View
4
Download
0
Category
Preview:
Citation preview
Intrusion Detection System based on Ontology for Web Applications
Dissertation
Submitted in partial fulfillment of the requirements for
the degree of
Master of Technology, Computer Engineering
By
Ashwini D.Khairkar
MIS No: 121122009
Under the guidance of
Mr.D.D.Kshirsagar
Department of Computer Engineering and Information Technology
College of Engineering, Pune
Pune - 411005
June 2013
DEPARTMENT OF COMPUTER ENGINEERING AND
INFORMATION TECHNOLOGY,
COLLEGE OF ENGINEERING, PUNE
Dissertation Approval Sheet
This is to certify that the dissertation titled
Intrusion Detection System based on Ontology for web Applications
has been successfully completed
By
Ms. Ashwini D. Khairkar
(121122009)
and is approved for the degree of Master of Technology in Computer
Engineering.
----------------------------------------
Mr.D.D.Kshirsagar
(Guide)
---------------------------------------
Dr. J.V.Aghav
(H. O. D.)
---------------------------------------
External Examiner
Date :
Place : College of Engineering, Pune
Abstract
Web application security is the major security concern for e-business and information sharing
community. The use of e-business and information sharing community are exponentially
increased and due to this cyber threats also increased. Current research shows that more than
75% attacks are being deployed at application layer and that of 90% applications are
vulnerable to these attacks. Nowadays it is very important to maintain a high level security to
ensure safe and trusted communication of information between various organizations. So
Intrusion Detection Systems have become a needful component in terms of computer and
network security. Intrusion Detection Systems (IDSs) are one of the most useful tools to
identifying malicious attempts over the network and protecting the systems without
modifying the end-user software.
In our propose system we are using novel approach for effective defense against the
application level attacks. We discuss about utilizing methods and techniques of semantic web
in the Intrusion Detection Systems based on ontology. Which specify the different categories
of attacks? The system semantically analyzes the specific field of payload and headers where
attack is possible. Inference ability of the system provides the capability for detecting the
zero day and complex web application attacks that easily eludes packet level inspection.
The propose system is time efficient by analyzing the specified field of protocol, and
able to provide significant search space reduction as well as low false positive rate and high
detection rate. To implement and measure the performance of our system we used the
KDD99 benchmark dataset and obtained reasonable detection rate. Protégé is an open source
tool used to develop our System.
Acknowledgments
I express my sincere gratitude towards my guide Mr. D.D.Kshirsagar for his
constant help, encouragement and inspiration throughout the project work.
Without his invaluable guidance, this work would never have been a successful
one.
I take this opportunity to thank our Head of Department Dr.J.V.Aghav and
Mtech Coordinator Dr.V.K.Pachghare for their able guidance and suggestions
which were indispensable in the completion of this project. I would also like to
thank all the faculty members and staff of Computer Engineering and IT
department for making my journey of post-graduation successful. I am also
extremely thankful to the Dr. Sandeep Kumar ,Asst. Prof Dept. of Computer
Science engineering , IIT Roorkee.
Last, but not the least, I would like to thank my classmates for their valuable
suggestions and helpful discussions. I am thankful to them for their
unconditional support and help throughout the year.
Ms. Ashwini D. Khairkar
College of Engineering, Pune
June 15, 2013
INDEX
1.INTRODUCTION ............................................................................................................................................... 1
1.1.SECURITY .................................................................................................................................................. 1
1.2.INTRUSION DETECTION SYSTEM ........................................................................................................ 2
1.3.TYPES OF IDS ............................................................................................................................................ 3
1.3.1. HOST BASED INTRUSION DETECTION: ...................................................................................... 3
1.3.2. NETWORK BASED INTRUSION DETECTION: ............................................................................. 3
1.4. DIFFERENT APPROACHES OF IDS ...................................................................................................... 4
1.5. ONTOLOGY .............................................................................................................................................. 5
1.6. EVALUATION OF AN ONTOLOGY BASED IDS ................................................................................. 7
2.WEB ATTACKS ................................................................................................................................................. 8
2.1. SMURF ...................................................................................................................................................... 8
2.2. MAIL BOMB .............................................................................................................................................. 8
2.3. CROSS SITE SCRIPTING ......................................................................................................................... 9
2.4. BUFFER OVERFLOW ............................................................................................................................... 9
3.LITERATURE SURVEY .................................................................................................................................. 11
3.1. NETIC ALGORITHMS ........................................................................................................................ 11
3.2. DATA MINING ALGORITHMS......................................................................................................... 12
3.3. CLUSTERING ALGORITHMS ........................................................................................................... 12
3.4. NAVIE BAYES .................................................................................................................................... 13
3.5. DECISION TREE ................................................................................................................................. 13
3.6. ARTIFICIAL NEURAL NETWORK .................................................................................................. 13
3.7. SUPPORT VECTOR MACHINE ........................................................................................................ 13
3.8.ONTOLOGY BASED IDS USING BAYSEIN FILTER ...................................................................... 14
3.9. PROBLEMS WITH EXISTING SYSTEMS ........................................................................................ 14
4.PROPOSED SYSTEM ...................................................................................................................................... 17
4.1. PROPOSED SYSTEM .............................................................................................................................. 17
4.2. OBJECTIVES .......................................................................................................................................... 17
4.3. SYSTEM REQUIREMENT AND SPECIFICATION .............................................................................. 15
4.4. PROPOSED SYSTEM ARCHITECTURE .............................................................................................. 18
5.IMPLEMENTATION AND RESULTS ............................................................................................................ 21
5.1. IMPLEMENTATION ............................................................................................................................... 21
5.2. OTOLOGY TO DETECT ATTACK ....................................................................................................... 22
5.3. DESCRIPTION OF DATA ...................................................................................................................... 24
5.4. SYSTEM ANALYSIS ............................................................................................................................. 24
5.5. COMPARISON WITH EXISTING SYSTEM ........................................................................................ 27
6.CONCLUSION AND FUTURE WORK .......................................................................................................... 29
7.ACHIVMENT ................................................................................................................................................... 30
LIST OF FIGURE
1.1.NETWORK TRAFFIC DISTRIBUTION ON WEB........................................................................................ 1
