1.0 INTRODUCTION
institutions at the present time, because all the intruders are trying in many
ways so that they can have successful access to the data network of these
via the Internet is reduced through the use of firewalls, encryption, etc.
either testing the security of the network, using the facility as a launching
etc. Intrusion Detection (ID) is the art of detecting intrusions and taking
network is to help computer systems to prepare and deal with the network
of computer network and network resources to access private data and also
to deploy attacks on systems is the top trending security issue. Hackers and
servers to create loopholes in the systems and to the data stored in the
network. This makes hackers difficult to detect in the network and, on the
other hand, gives them an easy passage to escape successfully and
unnoticed. Recent studies have shown that users migrating to the network
Distributed Denial of Service (DDoS) attack. Again, the network users may
themselves install and use vulnerable applications in their data centre which
system address into the interruption identification forms and improve
different sources within the computer systems and networks and compares
TYPES OF ATTACKS
attackers to find the path of the network when users do not use an encrypted
connection. Attackers grab information from the network; this kind of
2. Denial of Service (DoS) Attack: A denial of service attack is a network
attack intended to prevent authorized users from using the computer and its web
services. In this technique the attacker sends inoperative data
onto the network in order to generate traffic. Some DoS attacks exploit
limitations of the TCP/IP protocol, such as Ping of Death and Teardrop. In the
Ping of Death, the attacker sends IP packets larger than the maximum allowed 65,535 bytes (64 KB), and this
any information on the web. The attacker uses the public key of the user and
steals private information like credit card numbers, email addresses, etc.
5. Sniffer Attack: A sniffer is a device or function that captures data packets on
the network, and the attacker gets important information from them, such as
hijacking technique that hijacks the Domain Name Server and responds to the
user from a fake server. The user will not realize that the information it is
getting is not from the real DNS server but from the false server.
anomalous behaviour and misuse in a network. This concept has been around
for nearly twenty years but only recently has it seen a dramatic rise
Surveillance, the intrusion detection was born. Since then, several polar
information that could be valuable in tracking misuse and understanding of
misuse and specific user events emerged. In 1983, SRI International, and Dr.
new effort into intrusion detection system development. Their goal was to
profiles of users based upon their activities. One year later, Dr. Denning
helped to develop the first model for intrusion detection, the Intrusion
Detection Expert System (IDES), which provided the foundation for the IDS
commercial company, Haystack Labs, and released the latest generation of the
into the network. Because of these reasons the need for the development of
Every attack on a network can comfortably be placed into one of these
groupings.
machine, e.g. apache, smurf, neptune, ping of death, back, mail bomb,
b. Remote to User Attacks (R2L): A remote to user attack is an attack in
the hacker starts off on the system with a normal user account and
1.2 MOTIVATION
attacks, none of the present day stand-alone intrusion detection systems can
meet the high demands for a very high detection rate and an extremely low
false alarm rate. Also, most of the IDSs available in literature show distinct
1.3 CLASSIFICATION OF INTRUSION DETECTION
protocols.
violations.
1.3.1 DETECTION METHODS
baseline will identify what is "normal" for that network – what sort of
bandwidth is generally used and what protocols are used. It may, however,
raise a false-positive alarm for legitimate use of bandwidth if the baselines
control list, etc.) and other host activities and states. In a HIDS, sensors usually
5. Perimeter Intrusion Detection System: A PIDS detects and pinpoints the
Using either electronic or more advanced fibre optic cable technology fitted
alarm is triggered.
users, abuse and nefarious use of the shared infrastructure enable attackers
to exploit vulnerabilities of the virtual network system and use its resources
to deploy attacks in more efficient ways. Such attacks are more effective in
the virtual network system environment since virtual network system users
1. To prevent the vulnerable virtual machines from being compromised in
platform in a multi-disciplinary network.
attacks and gather information about the attacks, capture and inspect
1.8 LIMITATIONS
1. It is not uncommon for the number of real attacks to be so far below the
number of false alarms that the real attacks are often missed and ignored.
2. It cannot compensate for weak identification and authentication
4. Due to the nature of NIDS systems, and the need for them to analyse
Invalid data and TCP/IP stack attacks may cause an NIDS to crash.
processes. We must note that the design of NICE does not intend to improve
1.10 DEFINITION OF TERMS
system.
or points within the network to monitor traffic to and from all devices on
and matches the traffic that is passed on the subnets to the library of
3. Countermeasure Selection
controller.
4. Virtual Network Systems
5. Attack Graph
stage, multi-host attack paths that are crucial to understanding threats and
are not necessarily an active attack since normal protocol interactions can
A set of rules governing the format of data sent over the Internet or other
network.
7. Zombie
location.
CHAPTER TWO
console.
about the attacks as well as prevent the recurrence of the attacks. The
organization, keep a record of existing attacks and their threats and also
to prevent an individual from violating security policies. The work was
inspects suspicious cloud traffic. Various materials and methods were used
in order to accomplish the task, which include the attack graph, virtual
The need to have appropriate security and privacy solutions designed for
cloud computing and data sharing is what led to the initiation of the idea. To
Attack algorithm (SA) was used to achieve both control of requests and
attacker identification. The use of a similar setup for Virtual Machines in the
virtual machines on the network from being compromised is the reason for the
reduced the risk of the cloud system from being exploited and misused by
internal and external attackers. Cloud users usually have the rights to control
Service Level Agreement (SLA); this made it difficult to fix loopholes
by analyzing traffic on the network for signs of intruder’s activity. The need
systems technique that will prevent susceptible virtual machines from being
and methods such as an attack graph-based analytical model with reconfigurable
and Reconfiguration plan were used. NICE detects and minimizes attacks
users, total cloud traffic control is not possible, and total interference problems
Selection in India reviewed. The aim of the work is to initiate a system that
the cloud users and to set up a protection inside and out interruption
will scan the network for zombies or unauthorized access, to prevent the
cloud server from being compromised and to patch any loopholes that may
be found in the network. The need to keep vulnerable virtual machines from
The framework and security assessments show the proficiency and adequacy
of the proposed arrangement and NICE enhances the usage on cloud servers
their machines.
In James et al. (2016), Network Intrusion Detection and Countermeasure
attack, and Discrete Fourier Transform (DFT) were considered. The results
various network nodes in the form of frequency patterns. The system lacks
the work was to build a maintenance and control plane for distributed
and alleviate attack consequences. The objective of the framework is
server to capture and analyze cloud traffic and a novel attack graph approach
performance evaluation shows that the approach achieves the design security
less intrusive and cost-effective manner. The challenges faced ranged from
system to accurately detect the attacks and lower the effect of security
aim of this project is to prevent the vulnerable virtual machines from being
possible attacks, collect information about them and then try to stop their
avert these virtual machines from being compromised, brought about a
Selection in Wireless Sensor Network reported. The main aim of the work is
behavior and also suggests effective countermeasures, and reconfigurable
with Deceptive Virtual Hosts for Industrial Control Networks reported. The
applications and cloud services. The need to build a system that will monitor
and prevent the vulnerable virtual machines from being compromised in the
cloud server effectively and accurately prompted the idea initiation. Various
CHAPTER THREE
RESEARCH METHODOLOGY
3.1 Research Methodology
This study deals with the investigation of Network Intrusion Detection and
improving the quality of network usage, and in turn will provide an accurate
patterns.
DATA MINING TOOLS: These are tools that can be used for performing
data mining; these tools include MATLAB, Orange, Rapid Miner, WEKA,
SQL Server Data Tools, Apache Mahout, among others. For the purpose of
WEKA (Waikato Environment for Knowledge Analysis): WEKA tool is an
open source and easily available tool which has a wide range of available
algorithms for data mining tasks. The algorithms can be applied directly to a
dataset. Weka contains all features and methods that support data pre-
attack detection rate and prevent virtual machines from being compromised
in the network.
The project framework consists of the following steps - Problem Definition,
deriving results. The project objective was analyzed and the research
constraints. Based on the problem definition, data was collected. The data
from various classifiers were analyzed on the basis of the results generated
and their accuracy.
3.2 Constraints
This work thus enables one to apply data mining techniques to analyze large
constraints during the study was that this study is limited to web-based sites
of type: property portals, online shopping sites, search engines, email portals,
etc. The rationale for this limitation is the constraint of research time and
resource availability of empirical data from the network. However, with the
data set obtained, a study of network based investigations was carried out;
Hypothesis – Certain attributes pertaining to effect of
network usage.
data mining skills and data communication and networking skills. Thus the
techniques.
Dataset information was collected from those projects which are developed
After framing the objectives, the next stage was data collection. The data
that was collected came from various sources. Also the data was very large.
More than 1000 data packets were collected, with different attributes.
However, at this point it was necessary to determine the sample for the
population of the data. If too large, the results may not be consistent. If too
small, it may again not give proper and accurate results. For the purpose of
TCP/IP & HTTP, network security protocols such as HTTPS & SFTP and
network management protocols like SNMP & ICMP, as well as analysis and
performance prediction.
Dataset Attributes
Attribute  Type  Null  Default
spkts varchar(5) Yes NULL
dpkts varchar(5) Yes NULL
sbytes varchar(6) Yes NULL
dbytes varchar(6) Yes NULL
rate varchar(4) Yes NULL
sttl varchar(4) Yes NULL
dttl varchar(4) Yes NULL
sload varchar(5) Yes NULL
dload varchar(5) Yes NULL
sloss varchar(5) Yes NULL
dloss varchar(5) Yes NULL
sinpkt varchar(6) Yes NULL
dinpkt varchar(6) Yes NULL
sjit varchar(4) Yes NULL
djit varchar(4) Yes NULL
swin varchar(4) Yes NULL
stcpb varchar(5) Yes NULL
dtcpb varchar(5) Yes NULL
dwin varchar(4) Yes NULL
tcprtt varchar(6) Yes NULL
synack varchar(6) Yes NULL
ackdat varchar(6) Yes NULL
smean varchar(5) Yes NULL
dmean varchar(5) Yes NULL
trans_depth varchar(11) Yes NULL
response_body_len varchar(17) Yes NULL
ct_srv_src varchar(10) Yes NULL
ct_state_ttl varchar(12) Yes NULL
ct_dst_ltm varchar(10) Yes NULL
ct_src_dport_ltm varchar(16) Yes NULL
ct_dst_sport_ltm varchar(16) Yes NULL
ct_dst_src_ltm varchar(14) Yes NULL
is_ftp_login varchar(12) Yes NULL
ct_ftp_cmd varchar(10) Yes NULL
ct_flw_http_mthd varchar(16) Yes NULL
ct_src_ltm varchar(10) Yes NULL
ct_srv_dst varchar(10) Yes NULL
is_sm_ips_ports varchar(15) Yes NULL
g_output varchar(8) Yes NULL
The above-mentioned data attributes were taken into consideration during
Therefore, many were removed deliberately and a few were removed to ensure
unbiased conclusions.
The data has come from various sources as shown in data collection. After
the sample was selected, it was very necessary to integrate and normalize
Data pre-processing is the most crucial aspect in data mining. More than 30
attributes can be easily trimmed. This study has used Entropy Based
and unclear dataset. Entropy Based Discretization reduces the attributes and
also helps in improving the accuracy. Sampling of the data set should be done so as
to represent the entire data properly, removing only the redundant tuples.
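The discretization step above can be sketched in Python. This is a minimal, illustrative version (a single binary split on one numeric attribute; the values in the usage note are hypothetical), not the exact procedure run in the study:

```python
import math
from collections import Counter

def entropy(labels):
    """Shannon entropy (in bits) of a list of class labels."""
    n = len(labels)
    return -sum((c / n) * math.log2(c / n) for c in Counter(labels).values())

def best_cut(values, labels):
    """Cut point minimizing the weighted entropy of the two partitions -
    the core step of entropy-based discretization."""
    pairs = sorted(zip(values, labels))
    cut, best = None, float("inf")
    for i in range(1, len(pairs)):
        left = [lab for _, lab in pairs[:i]]
        right = [lab for _, lab in pairs[i:]]
        weighted = (len(left) * entropy(left) + len(right) * entropy(right)) / len(pairs)
        if weighted < best:
            cut, best = (pairs[i - 1][0] + pairs[i][0]) / 2, weighted
    return cut

def discretize(values, cut):
    """Map each numeric value to bucket 0 (below the cut) or 1 (otherwise)."""
    return [0 if v < cut else 1 for v in values]
```

For example, six hypothetical rate values [1, 2, 3, 10, 11, 12] labelled normal, normal, normal, attack, attack, attack split cleanly at 6.5, giving the binary column [0, 0, 0, 1, 1, 1].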
The approach for data pre-processing has been shown in Figure 3.2. As
shown in figure 3.2 it has been done in two phases. Firstly, unimportant and
insignificant attributes have been removed. This step is also called column
Identifying and eligibility attributes were not considered for the project
since the project work focused on finding those technical factors which
and normalized. Some were further removed since they were ranked very
column reduction was done. The final list of attributes that were taken for
data analysis is as shown in Table 3.2 above. The column reduction was
done through two methods i.e. Information Gain and Gain ratio in Weka
Therefore, they are also called splitting rules in forming decision trees.
The most important attribute comes as root and subsequently other attributes
can be used for data preprocessing too for column reduction i.e. reducing
unimportant attributes.
Two methods were taken for achieving the task. They were information gain
same concept. Also Gain Ratio which is used in CART (Classification and
discretization reduces data size effectively. It can be used for row reduction
Let D be the dataset. Let there be m class labels or output classes denoted
a) Information Gain
the splitting attribute for node N. The attribute which minimizes the
information needed to split the tuples and reflects the least randomness is
chosen.
Info(D) = − Σ_{i=1}^{m} p_i log2(p_i) ................ equ (3.1)
where the class label attribute has m distinct values. C_{i,D} is the set of tuples of
class Ci in D, and |D| and |C_{i,D}| denote the number of tuples in D and C_{i,D}. In
equation (3.1), pi is the probability that a tuple in D belongs to Ci and is
D whose outcome is aj. These partitions are also the branches from node N.
However, when splitting takes place a partition generally contains tuples from
other classes too; therefore, the partitions are generally impure. At this point,
we need a measure of the information (also called entropy) still required for the
classification. Info_A(D) is the expected information required to classify a tuple from D based on
the partitioning by A.
Info_A(D) = Σ_{j=1}^{v} (|Dj| / |D|) × Info(Dj) ---------- (equ 3.2)
where Info(Dj) = − Σ_{i=1}^{m} p_i log2(p_i) ---------- (equ 3.3)
Where pi is the probability that a tuple in D belongs to Ci, having attribute
value j.
The attribute with the highest gain is chosen as the splitting criterion at node N.
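Equations (3.1)–(3.3), together with Gain(A) = Info(D) − Info_A(D), can be sketched as follows; the attribute name `sttl` and the tuples in the usage note are illustrative, not drawn from the study's dataset:

```python
import math
from collections import Counter

def info(labels):
    """Info(D) = -sum over i of p_i * log2(p_i), as in equ (3.1)."""
    n = len(labels)
    return -sum((c / n) * math.log2(c / n) for c in Counter(labels).values())

def info_gain(rows, attr, labels):
    """Gain(A) = Info(D) - Info_A(D), where Info_A(D) is the expected
    information after partitioning D on attribute A, as in equ (3.2)."""
    n = len(labels)
    partitions = {}
    for row, label in zip(rows, labels):
        partitions.setdefault(row[attr], []).append(label)
    info_a = sum(len(p) / n * info(p) for p in partitions.values())
    return info(labels) - info_a
```

For four tuples in which a low `sttl` always means class yes and a high `sttl` always means class no, the partitions are pure, so the gain is the full 1 bit of Info(D).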
Information gain also gives the importance of attributes and is therefore a good
b) Gain Ratio
having that particular outcome or class label with respect to total number of
Gain Ratio(A) = Gain(A) / SplitInfo(A) --------------- (equ 3.6)
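Equation (3.6) can be sketched directly. SplitInfo(A) is taken here as the standard definition, the entropy of the attribute-value distribution itself, since its formula is not reproduced above:

```python
import math
from collections import Counter

def split_info(attr_values):
    """SplitInfo(A) = -sum over j of (|Dj|/|D|) * log2(|Dj|/|D|),
    computed over the partitions induced by attribute A's values."""
    n = len(attr_values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(attr_values).values())

def gain_ratio(gain, attr_values):
    """Gain Ratio(A) = Gain(A) / SplitInfo(A), as in equ (3.6)."""
    return gain / split_info(attr_values)
```

An attribute with two equally frequent values has SplitInfo = 1 bit, so its gain ratio equals its gain.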
is Histogram Analysis; in this method values are partitioned such that each
Information gain in the Weka tool gave an attribute ranking. Thereafter the
Thereby column reduction was achieved. This trims the data considerably
for analysis.
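The ranking-and-trimming step can be sketched in plain Python; this imitates the idea of Weka's information-gain attribute ranking, with illustrative column names and values:

```python
import math
from collections import Counter

def _info(labels):
    """Entropy of a list of class labels, in bits."""
    n = len(labels)
    return -sum((c / n) * math.log2(c / n) for c in Counter(labels).values())

def rank_attributes(table, target):
    """Rank columns of `table` (column name -> list of values) by their
    information gain against the `target` labels, highest gain first."""
    n = len(target)
    gains = {}
    for name, column in table.items():
        parts = {}
        for value, label in zip(column, target):
            parts.setdefault(value, []).append(label)
        gains[name] = _info(target) - sum(len(p) / n * _info(p) for p in parts.values())
    return sorted(gains, key=gains.get, reverse=True)

def trim_columns(table, target, keep):
    """Column reduction: keep only the `keep` highest-ranked attributes."""
    kept = rank_attributes(table, target)[:keep]
    return {name: table[name] for name in kept}
```

A column that perfectly separates the classes ranks above one that is independent of them, and `trim_columns` then drops the low-ranked column.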
Data mining has a large collection of methods for mining knowledge. It
Considering the data type for this study, it was most appropriate to apply a
supervised learning method since the output class labels were available, as
seen in the data. Therefore, in this study the main focus was on
3.5.1 Classification
Bayesian classification and decision trees are used since decision trees are
easy to interpret and understand, and they also give rules which act as the
test on an attribute and each leaf holds the class label. The most popular
decision trees are ID3 (Iterative Dichotomiser 3), CART (Classification and
many cases the model is chosen on the basis of detection theory to try to
prediction using historical data. Predictive models have the specific aim of
classes are determined by examining the data by an expert or many experts of
that domain.
likelihood of a property given the set of data as input also called evidence.
probabilities are descriptive and are then used to predict the class
membership for a target tuple with certain values of the attributes. Therefore
Naive Bayes has been used in many real-time experiments for prediction.
uncertainty. It reveals the patterns in the data which illustrate the high
probability factors or also called reasons. It has been used for predicting
bugs (Fenton et al., 2008). It has also been used for finding the location of
fault in an electric power delivery system based on the database provided.
The bayesian network could classify the fault and non-fault depending on
The Bayesian decision making refers to choosing the most likely class,
explained below:
probability p(Ci) and P (X/Ci) which denotes the prior probability that the
probability of obtaining attribute values X given the sample is from Ci. Our
D: set of tuples
Each tuple is a d-dimensional attribute vector
X: (x1, x2, x3, …, xd)
Let there be k classes: C1, C2, C3, …, Ck
If there are d attributes or features and k classes, then the probability that a
sample with attribute values X belongs to class Ci is:
P(Ci | x1, …, xd) = P(Ci) P(x1|Ci) ⋯ P(xd|Ci) / Σ_{j=1}^{k} P(Cj) P(x1|Cj) ⋯ P(xd|Cj) ...... (equ 3.9)
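Once the priors P(Ci) and the per-attribute likelihoods P(xj|Ci) have been estimated from the training tuples, equation (3.9) can be evaluated directly. A minimal sketch, with illustrative class names and probabilities:

```python
def posterior(priors, likelihoods, x):
    """P(Ci | x1,...,xd) per equ (3.9): the prior times the product of the
    per-attribute likelihoods, normalized over all k classes.
    `likelihoods[c][j]` maps attribute j's value to P(xj | c)."""
    scores = {}
    for c, prior in priors.items():
        score = prior
        for j, value in enumerate(x):
            score *= likelihoods[c][j].get(value, 0.0)
        scores[c] = score
    total = sum(scores.values())
    return {c: s / total for c, s in scores.items()}
```

With equal priors and a single attribute whose value is four times as likely under class yes as under class no, the posterior for yes is 0.8.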
derived equation assuming class independence is given by equations 3.11
and 3.12.
Here, X is the vector related to the project personnel having d attributes with
values x1, x2, …, xd. Also the output classes are: C1 - good, C2 - average and C3-
Firstly, the experiment was conducted using a small dataset and using Bayes
toolkit was used to continue the experiments and validate the results of
Bayes classification.
The algorithms used for classification in this project are ID3 and CART.
Under the "Test options", the 10-fold cross-validation is selected for the
model. The model is generated in the form of decision tree as shown in the
following chapter. These predictive models provide an analytical way for
performance analysis.
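The 10-fold cross-validation test option holds out each of ten folds in turn, trains on the other nine, and averages the held-out accuracy. A classifier-agnostic sketch (the fold layout here is contiguous for simplicity, unlike Weka's stratified, randomized folds; the majority-class baseline in the usage note is illustrative):

```python
def k_fold_indices(n, k=10):
    """Split indices 0..n-1 into k near-equal contiguous folds."""
    folds, start = [], 0
    for i in range(k):
        size = n // k + (1 if i < n % k else 0)
        folds.append(list(range(start, start + size)))
        start += size
    return folds

def cross_validate(X, y, train_fn, predict_fn, k=10):
    """Average held-out accuracy over k folds: train on k-1 folds,
    test on the remaining one, repeat for every fold."""
    accuracies = []
    for fold in k_fold_indices(len(y), k):
        held_out = set(fold)
        X_train = [x for i, x in enumerate(X) if i not in held_out]
        y_train = [lab for i, lab in enumerate(y) if i not in held_out]
        model = train_fn(X_train, y_train)
        correct = sum(predict_fn(model, X[i]) == y[i] for i in fold)
        accuracies.append(correct / len(fold))
    return sum(accuracies) / k
```

Any learner can be plugged in through `train_fn`/`predict_fn`; for instance, a majority-class baseline is `train_fn = lambda X, y: max(set(y), key=y.count)` with `predict_fn = lambda model, x: model`.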
CHAPTER FOUR
4.1 Introduction
possible states. The buckets themselves are treated as ordered and discrete
values. Both numeric and string values can be discretized. There are various
For our data discretization, the clustering analysis technique was used. Below is
Dataset: sample of the discretized dataset, in which each row is one network record encoded as binary (0/1) values of the attributes spkts, dpkts, sbytes, dbytes, rate, sttl, dttl, sload, dload, sloss, dloss, sinpkt, dinpkt, sjit, djit, swin, stcpb, dtcpb, dwin, tcprtt, synack, ackdat, smean, dmean, trans_depth, response_body_len, ct_srv_src, ct_state_ttl, ct_dst_ltm, ct_src_dport_ltm, ct_dst_sport_ltm, ct_dst_src_ltm, is_ftp_login, ct_ftp_cmd, ct_flw_http_mthd, ct_src_ltm, ct_srv_dst, is_sm_ips_ports and the g_output class label.
value of the attribute, which is the entropy of the distribution before the split
minus the entropy of the distribution after it. The largest information gain is
information in bits;
− Σ_{i=1}^{n} p_i log2(p_i)
entropy(p1, p2, …, pn) = − p1 log(p1) − p2 log(p2) − ⋯ − pn log(pn)
Information Gain formula:
Gain(S, A) = H(S) − Σ_{v ∈ Values(A)} (|Sv| / |S|) × H(Sv)
In order to assess the gain ratio information, the Process button is clicked and
The above interface describes the three different attributes, which are: Info(D),
Split Info and Gain Ratio. These attributes evaluate different packets in
Fig. 4: Evaluation on training set on Weka
Summary
Root relative squared error 94.7293 %
Confusion Matrix
TP Rate FP Rate Precision Recall F-Measure MCC ROC Area PRC Area Class
Weighted Avg. 0.820 0.560 0.798 0.820 0.805 0.308 0.773 0.845
a   b   <-- classified as
76 6 | a = yes
12 6 | b = No
The above interface shows the visualized classification error, which is based
Fig. 6: Margin Curve
The margin curve generates points illustrating the prediction margin. The
curve is defined as the difference between the probability predicted for the
actual class and the highest probability predicted for the other classes. The
margin curve illustrates how increasing the margin on the training data gives a better
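That per-instance quantity can be computed directly from the definition above; a sketch with illustrative class probabilities:

```python
def prediction_margin(probs, actual):
    """Margin = probability predicted for the actual class minus the
    highest probability predicted for any other class."""
    return probs[actual] - max(p for c, p in probs.items() if c != actual)

def margin_curve_points(predictions):
    """Sorted per-instance margins - the points the margin curve plots.
    `predictions` is a list of (class -> probability, actual class) pairs."""
    return sorted(prediction_margin(probs, actual) for probs, actual in predictions)
```

A confidently correct prediction yields a margin near +1, and a confidently wrong one a margin near −1.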
4.4 NIDPS Performance Analysis mode (Sniffer mode)
Here, Snort NIDPS has been configured in Analysis or Sniffer mode. The
following metrics were recorded: the number of packets received of the total
packets sent; the number of packets analyzed of the total packets received;
the number of packets dropped of the total packets received. The results are
given in the following sections.
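The three metrics reduce to simple ratios over the packet counters; a sketch (the packet counts in the usage note are illustrative, not the recorded Snort results):

```python
def sniffer_metrics(sent, received, analyzed, dropped):
    """Percentages a sniffer-mode run reports: packets received of the
    total sent, analyzed of the received, dropped of the received."""
    return {
        "received_pct": 100.0 * received / sent,
        "analyzed_pct": 100.0 * analyzed / received,
        "dropped_pct": 100.0 * dropped / received,
    }
```

For example, 200 packets sent and received, with 180 analyzed and 20 dropped, gives 100% received, 90% analyzed and 10% dropped.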
Attribute Graph: plot of the values of the dataset attributes (spkts, dpkts, sbytes, dbytes, rate, sttl, dttl, sload, dload, sloss, dloss, sinpkt, dinpkt, sjit, djit, swin, stcpb, dtcpb, dwin, tcprtt, synack, ackdat, smean, dmean, trans_depth, response_body_len, ct_srv_src, ct_state_ttl, ct_dst_ltm, ct_src_dport_ltm, ct_dst_sport_ltm, ct_dst_src_ltm, is_ftp_login, ct_ftp_cmd, ct_flw_http_mthd, ct_src_ltm, ct_srv_dst, is_sm_ips_ports) over samples 1-100, with the y-axis ranging from 0 to 20.
Figure 8: Dataset Table Sample
The above figure shows the discretized dataset used as a sample in the
Weka environment.
Use the confusion matrix plot to understand how the currently selected
click Confusion Matrix. The confusion matrix helps you identify the areas
When you open the plot, the rows show the true class, and the columns show
the predicted class. The diagonal cells show where the true class and
predicted class match. If these cells are green and display high percentages,
the classifier has performed well and classified observations of this true class
correctly.
The default view shows summaries per true class in the last two columns on
the right.
Using the dataset, the top row shows the true positives of the first class with
true class prediction. The columns show the predicted classes. In the top row,
83% of the points of the first class are correctly classified, so 83% is the
true positive rate for correctly classified points in this class, shown in the green cell in
per predicted class (instead of true class) to investigate false discovery rates.
To see results per predicted class, under Plot, select the Positive Predictive
Values False Discovery Rates option. The confusion matrix now shows
summary rows underneath the table. Positive predictive values are shown in
green for the correctly predicted points in each class, and false discovery
rates are shown below in red for the incorrectly predicted points in each
class.
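These summary rates can be reproduced directly from the confusion matrix reported earlier (76, 6 / 12, 6), with rows as true classes and columns as predicted classes. A sketch:

```python
def confusion_rates(cm, classes):
    """Per-class recall (TP rate) and precision from a confusion matrix
    whose rows are true classes and columns are predicted classes,
    plus support-weighted averages."""
    n = sum(sum(row) for row in cm)
    per_class = {}
    for i, c in enumerate(classes):
        tp = cm[i][i]
        support = sum(cm[i])                   # all true members of class c
        predicted = sum(row[i] for row in cm)  # all points predicted as c
        per_class[c] = {
            "recall": tp / support,
            "precision": tp / predicted if predicted else 0.0,
            "support": support,
        }
    w_precision = sum(v["precision"] * v["support"] for v in per_class.values()) / n
    w_recall = sum(v["recall"] * v["support"] for v in per_class.values()) / n
    return per_class, w_precision, w_recall
```

Applied to [[76, 6], [12, 6]], this yields a weighted recall of 0.820 and a weighted precision of about 0.798, matching the weighted-average summary row reported above.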
If you decide there are too many misclassified points in the classes of
better model.
CHAPTER FIVE
SUMMARY, CONCLUSION AND RECOMMENDATION
5.0 SUMMARY
benefits in terms of low cost and accessibility of data. Ensuring the security
network often store sensitive information with network storage providers but
evaluation demonstrates the feasibility of NICE and shows that the proposed
solution can significantly reduce the risk of the network system being
5.1 CONCLUSION
in the virtual networking environment. NICE uses the attack graph model to
conduct attack detection and prediction. It investigates how to use the
attacks. NICE utilizes the attack graph model to conduct attack detection and
prediction.
1. NICE will improve the attack detection probability and improve the
2. NICE employs a novel attack graph approach for attack detection and
countermeasures.
5.2 RECOMMENDATION
network and monitors activity. Such a system places very little overhead on
the network because it only watches your network traffic and sends alerts if
it detects anything abnormal within the network and as well counter attack
devices that are virtually undetectable by hackers but they are not perfect.
The NICE framework can be used in any organization or institution,
This can be used not only for monitoring but also for controlling any
administrator.
REFERENCES
Ayesha, A. (2015). Network Intrusion Detection and Countermeasure Selection:
James, D., Maxwell, C., and Griffith, S. (2016). Network Intrusion Detection and
Issue 3.
Pinki, K., and Avni, K. (2016). Network Intrusion Detection and Countermeasure
Pure and Applied Mathematics, Volume 117, No. 19, ISSN: 1314-3395.
3.
Tejashree, A., Raksha, S., Gayatri, D., and Monika, V. (2015). Secure Network
Vikram, K., Anitha, B., Padmavathi, G., and Sravani, D. (2016). Network Intrusion
Vipin, S., and Himanshu, A. (2015). Network Intrusion Detection using Feature