7/27/2019 50409621026-PHARKKAVI-D

1/31

LAYERED APPROACH USINGCONDITIONAL RANDOM

FIELDS FOR INTRUSION

DETECTION

PRESENTED BY

PHARKKAVI D

50409621026

7/27/2019 50409621026-PHARKKAVI-D

2/31

INTRODUCTION

Intrusion detection as defined by the SysAdmin, Audit, Networking,and Security (SANS) Institute is the art of detecting inappropriate,

inaccurate, or anomalous activity. Today, intrusion detection is one of

the high priority and challenging tasks for network administrators and

security professionals.

Any intrusion detection system has some inherentrequirements. Its prime purpose is to detect as many attacks as possible

with minimum number of false alarms, i.e., the system must be

accurate in detecting attacks.

An accurate system that cannot handle large amount of

network traffic and is slow in decision making will not fulfill thepurpose of an intrusion detection system.

We desire a system that detects most of the attacks, gives very

few false alarms, copes with large amount of data, and is fast enough to

make real-time decisions.

7/27/2019 50409621026-PHARKKAVI-D

3/31

ABSTRACT Intrusion detection faces a number ofchallenges an intrusion detection system must reliably

detect malicious activities in a network and must perform

efficiently to cope with the large amount of network traffic.

In this paper, we address these two issues of

Accuracy and Efficiency using Conditional Random Fields

and Layered Approach.

We demonstrate that high attack detectionaccuracy

can be achieved by using Conditional Random Fields and

high efficiency by implementing the Layered Approach

7/27/2019 50409621026-PHARKKAVI-D

4/31

Existing System

The field of intrusion detection and network security has been around

since late 1980s. Since then, a number of methods and frameworks have

been proposed and many systems have been built to detect intrusions.

Various techniques such as association rules, clustering, naive Bayes

classifier, support vector machines, genetic algorithms, artificial neural

networks, and others have been applied to detect intrusions

Experimental results on the benchmark KDD 99 intrusion data set show

that our proposed system based on Layered Conditional Random Fields

outperforms other well-known methods such as the decision trees and the

naive Bayes.

The improvement in attack detection accuracy is very high, particularly,

for the U2R attacks (34.8 percent improvement) and the R2L attacks

(34.5 percent improvement). Statistical Tests also demonstrate higher

confidence in detection accuracy for our method.

7/27/2019 50409621026-PHARKKAVI-D

5/31

Proposed System

Other approaches for detecting intrusion include the use of autonomous

and probabilistic agents for intrusion detection. These methods are

generally aimed at developing a distributed intrusion detection system.

The data analyzed by the intrusion detection system for classification oftenhas a number of features that are highly correlated and complex

relationships exist between them. when classifying network connections as

either normal or as attack, a system may consider features such as logged

in and numberof file creations.

When these features are analyzed individually, they do not provide any

information that can aid in detecting attacks. However, when these features

are analyzed together, they can provide meaningful information, which can

be helpful for the classification task.

7/27/2019 50409621026-PHARKKAVI-D

6/31

To overcome the weakness of a single intrusion

detection system, a number of frameworks have beenproposed, which describe the collaborative use of

network-based and hostbased systems .

Systems that employ both signature based andbehavior-based techniques are discussed in the authors

describe a data mining framework for building adaptive

intrusion detection models.

7/27/2019 50409621026-PHARKKAVI-D

7/31

Software Requirements:

Operating system : - Windows XP Professional.

Coding Language : - Java.

Tool Used : - Eclipse IDE

Hardware Requirements:

System : Pentium IV 2.4 GHz.

Hard Disk : 40 GB.

Floppy Drive : 1.44 Mb.

Monitor : 15 VGA Colour.

Mouse : Logitech.

Ram : 256 Mb.

7/27/2019 50409621026-PHARKKAVI-D

8/31

Module1. Networking Module

2. Layered Approach

3. Network security module

4. Decision Trees

I . Networking Module.

Client-server computing or networking is a distributed applicationarchitecture that partitions tasks or workloads between service

providers (servers) and service requesters, called clients.

Often clients and servers operate over a computer network on

separate hardware..

7/27/2019 50409621026-PHARKKAVI-D

9/31

A server machine is a high-performance host that isrunning one or more server programs which share its

resources with clients. A client also shares any of its

resources; Clients therefore initiate communication

sessions with servers which await (listen to) incoming

requests

7/27/2019 50409621026-PHARKKAVI-D

10/31

2 . Layered Approach

We then describe how to integrate the Layered Approach and theCRFs. we give our experimental results and compare our method with

other approaches that are known to perform well. We observe that our

proposed system, Layered CRFs, performs significantly better than

other systems. We also integrate the Layered Approach with the CRFs

to gain the benefits of computational efficiency and high accuracy ofdetection in a single system. The results from individual classifiers at a

layer are not combined at any later stage in the Layered Approach, and

hence, an attack can be blocked at the layer where it is detected. There

is no communication over head among the layers and the central

decision-maker. We then show that high efficiency can be achieved by

implementing the Layered Approach. Finally, we integrate the Layered

Approach and the CRFs to develop a system that is accurate and

performs efficiently.