1.2.ONTOLOGY OF PROTOCOL ........................................................................................................................ 6
1.3.RFD/XML STATEMENTS DEFINING THE INSTANCE OF MAIL BOMB ............................................... 6
3.1.EXISTING SYSTEM WITH HIGH FALSE POSITIVE RATE .................................................................... 15
3.2.EXISTING SYSTEM WITH LOW DETECTION RATE ............................................................................. 15
3.3.ACCURACY OF EXISTING IDS ................................................................................................................. 16
4.1.PROPOSED SYSTEM ARCHITECTURE .................................................................................................... 18
4.2.WORKING OF SYSTEM ANALYZER ........................................................................................................ 19
5.1.CAPTURING NETWORK PACKET ............................................................................................................ 21
5.2.ONTOLOGY OF SMURF ATTACK ............................................................................................................ 22
5.3.ONTOLOGY OF MAIL BOMB ATTACK ................................................................................................... 22
5.4.ONTOLOGY OF BUFFER OVERFLOW ATTACK .................................................................................... 23
5.5.RESULT FOR INPUT DATA SET = 500000 ............................................................................................... 23
5.6.SYSTEM SHOWS MAXIMUM DR(%)........................................................................................................ 26
5.7.SYSTEM SHOWS NEGLIGIBLE FALSE ALARM RATE ......................................................................... 26
5.8.OVERALL PERFORMANCE OF SYSTEM ................................................................................................ 27
5.9.COMPARISION OF FP RATE ...................................................................................................................... 28
5.10.COMPARISION OF DR .............................................................................................................................. 28
5.11.COMPARISION OF ACCURACY .............................................................................................................. 29
LIST OF TABLE
2.1.DETECTION ABILITY FOR XSS ATTACK ................................................................................................. 9
3.1.SHOWS COMPARISION OF EXISTING IDS WITH FP AND DR ............................................................ 15
3.2.SHOW ACCURACY OF EXISTING IDS..................................................................................................... 16
5.1.EXPERIMENTAL RESULT OF ONTOLOGY BASED IDS ....................................................................... 25
5.2.OVERALL PERFORMANCE OF SYSTEM ................................................................................................ 26
5.3.COMPARISION OF FP AND DR ................................................................................................................. 27
5.4.COMPARISION OF ACCURACY................................................................................................................ 29
CHAPTER-1
INTRODUCTION
1.1. SECURITY
The security of web applications has become increasingly important and a secure web
environment has become a high priority for e-businesses communities. Online transaction of
high sensitive corporate information and its security has becomes more difficult due to
increase in online traffic. The latest technologies like Ajax (Asynchronous JavaScript) and
emergence of Web 2 have complicated the security problem. The problem of security
becomes more severe because of the open threats from hackers to corporate secrets, financial
information and medical resources that exist on Web sites. Rapidly increase in online
business and sharing of information are more prone to attacks and more curial to protect these
applications from hackers. Application level attacks especially Mail bomb and Buffer-
overflow are two of the most common security vulnerabilities that plague web applications
today.[1]On April 24, 2008 hundreds of thousands of Microsoft Web Servers hacked,
including several at the United Nations and in the U.K. government through exploitation the
vulnerabilities of IIS.[16].A security assessment by the Application Defense Center, which
included more than 250 Web applications from e-commerce, online banking, enterprise
collaboration, and supply chain management sites, concluded that at least 92% of Web
applications are vulnerable to some form of attack [2]. Another survey found that about 75%
of all attacks against Web servers target Web-based applications [3].
Figure 1.1.Network Traffic Distribution on web
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
HTTP ARP DNS TCP FTP SMTP
1.2. INTRUSION DETECTION SYSTEM
The Web applications security has become increasingly important in the last decade and
becomes hottest issue due to exponentially increase in electronic communication to millions
of users globally through diverse range of applications. Intrusion Detection Systems have
become a critical technology to help protect these systems. Traditional security solution like
web scanners provides the first line of defense against web attacks and detects the "well-
known” security flaws those have signatures. Scanners lack semantics thus unable to make
intelligent decision upon data leakage or business logic flaws, result in false alarm, and fail to
detect novel and critical vulnerabilities. Signature base solution usually maintains the white
list (positive security model) and black list (negative security model) which contains the
signature of benign inputs and signature of malicious attack vectors respectively. These lists
needed updating of signature, lack of detection zero day attacks and generate the false
positive and false negative alarms. Both positive and negative security models have
limitations in terms of configuration, and tuning, learning capabilities. Furthermore, many of
the network solution ignore the payload and scan only the header of request. So due to the
lack of contextual nature, network solution are ineffective to mitigate the application level
attacks. So there is need of semantic system which can intelligently understand the
application‟s context, the data and contextual nature of attacks. System should validate the
input syntactically and semantically. Syntax based validation provide the size or content
restrictions whereas semantic based validation may focus on specific data type, specific
format and understanding potentially dangerous and malicious commands or content with
respect to their context and consequences.
Our system is addressing all these issued through automatically updating of
knowledge base. It also caters the heterogeneous environment of web applications, so the
issue of structure or unstructured data will be resolved. Our system mitigate the web
application attacks effectively and efficiently and capable of defeating the current strategy of
novel manipulation of attacks by the hackers. We are proposing an advanced defensive
mechanism for producing a proper automatically input validation through semantic
knowledge base populated with OWL- DL ontologies.
1.3. TYPES OF IDS
Intrusions Detection can be classified into two main categories. They are as follow: -
1.3.1. HOST BASED INTRUSION DETECTION:
HIDSs evaluate information found on a single or multiple host systems, including contents of
operating systems, system and application files. A HIDS consists of an application, generally
software, on a machine that is designed to inspect input actions that are internal to the
machine like system calls, application and audit logs, file-system modifications, and other
host activities and states. Attackers that know of a HIDS on their target system may try to
circumvent the HIDS‟s detection by covering up traces of their attacks through modifying
entries in this database so as to not set off alarms during the next HIDS scan. For this reason a
HIDS database needs to be strongly, often cryptographically, protected.[18]
1.3.2. NETWORK BASED INTRUSION DETECTION:
NIDSs evaluate information captured from network communications, analyzing the stream of
packets which travel across the network [45] .A network-based intrusion detection system
may take the form of an independent network appliance or device tapped into the network
with associated processing capabilities. It monitors network activity, and therefore, its input
is solely in the form of the traffic on the network. Since frequently attacks on networks or
machines within them originate outside of the network, NIDSs have a wide range of possible
attacks to detect from the outside (ingress). These typically include, denial of service (DoS)
attacks, port-scans, spreading viruses, and attempts to break into or exploit vulnerabilities in
computer systems by malicious individuals, worms, or other malware self-spreading on the
network. However, NIDS scan also help to warn about or guard against sensitive data and
attacks within the network or leaving the relevant network (egress)[18][44] .
