ABSTRACT
Intrusion detection systems are gaining ground in the field of network security, and new ideas and concepts keep surfacing as the intrusion detection process matures. The aim of this research is to examine the time-based model of the packet header anomaly detection system (PHAD) and to introduce a modified PHAD time-based model such that, when a novel value r is observed, the probability that the novel value occurs exactly once during the testing session is r/2; the anomaly score becomes Psc = tn/2r in place of PHAD's Psc = tn/r. The 1999 DARPA intrusion detection system evaluation data set was used to train the model and to analyse its performance. On the 1999 Defense Advanced Research Projects Agency (DARPA) evaluation data sets, the modified PHAD time-based model detected 31 of the 201 attacks at a threshold of 1000 false alarms after training the model for 300 seconds.
Keywords: Network Security, Intrusion detection
system, Anomaly detection Model.
INTRODUCTION
RELATED WORKS
A network anomaly detection system such as the Next-generation Intrusion Detection Expert System (NIDES) is a statistical model that learns normal network traffic and flags any deviation from that model. NIDES uses a frequency-based model in which the probability of an event is estimated by its average frequency during training. The model is based on the distribution of source and destination IP addresses and ports per transaction. NIDES models ports and addresses, and
www.ijsret.org
1143
International Journal of Scientific Research Engineering & Technology (IJSRET), ISSN 2278 0882
Volume 3, Issue 8, November 2014
2.2 PHAD
PHAD is an anomaly detection system that learns the normal ranges of values for each packet header field at the data link (Ethernet), network (Internet Protocol (IP)) and transport/control layers (Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP)) [12]. PHAD has two features that distinguish it from conventional network-based anomaly detection systems. Firstly, it models protocols rather than user behaviour, which allows it to detect two of the four attack categories described by Kendall (1998) [16]. Secondly, it uses a time-based model, which assumes that network statistics can change rapidly within a short period of time. When a series of recurring anomalies is detected, PHAD flags only the first anomaly as an alert; this regulates the flood of alarms that a burst of anomalous events would otherwise cause [17]. PHAD uses only syntactic knowledge to parse the header into fields and then determines which fields are important; it models Ethernet, IP, TCP, UDP and ICMP packet header fields without distinguishing incoming from outgoing traffic [18]. PHAD examines 33 packet header fields, each 1 to 4 bytes wide. Fields smaller than 8 bits (such as the TCP flags) are grouped into a single byte field, while fields larger than 4 bytes (such as the 6-byte Ethernet addresses) are split. The attributes are drawn from the Ethernet, IP, TCP, UDP and ICMP headers [16].
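As an added illustration of the field split just described (an editor's example, not code from the paper or from PHAD itself), the following Python cuts a raw Ethernet frame into PHAD-style 1- to 4-byte fields: sub-byte fields stay packed in one byte and the 6-byte MAC addresses are split into two 3-byte halves. The field names, the exact 33-field breakdown and the sample frames are this editor's assumptions.

```python
"""PHAD-style header field extraction (editor's example, not the paper's
code).  A raw Ethernet frame is cut into the fixed 1- to 4-byte fields a
PHAD-like model would learn ranges for.  Field names and the 33-field
split are an assumption about PHAD; the sample frames are constructed."""
import struct
from collections import OrderedDict

ETHERTYPE_IP = 0x0800
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def phad_fields(frame: bytes) -> "OrderedDict[str, int]":
    """Map a raw frame to header fields (name -> unsigned integer).

    Only the fields present in this packet are returned: a TCP packet
    yields 26 fields, a UDP packet 20, an ICMP packet 19; across the three
    transport protocols there are 33 distinct fields."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    f = OrderedDict()
    f["ether_size"] = len(frame)
    f["ether_dst_hi"] = int.from_bytes(frame[0:3], "big")   # 6-byte MAC split
    f["ether_dst_lo"] = int.from_bytes(frame[3:6], "big")   # into two 3-byte
    f["ether_src_hi"] = int.from_bytes(frame[6:9], "big")   # fields
    f["ether_src_lo"] = int.from_bytes(frame[9:12], "big")
    f["ether_proto"] = int.from_bytes(frame[12:14], "big")
    if f["ether_proto"] != ETHERTYPE_IP:
        return f                                            # non-IP: Ethernet only
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IP header")
    (vhl, tos, length, ident, frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBHII", ip[:20])
    # version (4 bits) and IHL (4 bits) stay grouped in the single byte vhl
    f.update(ip_hl=vhl, ip_tos=tos, ip_len=length, ip_id=ident, ip_frag=frag,
             ip_ttl=ttl, ip_proto=proto, ip_csum=csum, ip_src=src, ip_dst=dst)
    payload = ip[(vhl & 0x0F) * 4:]                         # skip IP options
    if proto == IPPROTO_TCP and len(payload) >= 20:
        (sport, dport, seq, ack, off, flags, win,
         tcsum, urg) = struct.unpack("!HHIIBBHHH", payload[:20])
        opts = payload[20:24].ljust(4, b"\0")               # first 4 option bytes
        f.update(tcp_sport=sport, tcp_dport=dport, tcp_seq=seq, tcp_ack=ack,
                 tcp_hl=off, tcp_flags=flags, tcp_window=win, tcp_csum=tcsum,
                 tcp_urg=urg, tcp_options=int.from_bytes(opts, "big"))
    elif proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport, ulen, ucsum = struct.unpack("!HHHH", payload[:8])
        f.update(udp_sport=sport, udp_dport=dport, udp_len=ulen, udp_csum=ucsum)
    elif proto == IPPROTO_ICMP and len(payload) >= 4:
        itype, icode, icsum = struct.unpack("!BBH", payload[:4])
        f.update(icmp_type=itype, icmp_code=icode, icmp_csum=icsum)
    return f


ETH = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"


def _ip(proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 header 10.0.0.1 -> 10.0.0.2, checksum left as 0."""
    return struct.pack("!BBHHHBBHII", 0x45, 0, 20 + len(payload), 0x1234,
                       0x4000, 64, proto, 0, 0x0A000001, 0x0A000002)


def sample_tcp_syn_frame() -> bytes:
    """Constructed sample: TCP SYN 40000 -> 80 with an MSS option."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 6 << 4, 0x02, 65535, 0, 0)
    tcp += bytes.fromhex("020405b4")                        # MSS = 1460
    return ETH + _ip(IPPROTO_TCP, tcp) + tcp


def sample_udp_frame() -> bytes:
    """Constructed sample: UDP 53000 -> 53 with 4 bytes of payload."""
    udp = struct.pack("!HHHH", 53000, 53, 12, 0) + b"\0" * 4
    return ETH + _ip(IPPROTO_UDP, udp) + udp


def sample_icmp_echo_frame() -> bytes:
    """Constructed sample: ICMP echo request with 8 bytes of payload."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"\0" * 8
    return ETH + _ip(IPPROTO_ICMP, icmp) + icmp


if __name__ == "__main__":
    for name, value in phad_fields(sample_tcp_syn_frame()).items():
        print(f"{name:14s} {value:#x}")
```

Running the module prints the 26 fields of the SYN sample; the union of the TCP, UDP and ICMP field names is the 33-field set the text refers to.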
2.1 Data Source
The experiments were performed using the 1999 DARPA Intrusion Detection Evaluation off-line data sets from the Massachusetts Institute of Technology Lincoln Laboratory (http://www.ll.mit.edu/IST/ideval/). These data were used to configure the models and train the free parameters. The week 3 attack-free inside sniffer data, which contains 7 days of traffic (2.5 GB of tcpdump files), was downloaded to train the packet header anomaly detection system. To test the anomaly detection system, the week 4 and week 5 inside sniffer data sets, which contain 201 attacks, were also downloaded. The week 4 day 2 data is missing, which reduces the number of attacks available in the data sets to 183. The inside sniffer traffic was chosen for these experiments because the inside data contains evidence of attacks from both inside and outside the network [12].
EVALUATION PROGRAM
EXPERIMENTAL SET-UP
[Figure: experimental set-up, with blocks labelled PHAD time model, .sim file, DARPA week 4 & 5 inside sniffer network traffic, and Eval program.]
EXPERIMENTAL RESULTS

Table: attacks detected (detected/total) by data set, by attack category, and for the new and stealthy attacks. W45 = all attacks in weeks 4 and 5; IT/OT = attacks visible in the inside/outside tcpdump data; BSM = Solaris BSM audit data; NT = Windows NT audit data; FS = file system dumps; Pascal, Hume, Zeno and Marx = individual victim hosts; W2 = week 2.

Data set  All     Probe  DOS    R2L   U2R   Data  New    Stealthy
W45       31/201  6/37   16/65  5/56  3/37  2/16  11/62  5/36
IT        27/177  4/34   16/60  5/54  2/27  0/7   7/52   3/30
OT        21/151  5/32   11/44  3/46  2/26  0/11  4/38   2/23
BSM       3/38    0/1    1/12   0/10  1/11  1/6   1/8    1/6
NT        6/33    1/3    2/7    1/10  2/12  1/4   4/26   0/0
FS        28/189  6/37   15/62  5/56  2/31  0/11  9/54   5/34
Pascal    7/55    2/8    3/20   0/12  1/11  1/6   1/11   1/9
Hume      8/48    2/7    3/15   1/12  2/13  1/5   4/31   0/2
Zeno      5/22    1/7    4/9    0/3   0/3   0/1   0/2    0/6

Rows Marx, Poor and W2, as extracted (column order not recoverable): Marx 0/2; Poor 1/7; W2 0/3; 6/44 1/6 2/11 2/10 10/72 1/21 7/38 3/29 0/43 0/9 0/0 0/0 3/17 2/18 0/2 4/17 4/15 1/18 0/6 0/12 0/13
[Table of packet header fields that contributed to detections and the attacks each detected (caption and field-to-attack alignment not recovered). Field names recovered: TCP urgent pointer, UDP checksum, TCP options, TCP checksum. Attack lists recovered, in the order extracted: queso(1); crashiis(1), snmpget(2), portsweep(1); ntinfoscan(1), queso(1), guesstelnet; casesen(1), ncftp(2), ntfsdos(1), secret(1), warezclient(1); teardrop(3), pod(3); dosnuke(1), portsweep(1), ps(1); smurf(1); dosnuke(2), insidesniffer(1); udpstorm(2); mailbomb(1), processtable(1); insidesniffer(1).]

6.2 Categories of Attacks Detected
Table 4 lists the attacks detected in the 1999 Lincoln Labs IDS Evaluation data by category, according to the Kendall (1998) [13] taxonomy of attacks.

Table 4: Categories of attacks detected in 1999 Lincoln Labs IDS Evaluation data

Probe             DoS               U2R          R2L
queso(1)          crashiis(1)       casesen(1)   guesstelnet(1)
insidesniffer(2)  dosnuke(3)        ntfsdos(1)   ncftp(2)
ntinfoscan(1)     mailbomb(1)       ps(1)        snmpget(2)
portsweep(2)      processtable(1)                warezclient(1)
                  teardrop(3)
                  pod(3)
                  smurf(1)
                  udpstorm(2)

Table 5: Percentage of attack categories that contributed to the detection

Attack category   Total no. of attacks   % contribution
Probe             6                      20
DoS               16                     53.33
U2R               3                      10
R2L               5                      16.67
[Table: row labels and the first column header were lost in extraction; the surviving header fragment reads "... of". The two columns compare the original score Psc = tn/r with the modified score Psc = tn/2r.]

Psc = tn/r   Psc = tn/2r
994          1506
995          1503
995          1503
995          1503
995          1503
995          1503
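To make the two scores concrete, the following Python implements the time-based model of Section 2.2 with the original score Psc = tn/r and the paper's variant Psc = tn/2r side by side. This is an added example by the editor, not the paper's or PHAD's code; the training stream, the test packets and the score thresholds used in the demonstration are constructed assumptions, not DARPA data.

```python
"""PHAD time-based scoring (editor's example, not the paper's code).  For
each header field the model keeps the set of values seen in training,
n = number of training packets carrying the field and r = number of distinct
values seen (the field's anomaly count during training).  At test time a
value outside the training set scores t * n / (k * r), where t is the time
since that field's last anomaly: k = 1 is PHAD's Psc = tn/r, k = 2 is the
paper's Psc = tn/2r.  A packet's score is the sum over its anomalous fields.
The training stream and test packets below are constructed."""
from collections import defaultdict


class TimeBasedPHAD:
    def __init__(self, k: int = 1):
        self.k = k                          # divisor: 1 -> tn/r, 2 -> tn/2r
        self.values = defaultdict(set)      # field -> values seen in training
        self.n = defaultdict(int)           # field -> training packets with the field
        self.r = defaultdict(int)           # field -> distinct values (anomalies)
        self.last_anomaly = {}              # field -> time of last novel value

    def train(self, fields: dict, now: float) -> None:
        for name, v in fields.items():
            self.n[name] += 1
            if v not in self.values[name]:  # novel during training: extend model
                self.values[name].add(v)
                self.r[name] += 1
                self.last_anomaly[name] = now

    def score(self, fields: dict, now: float) -> tuple:
        """Score one test packet; returns (total, {field: contribution}).

        The value sets are frozen after training; only the anomaly timestamp
        moves, so a burst of the same novel value scores high once and then
        near zero, which is how PHAD reports only the first of a run."""
        total, parts = 0.0, {}
        for name, v in fields.items():
            if name not in self.values or v in self.values[name]:
                continue
            t = now - self.last_anomaly[name]
            parts[name] = t * self.n[name] / (self.k * self.r[name])
            total += parts[name]
            self.last_anomaly[name] = now
        return total, parts


def training_stream() -> list:
    """Constructed training data: 1000 packets, one per second, cycling three
    TCP flag bytes and two TTLs (so r = 3 and r = 2 respectively)."""
    flags, ttls = [0x02, 0x10, 0x18], [64, 128]
    return [({"tcp_flags": flags[i % 3], "ip_ttl": ttls[i % 2]}, float(i))
            for i in range(1000)]


def burst_scores(k: int) -> list:
    """Train, then score two back-to-back test packets carrying a flag byte
    never seen in training (FIN|PSH|URG = 0x29) and a known TTL."""
    model = TimeBasedPHAD(k)
    for fields, ts in training_stream():
        model.train(fields, ts)
    probe = {"tcp_flags": 0x29, "ip_ttl": 64}
    return [model.score(probe, 1300.0)[0], model.score(probe, 1301.0)[0]]


def alerts(k: int, threshold: float) -> list:
    """Indices of the burst packets that would be reported at `threshold`."""
    return [i for i, s in enumerate(burst_scores(k)) if s >= threshold]


if __name__ == "__main__":
    for k in (1, 2):
        print(f"k={k}: scores {burst_scores(k)}, alerted {alerts(k, 1000.0)}")
```

With this stream the first novel packet scores t = 1298 seconds after the field's last training anomaly, so tn/r = 1298 * 1000 / 3; the second packet one second later scores 1000 / 3, which is why only the first of a burst crosses a fixed threshold. The tn/2r variant halves every score, so at a given threshold it can only report a subset of what tn/r reports.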
CONCLUSION