50409621026-pharkkavi-d
TRANSCRIPT
-
7/27/2019 50409621026-PHARKKAVI-D
1/31
LAYERED APPROACH USINGCONDITIONAL RANDOM
FIELDS FOR INTRUSION
DETECTION
PRESENTED BY
PHARKKAVI D
50409621026
-
7/27/2019 50409621026-PHARKKAVI-D
2/31
INTRODUCTION
Intrusion detection as defined by the SysAdmin, Audit, Networking,and Security (SANS) Institute is the art of detecting inappropriate,
inaccurate, or anomalous activity. Today, intrusion detection is one of
the high priority and challenging tasks for network administrators and
security professionals.
Any intrusion detection system has some inherentrequirements. Its prime purpose is to detect as many attacks as possible
with minimum number of false alarms, i.e., the system must be
accurate in detecting attacks.
An accurate system that cannot handle large amount of
network traffic and is slow in decision making will not fulfill thepurpose of an intrusion detection system.
We desire a system that detects most of the attacks, gives very
few false alarms, copes with large amount of data, and is fast enough to
make real-time decisions.
-
7/27/2019 50409621026-PHARKKAVI-D
3/31
ABSTRACT Intrusion detection faces a number ofchallenges an intrusion detection system must reliably
detect malicious activities in a network and must perform
efficiently to cope with the large amount of network traffic.
In this paper, we address these two issues of
Accuracy and Efficiency using Conditional Random Fields
and Layered Approach.
We demonstrate that high attack detectionaccuracy
can be achieved by using Conditional Random Fields and
high efficiency by implementing the Layered Approach
-
7/27/2019 50409621026-PHARKKAVI-D
4/31
Existing System
The field of intrusion detection and network security has been around
since late 1980s. Since then, a number of methods and frameworks have
been proposed and many systems have been built to detect intrusions.
Various techniques such as association rules, clustering, naive Bayes
classifier, support vector machines, genetic algorithms, artificial neural
networks, and others have been applied to detect intrusions
Experimental results on the benchmark KDD 99 intrusion data set show
that our proposed system based on Layered Conditional Random Fields
outperforms other well-known methods such as the decision trees and the
naive Bayes.
The improvement in attack detection accuracy is very high, particularly,
for the U2R attacks (34.8 percent improvement) and the R2L attacks
(34.5 percent improvement). Statistical Tests also demonstrate higher
confidence in detection accuracy for our method.
-
7/27/2019 50409621026-PHARKKAVI-D
5/31
Proposed System
Other approaches for detecting intrusion include the use of autonomous
and probabilistic agents for intrusion detection. These methods are
generally aimed at developing a distributed intrusion detection system.
The data analyzed by the intrusion detection system for classification oftenhas a number of features that are highly correlated and complex
relationships exist between them. when classifying network connections as
either normal or as attack, a system may consider features such as logged
in and numberof file creations.
When these features are analyzed individually, they do not provide any
information that can aid in detecting attacks. However, when these features
are analyzed together, they can provide meaningful information, which can
be helpful for the classification task.
-
7/27/2019 50409621026-PHARKKAVI-D
6/31
To overcome the weakness of a single intrusion
detection system, a number of frameworks have beenproposed, which describe the collaborative use of
network-based and hostbased systems .
Systems that employ both signature based andbehavior-based techniques are discussed in the authors
describe a data mining framework for building adaptive
intrusion detection models.
-
7/27/2019 50409621026-PHARKKAVI-D
7/31
Software Requirements:
Operating system : - Windows XP Professional.
Coding Language : - Java.
Tool Used : - Eclipse IDE
Hardware Requirements:
System : Pentium IV 2.4 GHz.
Hard Disk : 40 GB.
Floppy Drive : 1.44 Mb.
Monitor : 15 VGA Colour.
Mouse : Logitech.
Ram : 256 Mb.
-
7/27/2019 50409621026-PHARKKAVI-D
8/31
Module1. Networking Module
2. Layered Approach
3. Network security module
4. Decision Trees
I . Networking Module.
Client-server computing or networking is a distributed applicationarchitecture that partitions tasks or workloads between service
providers (servers) and service requesters, called clients.
Often clients and servers operate over a computer network on
separate hardware..
-
7/27/2019 50409621026-PHARKKAVI-D
9/31
A server machine is a high-performance host that isrunning one or more server programs which share its
resources with clients. A client also shares any of its
resources; Clients therefore initiate communication
sessions with servers which await (listen to) incoming
requests
-
7/27/2019 50409621026-PHARKKAVI-D
10/31
2 . Layered Approach
We then describe how to integrate the Layered Approach and theCRFs. we give our experimental results and compare our method with
other approaches that are known to perform well. We observe that our
proposed system, Layered CRFs, performs significantly better than
other systems. We also integrate the Layered Approach with the CRFs
to gain the benefits of computational efficiency and high accuracy ofdetection in a single system. The results from individual classifiers at a
layer are not combined at any later stage in the Layered Approach, and
hence, an attack can be blocked at the layer where it is detected. There
is no communication over head among the layers and the central
decision-maker. We then show that high efficiency can be achieved by
implementing the Layered Approach. Finally, we integrate the Layered
Approach and the CRFs to develop a system that is accurate and
performs efficiently.