1.4. DIFFERENT APPROACHES OF IDS
IDSs are traditionally classified as anomaly-based and signature-based. Anomaly-based
systems watch for deviations of actual behavior from established profiles and classify all
abnormal activities as malicious.[6]Signature-based are equipped with a number of attack
descriptions or signatures and are similar to virus scanners which look for known, suspicious
patterns in their input data . A classic example is to scan each packet on the wire for the string
“/cgi-bin/phf?”. Finding a pattern like this might be a clear indicator of an intrusive attack
based on a vulnerable CGI Script. Misuse or Signature-based detection of web based attacks
has been performed both at the network level by analyzing network traffic and at the
application level, analyzing web server logs. The attack signature can be specified either in a
single-line or by using complex script languages. Signature-based intrusion detection systems
face the challenge of a constantly increasing number of rules that need to be compared to the
input elements. For example, Snort is configured with over 2500 signature rules to detect
scans and attacks [19]. novel approaches to re-structure the signature rules are necessary to
relieve the detection engine of as many redundant checks as possible. Data Mining Methods
for Anomaly Detection provide the framework for web application attacks based on the
statistical techniques but framework lack semantic to analyze the malicious payload on
contextual base, thus fails by assigning equal probabilities to the both equal length attack
string and benign string. Network base IDS and uses the data mining techniques but this
technique cater the character frequency and its occurrence probabilities in malicious data and
lack semantic to understand the contextual nature of attack and its consequences.
Ontologies base IDS solutions are used in information security. Raskin et al
developed the ontology for data integrity of web recourses and Denker et al [10] drive the
control access through ontology developed in DAML+OIL[11] but these ontologies has not
been fully utilize due to simple representation of attack attributes thus inefficient for intrusion
detection. In [15] a better approach developed through ontology, for grasping the domain
knowledge of application and [12, 13] adopted the good approach but carrying overhead due
to lack of search space reduction. Solution provided in general form and ignoring the most
important top web application level attacks like Smurf attacks and Mail bomb attacks. Our
system reuse and modify the [12] taxonomy for developing the comprehensive ontology of
attack.
1.5. ONTOLOGY
“An ontologies is a formal explicit specification of a shared conceptualization”. Formal
means that ontology is a machine readable and ejects the use of natural language. There are
various definitions found in literature about what is ontology. Originally, the term was born
in the field of philosophy, being a word of Greek origin, which deals with the nature of being
and its existence. Below are some of the most used definitions for the term ontology:
According to Gruber [42], "ontology is a formal and explicit specification of a shared
conceptualization."
The W3C consortium defines ontology as: "the definition of terms used to describe
and represent an area of knowledge."
The basic components of ontology are classes (organized in taxonomy), relations (used to
connect the domain concepts), axioms (used to model sentences that are always true),
properties (describe characteristics common to the instances of a class or relationships
between classes) and instances (used to represent specific data). Ontology is used for
modeling data from specific domains and also allows inferences to discover implicit
knowledge in these. More specifically, in this work, we are interested in building ontology
for the representation of data available in Security logs of web applications. In this context,
Ontology can be useful for improving the classification of the attacks occurred and the
identification of related events. An ontological representation of knowledge provides many
benefits over simple string matching techniques and mitigates the attack through reason and
intelligent decision. Ontology driven software system are capable to show a shared
understanding of structured information about the concepts within specific domain and
provide the reasoning and greater ability to analyze the information automatically. Ontology
also specifying the various semantic relationships among different concepts, mitigating the
interoperability issue and being reused and evolve overtime. Ontology file is stored with .owl
extension which is accessible in Java platform through Jena API. Ontology consists of class,
sub-class and instances. The Knowledge base contains the top most level class Attack having
property using which is defined by class Attack as shown in Figure No.1.2. The class
Protocol has the property Sub – Class of, which is defined by class ftp, Http, Https and HTTP
message structure sub class derived two classes HTTP request and HTTP response.
using
sub class of
Figure 1.2. Ontology of Protocol
A subclass relationship in OWL, for instance, looks like this:
<owl:Class rdf:ID="Attack">
<rdfs:subClassOf>
<owl:Class rdf:about="#Protocol"/>
</rdfs:subClassOf>
</owl:Class>
<!-- http://www.semanticweb.org/ontologies/2013/3/Ontology1365003423152.owl#Mailbomb -->
<NamedIndividual rdf:about="&Ontology1365003423152;Mailbomb">
<rdf:type rdf:resource="&Ontology1365003423152;Attack"/>
<Ontology1365003423152:HasService>smtp</Ontology1365003423152:HasService>
<Ontology1365003423152:HasFlag>SF</Ontology1365003423152:HasFlag>
<Ontology1365003423152:HasDuration>1</Ontology1365003423152:HasDuration>
<Ontology1365003423152:hasSrcBytes>2599</Ontology1365003423152:hasSrcBytes>
<Ontology1365003423152:HasType>Mailbomb</Ontology1365003423152:HasType>
<Ontology1365003423152:HasProtocol>tcp</Ontology1365003423152:HasProtocol>
<Ontology1365003423152:hasDestBytes>293</Ontology1365003423152:hasDestBytes>
</NamedIndividual>
Figure 1.3. RDF/XML Statements Defining the instance of mail bomb attack and its properties
Attack
Protoco
l
HttHttp
s
ftp
Http Message
Structure
message
HTTP
request
HTTP
response
1.6. EVALUATION OF AN ONTLOGY BASED IDS
The Accuracy, Detection rate and False Alarm rate was calculated by True Positive, False
Positive, False Negative and True Negative. These terms are defined as follows:
True Positive (TP): Alert is defined as the case when a real attack triggers IDS to produce an
alarm is a correct alarm.
False Positive (FP): Alert is defined as the case when an event triggers IDS to produce an
alarm when no attack has actually taken place, this alarm is false alarm.
False Negative (FN): Alert is defined as the case of IDS failing to detect an actual attack
True Negative (TN): Alert is defined as the case when no attack has place and no alarm is
raised.
Accuracy: Accuracy means probability that the algorithms can correctly predict positive and
negative examples.
