurivit Sangkatsanee, Naruemon Wattanapongsakorn, Chalermpol Charnsripinyo.
9. A Centralized Management Framework of Network based Intrusion Detection and Prevention System, 2013 10th International Joint Conference on Computer Science and Software Engineering (JCSSE), Ekgapark Wonghirunsombat, Teewalee Asawaniwed, Vassapon Hanchana, Naruemon Wattanapongsakorn, Sanan Srakaew, Chalermpol Charnsripinyo.