Categories of Intrusion Detection System
The expansion of web usage has led to a demand for increased security to protect the digital infrastructure from different security attacks. These attacks on the network enable illegal activities such as unauthorized access, activity or file modification, and compromise the main goals of security: authenticity, integrity and availability of the network. Broadly, intrusion detection systems fall into two categories: host-based intrusion detection systems and network-based intrusion detection systems. With the tremendous growth in network-based services, network security has become one of the most important concerns today. To identify different attacks and maintain a secure network, the anomaly-based network intrusion detection technique is used to detect new attacks [1]. Several different techniques are used in anomaly-based detection, such as statistical-based, knowledge-based and machine learning-based methods. Improving their performance remains a challenge, because the methods depend on the characteristics of the existing network data. NIDS are installed at key points on the network to check traffic to and from all hosts on the network. This report consists of the project background, the research questions and the requirements of the project.
A Network Intrusion Detection System detects intrusions by monitoring network traffic regularly, where a network intrusion is the exploitation of flaws or features in software to gain unauthorized access to a system [2]. Problems such as uncommon traffic in a network and the variety of attacks on the network can be analysed by an intrusion detection system; our project research covers the anomaly-based network intrusion detection system, in which both known and unknown attacks are noticed as anomalous behaviour. To identify attacks, the network intrusion detection system must adapt to dynamic network environments and keep its versions updated. In our system Wireshark will be used for packet capture, and two datasets will be used to identify malware: one dataset containing malware traffic and one containing clean data, that is, traffic with no malware; a data mining technique will be adopted. Classification techniques will be assessed using standard evaluation measures. Snort will be used for further implementation. Statistical techniques can be applied to features such as packet length and timing. The main challenge of the project is adapting the machine learning tools.
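As an added example (not code from the original report), the following Python script shows the statistical anomaly technique and the standard evaluation described above: a normal profile (mean and standard deviation of packet length and inter-arrival time) is built from a clean dataset, a mixed dataset is scored against it, and accuracy, precision, recall and false alarm rate are computed from the confusion matrix. Both datasets are constructed inline rather than captured with Wireshark; the `Packet` record, the choice of features and the threshold of 4.0 are assumptions made for the illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Packet:
    ts_ms: int        # capture timestamp in milliseconds (constructed, not from a real capture)
    length: int       # frame length in bytes
    malicious: bool   # ground-truth label, used only for evaluation


def features(packets):
    """(packet, length, inter-arrival gap) for each packet after the first.

    The first packet has no predecessor, hence no inter-arrival time, so it is skipped.
    """
    return [(cur, cur.length, cur.ts_ms - prev.ts_ms)
            for prev, cur in zip(packets, packets[1:])]


def build_profile(clean_packets):
    """Normal profile: mean and standard deviation of each feature on clean traffic."""
    feats = features(clean_packets)
    lengths = [length for _, length, _ in feats]
    gaps = [gap for _, _, gap in feats]
    # a constant feature would give a zero deviation; fall back to 1 to avoid dividing by zero
    return {"length": (mean(lengths), pstdev(lengths) or 1.0),
            "gap": (mean(gaps), pstdev(gaps) or 1.0)}


def anomaly_score(profile, length, gap):
    """Sum of absolute z-scores: how far one packet lies from the normal profile."""
    mu_len, sd_len = profile["length"]
    mu_gap, sd_gap = profile["gap"]
    return abs(length - mu_len) / sd_len + abs(gap - mu_gap) / sd_gap


def evaluate(profile, packets, threshold):
    """Flag packets scoring above the threshold and compute the standard metrics."""
    tp = fp = tn = fn = 0
    for pkt, length, gap in features(packets):
        flagged = anomaly_score(profile, length, gap) > threshold
        if flagged and pkt.malicious:
            tp += 1
        elif flagged:
            fp += 1          # false alarm
        elif pkt.malicious:
            fn += 1          # missed attack
        else:
            tn += 1
    total = tp + fp + tn + fn
    return {"tp": tp, "fp": fp, "tn": tn, "fn": fn,
            "accuracy": (tp + tn) / total,
            "precision": tp / (tp + fp) if tp + fp else 0.0,
            "recall": tp / (tp + fn) if tp + fn else 0.0,
            "false_alarm_rate": fp / (fp + tn) if fp + tn else 0.0}


LENGTH_CYCLE = (60, 70, 80, 70)      # bytes; mean 70
GAP_CYCLE = (80, 100, 120, 100)      # milliseconds; mean 100


def normal_packets(count, ts_ms):
    """Constructed clean traffic: small packets at a steady pace starting at ts_ms."""
    packets = []
    for i in range(count):
        packets.append(Packet(ts_ms, LENGTH_CYCLE[i % 4], False))
        ts_ms += GAP_CYCLE[i % 4]
    return packets, ts_ms


def make_clean_dataset():
    """Constructed dataset with no malware, used to build the normal profile."""
    return normal_packets(21, 0)[0]


def make_mixed_dataset():
    """Constructed test traffic: normal packets, a burst of large fast packets labelled
    malicious, then normal packets again."""
    packets, ts_ms = normal_packets(10, 0)
    for _ in range(5):
        packets.append(Packet(ts_ms, 1400, True))
        ts_ms += 5
    tail, _ = normal_packets(10, ts_ms)
    return packets + tail


def run_example(threshold=4.0):
    """Build the profile on clean data and evaluate the detector on the mixed data."""
    profile = build_profile(make_clean_dataset())
    return evaluate(profile, make_mixed_dataset(), threshold)


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name}: {value}")
```

Calling `run_example()` returns the confusion counts and metrics. The burst of large, closely spaced packets is caught on packet length alone; the single false alarm comes from the first normal packet after the burst, whose inter-arrival gap is measured from the last burst packet. Choosing how gaps are measured (per flow rather than across the whole capture) and how the threshold is set is exactly the parameter tuning that the later research question on reducing false alarms refers to.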
Below are the research questions identified:
- How can an anomaly-based intrusion detection system be improved to detect zero-day malware such as Zeus?
- How can IDS accuracy be increased and false alarms reduced?
- What challenges might be faced when implementing an anomaly-based intrusion detection system?
- How can those challenges be overcome?
The project objective is to find a way to defend against malicious intruders, who are among the most dangerous threats and are found all around the world. Intruders have bypassed most of the usual network defences, such as firewalls, antivirus and encryption. Network intrusion detection and prevention systems are therefore one of the major research areas aimed at identifying attacks and preserving the integrity of the network system for its security. This project will also give a SWOT analysis of the network intrusion detection and prevention system. By increasing the security of the network, the internet will be safer for personal data and for organizations such as banks. The purpose of our project is to understand the concept and function of a network intrusion detection and prevention system, and to improve network security by analysing the incoming and outgoing traffic. We can also reproduce the problems present in the system, eliminate them, and provide security at all times across all layers.
Anomaly-based Network Intrusion Detection System
The project is based on detecting malware in a network that is used to exploit operating systems, applications, etc. [3]. To detect the malicious activities carried out by attackers, network traffic needs to be monitored at regular intervals.
All tests are simulated in VirtualBox version 5, in which multiple operating systems are deployed. The operating systems used to execute the project are Linux and Windows. To detect suspicious scans performed by attackers on the main network, we use a honeypot [4] to capture the attacker details.
To capture the traffic directed to the network, we need applications that can continuously monitor the traffic, so in this project we are using Wireshark and Snort [5].
| Application | Usage |
|---|---|
| VirtualBox | To install multiple operating systems and simulate |
| Wireshark | To capture traffic |
| Snort | For detecting malicious traffic |
| Honey D | To capture attacker information |
| Windows | Main operating system |
All these applications are deployed in the main operating system to monitor and capture all the traffic that comes to the host through the network. The traffic is monitored regularly to detect malicious activities using the applications mentioned above. Each application performs the necessary tasks, records all the details and takes the necessary actions to neutralize the attack.
Below are the detailed specifications of software and hardware requirements.
Hardware Requirements
| Hardware | Requirements |
|---|---|
| Computer | 8 GB RAM, 200 GB hard disk, i5 processor |
Software Requirements
| Application | Version |
|---|---|
| VirtualBox | Version 5.2 |
| Wireshark | Version 2.2.11 |
| Snort | Version 3.0 |
| Honey D | |
| Linux | |
| Windows | Version 8.1 |
Project plan and preliminary design
Table of weekly activities
| Week # | Activity |
|---|---|
| Week 1 | Attended the first class of MN691 and formed a group of 4 members with the supervisor. Did some research on the selected project with the help of the supervisor, who explained the basics of the project. Contacted the industry client and emailed him the details of our project to get his approval. |
| Week 2 | Got approval from the industry client, who signed the industry agreement form and assigned us the task of researching a few IEEE documents; did research on collecting malware data and on how to test the project. Also did some research on software which satisfies our requirements. |
| Week 3 | Discussion with the supervisor about the mathematical standard evaluation: how actual malware and predicted malware accuracy is calculated. Each group member was assigned the task of writing a 1000-line document on the research topic given by the supervisor. |
| Week 4 | Received feedback on the task assigned last week. Started working on the literature review and attended a webinar session held at the Sydney campus. |
| Week 5 | Worked on the assignment by sharing the tasks among each other and finished before the due date. Started extending the document on the Zeus topic and installing it in the system to verify it. Attended industrial workshop 1, which covered resume preparation, basic industry requirements, etc. |
| Week 6 | Started working on the oral presentation document by dividing the tasks (Introduction, Project Scope, Implementation Steps, Types of NIDS, Advantages and Disadvantages, Conclusion, References) among the group members, and attended industrial workshop 2, which covered the methodologies followed in companies, such as agile and waterfall. |
| Week 7 | Continued working on the oral presentation document and modified it according to the supervisor's comments. |
| Week 8 | Started working on assignment 2 and made changes to assignment 1 as per the unit lecturer's comments, such as adding each group member's literature review, references, etc. |
| Week 9 | Started working on assignment 2 according to the requirements, such as the Gantt chart, project methodologies, etc. Need to do research on the practical scenario of the intrusion detection system. |
| Week 10 | Need to divide the tasks to complete the final report and oral presentation document. |
| Week 11 | Concentrate on the research methodologies which will be used in the next stage of the project. |
| Week 12 | Need to work on the group report and individual report to complete the documents according to the timeline, and to complete the document for the group presentation and prepare for it. |
Roles & responsibilities of each team member
| Week # | Vinod | Solomon | Venkata Rakesh | Shilpa |
|---|---|---|---|---|
| Week 1 | Took the initiative to discuss with the supervisor before the start of the unit, selected the project and contacted the industry client to discuss the project. | Part of the discussion meetings to select the project and did some research on the project. | Attended the team discussions and took on research work for the project. | Part of the team discussions; worked on what to research about the project and shared analysis and requirements with the team members. |
| Week 2 | Studied the document “Real time intrusion detection and prevention system”, which was assigned by the industry client. | Research on the document “Network intrusion detection system using attack behaviour classification”. | Research on “CANN: An intrusion detection system based on combining cluster centers and nearest neighbours”. | Research on “A deep learning approach for network intrusion detection system”. |
| Week 3 | Did research on “Command and Control”. | Worked on “zero-day malware and online banking issues”. | Did research on “Zeus-King of Botnet”. | Research on “DDoS Attacks”. |
| Week 4 | Started working on the literature review on “Command and Control”, and research on Snort and installing Zeus. | Started working on the literature review on “zero-day malware and online banking issues”, and research on Snort and installing Zeus. | Started working on the literature review on “Zeus-King of Botnet”, and research on Snort and installing Zeus. | Started working on the literature review on “DDoS Attacks”, and research on the Zeus malware to write a document about it, as assigned by the supervisor. |
| Week 5 | Worked on gathering the project requirements analysis and specification as part of assignment 1. | Worked on writing the background and project objective as part of assignment 1. | Wrote the Introduction as part of assignment 1. | Worked on the project domain and research questions, and combined all team members' work to complete assignment 1. |
| Week 6 | Topic: Implementation of NIDS. | Topic: Introduction and Project Scope. | Topic: Advantages/Disadvantages/Conclusion. | Topic: Types of NIDS, and research on the different types. |
| Week 7 | Research on signature-based detection systems. | Research on anomaly-based detection systems. | Research on intrusion detection using data mining. | Research on 4 signature- and anomaly-based detection systems. |
| Week 8 | Literature review on the botnet topic. | Literature review on network intrusion detection systems in online banking. | Literature review on the king of botnets, Zeus. | Literature review on DDoS attacks. |
| Week 9 | Worked on the signature-based project methodology and on gathering requirements and budgets, with references. | Worked on the anomaly-based methodology and project diagram. | Worked on the intrusion detection system methodologies based on data mining and combined all the references. | Worked on the signature- and anomaly-based project methodology, the table of weekly activities and the Gantt chart, and combined all team members' work into one document to complete the assignment. |
| Week 10 | Will be working on project design and methodology. | Will be working on methodology. | Will be working on the methodology conclusion and references. | Will be working on the research questions and collating all team members' work. |
| Week 11 | Research on the next stage of the project methodology. | Research on the next stage of the project methodology. | Research on the next stage of the project methodology. | Research on the next stage of the project methodology. |
| Week 12 | Will be working on the final report and oral presentation. | Will be working on the final report and oral presentation. | Will be working on the final report and oral presentation. | Will be working on the final report and oral presentation. |
As the project is based on intrusion detection, the following methodologies, covering signature- and anomaly-based detection together with some advanced techniques such as data mining, have been chosen for further implementation.
Signature Based Detection System (Methodology-1 by Vinod Allam)
Signature-based detection depends on attacks that have happened before: each such attack is analysed, researched and stored as a signature for future attacks. The IDS is programmed to interpret the packets captured by Wireshark, and then, using Snort and a set of signatures, it detects the malicious packets and discards them. As shown in figure 2, when a packet enters the network, Wireshark scans the packet and passes it to the next level, Snort and the detection algorithms, where the packet is analysed using signature-based detection techniques; if the packet is malicious, its signature is stored and the packet is dropped.
This shows one network intrusion detection system based on data mining. This intrusion detection system accepts data from flow tools such as Wireshark, which captures the packet data. The collected data is sent to the detection system, which analyses the data files in batch mode; before being passed to the system, the data goes through a filtering section that filters the network traffic. The primary step of MNIDS (Minnesota intrusion detection system) is to acquire the main features that are used; based on those features the system summarizes the time windows. After the feature construction, known attacks are removed before further analysis. Once the known attacks are separated from the data, an external technique is used to compute a score for each connection [6]. This detection technique ranks the network connections by that score. A human analyst reviews all the summaries and decides whether or not to create a new rule that can be used for attack detection.
Implementation of Anomaly-based NIDS
Intrusion Detection System Using Data Mining Process (Methodology-3 by Venkata Rakesh Nunna)
As shown in figure 6, the data mining process will be used for malware detection. Historical data and current data are collected from different sources and stored in a database. The data is cleaned and pre-processed to initiate the data mining process [7]. The rules to be used for the data mining process are then applied to the cleaned dataset. The rules are of two types: misuse rules and anomaly rules. In the misuse rule process, the misuse pattern is detected and matched against the dataset. If a misuse pattern is satisfied, a response is produced. If no match is found, the data goes to the anomaly detection process. If the data matches there, a response is generated and the cycle ends [8]. If no match is found in anomaly detection either, meaning that both processes have failed, the pointer is transferred to the audit record dataset. The pointer then goes to the data mining rule of the flowchart and the data is termed normal data.
The normal data is collected and saved in the collection component. With this data we use specific modelling methods which turn the collected normal data into normal system profile behaviours. This data profile helps to detect abnormal patterns in the network, which raise an alarm for any intrusion in the system.
This is a general anomaly model: users' normal behaviour is captured over a long time and their behaviour over that period is understood. Some activity is missed if it is also considered normal behaviour. An anomaly detection system cannot detect a stealthy attack, since it can be missed during the process and a large number of attack actions can be hidden inside normal behaviour. But we can tune some parameters of the detection system which help decrease the false alarm rate and make it more effective [9].
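The following Python script is an added example, not code from the report, from Snort or from MNIDS, that implements the flow just described together with the signature stage of methodology 1 and the analyst loop of the MNIDS description: each connection record is checked first against the stored misuse signatures, then against a normal profile mined from clean traffic (the ports seen on each host and the highest connection count per source), and otherwise goes into the audit record store as normal data; an analyst can then promote an investigated anomaly into a new signature. The connection records, the signature byte patterns and the two profile rules are constructed for the illustration and stand in for whatever Wireshark exports and Snort rules would carry in the real system.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass
class Conn:
    """One connection record as a flow tool would export it (fields are constructed)."""
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class NormalProfile:
    """Normal system profile mined from clean traffic."""
    ports_per_host: dict = field(default_factory=lambda: defaultdict(set))
    max_conns_per_src: int = 0

    @classmethod
    def from_clean(cls, conns):
        profile = cls()
        for c in conns:
            profile.ports_per_host[c.dst].add(c.dport)
        profile.max_conns_per_src = max(Counter(c.src for c in conns).values())
        return profile


class TwoStageDetector:
    """Misuse (signature) rules first, then anomaly rules, otherwise normal/audit data."""

    def __init__(self, signatures, profile):
        self.signatures = dict(signatures)   # rule name -> byte pattern (misuse rules)
        self.profile = profile
        self.audit_records = []              # normal data kept for the next profile rebuild

    def misuse_check(self, conn):
        """Stage 1: return the name of the first stored signature found in the payload."""
        for name, pattern in self.signatures.items():
            if pattern in conn.payload:
                return name
        return None

    def anomaly_check(self, conn, conns_from_src):
        """Stage 2: list the ways the connection deviates from the normal profile."""
        reasons = []
        if conn.dport not in self.profile.ports_per_host.get(conn.dst, set()):
            reasons.append(f"port {conn.dport} never seen on {conn.dst}")
        if conns_from_src > self.profile.max_conns_per_src:
            reasons.append(f"{conn.src} exceeded {self.profile.max_conns_per_src} connections")
        return reasons

    def process(self, conns):
        """Return (verdict, detail, conn) per record, in the order of the flowchart."""
        verdicts, per_src = [], Counter()
        for c in conns:
            per_src[c.src] += 1
            rule = self.misuse_check(c)
            if rule:
                verdicts.append(("misuse", rule, c))
                continue
            reasons = self.anomaly_check(c, per_src[c.src])
            if reasons:
                verdicts.append(("anomaly", "; ".join(reasons), c))
                continue
            self.audit_records.append(c)   # normal data feeds the next profile
            verdicts.append(("normal", "", c))
        return verdicts

    def add_signature(self, name, pattern):
        """Analyst decision: turn an investigated anomaly into a new misuse rule."""
        self.signatures[name] = pattern


# Constructed clean traffic: two clients talking to a web host (80/443) and a mail host (25).
CLEAN = [
    Conn("10.0.0.11", "10.0.0.5", 80, b"GET / HTTP/1.1"),
    Conn("10.0.0.11", "10.0.0.5", 443, b"TLS-EXAMPLE"),
    Conn("10.0.0.11", "10.0.0.6", 25, b"EHLO client.example"),
    Conn("10.0.0.12", "10.0.0.5", 80, b"GET /index.html HTTP/1.1"),
    Conn("10.0.0.12", "10.0.0.5", 443, b"TLS-EXAMPLE"),
    Conn("10.0.0.12", "10.0.0.6", 25, b"EHLO client.example"),
]
# Constructed misuse rule: a placeholder marker standing in for a real signature's content.
SIGNATURES = {"example-marker": b"EXAMPLE-MALICIOUS-MARKER"}
# Constructed mixed traffic to classify.
MIXED = [
    Conn("10.0.0.11", "10.0.0.5", 80, b"GET / HTTP/1.1"),                              # normal
    Conn("10.0.0.13", "10.0.0.5", 80, b"GET /?q=EXAMPLE-MALICIOUS-MARKER HTTP/1.1"),   # misuse
    Conn("10.0.0.14", "10.0.0.5", 22, b"EXAMPLE-PROBE"),                               # new port
    *[Conn("10.0.0.15", "10.0.0.5", 80, b"GET / HTTP/1.1") for _ in range(4)],          # 4th too many
    Conn("10.0.0.11", "10.0.0.6", 25, b"EHLO client.example"),                         # normal
]


def run_example():
    """First pass with the initial rules, then again after the analyst adds a signature."""
    detector = TwoStageDetector(SIGNATURES, NormalProfile.from_clean(CLEAN))
    first_pass = Counter(verdict for verdict, _, _ in detector.process(MIXED))
    # The analyst investigates the port-22 anomaly and promotes its payload to a misuse rule.
    detector.add_signature("analyst-rule-1", b"EXAMPLE-PROBE")
    second_pass = detector.process([MIXED[2]])[0][0]
    return dict(first_pass), second_pass
```

`run_example()` returns the verdict counts of the first pass and the verdict the promoted rule gives the same connection afterwards. The order of the two stages matters: a signature hit is a definite response and never reaches the profile, while the profile only ever sees traffic no signature explains, which is what keeps the anomaly stage focused on unknown behaviour. Note also the weakness the text describes: a source that stays within the learned connection count and uses only known ports is filed as normal data and would be absorbed into the next profile rebuild.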
This section provides the software and hardware requirements for the project and their costs.
Software requirements
| Application | Cost |
|---|---|
| VirtualBox | Open source |
| Wireshark | Open source |
| Snort (subscription cost) | 399 USD [36] |
| Honey D | Open source |
| Windows | 119 USD [37] |
Hardware Requirements
| Hardware | Cost |
|---|---|
| 2 computers (specifications: 8 GB RAM, 200 GB hard disk, i5 processor) | 800 AUD [38] |
Labour cost
| Resource Name | Resource Title | Cost (per hour) |
|---|---|---|
| Vinod Allam | Team Leader | 95 AUD [39] |
| Venkat Rakesh Nunna | Senior Developer | 85 AUD [40] |
| Solomon Waskar | Network Administrator | 65 AUD [39] |
| Shilpa Bhonagiri | Analyst and Tester | 75 AUD [41] |
Total labour cost: 320 AUD (per hour); 48,000 AUD (estimated cost of working hours).
Total Budget
| Item | Cost |
|---|---|
| Software and hardware requirement cost | 1,577 AUD |
| Labour cost | 48,000 AUD |
| Total | 49,577 AUD |
References
[1] N. Thanh Van, T. Ngoc Thinh and L. Sach, “An anomaly-based Network Intrusion Detection System using Deep learning”, 2017, pp. 1-2.
[2] A. Girija and D. Rao, Network Intrusion Detection System. CmpE 226, pp. 1-2.
[3] C. Modi, D. Patel, A. Patel and M. Rajarajan, “Integrating Signature Apriori based Network Intrusion Detection System (NIDS) in Cloud Computing”, 2017.
[4] H. Artail, H. Safa, M. Sraj, I. Kuwatly and Z. Al-Masri, “A hybrid honeypot framework for improving intrusion detection systems in protecting organizational networks”, 2017.
[5] M. Roesch, “Snort — Lightweight Intrusion Detection for Networks”, in Proceedings of LISA ’99, Washington, 1999, pp. 2-9.
[6] M. H. Bhuyan, D. Bhattacharyya, and J. Kalita, Network Anomaly Detection: Methods, Systems and Tools. 2014, pp. 30-34.
[7] R. Mitchell and I.-R. Chen, “A survey of intrusion detection in wireless network applications”, Comput. Commun., vol. 42, pp. 1-23, 2014.
[8] O. Al-Jarrah and A. Arafat, “Network intrusion detection system using attack behavior classification”, in 2014 5th International Conference on Information and Communication Systems, ICICS 2014, 2014.
[9] Network Intrusion Detection and Prevention. Springer US, 2010, pp. 34-35.
[10] H. Zeidanloo, M. Zadeh and M. Zamani, “A Taxonomy of Botnet Detection Techniques”, in A Taxonomy of Botnet Detection Techniques, Malaysia, 2010, pp. 1-4.
[11] N. Hopper, “Short Paper: Challenges in protecting Tor hidden services from botnet abuse”, 2014.
[12] Y. Boshmaf, I. Muslukhov, K. Beznosov and M. Ripeanu, “Design and analysis of a social botnet”, Computer Networks, vol. 57, no. 2, pp. 556-578, 2013.
[13] D. Zhao, I. Traore, B. Sayed, W. Lu, S. Saad, A. Ghorbani and D. Garant, “Botnet detection based on traffic behavior analysis and flow intervals”, Computers & Security, vol. 39, pp. 2-16, 2013.
[14] Z. Zhu, G. Lu and Y. Chen, “Botnet Research Survey”, in Botnet Research Survey, Finland, 2008, pp. 1-5.
[15] E. Alomari, S. Manickam, B. B. Gupta, S. Karuppayah and R. Alfaris, “Botnet-based Distributed Denial of Service (DDoS) Attacks on Web Servers: Classification and Art”, International Journal of Computer Applications, vol. 49, no. 7, pp. 24-32, 2012.
[16] A. Rahimian, R. Ziarati, S. Preda and M. Debbabi, “On the Reverse Engineering of the Citadel Botnet”, Montreal, Canada, 2014.
[17] C. Yin, M. Zou, D. Iko and J. Wang, “Botnet Detection Based on Correlation of Malicious Behaviors”, International Journal of Hybrid Information Technology, vol. 6, no. 6, pp. 291-300, 2013.
[18] M. K, R. A and V. K, “DoS and DDoS Attacks: Defense, Detection and Traceback Mechanisms - A Survey”, Global Journals Inc, vol. 14, no. 7, pp. 1-19, 2014.
[19] A. Kumar, “DDoS Attacks—A Cyberthreat and Possible Solutions”, pp. 1-4.
[20] S. Arunmozhi and Y. Venkataramani, “DDoS Attack and Defense Scheme in Wireless Ad hoc Networks”, International Journal of Network Security & Its Applications, vol. 3, no. 3, pp. 182-187, 2011.
[21] A. Carlin, M. Hammoudeh and O. Aldabbas, “Defence for Distributed Denial of Service Attacks in Cloud Computing”, in The International Conference on Advanced Wireless, Information, and Communication Technologies, 2015, pp. 490-497.
[22] “DDoS flooding attack detection through a step-by-step investigation”, Australia, 2012, pp. 1-5.
[23] “A survey of distributed denial of service attack”, in Intelligent Systems and Control (ISCO), 2016 10th International Conference, India, 2016, pp. 1-2.
[24] N. Harale and D. Meshram, “Network Based Intrusion Detection and Prevention Systems: Attack Classification, Methodologies and Tools”, International Journal of Engineering And Science, vol. 6, no. 5, 2016.
[25] N. Das and T. Sarkar, “Survey on Host and Network Based Intrusion Detection System”, Int. J. Advanced Networking and Applications, vol. 6, no. 2, pp. 2266-2269, 2014.
[26] K. Labib and R. Vemuri, “NSOM: A Real-Time Network-Based Intrusion Detection System Using Self-Organizing Maps”, Web.cs.ucdavis.edu, 2018. [Online]. Available: https://web.cs.ucdavis.edu/~vemuri/papers/som-ids.pdf. [Accessed: 16-Jan-2018].
[27] H. Dreger, C. Kreibich, V. Paxson and R. Sommer, “Enhancing the Accuracy of Network-based Intrusion Detection with Host-based Context”, Icir.org, 2017. [Online]. Available: https://www.icir.org/vern/papers/dimva05.pdf. [Accessed: 16-Jan-2018].
[28] D. Ariu, Host and Network based Anomaly Detectors for HTTP Attacks. Cagliari: Dept. of Electrical and Electronic Engineering, University of Cagliari, 2010.
[29] S. Northcutt and J. Novak, Network Intrusion Detection. Indianapolis, Ind.: New Riders, 2009.
[30] L. M. Ibrahim and K. H. Thanon, “Analysis and detection of the Zeus botnet crimeware”, International Journal of Computer Science and Information Security, vol. 13, no. 9, p. 121, 2015.
[31] T. Dougan and K. Curran, “Man in the browser attacks”, International Journal of Ambient Computing and Intelligence (IJACI), vol. 4, no. 1, pp. 29-39, 2012.
[32] M. Riccardi, R. Di Pietro, M. Palanques and J. Aguila Vila, “Titans’ revenge: Detecting Zeus via its own flaws”, Computer Networks, vol. 57, no. 2, pp. 422-435, 2013.
[33] Y. Zhou and X. Jiang, “Dissecting Android malware: Characterization and evolution”, in 2012 IEEE Symposium on Security and Privacy (SP), 2012, pp. 95-109.
[34] D. Andriesse, C. Rossow, B. Stone-Gross, D. Plohmann and H. Bos, “Highly resilient peer-to-peer botnets are here: An analysis of Gameover Zeus”, in 2013 8th International Conference on Malicious and Unwanted Software: “The Americas” (MALWARE), 2013, pp. 116-123.
[35] A. Mohaisen, A. G. West, A. Mankin and O. Alrawi, “Chatter: Classifying malware families using system event ordering”, in 2014 IEEE Conference on Communications and Network Security (CNS), 2014, pp. 283-291.
[36] “How much does a subscription cost?”, Snort.org, 2018. [Online]. Available: https://www.snort.org/faq/how-much-does-a-subscription-cost. [Accessed: 19-Jan-2018].
[37] “Microsoft prices Windows 10 licenses at $119 for Home, $199 for Pro”, CNET, 2018. [Online]. Available: https://www.cnet.com/news/microsoft-prices-single-windows-10-licenses-at-119-for-home-199-for-pro/. [Accessed: 19-Jan-2018].
[38] “Intel Core i5 4th Gen PC Desktops | eBay”, eBay, 2018. [Online]. Available: https://www.ebay.com.au/b/Intel-Core-i5-4th-Gen-PC-Desktops/179/bn_799950. [Accessed: 19-Jan-2018].
[39] “Team Leader, IT Salary (Australia)”, Payscale.com, 2018. [Online]. Available: https://www.payscale.com/research/AU/Job=TeamLeader%2C IT/Salary. [Accessed: 28-Jan-2018].
[40] “Salary: Senior Network Engineer | Glassdoor.com.au”, Glassdoor.com.au, 2018. [Online]. Available: https://www.glassdoor.com.au/salaries/senior-network-engineer-salary-SRCH O0,23.html. [Accessed: 28-Jan-2018].
[41] “Network Analyst Salary (Australia)”, Payscale.com, 2018. [Online]. Available: https://www.payscale.com/researcj/AU/Job=NetworkAnalyst/Salary. [Accessed: 28-Jan-2018].