Accuracy = [TP + TN /TP + TN + FP + FN]*100
Total #Normal = TN: the total number of normal records
Total #Attack = TA: the total number of attack records
Detection Rate = [(TA-FN)/TA]*100
False Alarm Rate = [FN/TN]*100
CHAPTER-2
WEB ATTACKS
2.1. SMURF –
It is Denial-of-service type of attack, the origin of name Smurf from name of one of the
exploit programs used to execute the attack. In the "Smurf" attack, attackers are using ICMP
echo request packets directed to IP broadcast addresses from remote locations to generate
denial-of-service attacks. The Internet Control Message Protocol (ICMP) is used to handle
errors and exchange control messages. ICMP can be used to determine if a machine on the
Internet is responding. To do this, an ICMP echo request packet is sent to a machine. If a
machine receives that packet, that machine will return an ICMP echo reply packet. A
common implementation of this process is the "ping" command, which is included with many
operating systems and network software packages. ICMP is used to convey status and error
information including notification of network congestion and of other network transport
problems. On IP networks, a packet can be directed to an individual machine or broadcast to
an entire network. When a packet is sent to an IP broadcast address from a machine on the
local network, that packet is delivered to all machines on that network. When a packet is sent
to that IP broadcast address from a machine outside of the local network, it is broadcast to all
machines on the target network. DoS attack performed against all the systems connected to
the Internet where an adversary uses the ICMP echo request packets to IP broadcast addresses
from remote locations to deny services. This attack causes temporary denial of services and
can be automatically recovered. Looking for a large number of echo replies to the innocent
machine from different places without any echo request made by the innocent machine helps
in detecting this attack.
2.2. MAIL BOMB -
DoS attack performed against the server where an adversary floods the mail queue, possibly
causing failure. The adversary tries to send thousands of mails to a single user. This attack
denies the service permanently. The service can be regained by the system administrator
intervention; blocking the mails coming from or to the same user within a short period of
time can prevent the attack.
2.3. CROSS SITE SCRIPTING -
XSS is one of the most common application-layer web attacks. XSS commonly targets scripts
embedded in a page which are executed on the client-side (in the user‟s web browser) rather
than on the server-side. XSS in itself is a threat which is brought about by the internet
security weaknesses of client-side scripting languages, with HTML and JavaScript (others
being VBScript, ActiveX, HTML, or Flash) as the prime culprits for this exploit. The concept
of XSS is to manipulate client-side scripts of a web application to execute in the manner
desired by the malicious user. Such a manipulation can embed a script in a page which can be
executed every time the page is loaded, or whenever an associated event is performed. Cross
site scripting (XSS) is a vulnerability of Web applications that can be used by an attacker to
compromise the same origin policy of client-side scripting languages, like JavaScript.4 XSS
occurs when a Web application unknowingly gathers malicious data on behalf of a user,
usually in the form of a hyperlink. Usually the attacker will encode the malicious portion of
the link to the site so, the request looks less suspicious. After the data is collected by the Web
application, it usually creates an output page for the user containing the malicious data that
was originally sent to it, but in a manner to make it appear valid content from the website.
Using XSS and social engineering, an attacker could steal information about credit cards
number or other personal data. The following link is for public use when testing for XSS[20]:
http://www.vuln-dev.net/<script>document.location=‟http://www.repository.
com/cgi-bin/cookie.cgi? ‟%20+document.cookie </script>
Detection Ability x>0.5 => 1.00 attack
< 0.5
Script 0.9
> 0.5
Document 0.5
cookie 0.9
Table 2.1.Detection Ability for XSS Attack
2.4. BUFFER OVERFLOW
A buffer overflow is the computing equivalent of trying to pour two liters of water into a one-
liter pitcher: Some water is going to spill out and make a mess. A buffer (or array or string) is
a space in which data can be held. A buffer resides in memory. Because memory is finite, a
buffer's capacity is finite. For this reason, in many programming languages the programmer
must declare the buffer's maximum size so that the compiler can set aside that amount of
space.
Let us look at an example to see how buffer overflows can happen. Suppose a C language
program contains the declaration:
char sample[10];
The compiler sets aside 10 bytes to store this buffer, one byte for each of the ten elements of
the array, sample[0] through sample[9]. Now we execute the statement:
sample[10] = 'A';
The subscript is out of bounds (that is, it does not fall between 0 and 9), so we have a
problem. The nicest outcome (from a security perspective) is for the compiler to detect the
problem and mark the error during compilation. However, if the statement were
sample[i] = 'A';
we could not identify the problem until i was set during execution to a too-big subscript. It
would be useful if, during execution, the system produced an error message warning of a
subscript out of bounds. Unfortunately, in some languages, buffer sizes do not have to be
predefined, so there is no way to detect an out-of-bounds error. More importantly, the code
needed to check each subscript against its potential maximum value takes time and space
during execution, and the resources are applied to catch a problem that occurs relatively
infrequently. Even if the compiler were careful in analyzing the buffer declaration and use,
this same problem can be caused with pointers, for which there is no reasonable way to
define a proper limit. Thus, some compilers do not generate the code to check for exceeding
bounds.
CHAPTER-3
LITERATURE SURVEY
The field of intrusion detection and network security has been around since late 1980sThere
are many IDSs currently available, ranging from commercial products to unprofitable ones.
Some of its are mention as follows:-
3.1. GENETIC ALGORITHMS
Genetic algorithms were originally introduced in the field of computational biology. Since
then, they have been applied in various fields with promising results. Fairly recently,
researchers have tried to integrate these algorithms with IDS. The REGAL System [37][38] is
a concept learning system based on a distributed genetic algorithm that learns First Order
Logic multi-modal concept descriptions. REGAL uses a relational database to handle the
learning examples that are represented as relational tuples.Dasgupta and Gonzalez [40] used a
genetic algorithm, however they were examining host based, not network-based IDSs.
Li[8] describes a method using GA to detect anomalous network intrusion .The
approach includes both quantitative and categorical features of network data for deriving
classification rules. However, the inclusion of quantitative feature can increase detection rate
but no experimental results are available.
Goyal and Kumar [22] described a GA based algorithm to classify all types of Smurf
attack using the training dataset with false positive rate is very low (at 0.2%) and detection
rate is almost 100% .[23]
Lu and Traore[21] used historical network dataset using GP to derive a set of
Classification . They used support-confidence framework as the fitness function and
accurately classified several network intrusions. But their use of genetic programming made
the implementation procedure very difficult and also for training procedure more data and
time is required.
Xiao et al.[24] used GA to detect anomalous network behaviors based on information
theory. Some network features can be identified with network attacks based on mutual
information between network features and type of intrusions and then using these features a
linear structure rule and also a GA is derived. The approach of using mutual information and
resulting linear rule seems very effective because of the reduced complexity and higher
detection rate. The only problem is it considered only the discrete features.
Gong et al.[25] presented an implementation of GA based approach to Network
Intrusion Detection using GA and showed software implementation. The approach derived a
set of classification rules and utilizes a support-confidence framework to judge fitness
function.
Abdullah et al.[26]showed a GA based performance evaluation algorithm to network
intrusion detection. The approach uses information theory for filtering the traffic data.
