Online Network Intrusion Detection System Using VFDT

(1)

International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459,ISO 9001:2008 Certified Journal, Volume 4, Issue 6, June 2014)

536

Online Network Intrusion Detection System Using VFDT

Sandeep Gore

1

, Poonam Gupta

2

1_{Research scholar,}2_{Assistant Professor, Department of Computer Engg., GHRCEM, Wagholi, Pune, India.}

Abstract— In a network system the security is a main concern for a user. It's basically i) virus attack II) infiltrators have suffered from mainly two security attacks.Intruder does not only mean it want to hack the private information over the Network, it also served a node bandwidth usage and includes an increase for delay other host over the network.Many organizations today more and more very large databases that grow without limit at a rate of several million records per day. Intrusion detection (ID) is the act of detecting inappropriate, incorrect, and anomalous activities. It's also questionable activity that occurs in the corporate network. Intrusion detection system is the act of identifying unauthorized or unusual activity on the system.

The proposed system is a Network Intrusion Detection System that is an enhancement of the existing system by using VFDT. Study VFDT's properties and demonstrate its utility through an extensive set of experiments on synthetic (real time network traffic) data. Also describes and evaluates VFDT, an anytime system that builds decision trees using constant memory and constant time per example and learning and classification work simultaneously. Online mining approach classifies each incoming sample because it arrives within the system inflicting less coaching samples exists within the memory at any time, which might get replaced by new samples when obtaining processed. The planned design uses Network Packet soul to smell the incoming packets, a reference rule base for supervision the incoming network packets and really quick call Tree Learner (VFDT Classifier) to classify the information.

Keywords— IDS, VFDT, Intrusion, Network Security, Hoeffding bounds.

I. INTRODUCTION

Intrusion detection events occurring in a process of monitoring of computer system or network and possible events, which are violations or a violation of computer security policies, acceptable for signs of imminent danger of policies, use standard safety practices or events for a variety of reasons, malware (for example, worms, spyware), such as the attackers unauthorized access from the Internet system is gaining, Their privileges and authorized users system abuse or additional rights for which they are not authorized to carry. Although many incidents are not malicious in nature, many others; For example, a person can be incorrect and a computer to address a different system to connect to without the authorization of attempted [1]

Data stream mining useful information from constant, rapid data streams is the process of extracting data Stream Mining a very broad concept, and this classification, detection, and clustering several technical areas. clinical support systems are typically real-time medical predictions and that several characteristics and conditions based on multivariate data in this paper, the author need

classification mainly data stream classification,

Because.[2]Intrusion detection that compromise the integrity, confidentiality, Information resources include identification of a set of malicious actions and availability. Traditional methods are known to be detected for intrusion attacks are based on extensive knowledge of signatures. Events monitored for intrusion detection signatures of match edge against. In methods extract detect intrusions various audit features streams, and human experts provided by the facility to a set of attack signatures values by comparison. [3] one of the first move toward streamlining data for traffic classification and a integrated traffic classification based Traffic classification framework, data stream (a one-time scan, incremental, Internet traffic, is the dynamic qualities to deal with potential infinite that require DSTC) online, and make the proposed algorithm any time learning. The identification and classification according to application type is an important element of network traffic. Network trend analysis, dynamic access control, intrusion detection and lawful interception. [4] Internet traffic monitoring and control in the last few years has research interests attracted many. Accurate identification and classification of network to application type traffic according network trend analysis, dynamic access control, legal protection, and intrusion detection is an important element for. [5] Information security in intrusion detection to detect behaviors that privacy, Integrity or attempt to compromise the availability of a resource act of. Intrusion detection, intrusion prevention in General, not much used for such purposes. Being focused on data mining

technology, these techniques has advantages and

(2)

International Journal of Emerging Technology and Advanced Engineering

537

First of all, online data streamlining data stream type decision tree to regard credit card transaction data. Second, select properties to be important for detection use on illegal online to build a decision tree type VFDT (very fast Decision Tree learner) algorithm.[7] significant research development of intrusion detection systems (IDS) heterogeneous computer network able to detect malicious traffic indicative activity was dedicated to. While signature-based IDS known attacks have proven effective in discovering, anomaly-based IDS automatically detect undocumented threats before being able to hold even greater promise. traditional IDS are usually trained in batch mode, And so to develop the network in real time data streams cannot adapt to the limits, data stream mining techniques can be used to solve real world applications dynamically IDS, credit fraud detection as a stream of models [8] network traffic, enable network intrusion detection to create a new type of With consistent high speed data of huge volume. Application data stream classification can be modeled as problems. [9] Adaptive learning agents in continuous data mining by dynamic currents of variable data with the concept challenges to cope. Fundamental processes years, months and even seconds, times drastically, this change real-time data streams mostly in generating may change, also known as concept drift [10] KDD system that continuously and indefinitely, as they include examples.

