The use of the internet has increased with advances in technology such as smartphones and high-speed connections. As the number of web users grows, so does the demand for online security to protect digital infrastructure from security breaches. Security breaches and cyber-attacks compromise the security, integrity and authenticity of a network because they allow cybercriminals to conduct illegal activities such as file modification and unauthorised access to confidential data [1].
Organisations can use an Intrusion Detection System (IDS), a software application that monitors the network for policy violations or malicious activity. Detection systems are divided into two groups: (1) host-based intrusion detection systems and (2) network-based intrusion detection systems [2]. In the past few years, developments in network security and network-based services have become a crucial factor for organisations. In order to secure their networks and identify different cyber-attacks, companies use anomaly-based network intrusion detection. Techniques used in anomaly-based network intrusion detection include knowledge-based, machine-learning-based and statistical methods.
[3] Companies face challenges when applying different security methods, which depend on the characteristics of the existing network data, in order to improve their performance. Corporations install the Network Intrusion Detection System (NIDS) at key points of the network in order to check traffic to and from all hosts that use the network [4]. This report focuses on the network intrusion detection system; it covers the background of the topic and the requirements of the project.
A Network Intrusion Detection System (NIDS) is an additional layer of protection that examines network activity to detect attacks or intrusions. NIDS can be hardware- or software-based devices used to examine an attack. NIDS products observe connections to detect whether attacks have been launched. Some NIDS only monitor and generate an alert for an attack, whereas others also try to block the attack.
Network intrusion detection systems can detect several types of attack that use the network. NIDS are excellent for detecting unauthorised access or some kinds of access in excess of authority. A NIDS does not require much modification of production hosts or servers. This is a benefit because these servers often run close to the limits of their CPU, and installing additional software may exceed the system's capacity. Most NIDSs are quite easy to deploy on a network and can observe traffic from multiple machines at once [5]. We are using Snort for the network intrusion detection system. Snort is principally a rule-oriented detection system for capturing intrusions. It can perform real-time traffic monitoring, analysis and packet logging on Internet Protocol (IP) networks. Snort reads its rules, which can be predefined or customised, at start-up time and builds internal data structures (chains) to apply these rules to captured data. Snort comes with a variety of
established pre-defined rules to detect intrusion activity, and you are also free to add your own rules as required. Below is the block diagram of the Snort architecture.
Block diagram of Network intrusion detection system
The above figure is a block diagram [6] of the network intrusion detection system. Incoming traffic is captured using Wireshark and the captured data is sent to the detection module, which analyses the files in batch mode; before the data is forwarded to the system it is filtered, which reduces the amount of network traffic to examine [7]. Once the data is filtered, all known attacks are matched against stored signatures, removed and analysed; after the known attacks have been analysed, the remaining traffic is passed to the anomaly-based detection technique, which uses association pattern analysis to detect malicious traffic and records its signature so that it can be stored for signature-based detection.
3. Table of weekly Activities for MN692
Week Number: Activity
Week 1: Validate all the details and activities to be performed in this stage of the project against the research done in the previous stage, so that the project is completed effectively. Research data collection methods using basic tools for network traffic, source and destination IP addresses and packet capture from the network for the network intrusion detection system.
Week 2: To remove obscurity and obtain clean network data for the research method used to reach the final outcome, a pre-processing research method will be applied to the data.
Week 3: The research method in use is a data mining technique, which will be used to explore and understand the application of the decision-tree algorithm.
Week 4: Consider and clarify doubts about the one-class support vector machine (1-class SVM).
Week 5: The software required for packet sniffing is Snort, which must be installed and its rules configured.
Week 6: Validate the Snort rules and cross-check that the software required for Snort works correctly before starting the project.
Week 7: Build the research method, which is the hybrid detection method.
Week 8: Improve the intrusion detection method, and assess and randomly test the system.
Week 9: Carry out complete verification of the project against the project requirements, complete all assigned tasks and organise the demonstration of the project.
Week 10: Report writing for the final document.
Week 11: Ongoing report writing and the oral presentation document.
Week 12: Finish the final report, collect the limitations of the project if any, submit the final report and prepare for the demonstration.
4. Roles & Responsibilities of each team member
Team members: Vinod Allam, Solomon Waskar, Rakesh Nunna, Abdul Rasheed
Week 1
- Vinod Allam: Understand and validate the details of the project and its implementation.
- Solomon Waskar: Explore network data abstraction.
- Rakesh Nunna: Extract the rules required for Snort.
- Abdul Rasheed: Get acquainted with 'Honey D' and other network configuration for the computer.
Week 2
- Vinod Allam: Complete understanding of the pre-processing methods.
- Solomon Waskar: Scrutinise pre-processing methods such as normalisation, discretisation and feature range.
- Rakesh Nunna: Gathering and validating: configure Snort according to the rules required for the project.
- Abdul Rasheed: Read IEEE journals on the SVM (support vector machine) model to create decomposed subnets.
Week 3
- Vinod Allam: Get acquainted with the decision tree algorithm.
- Solomon Waskar: Better understand the gain-based decision tree algorithm and research gain calculation for the implementation.
- Rakesh Nunna: Build a baseline algorithm for the requirements of the project.
- Abdul Rasheed: Contribute what is known about the SVM and explain it to the team members in order to construct the hybrid detection system.
Week 4
- Vinod Allam: Understand all the documentation and research done and clarify queries with the supervisor and team members before starting the project.
- Solomon Waskar: Review all the documentation and research done and clarify queries with the supervisor and team members before beginning the project implementation.
- Rakesh Nunna: Join together all the exploration done so far and clarify questions with all team members and the supervisor to begin building the project.
- Abdul Rasheed: Consolidate all the examination done so far and clarify questions with all team members and the supervisor to begin building and introducing the project.
Week 5
- Vinod Allam: Install VirtualBox and Wireshark.
- Solomon Waskar: Install the Snort subscription software and WinPcap.
- Rakesh Nunna: Understand and configure the rules for Snort.
- Abdul Rasheed: Test that the configured Snort runs correctly as per requirement.
Week 6
- Vinod Allam: Continue the configuration steps of the software.
- Solomon Waskar: Continue the configuration steps of Snort.
- Rakesh Nunna: Check for a better configuration of Snort.
- Abdul Rasheed: Check that Snort is capturing data as per requirement.
Week 7
- Vinod Allam: Structure the decision-tree algorithm.
- Solomon Waskar: Script test scenarios for the logic of the decision-tree algorithm.
- Rakesh Nunna: Script test scenarios for the one-class SVM.
- Abdul Rasheed: Construct the one-class SVM detection algorithm.
Week 8
- Vinod Allam: Continue building the decision-tree algorithm.
- Solomon Waskar: Further testing of the logic of the decision-tree algorithm.
- Rakesh Nunna: Additional testing of the logic of the one-class SVM.
- Abdul Rasheed: Build the one-class SVM detection algorithm.
Week 9
- Vinod Allam: Assess and start the acceptance test.
- Solomon Waskar: Evaluate and start the acceptance test.
- Rakesh Nunna: Appraise and start the acceptance test.
- Abdul Rasheed: Gauge and start the acceptance test.
Week 10
- Vinod Allam: Divide the tasks for the final report equally and complete the report.
- Solomon Waskar: Write the fix and evaluation part of the report, and fix issues in the project.
- Rakesh Nunna: Complete the writing of the weekly report and fix problems in the project.
- Abdul Rasheed: Scrutinise the project and its limitations, if any.
Week 11
- Vinod Allam: Structure the final report and divide the oral presentation among the team members.
- Solomon Waskar: Prepare the presentation on the evaluation, step by step.
- Rakesh Nunna: Oral presentation on the decision tree and one-class SVM.
- Abdul Rasheed: Write the troubleshooting steps.
Week 12
- Vinod Allam: Collect all the data and get ready for the demonstration of the project.
- Solomon Waskar: Fix any troubleshooting issues in the project and demonstration.
- Rakesh Nunna: Find any project limitations and fix them.
- Abdul Rasheed: Compile all the documents and the oral presentation and submit them for final proofreading.
For the network intrusion detection system, VirtualBox is installed on the computer in order to simulate the process. Windows is used as the main platform. Windows 10 is installed in VirtualBox; after installing Windows, Snort is installed and configured according to the requirements in order to monitor incoming traffic. Honey D is deployed in the system in order to capture the attacker's details. All these applications are installed to neutralise the attacks using the algorithms.
5.1 Implementation
Snort [8] is deployed to monitor malicious traffic using signature-based and anomaly-based detection; it displays the required information about the incoming and outgoing traffic captured by Wireshark and analyses the traffic using the algorithms. All these applications are deployed inside the OS and incoming traffic is monitored regularly. HoneyD acts as a trap: it poses as the main server in order to capture incoming requests from attackers and record the attacker's details.
6.1 Software Requirements
Applications that are being installed:
SOFTWARE       VERSION
Snort          2.9
HoneyD         1.5
Virtual Box    5.2
Windows        10
Weka           3.8
6.2 Hardware requirements
2 personal computers
Specifications:
8 GB RAM
i5 processor
2 GB graphics card
500 GB hard disk
IDS are mainly classified into two types: (i) signature-based and (ii) anomaly-based detection systems.
7.1 Signature based:
A signature-based detection algorithm [9] records the signatures of malicious activities that have happened before and stores these signatures in order to detect them again. Signature-based detection is therefore limited to attacks that have happened before.
7.2 Anomaly based
Anomaly-based detection [9] is mainly based on the behaviour of the traffic: each packet is analysed thoroughly and divided into parts, and if any malicious behaviour is found the packet is dropped.
Implementation of snort
Linux should be used to implement Snort. Ubuntu makes the process painless and easy: installing and configuring Snort on it is easier than on Windows Server. Snort sensors should be seen as appliances (like a UPS or a router) and hence do not need to match the server infrastructure. In fact, one probably already has other network appliances running on some version of Linux. One final thought: if one's intrusion detection system runs on the same platform as the rest of the systems, it may be compromised along with those systems in the event of a successful intrusion.
For small installations, a single PC can house the management applications (ACID and SnortCenter) and monitor the network. In bigger organisations, one will probably need to separate these functions: one PC performs the management role while other PCs act as sensors. Fig 1 shows a common arrangement of sensors within a medium-sized network. Ubuntu is intended to provide a secure, lightweight environment and therefore runs only a minimal set of the usual Linux services.
Operating with Snort
To use Snort as an intrusion detection system, Snort should first be downloaded from its official site (www.snort.org). Snort should then be set up through the following steps:
Build and install libdnet from source code.
Download, build and install the Data Acquisition Library (DAQ).
After following the above steps, Snort is installed and can be configured as an intrusion detection system.
To test Snort, one rule was added to raise an alert whenever Facebook was accessed. The rule was:
alert tcp any any -> any any (content:"facebook"; msg:"Someone is accessing facebook!!"; sid:1000001;)
After Facebook was accessed, Snort therefore generated an alert message, as illustrated in Figure 3.2.
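As an added example (not part of the project's own code or of Snort), the following parser checks a rule of the form used above: it reads the header, splits the option list, requires the `name:value;` form (so a rule written with `msg=` is reported, since Snort only accepts `msg:`), requires `msg` and `content` to be quoted, and requires a numeric `sid` in the local-rule range. Option values that themselves contain `;` are out of scope and noted in the docstring.

```python
import re

# Header: action proto src sport direction dst dport, then the option list in parentheses.
HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
QUOTED = ("msg", "content")   # options whose value Snort expects in double quotes
LOCAL_SID_MIN = 1000000       # Snort reserves SIDs of 1,000,000 and above for local rules


def parse_rule(rule):
    """Return (parsed, errors). parsed is None when the header cannot be read.
    Option values containing ';' are not handled (they need Snort's escaping)."""
    m = HEADER_RE.match(rule)
    if not m:
        return None, ["header is not 'action proto src sport -> dst dport (options)'"]
    header = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options, errors = {}, []
    for raw in m.group("opts").split(";"):
        raw = raw.strip()
        if not raw:
            continue
        if ":" not in raw:
            # e.g. msg="..." : Snort separates option name and value with a colon
            errors.append(f"option {raw!r} must use the 'name:value;' form")
            continue
        name, value = (s.strip() for s in raw.split(":", 1))
        if name in QUOTED:
            if len(value) < 2 or value[0] != '"' or value[-1] != '"':
                errors.append(f"{name} value must be double-quoted")
            value = value.strip('"')
        options[name] = value
    sid = options.get("sid")
    if sid is None or not sid.isdigit():
        errors.append("rule needs a numeric sid")
    elif int(sid) < LOCAL_SID_MIN:
        errors.append(f"sid {sid} is below {LOCAL_SID_MIN}, the range reserved for local rules")
    return {"header": header, "options": options}, errors


# The Facebook test rule from this report, in the form Snort accepts.
FACEBOOK_RULE = ('alert tcp any any -> any any '
                 '(content:"facebook"; msg:"Someone is accessing facebook!!"; sid:1000001;)')

if __name__ == "__main__":
    parsed, errors = parse_rule(FACEBOOK_RULE)
    print(parsed["header"], parsed["options"], errors or "no errors")
```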
Testing snort
Testing for attempted intrusion can be achieved by examining the basic entry points that intruders on the network would use. A plan must be fixed to allow fruitful testing to occur.
Testing snort basic principles
One must examine the basic principles governing the Snort application in a remote sensor network:
Snort security matters
Verification of Snort intrusion detection:
This is intended to recognise any intrusion into the network, with the aim of deciding and confirming that there is no point of intrusion into the system from an external system. It additionally helps to identify attempted attacks. Along these lines, Snort should have the capacity to detect attempted hacking.
Result Analysis and evaluation
The focus of this structure is to examine the activity of Snort in a remote sensor network in order to recognise network attacks using a WIDS. Adequate outcomes will be obtained depending on how Snort is composed, installed and configured in the remote network that protects the system from any intrusion or attack. The Snort structure's execution, the dataset employed and the testing should produce outcomes adequate to be acknowledged in the WIDS on the server, which has different standards and guidelines. The report demonstrates that several forms of intrusion are noted after installing Snort, a firewall and other safety devices that assist in detecting the attacks.
Experiment one
Aim: to inspect whether Snort enforces security on outgoing and incoming spoofing and spying traffic.
Backdoor
A backdoor is an executable program that may be employed to spoof and spy on the targeted host. After installation, it offers a hidden way past the normal authentication of wireless access. The software masquerades as an ICQ program that failed while being installed. Once installation is complete, it exposes a port that allows intruders or attackers to access the network. The backdoor comprises two parts, a server and a client. The server is delivered to clients as an executable file that users install without suspecting any issue. After installation, client ports are opened and the attack starts.
Results Analysis
The alarm.ids file shows a Remote Procedure Call (RPC) threat based on buffer overflow exploitation, which is categorised as miscellaneous activity and ranked as a lower-level priority according to the WIDS Snort standard ranking. The attacker executes the attack from a host with IP address 192.168.120.100, targeting the host with IP address 192.168.0.128, which in this case is the mail server. Port 52 is the one being used, which Snort cannot detect. Port 53 is then opened, which backdoor attacks use to survey network services; this is categorised as attempted administrator privilege gain and given priority. This indicates that the attacker has administrative rights and can therefore fully access the network services. TCP is the protocol used in this case. Once the administrator receives the report, it is easy to screen all traffic through TCP port 52 by implementing the rule in Snort.
Experiment 2
Aim: to examine whether Snort applies the configured policies and rules to outgoing and incoming traffic.
The ping of death attack is tested through a DoS attack
The point of applying ping of death attacks is to test whether Snort has the capacity to recognise the traffic from the public and internal networks. The tool targets the installed server by sending unlimited data packets. Central servers that are targeted must respond to every ping packet directed at the internal system. A correctly configured Snort must stop the ping of death once it appears. The command applied, ping <IP target host> -t -l 65500, transfers packets at a speed of 125 kbps. The test target host is the mail server, IP address 192.168.0.128, as demonstrated below:
Results Analysis
The report shows the traffic timestamp, time, date and packets; NETBIOS Unicode data accesses are categorised under the names generic protocol command decode, DoS and SMB. Evaluation of the report shows that the alarm activity contained heavy traffic from external and internal hosts towards port 53 on address 192.168.150.10, used for NETBIOS. NETBIOS services are used to allow communication within the internal LAN. The report offers details concerning the position of the host within the private network. Traffic is noticed through port 53. The other attacks include the Finger protocol, HTTP and the Trojan horse.
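The two-stage pipeline from the block diagram (signature matching first, anomaly analysis on what remains) applied to the kind of traffic seen in this experiment, as an added example that is not the project's code: a constructed capture holds one web request matching the Facebook signature and a burst of 65500-byte echo requests from the attacker address to the mail server. The anomaly stage is a simple per-source rate and size model standing in for the planned one-class SVM; the thresholds (1472-byte payload, 50 echoes per second) are assumed values for the example, not Snort defaults.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float        # capture timestamp in seconds
    proto: str       # "tcp" or "icmp"
    src: str
    dst: str
    size: int        # payload length in bytes
    payload: bytes = b""


# Signature stage: content -> alert message, mirroring the Facebook rule used earlier in the report.
SIGNATURES = {b"facebook": "Someone is accessing facebook!!"}

# Anomaly stage thresholds (assumed values for this example).
MAX_ICMP_PAYLOAD = 1472   # largest echo payload that fits one unfragmented Ethernet frame
FLOOD_PPS = 50            # echo requests per second from one source to one host


def signature_stage(pkt):
    """Return the messages of every known signature found in a TCP payload."""
    if pkt.proto != "tcp":
        return []
    return [msg for content, msg in SIGNATURES.items() if content in pkt.payload]


def anomaly_stage(packets):
    """Per (source, destination, second) ICMP statistics; flags floods and oversized echoes."""
    count = defaultdict(int)
    largest = defaultdict(int)
    for p in packets:
        if p.proto != "icmp":
            continue
        key = (p.src, p.dst, int(p.ts))
        count[key] += 1
        largest[key] = max(largest[key], p.size)
    alerts = []
    for key in sorted(count):
        src, dst, sec = key
        if count[key] > FLOOD_PPS:
            alerts.append(f"ICMP flood {src} -> {dst}: {count[key]} echoes in second {sec}")
        if largest[key] > MAX_ICMP_PAYLOAD:
            alerts.append(f"oversized ICMP echo {src} -> {dst}: {largest[key]} bytes")
    return alerts


def analyse(packets):
    """Signature matches are reported first; only unmatched packets reach the anomaly stage."""
    sig_alerts, remaining = [], []
    for p in packets:
        hits = signature_stage(p)
        if hits:
            sig_alerts.extend(f"{msg} ({p.src} -> {p.dst})" for msg in hits)
        else:
            remaining.append(p)
    return {"signature": sig_alerts, "anomaly": anomaly_stage(remaining)}


# Constructed sample capture (attacker and mail-server addresses as in the experiment above).
SAMPLE = [Packet(0.10, "tcp", "192.168.0.5", "203.0.113.10", 60, b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n")]
SAMPLE += [Packet(i * 0.005, "icmp", "192.168.120.100", "192.168.0.128", 65500) for i in range(200)]
SAMPLE.append(Packet(1.20, "icmp", "192.168.0.5", "192.168.0.128", 32))

if __name__ == "__main__":
    for stage, alerts in analyse(SAMPLE).items():
        for alert in alerts:
            print(stage, alert)
```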
WEKA
The WEKA tool is applied for regression analysis, clustering and classification. To classify the data, a file is opened in WEKA and the decision tree classifier is used. The outcome is shown in Figure 3.14.
Conclusion
The aim of this report was to determine the viability and performance of the intrusion detection system. Compared with the well-known IDS Snort, it is a fast system. Snort was evaluated in different steps on a super PC with different conventions, packet sizes and protocols. A large number of packets are dropped when using virtualization, because of the changing aspects of virtualization, where the physical RAM assigned to the host PC is distributed disk space as well as virtual RAM. This respectively affects the function of Suricata and creates packet drops. As the number of packets received by the network card becomes higher than the number received by the virtual machines, this is understood as a bottleneck resulting from the slow exchange of data with the disk.
8. References
[1] R. von Solms and J. van Niekerk, "From information security to cyber security", Computers & Security, vol. 38, pp. 97-102, 2013.
[2] H. Liao, C. Richard Lin, Y. Lin and K. Tung, "Intrusion detection system: A comprehensive review", Journal of Network and Computer Applications, vol. 36, no. 1, pp. 16-24, 2013.
[3] N. Thanh Van, T. Ngoc Thinh and L. Sach, "An anomaly-based Network Intrusion Detection System using Deep learning", 2017, pp. 1-2.
[4] M. H. Bhuyan, D. Bhattacharyya, and J. Kalita, Network Anomaly Detection: Methods, Systems and Tools. 2014, pp. 30-34.
[5] U. Modi and A. Jain, "An Improved Method to Detect Intrusion Using Machine Learning Algorithms", Informatics Engineering, an International Journal, vol. 4, no. 2, pp. 17-29, 2016.
[6] P. Casas, J. Mazel and P. Owezarski, "Unsupervised Network Intrusion Detection Systems: Detecting the Unknown without Knowledge", Computer Communications, vol. 35, no. 7, pp. 772-783, 2012.
[7] M. H. Bhuyan, D. Bhattacharyya, and J. Kalita, Network Anomaly Detection: Methods, Systems and Tools. 2014, pp. 30-34.
[8] J. Cleland-Huang, "Safety Stories in Agile Development", IEEE Software, vol. 34, no. 4, pp. 16-19, 2017.
[9] M. Sazzadul Hoque, "An Implementation of Intrusion Detection System Using Genetic Algorithm", International Journal of Network Security & Its Applications, vol. 4, no. 2, pp. 109-120, 2012.