3.2. DATA MINING ALGORITHMS
Lee et al. introduced data mining approaches for detecting intrusions in [30],[31], and [32].
Data mining approaches for intrusion detection include association rules and frequent
episodes, which are based on building classifiers by discovering relevant patterns of program
and user behavior. Association rules and frequent episodes are used to learn the record
patterns that describe user behavior. These methods can deal with symbolic data, and the
features can be defined in the form of packet and connection details. However, mining of
features is limited to entry level of the packet and requires the number of records to be large
and sparsely populated; otherwise, they tend to produce a large number of rules that increase
the complexity of the system [46].
3.3. CLUSTERING ALGORITHMS
Data clustering methods such as the k-means and the fuzzy c-means have also been applied
extensively for intrusion detection [35] and [39]. One of the main drawbacks of the clustering
technique is that it is based on calculating numeric distance between the observations, and
hence, the observations must be numeric. Observations with symbolic features cannot be
easily used for clustering, resulting in inaccuracy. In addition, the clustering methods
consider the features independently and are unable to capture the relationship between
different features of a single record, which further degrades attack detection accuracy.
3.4. NAIVE BAYES
Naive Bayes classifiers have also been used for intrusion detection [27]. However, they make
strict independence assumption between the features in an observation resulting in lower
attack detection accuracy when the features are correlated, which is often the case for
intrusion detection. Bayesian network can also be used for intrusion detection [28]. However,
they tend to be attack specific and build a decision network based on special characteristics of
Individual attacks. Thus, the size of a Bayesian network increases rapidly as the number of
features and the type of attacks modeled by a Bayesian network increases.
3.5. DECISION TREE
Decision trees have also been used for intrusion detection [9]. The decision trees select the
best features for each decision node during the construction of the tree based on some well-
defined criteria. One such criterion is to use the information gain ratio, which is used in C4.5.
Decision trees generally have very high speed of operation and high attack detection
accuracy.
3.6. ARTIFICIAL NEURAL NETWORK
Debar et al. [34] and Zhang et al. [41] discuss the use of artificial neural networks for
network intrusion detection. Though the neural networks can work effectively with noisy
data, they require large amount of data for training and it is often hard to select the best
possible architecture for a neural network.
3.7. SUPPORT VECTOR MACHINE
Support vector machines have also been used for detecting intrusions [33]. Support vector
machines map real valued input feature vector to a higher dimensional feature space through
Non linear mapping and can provide real-time detection capability, deal with large
dimensionality of data, and can be used for binary-class as well as multiclass classification.
There are various mathematical model studied to calculate the accuracy of intrusion detection
system as mention below:-Resilient Back propagation (RP), Multivariate Adaptive
Regression Splines (MARS), Linear Genetic Programs (LGPs).
3.8. ONTOLOGY BASED IDS USING BAYESIAN FILTER
System is effective in detecting the vulnerabilities and zero day attacks as compare with other
traditional system along with low false rate and response time of system is negligible high as
compare with other IDS [15].
3.9. PROBLEMS WITH EXISTING SYSTEMS
Most existing intrusion detection systems suffer from the following problems:
3.9.1. Current IDS are usually tuned to detect known service level network attacks. This
leaves them vulnerable to original and novel malicious attacks. Current IDS Show low
Accuracy and Detection rate, which is important problem in Existing IDS.
3.9.2. Data overload: Another aspect which does not relate directly to misuse detection but is
extremely important is how much data an analyst can efficiently analyze. That amount of data
he needs to look at seems to be growing rapidly. Depending on the intrusion detection tools
employed by a company and its size there is the possibility for logs to reach millions of
records per day.
3.9.3. False positives: A common complaint is the amount of false positives an IDS will
generate. A false positive occurs when normal attack is mistakenly classified as malicious
and treated accordingly.
3.9.4. False negatives: This is the case where an IDS does not generate an alert when an
intrusion is actually taking place.
Ontology along with semantic can help improve intrusion detection by addressing each and
every one of the above mentioned problems. System is very efficient by analyzing and
searching attack pattern in specific portion of packets rather than considering the entire
payload. Only focus on specific portion of input where attack or exploit is possible would
reduce the space reduction and save the processing time. Remove normal activity from alarm
data to allow analysts to focus on real attacks.
Types of IDS False Positive
(FP)
Detection Rate
(%)
Naive Bayesian 0.070 88.06
Decision Tree 1.2 95.5
CRF 0.073 96.02
Table 3.1.Show Comparison of Existing IDS with False Positive, Detection Rate (%)
Figure 3.1 Existing system with high False Positive rate
Figure 3.2.Existing System with Low Detection Rate
0
0.5
1
1.5
Decision Tree Naïve Bayesian CRF
False Positive
False Positive
84
86
88
90
92
94
96
98
Naïve Bayesian Decision Tree CRF
Detection Rate
Detection Rate
Types of IDS Accuracy (%)
Naive Bayesian 96.72
Decision Tree 98.46
CRF 99.53
RP 97.09
SVM 98.85
MARS 92.75
LGP 99.73
Table 3.2.Show Accuracy of Existing IDS
Figure 3.3.Accuracy of Existing System
88
90
92
94
96
98
100
102
Accuracy
Accuracy
CHAPTER-4
PROPOSED SYSTEM d
4.1. PROPOSED SYSTEM
Proposed Intrusion Detection Systems based on ontology that specifying the different
categories of attacks, different encoding schemes used by the hacker, location of attack. The
system semantically analyzes the specific field of payload and headers where attack is
possible.
4.2. OBJECTIVES
1. To provide low false positive rate and low false alarm rate.
2. To increases accuracy and efficiency.
3. To Study of Ontology Framework for Intrusion Detection System.
4. To Detection of Cyber attacks.
4.3. SYSTEM REQUIREMENT AND SPECIFICATION
4.3.1. Hardware Requirement
Processor: Intel Core 2 Duo Processor 2.0 GHz processor (2 MB Cache, 800 MHz
FSB) with 1 GB of RAM
4.3.2. Software Requirement
Technology: Java
Open Source Tool: Protégé_4.1
Software tools: Eclipse, winpcap, Jcap.
Database: My-SQL-5.0.41
4.4. SYSTEM ARCHITECTURE
System Analyzer
Inference Engine
Rule Engine
Figure 4.1.Proposed System Architecture
Proposed System consists of following components as shown in above fig.no.4.1
4.4.1 System Analyzer
This is first layer of our architecture and most important component of our System. Raw
input data is given as input to this Analyzer which analyzes the user input for suspected
malicious contents based on information stored in the knowledge base.