II. LITERATURE REVIEW

Munish Sharma, Anuradha[1] In this paper,They provide a secure and authenticated system to transfer data over the network. The proposed system defined for both the wireless or wired network. This system will provide the safer transmission in Denial of Service (DoS) Attack and Man-In-The-Middle (MITM) Attack which are mostly founds in networks. Beside this it will have single point system administration and maintenance which makes it user friendly. It will also add security to a system as well as networks. Through this proposed system it is easy to mention an IP address.

Yang Zhang, Simon Fong, Jinan Fiaidhi, and Sabah Mohammed[2]In this paper, a new system is introduced that can analyse medical data streams and can make real-time prediction. This system is based on stream mining algorithm called VFDT. The VFDT is extended with the capability using pointers to allow the decision tree to remember the mapping relationship between leaf nodes and the history records. This way can save the need of the offline clustering process that reduces the resource consumption for the system.

In fact, the clustering process and initial training in theory can be processed together at the beginning. After initial training, from any leaf node we can use its pointer list and mapping table to retrieve the corresponding history records directly. It is suggested that clustering and classification should be used together for a more accurate prediction of a new insight requires retrieving the past cases that are represented as similar history records. Clustering helps grouping them, similar ones together. Prediction helps locating them subsequently.

Shina Sheen, R Rajesh [3] in this paper Intrusion Detection with feature selection was able to outperform the decision tree algorithm without feature selection. They believe that this improvement is due to the fact that the first approach is able to focus on relevant features and eliminate unnecessary or distracting features. This initial filtering is able to improve the classification abilities of the decision tree in a shorter time. Of the three features filter algorithms chosen it was found that Chi square and Information Gain was giving a better performance than Relief when KDD data set was taken.

Xu TIAN1, Qiong SUN, Xiaohong HUANG, Yan MA[4] In this paper, they propose a data stream based traffic classification system DSTC towards dynamic online traffic detection, including offline traffic preparation, online traffic labelling, continuous sampled feature selection and data stream based learning process. This is the first time to investigate data stream mining into traffic classification meanwhile, we implement VFDT into DSTC. [5] In this paper, they validate the existence of concept drift phenomenon, which is dynamic feature of real world traffic, from overall traffic level and application level in traffic classification problem and make a first step towards classifying dynamic online traffic in a data stream perspective. Then, they propose a novel integrated dynamic online traffic classification system DSTC, which can combine ML-based method and behaviours-based method, and introduce a data stream based ensemble classification algorithm into traffic classification community for the first time. Experiment results have shown that DSTC can efficiently and gracefully deal with dynamic traffic with high stable accuracy.

III. EXISTING METHODS

C4.5

(3)

International Journal of Emerging Technology and Advanced Engineering

538

Algorithm

C 4.5 training ID3, in the same way as data from a set of decision trees using the concept of information entropy. S1, S2, the training data set is S = ... Already classified samples for each sample SI are a p-dimensional vector (x 1, x 2, i, ..., xp, I), represent where xj features or features, as well as the class of which SI falls.

C 4.5 on each node of the tree, most effectively enriched in a class or other subset splits its own set of data the sample selects the characteristic of generalized information sharing. Criterion (the difference in entropy) with the highest normalized information gain attribute is chosen to. C 4.5 algorithm then recurs on the smaller sub lists.

This algorithm has a few base cases.

• List all the samples the same class when that happen,

it's just a leaf node for saying that class creates a decision tree to select.

• The benefits of any of the information provided. in

this case, a decision node tree using the expected value class C high above 4.5.

• Examples of previously unseen class encountered.

again, the expected value of a decision node higher up the tree by using C 4.5. [11]

IDS

An intrusion detection system (IDs) is a device or software application that malicious activities or policy violations on the network or system activity monitors and produces a management station to report. ID come in a variety of "taste" and explores different ways to suspicious traffic target based approach network (NIDS) and host-based intrusion detection systems (HIDS). Some systems attempt to prevent intrusion attempts, but it is not required nor expected a monitoring system. Intrusion detection and prevention systems (IDPS) mainly identify possible incidents, logging information about them and are focused on reporting effort. in addition, the organizations security policies, existing threats and intimidated by individuals violating Security policies, documenting problems with IDPSes for other purposes such as to identify the use IDPSes Security infrastructure is an essential addition to almost every organization.

