Network
The first author
Muna Mhammad Taher Jawhar : from Iraq
Ph.D. scholarship
Department of Computer Science
Jamia Millia Islamia
New Delhi, India
E-mail: muna.taher@gmail.com
Ph. No. : 9958414112
I. Introduction
The steady spread of information technology into every sphere of human activity
constantly places new requirements on the security of information systems. The
number of attacks and crimes involving computer networks is increasing [16], so
network security has become a very important issue, and intrusion detection has
become a research focus within it. Intrusion detection technology uses the trace
information left by an intruder, such as records of failed login attempts, to find
illegal intrusions by outsiders or insiders effectively. An intrusion detection system
is a computer system that implements intrusion detection technology [9].
Intrusion detection systems (IDS) can be classified as network-based or host-based
according to the information source used for detection. A network-based IDS monitors
network traffic and looks for network-based attacks, while a host-based IDS is
installed on a host and monitors the host audit trail. Intrusion detection systems can
also be roughly classified as anomaly detection or misuse detection. Anomaly detection
is based on the normal behavior of a subject (e.g., a user or a system); any action that
significantly deviates from the normal behavior is considered intrusive. Misuse
detection is based on the characteristics of known attacks or system vulnerabilities,
which are also called signatures; any action that matches a signature is considered
intrusive. The traffic pattern is compared with the signatures of known attacks: if a
match is found it is reported as an attack, otherwise it is not. Misuse detection
therefore cannot detect novel attacks. Anomaly-based detection, on the other hand,
depends on monitoring system activity and classifying it as either normal or anomalous.
The classification is based on heuristics or rules rather than patterns or signatures,
and will detect any type of misuse that falls outside normal system behavior. Thus it is
able to detect not only known intrusions but also unknown ones. In addition, this
approach can detect intrusions achieved through abuse by legitimate users or
masqueraders without breaking security policy [10][7].
However, the major problem of existing models is recognizing attacks in real time,
before the damage happens. In this paper, we propose a new method for a real-time
network intrusion detection system based on neural networks, using an NDIS hooking
program that works as an Internet packet sniffer. The paper is organized as follows:
section 2 gives an overview of previous work; section 3 discusses the Network Driver
Interface Specification (NDIS); section 4 describes the architecture and main
components of the system model; section 5 presents the experimental results; and
section 6 gives the conclusion.
A. Data Provider
The system uses real data from the Internet, collected by an NDIS hooking program
that works as a packet sniffer. The NDIS hooking sniffer controls, captures and
extracts the appropriate features from packets traveling over the Internet. The
features used in this model, extracted from the IP, TCP and UDP packet headers,
are: source IP address, destination IP address, source port, destination port,
the SYN, ACK, FIN and RES flags, the urgent mode flag, and the protocol type.
B. Preprocessor
The Preprocessor component gets the traffic features from the data provider and
converts them to binary bipolar form in order to feed the neural net sensors in
the Neural Network based analyzer component, and then sends them to the network
classification stage. The following operation is therefore applied to the
features.
• Normalization
In the normalization step, each numerical value in the data set is normalized
to the form 1 and -1. All features that have integer or continuous values
are converted to binary bipolar form.
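The feature extraction and bipolar conversion described above, as an added Python example that is not the paper's own code (the paper's system was written in Matlab behind an NDIS hook). The bit widths, the feature order, the reading of "RES" as the TCP reset bit, and the constructed sample packet are assumptions.

```python
import socket
import struct

# Assumed feature order and bit widths (the paper does not give them).
WIDTHS = [("src_ip", 32), ("dst_ip", 32), ("src_port", 16), ("dst_port", 16),
          ("syn", 1), ("ack", 1), ("fin", 1), ("res", 1), ("urg", 1),
          ("protocol", 8)]

def extract_features(packet: bytes) -> dict:
    """Read the ten header features from a raw IPv4 packet (TCP or UDP payload)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4                 # IP header length in bytes
    src_ip, dst_ip = struct.unpack("!II", packet[12:20])
    feats = {"src_ip": src_ip, "dst_ip": dst_ip, "protocol": packet[9],
             "src_port": 0, "dst_port": 0,
             "syn": 0, "ack": 0, "fin": 0, "res": 0, "urg": 0}
    l4 = packet[ihl:]
    if feats["protocol"] in (6, 17) and len(l4) >= 4:      # TCP or UDP ports
        feats["src_port"], feats["dst_port"] = struct.unpack("!HH", l4[:4])
    if feats["protocol"] == 6 and len(l4) >= 14:           # TCP flag byte
        flags = l4[13]
        feats.update(fin=flags & 1, syn=(flags >> 1) & 1, res=(flags >> 2) & 1,
                     ack=(flags >> 4) & 1, urg=(flags >> 5) & 1)
    return feats

def to_bipolar(feats: dict) -> list:
    """Expand every feature to its bits, most significant first: 1 -> +1, 0 -> -1."""
    vec = []
    for name, width in WIDTHS:
        for bit in range(width - 1, -1, -1):
            vec.append(1 if (feats[name] >> bit) & 1 else -1)
    return vec

def build_sample_packet() -> bytes:
    """Constructed 40-byte IPv4/TCP SYN packet using documentation addresses."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.7"))
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    vector = to_bipolar(extract_features(build_sample_packet()))
    print(len(vector), vector[96:101])           # vector length, then the flag bits
```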
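$$Y_m = \frac{1}{2} X_m + \frac{n}{2} \qquad (2)$$

$$Y_{k+1} = F_{net}(W_m Y_k) \qquad (3)$$

$$F_{net} = \begin{cases} 0 & \text{if output} < 0 \\ \text{output} & \text{if output} \geq 0 \end{cases} \qquad (4)$$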
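Equations (2) to (4) above read as a Hamming network followed by MAXNET; the following added Python example, which is not the paper's code, carries them through on bipolar flag vectors. Reading X_m as the dot product of the input with exemplar m, the value of eps, and the constructed exemplars over [SYN, ACK, FIN, RES, URG] are assumptions.

```python
# Constructed exemplars over [SYN, ACK, FIN, RES, URG]; +1 = flag set, -1 = clear.
EXEMPLARS = [
    ("NULL TCP packet", [-1, -1, -1, -1, -1]),
    ("SYN/FIN",         [ 1, -1,  1, -1, -1]),
    ("Normal",          [ 1, -1, -1, -1, -1]),   # SYN only (assumed normal pattern)
    ("Normal",          [-1,  1, -1, -1, -1]),   # ACK only (assumed normal pattern)
]

def hamming_scores(x):
    """Eq. (2): Y_m = (1/2) * <exemplar_m, x> + n/2, the count of matching bits."""
    n = len(x)
    return [0.5 * sum(e * v for e, v in zip(pattern, x)) + n / 2
            for _, pattern in EXEMPLARS]

def f_net(value):
    """Eq. (4): pass non-negative values through, clamp negatives to 0."""
    return value if value >= 0 else 0.0

def maxnet(scores, max_iter=1000):
    """Eq. (3): Y_{k+1} = F_net(W_m Y_k), W_m = 1 on the diagonal, -eps elsewhere."""
    eps = 1.0 / (2 * len(scores))          # assumed; must stay below 1/len(scores)
    y = list(scores)
    for _ in range(max_iter):
        total = sum(y)
        y = [f_net(v - eps * (total - v)) for v in y]
        if sum(1 for v in y if v > 0) <= 1:
            break
    alive = [i for i, v in enumerate(y) if v > 0]
    # Equal top scores decay together and never separate: report no winner.
    return alive[0] if len(alive) == 1 else None

def classify(x):
    """Return the label of the closest exemplar, or None when the match is tied."""
    winner = maxnet(hamming_scores(x))
    return None if winner is None else EXEMPLARS[winner][0]

if __name__ == "__main__":
    print(classify([1, -1, 1, -1, 1]))     # SYN+FIN+URG, not an exemplar itself
    print(classify([-1, -1, 1, -1, -1]))   # FIN only: equidistant from two exemplars
```

The tied case matters in practice: a vector equally close to two exemplars has no defensible class, so the caller should treat `None` as unclassified rather than pick one.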
Table 1: The results of running the MLP network with different learning algorithms

| Training algorithm | No. of Epochs | Detection time | Gradient | MSE |
|---|---|---|---|---|
| Resilient back propagation | 43 | 0:04 | 0.153 | 0.0501 |
| Gradient descent with momentum | 1000 | 0:47 | 0.0448 | 0.159 |
| Levenberg-Marquardt | 7 | 0:13 | 0.809 | 0.0486 |
| One step secant | 1000 | 2:03 | 4.85 | 0.101 |
| Scaled conjugate gradient | 1000 | 1:36 | 0.000469 | 0.0864 |
| BFGS quasi-newton | 1000 | 2:15 | 0.00275 | 0.0665 |
| Gradient descent w/momentum & adaptive lr backpropagation | 1000 | 0:42 | 0.000961 | 0.0604 |
| Conjugate gradient backpropagation with Polak-Ribiere update | 51 | 0:8 | 0.0161 | 0.0816 |
As figure (3) illustrates, the best two training algorithms are Resilient back
propagation and Levenberg-Marquardt, and these are used for testing. Table (2)
describes the results of testing the MLP network.
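Table (2): Results of MLP testing

| Attack name | Input | Resilient back propagation: Output | Resilient back propagation: Detection rate % | Levenberg-Marquardt: Output | Levenberg-Marquardt: Detection rate % |
|---|---|---|---|---|---|
| LAND attack | 360 | 48 | 13.33 | 413 | 86.53 |
| NULL TCP packet | 144 | 29 | 20.13 | 0 | 0 |
| Xmas tree | 147 | 147 | 100 | 0 | 0 |
| SYN/FIN | 162 | 0 | 0 | 767 | 30.12 |
| IOS Bomb | 144 | 144 | 100 | 145 | 100 |
| Chargen Dos | 597 | 622 | 95.98 | 0 | 0 |
| Broadcast | 72 | 0 | 0 | 0 | 0 |
| Snork | 2160 | 2160 | 100 | 2151 | 99.58 |
| Normal | 1440 | 1925 | 74.80% | 1461 | 98.56 |
| Unknown attack | | 133 | | 268 | |
| Time | | 8.2412 S | | 8.3293 | |

Total: 5208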
The table above shows that Resilient back propagation is better than Levenberg-
Marquardt at classifying attack types: the false negative is 12.87% and the
classification rate of Resilient back propagation is 87.65%, while the classification
rate of Levenberg-Marquardt is 81.73% and the false negative is 0.55%.
Table 3 presents the results of the experiment using Hamming and MAXNET.
The detection rate for each type of attack is shown above. The classification rate
of the Hamming network is 80.66%, and the false negative is 0.91%. The system is
implemented under the Windows XP operating system, using Matlab R2008a as the
programming language.
VI. Conclusion
Network intrusion detection is a hot field of network security research, and it is
a new kind of defense technology for network security. The use of neural networks
for intrusion detection has been presented in many publications. Unfortunately, the
simulations described often lack recognition of new attacks and have a low
detection accuracy. In this paper, we propose a new method for a real-time network
intrusion detection system using neural networks. Two neural network architectures
are used in this paper, MLP and Hamming networks, with an NDIS hooking program used
as an Internet packet sniffer. The training and testing data are taken from the NDIS
hooking program with eight simulated types of attack.
Acknowledgment
This work has been financially supported by the Indian Council of Cultural Relations
(I.C.C.R.), India. It has also been partially subsidized by the University of Mosul,
Ministry of Higher Education and Scientific Research, Iraq.
References
1. AL-Dabbagh, Omar, "Implementation and Analysis of a Software System for
protection of Local Area Network from internal Intruder", Ph.D. thesis,
Department of Computer Science, University of Mosul, Iraq, 2006.
2. Barkley W. and Macdonald D., "Microsoft windows 2000 TCP/IP
Implementation Details", Microsoft Corporation, 2000.
3. Dhawan S., "Network Device Drivers", Van Nostrand Reinhold, 1995.
4. Dima Novikov, Roman V. Yampolskiy, and Leon Reznik, "Artificial
Intelligence Approaches For Intrusion Detection", IEEE, 2006.
5. Dima Novikov, Roman V. Yampolskiy and Leon Reznik, "Anomaly
Detection Based Intrusion Detection", Proceedings of the Third International
Conference on Information Technology: New Generations, IEEE, 2006.
6. Iftikhar Ahmad, Sami Ullah Swati and Sajjad Mohsin, "Intrusions Detection
Mechanism by Resilient Back Propagation (RPROP)", European Journal of
Scientific Research ISSN 1450-216X Vol.17 No.4, pp.523-531, 2007.
7. Jawhar Muna M. T. and Monica M., "Intrusion Detection System: A design
perspective", the proceeding of international conference for data management,
IMT, Gaziabad, India, 2009.
8. Jimmy Shum and Heidar A. Malki, "Network Intrusion Detection System
Using Neural Networks", Fourth International Conference on Natural
Computation, IEEE, 2008.
9. Jingwen Tian and Meijuan Gao, "Network Intrusion Detection Method Based
on High Speed and Precise Genetic Algorithm Neural Network", 2009
International Conference on Networks Security, Wireless Communications and
Trusted Computing, IEEE, 2009.
10. Khattab M. Ali, Venus W, and Mamoun Suleiman Al Rababaa, "The Affect of
Fuzzification on Neural Networks Intrusion Detection System", IEEE, 2009.
11. Lília de Sá Silva, Adriana C. Ferrari dos Santos, José Demisio S. da Silva, and
Antonio Montes, "A Neural Network Application for Attack Detection in
Computer Networks", Instituto Nacional de Pesquisas Espaciais – INPE,
BRAZIL, 2004.
12. Oney W., "Programming the Microsoft Windows Driver Model", Microsoft
Press, 1999.
13. Ries C., "Defeating Windows Personal Firewalls: Filtering Methodologies,
attacks, and Defenses", 2005.
14. Srinivas Mukkamala, Andrew H. Sung, and Ajith Abraham, "Intrusion
detection using an ensemble of intelligent paradigms", Journal of Network and
Computer Applications 28, pp. 167–182, 2005.
15. TIE-JUN Zhou and LI Yang, "The Research of Intrusion Detection Based on
Genetic Neural Network", Proceedings of the 2008 International Conference on
Wavelet Analysis and Pattern Recognition, Hong Kong, IEEE, 30-31 Aug, 2008.
16. Vladimir Golovko, Pavel Kachurka, and Leanid Vaitsekhovich, "Neural
Network Ensembles for Intrusion Detection", IEEE International Workshop on
Intelligent Data Acquisition and Advanced Computing Systems: Technology and
Applications , Dortmund, Germany, 2007.
17. Wolthusen S., "Tempering Network Stacks", Security Technology Department
Fraunhoferstr, Germany, 2004.