System Analyzer will perform the following task:-
1. Analysis the raw input data.
2. Filter out received HTTP packets.
3. Input HTTP packets are parsed.
4. Perform Message Header checking
i. Read URL and referrer field.
ii. Check Query string portion.
iii. Analyze its value for malicious script and produce alert in case of
malicious value.
Ontology Generator
Knowledge
Base
I/p
Dat
5. Perform Message-Body checking
i. Read URL and HTML tags
ii. Check Query string portion
iii. Produce alert in case of malicious value
6. After analyzing input if no malicious activity found, packet would be
Delivered to web application for retrial of requested data. Analyzer accepts the network
stream, captured each HTTP messages, it filter out the HTTP protocols on the basis of HTTP
ontology stored in knowledge base .HTTP messages are checked at two points-header and
payload. The header contains information regarding the payload and control information. The
Analyzer interacts with the inference engine in order to analyze input packet. If packet will
found malicious script the packet is blocked otherwise it will given as input to inference
engine.
Yes
No
Yes
Figure 4.2.Working of system Analyzer
System Analyzer checks input semantically and syntactically as mentioned in ontology and it
also checks hidden field values of URI of each page .It also checks for Method attribute like
GET or POST, Action attribute and Input field for all the information given in the input
Extract HTTP packet
Parse the HTTP packet
Perform header
checking
Maliciou
s Code
Perform body checking
Malicious
code
Web Application
Generate
Error
Message
I/p
Dat
parameters tags like size, name, max Length, their type like checkbox, radio button, hidden
field etc.
4.4.2. Inference Engine
The Inference Engine observes the inconsistency indifferent ontologies in knowledge base
and makes the knowledge base consistence and updated.
4.4.3. Rule Engine
Rule engine layer generates appropriate rules after inference upon the Knowledge base for
specific request .It processes the assertions, rules, deduces new rules and statements. For
implementation purpose we are using the Java base Jena rule engine.
4.4.4. Ontology Generator
This module consists of two layers
a. Ontology Layer
b. Layer of conceptualization of Domain.
All classes are defined using Protégé API using Protégé GUI. Concepts are represented in
Resource description format. Using the Ontology web Language plug-in the RDF format.
Ontology file is stored with .owl extension which is accessible in Java platform through Jena
API.
CHAPTER –5
IMPLEMENTATION & RESULTS
In this section we describe the data-set used, the details of our experimental
procedure, the results and comparison of our results. We give the Detection Rate,
False Alarm Rate together with the classification accuracy for all our
implementations.
5.1. IMPLEMENTATION
Data is captured using winpcap and jcap library. In our experiments, we perform 3-class
classification. The (training and testing) data set contains 500000 randomly generated points
from the three classes, with the number of data from each class proportional to its size. We
analyze total 500000 data packet, to train the system we used KDD cup benchmark dataset
and calculate the accuracy, efficiency and false alarm rate of system. Ontology‟s are created
for smurf, mail bomb and buffer-overflow attack. After accepting the input the data is
analyzed and compare with ontology stored is knowledge base.
Figure 5.1. Capturing Network packet
5.2. ONTOLOGY TO DETECT ATTACK
To test our implementation and experiment with it, we created instances of our ontology in
RDF/XML notation, and asserted them into the knowledge base. We then ran our queries
against the knowledge base.
Figure 5.2 Ontology of Smurf Attack
Figure 5.3. Ontology of Mail bomb Attack
Figure 5.4.Ontology of Buffer-Overflow attack
In Knowledge base the ontology are stored. After reading the input data set it is compare with
ontology for rule generated by rule engine and if match found, then error message is
displayed. Total 7 different data set are tested to calculate the accuracy and efficiency of
system. For large data set also system gives low false positive and alarm rate.
Figure 5.5. Result for input data set = 500000
5.3. DESCRIPTION OF DATA
The KDD cup 1999 dataset was used in the 3rd International Knowledge Discovery and Data
Mining Tools Competition for building a network intrusion detector, a predictive model
capable of distinguishing between intrusions and normal connections. In 1998, DARPA
intrusion detection evaluation program, a simulated environment was set up to acquire raw
TCP/IP dump data for a local-area network (LAN) by the MIT Lincoln Lab to compare the
performance of various intrusion detection methods. It was operated like a real environment,
but being blasted with multiple intrusion attacks and received much attention in the research
community of adaptive intrusion detection. The KDD99 dataset contest uses a version of
DARPA98 dataset. In KDD99 dataset, each example represents attribute values of a class in
the network data flow, and each class is labeled either normal or attack. There are total 41
input attributes in KDD99 dataset for each network connection that have either discrete or
continuous values and divided into three groups. The first group of attributes is the basic
features of network connection, which include the duration, prototype, service, number of
bytes from source IP addresses or from destination IP addresses, and some flags in TCP
connections. The second group of attributes in KDD99 is composed of the content features of
network connections and the third group is composed of the statistical features that are
computed either by a time window or a window of certain kind of connections.