IDPSes observed events relating to important events usually record information security administrators to inform and report observed in production. several attempts to stop it from succeeding IDPSes detects danger can they respond to many response techniques, which include IDPS attack stop, (for example, reconfiguring a firewall) to change the content of the security environment changes or use attack [13]

IV. PROPOSED SYSTEM ALGORITHM

Using NIDS system proposed system approach real time network traffic is focused on strong rules of online mining and the same rules in the same or different network traffic without having to classify the NIDS then uses online with network intrusions VFDT Classifier. The proposed rules mining we online mining approach which each incoming sample (i.e. packets) classification as it arrives There is less training sample system memory at any given time, which are processed by the new samples will be changed after that use the.

As most of the downside is this classification. (x, y) shape N coaching a bunch of samples, where there is a separate category can be labeled y and x is a vector h features, each of which may be symbolic or numeric. These examples aim to supply a model y that categories can predict future examples f y = x with high accuracy for example the most recent purchase, a customer x and not y or an outline of options for sending client catalog May; the decision, a cellular telephone or x and y options can be a record of it is deceitful.

VFDT:

Stream based classification, sharing time with

incrementally VFDT decision tree nodes by using a small amount of data in the incoming stream. expand a node to learn to model how to be seen by many sample is a statistical method relies on the Hoeffding bound or how many samples it bound Chernoff bound additive are required; Before each node is divided into to fix is used as data The tree is evaluated and its tree nodes can be expanded following equation inevitably stream mining model using the Hoeffding bound depict building blocks they represent trees usually Hoeffding tree (HT), which holds a yardstick grows by Hoeffding bound as known as heuristic evaluation function when under the tree. a leaf a conditional node so that it Pushing up trees, to have access to justice. Given that a node is split when a new conditional nodes, Terminal leaf node needs to place the relevant decision with enough evidence as current conditions are better represented by the tree rules. [12]

Hoeffding Tree Algorithm

Inputs: S is a sequence of examples, X is a set of discrete attributes, G(.) is a split evaluation function,

δ is one minus the desired probability of choosing the correct attribute at any given node.

(4)

International Journal of Emerging Technology and Advanced Engineering

539

Algorithm:

Hoeffdfing Tree (S, X, G, δ)

Let HTree be a tree with a single leaf l1 (the root).

Let Xl = X U {Xø}

Let Gl (X) be the G obtained by predicting the most

frequent class in S.

For each class yk

For each value xij of each attribute Xi €X

Let nijk(l1) = 0.

For each example (x,yk) in S

Sort (x,y) into a leaf l using HT.

For each xij in x such that Xi € Xl

Increment nijk(l).

Label l with the majority class among the examples

seen so far at l.

If the examples seen so far at l are not all of the same

class, then

Compute Gl(Xi) for each attribute Xi € Xl-{Xø}

using the counts nijk(l).

Let Xa be the attribute with highest Gl.

Let Xb be the attribute with second-highest Gl.

Compute ɛ using Equation 1.

If Gl(Xa) - Gl (Xb) > ɛ and Xa ≠ {Xø}, then

Replace l by an internal node that splits on Xa. For each branch of the split

Add a new leaf lm, and let Xm = X -{Xa}.

Let Gm(Xø) be the G obtained by predicting

the most frequent class at lm.

For each class yk and each value xij of each

attribute Xi € Xm -{Xø}

Let nijk(lm) = 0.

Return HTree.

We consider root node as leaf node and accumulate examples at root and using Hoeffding bound function to decide root attribute. Once the root attribute is chosen, the succeeding examples will be passed down to the corresponding leaves and used to choose the appropriate attributes there, and so on recursively. At each leaf during learning phase until attribute get chosen majority class of examples will assigned to the leaf node. Unlike traditional learner during training phase at each internal node examples get stored, in our learner instead of storing examples different counters are created dynamically and maintained. When new example come to a particular leave instead of storing it only related counter will get incremented. Due this examples will not be required to store at internal nodes.

These counters will be used for choosing best attribute for that particular node and get deleted after attribute choices. The Hoeffding bound solve the problem of deciding exactly how many network packets statistic are necessary at each node.