7/27/2019 50409621026-PHARKKAVI-D

11/31

3. Network security module

A number of methods and frameworks have been proposed

and many systems have been built to detect intrusions.

Various techniques such as association rules, clustering,naive Bayes classifier, support vector machines,

genetic algorithms, artificial neural networks, and others

have been applied to detect intrusions.

,

7/27/2019 50409621026-PHARKKAVI-D

12/31

4. Decision TreesThe decision trees select the best features for

each decision node during the construction of

the tree based on some well-defined criteria.

One such criterion is to use the information

gain ratio.Decision trees generally have very high speed

of operation and high attack detection accuracy.

The performance of our proposed system,

Layered CRFs, is comparable to that of the

decision trees and the naive Bayes, and our

system has higher attack detection accuracy.For better comparison and readability

7/27/2019 50409621026-PHARKKAVI-D

13/31

The CRFs perform much better for U2R attacks while the

decision trees achieve higher attack detection for Probes and

R2L. The difference in attack detection accuracy for DoS is not

significant.

We note that the reason for better performance of decision trees

is that they perform feature selection. the integrated models as

Layered CRFs, layered decision trees, and layered nave Bayes,respectively.

7/27/2019 50409621026-PHARKKAVI-D

14/31

Network security module

Decision Trees

7/27/2019 50409621026-PHARKKAVI-D

15/31

Main Modules:-CONDITIONAL RANDOM FIELD

The CRFs have proven to be very successful in such tasks, as they do notmake any unwarranted assumptions about the data. Hence, we explore the

suitability of CRFs for intrusion detection. system may consider features

such as logged in and number of file creations. When these features are

analyzed individually, they do not provide any information that can aid in

detecting attacks.

However, when these features are analyzed together, they can providemeaningful information, which can be helpful for the classification task.

Probe layer

The probe attacks are aimed at acquire information about the target

network from a source that is often external to the network. Hence, basicconnection level features such as the duration of connection and source

bytes are significant while features like number of files creations and

number of files accessed are not expected to provide information for

detecting probes.

7/27/2019 50409621026-PHARKKAVI-D

16/31

DoS layer

For the DoS layer, traffic features such as the percentage ofconnections having same destination host and same service and

packet level features such as the source bytes and percentageof packets with errors are significant. To detect DoS attacks, itmay not be important to know whether a user is logged in ornot.

R2L layerThe R2L attacks are one of the most difficult to detect as they

involve the network level and the host level features. Wetherefore selected both the network level features such as theduration of connection and service requested and the host

level features such as the number of failed login attemptsamong others for detecting R2L attack.

7/27/2019 50409621026-PHARKKAVI-D

17/31

U2R layer ( User to Root attacks)

The U2R attacks involve the semantic details that are

very difficult to capture at an early stage. Such attacks are

often content based and target an application.

Hence, for U2R attacks, we selected features such as

number of file creations and number of shell prompts

invoked, while we ignored features such as protocol and

source bytes.

7/27/2019 50409621026-PHARKKAVI-D

18/31

Source Destination

Network

Layer 1:

Probe Attack

Layer 2:

DoS Attack

Layer 1:

R2L Attack

Layer 1:

U2R Attack

CRF

Layer 3:

R2L Attack

Layer 4:

U2R Attack

7/27/2019 50409621026-PHARKKAVI-D

19/31

Data Flow Diagram

Layer 1:

Probe Attack

Layer 2:

DoS Attack

Layer 3:

R2L Attack

Layer 4:

U2R Attack

CRF

Source

Send The File

Receive the File

Verify the Data

7/27/2019 50409621026-PHARKKAVI-D

20/31

Use case Diagram

SourceDestinati

on

Network

Connect in

Network

CRF Layered Approach

7/27/2019 50409621026-PHARKKAVI-D

21/31

Architecture Diagram

7/27/2019 50409621026-PHARKKAVI-D

22/31

Data Flow Diagram

Layer 1:

Probe Attack

Layer 2:

DoS Attack

Layer 3:

R2L Attack

Layer 4:

U2R Attack

CRF

Source

Send The File

Receive the File

Verify the Data

7/27/2019 50409621026-PHARKKAVI-D

23/31

Sequence Diagram

7/27/2019 50409621026-PHARKKAVI-D

24/31

STUDY

7/27/2019 50409621026-PHARKKAVI-D

25/31

7/27/2019 50409621026-PHARKKAVI-D

26/31

7/27/2019 50409621026-PHARKKAVI-D

27/31

7/27/2019 50409621026-PHARKKAVI-D

28/31

7/27/2019 50409621026-PHARKKAVI-D

29/31

7/27/2019 50409621026-PHARKKAVI-D

30/31

7/27/2019 50409621026-PHARKKAVI-D

31/31

CONCLUSION

We have addressed the dual problem of Accuracy andEfficiency for building robust and efficient intrusion detection

systems. Our experimental results in Section 6 show that

CRFs are very effective in improving the attack detection rate

and decreasing the FAR. Having a low FAR is very importantfor any intrusion detection system.