5.4. SYSTEM ANALYSIS
Lot of analysis is done, with small data as well as very large data set and then system
performance is calculated .Results shows that system is more efficient and accuracy is also
high. It gives maximum detection rate and negligible false alarm rate. We checked the system
behavior for 500 records – 500000 records, behavior of system is shown as below:-
Attack
Type
Total No. of
Records(TN)
No. of
Attack
Records(TA)
No. of Attack
Records
Detected(TP)
False
Positive
(FP)
False
Negative
(FN)
Detection
Rate %
False
Alarm
Rate
%
Accuracy
%
Smurf
500
136 136 0 0 100 0 100
bomb 114 114 0 0 100 0 100
Buffer
overflow 133 133 0 0 100 0 100
Normal 117 117 0 0 100 0 100
Smurf
1000
293 287 0 6 97.95 0.6 99.53
bomb 227 220 0 7 96.92 0.7 99.43
Buffer
overflow 251 245 0 6 97.61 0.6 99.52
Normal 229 229 0 0 100 0 100
Smurf
5000
1465 1435 0 30 97.95 0.6 99.54
bomb 1135 1100 0 35 96.92 0.7 99.43
Buffer
overflow 1255 1225 0 30 97.61 0.6 99.52
Normal 1145 1145 0 0 100 0 100
Smurf
10000
2930 2870 0 60 97.95 0.6 99.53
bomb 2270 2200 0 70 96.92 0.7 99.43
Buffer
overflow 2510 2450 0 60 97.61 0.6 99.52
Normal 2290 2290 0 0 100 0 100
Smurf
50000
14650 14330 0 320 97.82 0.64 99.50
bomb 11350 10990 0 360 96.83 0.72 99.41
Buffer
overflow 12550 12240 0 310 97.53 0.62 99.50
Normal 11450 11450 0 0 100 0 100
Smurf
100000
29300 28660 0 640 97.81 0.64 99.50
bomb 22700 21980 0 720 96.82 0.72 99.41
Buffer
overflow 25100 24480 0 620 97.52 0.62 99.50
Normal 22900 22900 0 0 100 0 100
Smurf
500000
146500 143300 0 3200 97.81 0.64 99.50
bomb 113500 109900 0 3600 96.83 0.72 99.41
Buffer
overflow 125500 122400 0 3100 97.53 0.62 99.50
Normal 114500 114500 0 0 100 0 100
Table 5.1.Experimental Results of Ontology based IDS
Figure 5.6. System shows maximum Detection Rate (DR) %
Figure 5.7. System shows negligible False Alarm Rate
Attack
Type
Total No. of
Records(TN)
Total
no. of
Attack
Records
Total
no. of
Attack
record
Detected
(TA)
False
Positive(FP)
False
Negative(FN)
False
Alarm
Rate
(%)
Detection
Rate (%)
Accuracy
Smurf
95212
27896 27288 0 608 0.53 98.18 99.59
Bomb 21613 20929 0 684 0.61 97.32 99.50
Buffer
overflow 23899 23310 0 589 0.52 97.91 99.58
Normal 21804 21804 0 0 0 100 100
Overall performance 0.41 98.35 99.67
Table 5.2.Overall performance of System
50
55
60
65
70
75
80
85
90
95
100
500 1000 5000 10000 50000 100000 500000
Smurf
Mailbomb
Buffer overflow
Normal
0
0.2
0.4
0.6
0.8
500 1000 5000 10000 50000 100000 500000
Smurf
Mailbomb
Buffer overflow
Normal
Figure 5.8. Overall performance of System
5.5. COMPARISON WITH EXISTING SYSTEM
5.5.1. Comparison of False Positive
Types of IDS False Positive
(FP)
Detection Rate
(%)
Naive Bayesian 0.070 88.06
Decision Tree 1.2 95.5
CRF 0.073 96.02
Proposed
System 0 98.35
Table 5.3.Comparision of False Positive and Detection Rate
0.531 0.61 0.52 0
99.59 99.5 99.58 100
0
20
40
60
80
100
Smurf Mail Bomb Buffer
overflow
Normal
False Alarm Rate (%)
Detection Rate (%)
Accuracy (%)
Figure 5.9.Comparison of False Positive rate
Figure 5.10. Comparison of Detection rate (%)
0
0.2
0.4
0.6
0.8
1
1.2
1.4
Decision Tree Naïve Bayesian CRF Proposed
System
False Positive
False Positive
88
90
92
94
96
98
100
Naïve Bayesian Decision Tree CRF Proposed
System
Detection rate
Detection rate
Types of IDS Accuracy (%)
Naive Bayesian 96.72
Decision Tree 98.46
CRF 99.53
RP 97.09
SVM 98.85
MARS 92.75
LGP 99.73
Proposed
System 99.67
Table 5.4.Comparision of Accuracy
Figure 5.11.Comparison of Accuracy (%) with existing system
90919293949596979899
100
Accuracy (%)
Accuracy (%)
CHAPTER –6
CONCLUSION & FUTURE WORK
We have presented the brief overview of various security techniques. Due to increasing
security concern for web applications, future survival of e-business organizations depends on
the effective security measures at application level. We have critically studied the existing
techniques and figured out that, a semantic based intrusion detection system capable of
making intelligent decision based on the context of the target domain is required. The
propose system using ontological representation of the target domain. It contain the
knowledge of the attacks, the protocol, the data and the target application that would enhance
detection capability as well as result in efficient working of intrusion detection system. It is
believed that Ontology system could be an effective solution for building an integrated
system in the industrial world by combining Firewall and IDS features. It has been
successfully tested that this algorithm minimized false positives, as well as maximize balance
detection rates on the 3 classes of KDD99 benchmark dataset. The attacks of KDD99 dataset
detected with 99.67% accuracy using proposed algorithm.
Furthermore, improvement with Ontology system, testing with others in real network traffic,
will be made in future work.
CHAPTER –7
ACHIVMENT
PUBLICATION
INTERNATIONAL CONFERENCE
Ms.Ashwini D.Khairkar, Mr.D.D.Kshirsagar “Ontology for Detection
of Web Attacks” IEEE “International Conference on
Communication Systems and Network Technologies” (CSNT-
2013)
REFERENCES
[1] Monica S. Lam, Michael Martin, Benjamin Livshits, and JohnWhaley, “Securing
Web Applications with Static and Dynamic Information Flow Tracking,” PEPM‟08,
January 7–8, 2008, SanFrancisco, California, USA.
[2] WebCohort, Inc. “Only 10% of Web applications are secure against common
hackintechniques”,http:// 2004- feb-02.html,2004.
[3] G.Hulme , “New software may improve application security,”
http://www.informationweek.com/story/ 2001.
[4] Benjamin Livshits, Michael Martin, and Monica S. Lam,“SecuriFly: Runtime
Protection and Recovery from Web Application Vulnerabilities,” Technical Report,
Stanford University, September 22, 2006.
[5] Open Web Application Security Project. “The ten most critical Web application .
[6] C.Kruegel, T.Toth, and E.Kirda. ”Service-specific Anomaly Detection for Network
Intrusion Detection”.
[7] Frank S. Rietta. “Application Layer Intrusion Detection for SQL Injection”. ACM
SE‟06 March 10 12, 2006, Melbourne, Florida, USA.
[8] W. Li, “Using Genetic Algorithm for Network Intrusion Detection”. SANS Institute,
USA, 2004.
[9] Y.B. Reddyl, R. Guha, “Intrusion Detection using Data Mining Techniques,”Artificial
Intelligence and Applications ,2004.
[10] V. Raskin, C.F. Hempelmann, K.E. Triezenberg, Nirenburg, “Ontology in
Information Security: A Useful TheoreticalFoundation and Methodological Tool,”
Proceedings of the 2001 Workshop on New Security Paradigms (NSPW-2001), 2001.
[11] G. Denker, L. Kagal, T. Finin, M. Paolucci, K. Sycara,”Security for DAML Web
Services: Annotation and Matchmaking,” The Semantic Web (ISWC 2003),
LNCS2870, Springer, 2003.
[12] DAML+OIL.Availableat:http://www.daml.org/2000/12/daml+oil.dam.