ID3

ID3 is a simple inductive, non-incremental, classification algorithm is a top-down, greedy search through a certain set of examples, this decision tree, that future is applied to classify the sample. Each instance has many features and is related to a class of each non-leaf node. Decision trees a decision node while each leaf node corresponds to a class name. Adding a future selection heuristic algorithm ID3 system offers feature selection learning concept that the best training is set, if the selected attribute group to identify the next best feature, a complete set of example input called classified different attribute is used to identify [14]

Architecture

The proposed system, Online learning and online classification of network traffic as well as on two different systems. A computer system on a network stream our system will get trained and dynamic rule base using the system generated learner system. Other system dynamic rules in the same or other network base learner system by grated new network stream is used for the classification of system classifier system Referred to as the traditional approach learning and classification step is one after another in sequence.

(5)

International Journal of Emerging Technology and Advanced Engineering

540

Learner System

In traditional approach, sampled data which has given class labels is used in learning phase. On this data decision tree algorithm get applied for generation decision tree model. From this decision tree rules are generated. New unseen sample coming in the system classified using these rules.

In Learner System following are the main steps

A. Static Rule Base generation (Preparation of training data): In signature base NIDS signatures are used to assign class label to unclassified packet. For this packet signature is get compared with signatures in database. It is time consuming and use full in offline learning approach. In our online learning we use online real time network traffic to learn the model as training data. We apply traditional ID3 Learner on KDD Rule Base. This dataset contain signatures for all types’ of network attacks and generated classification rules.These rules remain unchanged while system is running so called Static rules.Static rules used for assign class label to new network packet. In our approach

KDD Rule Base is used as input generating Static rules.

B. DynamicRule Base generation: Online decision

treelearning algorithm VFDT used for Dynamic rule Base generation in our approach. Following are main steps in DynamicRule Base generation.

a) Network Traffic: It consists of stream of packets. A packet is a fragment of data. Data transmissions in network are broken up into packets. Each packet contains a portion of the data being sent as well as header information which includes the destination address and other information related with source, packet, packet data and protocol used for transmission of packet.

b) Packet Sniffer: The packet sniffer sniffs the incoming packets through the network adapter. Many studies have revealed that the attributes such as Source IP Address, Destination IP Address, Source Port Number, Destination Port Number, TCP Window Size, and TCP Data Length are most promising fields associated with different types of attacks [12], hence the above fields are considered while applying VFDT algorithm on the stream of packets.

c) VFDT Classifier: Classic decision tree learners think training all examples of side-by-side can be stored in main memory, and thus seriously can they learn [1] are limited in the number of instances.

Our approach in decision tree learner we use large (possibly infinite) network traffic flow for our VFDT learner each instance (network packets) will read at once, and the process will take only a small constant time.

It is possible to direct online real network traffic streams (i.e., without the packet network storage) for me, And possibly very complex trees to build with acceptable computational cost.

VFDT learner module packet sniffer and packet statics decision tree learning uses as input for this decision tree learning uses Hoeffding tree algorithm.

Class label for network packet will be assigned using Static Rulesand theses packets passed as input to VDFT classifier to learn the decision tree. As number of network packets increases tree will grow and becomes stable and generates Dynamic Rules. These rules changes with time as decision tree grow. So these are called as Dynamic Rules. Change in Dynamic Rules gets updated to Classifier System. For this Classifier System is synchronized with the Learner System.

Classifier System

Classifier System new network stream is used for classification. In same or different network classifier System works learner system together with other system. Network adapter through the incoming packets the packet sniffer sniffs. Source IP address, destination IP address, source port number, destination port numbers, TCP window size and TCP data packet classification for the required length of the extract essential features. Initially Packer categorized as general packet classifier all packets. When dynamic rule base in networked learning is learner-generated system stares and classifier system update.

Malicious or non-malicious packets the packet classifier classified as if removing malicious packets it will block or that packet if it is non-malicious packet network packets are allowed to enter as Initially accuracy classifier.,. new rules of packet classifier system and dynamically generated and updated for accuracy of learner classifier system increases coming goes on increasing. Online rule generation module will generate the following rule form

IF SourceIP=172.16.52.10 AND SourcePort=1159 THEN CLASS= normal

IF SouceIP=64.185.181.238 THEN CLASS= normal IF SourcePortNumber=13500 THEN CLASS= anomaly

V. EXPERIMENTAL ANALYSIS

Result And Analysis

Data Set:

(6)

International Journal of Emerging Technology and Advanced Engineering

541

This dataset contain 41 fields. It makes huge data, literature survey show that the attributes such as Source IP Address, Destination IP Address, Source Port Number, Destination Port Number, TCP Window Size, and TCP Data Length are most promising fields associated with different types of attacks [12], hence the above fields are considered while applying VFDT algorithm on the stream of packets.

