IDS by Using Data Mining Based on Class-Association-Rule Mining and Genetic Network Programming

Now a day’s security is considered as major topics in networks, since the network has increasing widely day by day. Therefore, intrusion detection systems have paid more awareness, as it has an ability to identify intrusion accesses effectively. All these systems can spot the attacks and behave by trigger different errors .The proposed system includes a data mining method with fuzzy logic and class-association rule mining method which is based on genetic algorithm [1]. As the use of fuzzy logic, the recommend system can able to show the different type of features and also able to keep away from the different problems that are arising in to the suggested system approach. By using Genetic algorithm it is possible to find many rules and regulations and that are use to anomaly detection systems an association-rule-mining is very important technique that is used to find valuable rules and these rules are used by different users, instead of to find all the rules meeting the criteria that are useful for detection. Different results that are experimented with KDD99 [9] Cup database realise that the proposed approach gives more detection rates as compared to crisp data mining. DOI: 10.17762/ijritcc2321-8169.15063

A Comparative Study on Machine Learning Algorithms for Network Defense

Network security specialists use machine learning algorithms to detect computer network attacks and prevent unauthorized access to their networks. Traditionally, signature and anomaly detection techniques have been used for network defense. However, detection techniques must adapt to keep pace with continuously changing security attacks. Therefore, machine learning algorithms always learn from experience and are appropriate tools for this adaptation. In this paper, ten machine learning algorithms were trained with the KDD99 dataset with labels, then they were tested with different dataset without labels. The researchers investigate the speed and the efficiency of these machine learning algorithms in terms of several selected benchmarks such as time to build models, kappa statistic, root mean squared error, accuracy by attack class, and percentage of correctly classified instances of the classifier algorithms

Proportion frequency occurrence count with bat algorithm (FOCBA) for rule optimization and mining of proportion equivalence fuzzy constraint class association rules (PEFCARs)

Fuzzy Class Association Rules (FCARs) play an important role in decision support systems and have thus been extensively studied. Mining the important rules in FCARs becomes very difficult task, so Enhanced Equivalence Fuzzy Class Rule tree (EEFCR-tree) algorithm is proposed in this work. However, a major weakness of FCARs Miner is that when the number of constrained rules in a given class dominates the total constrained rules; its performance becomes slower than the normal method. To solve this problem this paper proposes a Proportion of Constraint Class Estimation (PPCE) algorithm for mining Enhanced Proportion Equivalence Fuzzy Constraint Class Association Rules (EPEFCARs) in order to save memory usage, run time and accuracy. Then, Proportion Frequency Occurrence count with Bat Algorithm (PFOCBA) is proposed for pruning rules which much satisfying the class constraints. Finally, an efficient algorithm is proposed for mining PEFCARs rules. Experimental results show that the proposed EPEFCR-tree algorithm is more efficient than Enhanced Equivalence Fuzzy Class Rule tree (EEFCR-tree), Novel Equivalence Fuzzy Class Rule tree (NECR-tree) Miner results are measured in terms of run time, accuracy and memory usage. Experiments show that the proposed method is faster than existing methods

Online Adaboost-based parameterized methods for dynamic distributed network intrusion detection

Current network intrusion detection systems lack adaptability to the frequently changing network environments. Furthermore, intrusion detection in the new distributed archi- tectures is now a major requirement. In this paper, we propose two online Adaboost-based intrusion detection algorithms. In the first algorithm, a traditional online Adaboost process is used where decision stumps are used as weak classifiers. In the second algorithm, an improved online Adaboost process is proposed, and online Gaussian mixture models (GMMs) are used as weak classifiers. We further propose a distributed intrusion detection framework, in which a local parameterized detection model is constructed in each node using the online Adaboost algorithm. A global detection model is constructed in each node by combining the local parametric models using a small number of samples in the node. This combination is achieved using an algorithm based on particle swarm optimization (PSO) and support vector ma- chines. The global model in each node is used to detect intrusions. Experimental results show that the improved online Adaboost process with GMMs obtains a higher detection rate and a lower false alarm rate than the traditional online Adaboost process that uses decision stumps. Both the algorithms outperform existing intrusion detection algorithms. It is also shown that our PSO, and SVM-based algorithm effectively combines the local detection models into the global model in each node; the global model in a node can handle the intrusion types that are found in other nodes, without sharing the samples of these intrusion types

Uma Revisão Sobre as Publicações de Sistemas de Detecção de Intrusão

O crescente registro de incidentes de segurança em redes de computadores tem motivado o desenvolvimento de estudos em detecção de intrusão, as principais técnicas de identificação de uma intrusão são baseadas em anomalias e assinaturas. Atualmente, a comunidade acadêmica explora preferencialmente pesquisas em redes baseadas em anomalias, entretanto, não existe um modelo comum de desenvolvimento destas propostas de modo que muitos autores descrevem, implementam e validam seus sistemas do modo heterogêneo. Neste artigo foi realizado uma pesquisa que investigou a produção científica de 112 publicações relacionadas a sistemas de detecção de intrusão. Alguns dos critérios utilizados para avaliação destes artigos foram fator de impacto, características de detecção utilizadas e a base de dados implementado. Os resultados obtidos demonstram que ocorreu um aumento da compreensão deste tema, entretanto futuros estudos serão necessários para explorar a validade dos novos métodos de avaliação em detecção de intrusão.