-
7/27/2019 50409621026-PHARKKAVI-D
11/31
3. Network security module
A number of methods and frameworks have been proposed
and many systems have been built to detect intrusions.
Various techniques such as association rules, clustering,naive Bayes classifier, support vector machines,
genetic algorithms, artificial neural networks, and others
have been applied to detect intrusions.
,
-
7/27/2019 50409621026-PHARKKAVI-D
12/31
4. Decision TreesThe decision trees select the best features for
each decision node during the construction of
the tree based on some well-defined criteria.
One such criterion is to use the information
gain ratio.Decision trees generally have very high speed
of operation and high attack detection accuracy.
The performance of our proposed system,
Layered CRFs, is comparable to that of the
decision trees and the naive Bayes, and our
system has higher attack detection accuracy.For better comparison and readability
-
7/27/2019 50409621026-PHARKKAVI-D
13/31
The CRFs perform much better for U2R attacks while the
decision trees achieve higher attack detection for Probes and
R2L. The difference in attack detection accuracy for DoS is not
significant.
We note that the reason for better performance of decision trees
is that they perform feature selection. the integrated models as
Layered CRFs, layered decision trees, and layered nave Bayes,respectively.
-
7/27/2019 50409621026-PHARKKAVI-D
14/31
Network security module
Decision Trees
-
7/27/2019 50409621026-PHARKKAVI-D
15/31
Main Modules:-CONDITIONAL RANDOM FIELD
The CRFs have proven to be very successful in such tasks, as they do notmake any unwarranted assumptions about the data. Hence, we explore the
suitability of CRFs for intrusion detection. system may consider features
such as logged in and number of file creations. When these features are
analyzed individually, they do not provide any information that can aid in
detecting attacks.
However, when these features are analyzed together, they can providemeaningful information, which can be helpful for the classification task.
Probe layer
The probe attacks are aimed at acquire information about the target
network from a source that is often external to the network. Hence, basicconnection level features such as the duration of connection and source
bytes are significant while features like number of files creations and
number of files accessed are not expected to provide information for
detecting probes.
-
7/27/2019 50409621026-PHARKKAVI-D
16/31
DoS layer
For the DoS layer, traffic features such as the percentage ofconnections having same destination host and same service and
packet level features such as the source bytes and percentageof packets with errors are significant. To detect DoS attacks, itmay not be important to know whether a user is logged in ornot.
R2L layerThe R2L attacks are one of the most difficult to detect as they
involve the network level and the host level features. Wetherefore selected both the network level features such as theduration of connection and service requested and the host
level features such as the number of failed login attemptsamong others for detecting R2L attack.
-
7/27/2019 50409621026-PHARKKAVI-D
17/31
U2R layer ( User to Root attacks)
The U2R attacks involve the semantic details that are
very difficult to capture at an early stage. Such attacks are
often content based and target an application.
Hence, for U2R attacks, we selected features such as
number of file creations and number of shell prompts
invoked, while we ignored features such as protocol and
source bytes.
-
7/27/2019 50409621026-PHARKKAVI-D
18/31
Source Destination
Network
Layer 1:
Probe Attack
Layer 2:
DoS Attack
Layer 1:
R2L Attack
Layer 1:
U2R Attack
CRF
Layer 3:
R2L Attack
Layer 4:
U2R Attack
-
7/27/2019 50409621026-PHARKKAVI-D
19/31
Data Flow Diagram
Layer 1:
Probe Attack
Layer 2:
DoS Attack
Layer 3:
R2L Attack
Layer 4:
U2R Attack
CRF
Source
Send The File
Receive the File
Verify the Data
-
7/27/2019 50409621026-PHARKKAVI-D
20/31
Use case Diagram
SourceDestinati
on
Network
Connect in
Network
CRF Layered Approach
-
7/27/2019 50409621026-PHARKKAVI-D
21/31
Architecture Diagram
-
7/27/2019 50409621026-PHARKKAVI-D
22/31
Data Flow Diagram
Layer 1:
Probe Attack
Layer 2:
DoS Attack
Layer 3:
R2L Attack
Layer 4:
U2R Attack
CRF
Source
Send The File
Receive the File
Verify the Data
-
7/27/2019 50409621026-PHARKKAVI-D
23/31
Sequence Diagram
-
7/27/2019 50409621026-PHARKKAVI-D
24/31
STUDY
-
7/27/2019 50409621026-PHARKKAVI-D
25/31
-
7/27/2019 50409621026-PHARKKAVI-D
26/31
-
7/27/2019 50409621026-PHARKKAVI-D
27/31
-
7/27/2019 50409621026-PHARKKAVI-D
28/31
-
7/27/2019 50409621026-PHARKKAVI-D
29/31
-
7/27/2019 50409621026-PHARKKAVI-D
30/31
-
7/27/2019 50409621026-PHARKKAVI-D
31/31
CONCLUSION
We have addressed the dual problem of Accuracy andEfficiency for building robust and efficient intrusion detection
systems. Our experimental results in Section 6 show that
CRFs are very effective in improving the attack detection rate
and decreasing the FAR. Having a low FAR is very importantfor any intrusion detection system.