We prepare generic KDD Dataset file as input for static rule generation. Using these rules we assign class label to online real time network packets and which are used as training data for VFDT learner.

We measure the performance of the system by accuracy rate and error rate for classification by comparing class labels of same packets classified using static rule base in Learner system and Dynamic rule base in Classifier System. Experiments shows that initially error rate is high and as time passes system learns the model and become stable error rate goes on decreasing and accuracy of the classification increases. Network specific signature dataset can give good results than the KDD dataset.

Error rate =

Accuracy rate =

[image:6.612.322.568.121.639.2]

Lerner:

[image:6.612.50.289.385.597.2]

Figure 2: Sniffer

(7)

International Journal of Emerging Technology and Advanced Engineering

[image:7.612.49.294.123.461.2]

542

Figure 4: VFDT

Classifier:

Figure 5: Online Rule Based

VI. CONCLUSION AND FUTURE WORK

Our online network intrusion detection with VFDT Classifier is novel approach for today’s NIDS system. We can use this approach for online learning of classifier from real network packets stream and also able to accurately classify the anomalies. Due to online learning property of VFDT learner memory and processor requirement is very less. Using VFDT learner we can mine the robust rules from huge online network traffic and we can be use same rules for online classification of future network traffic with high accuracy and high speed of classification .Initially error rate of the classification is high and as time passes system learns the model and become stable error rate goes on decreasing and accuracy of the classification increases. In this online learning approach all real time network packet get used for learning classifier and dynamic rule get used for classification new attacks get identified.

Network specific signature dataset if used for generation of Static Rule Base can give good results than the KDD

dataset.

REFERENCES

[1] Munish Sharma, Anuradha "Network Intrusion Detection System for

Denial of Service Attack based on Misuse Detection "Department of Electronics and Communication Engineering, Bhiwani Institute of Technology and Sciences Bhiwani, Haryana, India – 127021, IJCEM International Journal of Computational Engineering & Management, Vol. 12, April 2011 ISSN (Online): 2230-7893

[2] Yang Zhang, Simon Fong, Jinan Fiaidhi, and Sabah Mohammed,

"Real-Time Clinical Decision Support System with Data Stream Mining " Hindawi Publishing Corporation Journal of Biomedicine and Biotechnology Volume 2012, Article ID 580186, 8 pages doi:10.1155/2012/580186

[3] Shina Sheen, R Rajesh, Member IEEE, "Network Intrusion

Detection using Feature Selection and Decision tree classifier" Dept of Mathematics and Computer Applications PSG College of Technology Coimbatore, India

[4] Xu TIAN, Qiong SUN, Xiaohong HUANG, Yan MA " Dynamic

Online Traffic Classification using Data Stream Mining", 2008

International Conference on MultiMedia and Information

Technology

[5] Xu TIAN, Qiong SUN, Xiaohong HUANG, Yan MA "A Dynamic

Online Traffic Classification Methodology based on Data Stream Mining", 2009 World Congress on Computer Science and Information Engineering

[6] TheodorosLappas and Konstantinos Pelechrinis, "Data Mining

Techniques for (Network) Intrusion Detection Systems", Department of Computer Science and Engineering UC Riverside, Riverside CA 92521

[7] Tatsuya Minegishi, Masayuki Ise, AyahikoNiimi, Osamu Konishi"

Extension of Decision Tree Algorithm for Stream Data Mining Using Real Data", Fifth International Workshop on Computational Intelligence & Applications IEEE SMC Hiroshima Chapter, Hiroshima University, Japan, November 10, 11 & 12, 2009

[8] Zachary Miller, William Deitrick, Wei Hu " Anomalous Network

Packet Detection Using Data Stream Mining", Journal of Information Security, 2011, 2, 158-168 doi:10.4236/jis.2011.24016 Published Online October 2011

[9] Chunquan Liang, Yang Zhang, Qun Song, "Decision Tree for

Dynamic and Uncertain Data Streams", JMLR: Workshop and Conference Proceedings 13: 209-224 2nd Asian Conference on Machine Learning (ACML2010), Tokyo, Japan, Nov. 8{10, 2010.

[10] Lior Cohen, Gil Avrahami, Mark Last, Abraham Kandel, "Efficient

Learning Algorithms for Agents Mining Time-Changing Data Streams" , 1Department of Information Systems Engineering Ben-Gurion University of the Negev Beer-Sheva 84105, Israel

[11] http://en.wikipedia.org/wiki/C4.5_algorithm

[12] http://www.hindawi.com/journals/ijdsn/2012/863545/

[13] http://en.wikipedia.org/wiki/Intrusion_detection_system