Improving intrusion detection systems using data mining techniques

Recent surveys and studies have shown that cyber-attacks have caused a lot of damage to organisations, governments, and individuals around the world. Although developments are constantly occurring in the computer security field, cyber-attacks still cause damage as they are developed and evolved by hackers. This research looked at some industrial challenges in the intrusion detection area. The research identified two main challenges; the first one is that signature-based intrusion detection systems such as SNORT lack the capability of detecting attacks with new signatures without human intervention. The other challenge is related to multi-stage attack detection, it has been found that signature-based is not efficient in this area. The novelty in this research is presented through developing methodologies tackling the mentioned challenges. The first challenge was handled by developing a multi-layer classification methodology. The first layer is based on decision tree, while the second layer is a hybrid module that uses two data mining techniques; neural network, and fuzzy logic. The second layer will try to detect new attacks in case the first one fails to detect. This system detects attacks with new signatures, and then updates the SNORT signature holder automatically, without any human intervention. The obtained results have shown that a high detection rate has been obtained with attacks having new signatures. However, it has been found that the false positive rate needs to be lowered. The second challenge was approached by evaluating IP information using fuzzy logic. This approach looks at the identity of participants in the traffic, rather than the sequence and contents of the traffic. The results have shown that this approach can help in predicting attacks at very early stages in some scenarios. However, it has been found that combining this approach with a different approach that looks at the sequence and contents of the traffic, such as event- correlation, will achieve a better performance than each approach individually

Developing an Advanced IPv6 Evasion Attack Detection Framework

Internet Protocol Version 6 (IPv6) is the most recent generation of Internet protocol. The transition from the current Internet Version 4 (IPv4) to IPv6 raised new issues and the most crucial issue is security vulnerabilities. Most vulnerabilities are common between IPv4 and IPv6, e.g. Evasion attack, Distributed Denial of Service (DDOS) and Fragmentation attack. According to the IPv6 RFC (Request for Comment) recommendations, there are potential attacks against various Operating Systems. Discrepancies between the behaviour of several Operating Systems can lead to Intrusion Detection System (IDS) evasion, Firewall evasion, Operating System fingerprint, Network Mapping, DoS/DDoS attack and Remote code execution attack. We investigated some of the security issues on IPv6 by reviewing existing solutions and methods and performed tests on two open source Network Intrusion Detection Systems (NIDSs) which are Snort and Suricata against some of IPv6 evasions and attack methods. The results show that both NIDSs are unable to detect most of the methods that are used to evade detection. This thesis presents a detection framework specifically developed for IPv6 network to detect evasion, insertion and DoS attacks when using IPv6 Extension Headers and Fragmentation. We implemented the proposed theoretical solution into a proposed framework for evaluation tests. To develop the framework, “dpkt” module is employed to capture and decode the packet. During the development phase, a bug on the module used to parse/decode packets has been found and a patch provided for the module to decode the IPv6 packet correctly. The standard unpack function included in the “ip6” section of the “dpkt” package follows extension headers which means following its parsing, one has no access to all the extension headers in their original order. By defining, a new field called all_extension_headers and adding each header to it before it is moved along allows us to have access to all the extension headers while keeping the original parse speed of the framework virtually untouched. The extra memory footprint from this is also negligible as it will be a linear fraction of the size of the whole set of packet. By decoding the packet, extracting data from packet and evaluating the data with user-defined value, the proposed framework is able to detect IPv6 Evasion, Insertion and DoS attacks. The proposed framework consists of four layers. The first layer captures the network traffic and passes it to second layer for packet decoding which is the most important part of the detection process. It is because, if NIDS could not decode and extract the packet content, it would not be able to pass correct information into the Detection Engine process for detection. Once the packet has been decoded by the decoding process, the decoded packet will be sent to the third layer which is the brain of the proposed solution to make a decision by evaluating the information with the defined value to see whether the packet is threatened or not. This layer is called the Detection Engine. Once the packet(s) has been examined by detection processes, the result will be sent to output layer. If the packet matches with a type or signature that system admin chose, it raises an alarm and automatically logs all details of the packet and saves it for system admin for further investigation. We evaluated the proposed framework and its subsequent process via numerous experiments. The results of these conclude that the proposed framework, called NOPO framework, is able to offer better detection in terms of accuracy, with a more accurate packet decoding process, and reduced resources usage compared to both exciting NIDs