[13] J. Undercoffer, J., Pinkston, A. Joshi, T. Finin, “Target-Centric Ontology for Intrusion
Detection,” IJCAI Workshopon Ontologies and Distributed Systems (IJCAI'03),
August,2003.
[14] Shao-Shin Hung and Damon Shing-Min Lio:A User-centric Intrusion Detection
System by using Ontology Approach.2006 conf/jcis/2006
JCIShttp://dx.doi.org/10.2991/jcis.2006
[15] Abdul Razzaq, Ali Hur, Hafiz Farooq Ahmad, Nasir Haider “Ontology Based
Application Level Intrusion Detection System by using Bayesian Filter” The 2nd
IEEE International Conference on Computer, Control &Communication (IEEE-IC4)
2009,PNEC Karachi, Pakistan.
[16] Abdul Razzaq , Hafiz Ahmed , Ali Hur , NasirHaider:” An Implementation of
Intrusion Detection system using GA Algorithm” -IJNSA & its Application ,Vol.4
No.2,March 2012.
[17] S.T. Sarasamma, Q.A. Zhu, and J. Huff, “HierarchelKohonenenNet for Anomaly
Detection in Network Security“, IEEETransaction on Systems, Man, and
Cybernetics-Part B:Cybernetics, 35(2) ,2005,pp.302-312.
[18] J. P. Planquart, “Application of Neural Networks to Intrusion Detection”, SANS
Institute Reading Room.
[19] M.Roesch. “Snort – Lightweight Intrusion Detection for Networks”.Proceedings of
the USENIXLISA’99 Conference, November 1999.
[20] Valdes A, Skinner K (2000) Adaptive, model-based monitoring for cyber attack
detection. In Debar H, M´e L, Wu SF (eds) Proceedings of the Third International
Workshop on Recent Advances in Intrusion Detection, RAID 2000, volume 1907of
Lecture Notes in Computer Science, pages 80–92. Springer.
[21] W. Lu, I. Traore, “Detecting New Forms of Network Intrusion Using Genetic
Programming”.Computational Intelligence, vol. 20, pp. 3, Blackwell Publishing,
Malden, pp. 475-494, 2004.
[22] Anup Goyal, Chetan Kumar, “GA-NIDS: A Genetic Algorithm based Network
Intrusion Detection System”, 2008.
[23] B. Abdullah, I. Abd-alghafar, Gouda I. Salama, A. Abd-alhafez, “Performance
Evaluation of a Genetic Algorithm Based Approach to Network Intrusion Detection
System”, 2009.
[24] T. Xia, G. Qu, S. Hariri, M. Yousif, “An Efficient Network Intrusion Detection
Method Basedon Information Theory and Genetic Algorithm”, Proceedings of the
24th IEEE InternationalPerformance Computing and Communications Conference
(IPCCC „05), Phoenix, AZ, USA.2005.
[25] R. H. Gong, M. Zulkernine, P. Abolmaesumi, “A Software Implementation of a
GeneticAlgorithm Based Approach to Network Intrusion Detection”, 2005.
[26] B. Abdullah, I. Abd-alghafar, Gouda I. Salama, A. Abd-alhafez, “Performance
Evaluation of a Genetic Algorithm Based Approach to Network Intrusion Detection
System”, 2009.
[27] N.B. Amor, S. Benferhat, and Z. Elouedi, “Naive Bayes vs.Decision Trees in
Intrusion Detection Systems,” Proc. ACM Symp. Applied, 2004
[28] C. Kruegel, D. Mutz, W. Robertson, and F. Valeur, “Bayesian Event Classification for
Intrusion Detection,”. Computer Security Applications Conf. , 2000.
[29] Snort (software); http://en.wikipedia.org/wiki/Snort_%28software%29
[30] W. Lee and S. Stolfo, “Data Mining Approaches for Intrusion Detection,” Proc.
Seventh USENIX Security Symp.(Security ‟98),pp. 79-94, 1998.
[31] W. Lee, S. Stolfo, and K. Mok, “Mining Audit Data to Build Intrusion Detection
Models,” Proc. Fourth Int‟l Conf. Knowledge Discovery and Data Mining (KDD ‟98),
pp. 66-72, 1998.
[32] W. Lee, S. Stolfo, and K. Mok, “A Data Mining Framework for Building Intrusion
Detection Model,” Proc. IEEE Symp. Security and Privacy (SP ‟99), pp. 120-132,
1999.
[33] D.S. Kim and J.S. Park, “Network-Based Intrusion Detection with Support Vector
Machines,” Proc. Information Networking, Networking Technologies for Enhanced
Internet Services Int‟l Conf. (ICOIN ‟03),pp. 747-756, 2003
[34] H. Debar, M. Becke, and D. Siboni, “A Neural Network Component for an Intrusion
Detection System,” Proc. IEEE Symp.Research in Security and Privacy (RSP ‟92),
pp. 240-250, 1992.
[35] L. Portnoy, E. Eskin, and S. Stolfo, “Intrusion Detection with Unlabeled Data Using
Clustering,” Proc. ACM Workshop Data Mining Applied to Security (DMSA), 2001.
[36] R. Graham, “FAQ: Network Intrusion Detection Systems”. March 21, 2000
[37] Neri, F., ”Comparing local search with respect to genetic evolution to detect intrusion
in computer networks”, In Proc. of the 2000 Congress on Evolutionary Computation
CEC00, La Jolla, CA, pp.238243. IEEE Press, 16-19 July, 2000.
[38] Neri, F., ”Mining TCP/IP traffic for network intrusion detection”In R. L. de
M‟antaras and E. Plaza (Eds.), Proc. of Machine Learning: ECML 2000,11th
[39] European Conference on MachineLearning, Volume 1810 of Lecture Notes in
Computer Science, Barcelona, Spain, pp. 313322. Springer, May 31- June 2, 2000.
[40] H. Shah, J. Undercoffer, and A. Joshi, “Fuzzy Clustering for Intrusion Detection,”
Proc. 12th IEEE Int‟l Conf. Fuzzy Systems(FUZZ-IEEE ‟03), vol. 2, pp. 1274-1278,
2003
[41] Dasgupta, D. and F. A. Gonzalez, ”An intelligent decision support system for
Intrusion detection and response”, .In Proc. Of International Workshop on
Mathematical Methods, Models and Architectures for Computer Networks Security
(MMM-ACNS),St.Petersburg. Springer- , 21-23 May,2001.
[42] Z. Zhang, J. Li, C.N. Manikopoulos, J. Jorgenson, and J. Ucles,“HIDE: A
Hierarchical Network Intrusion Detection System Using Statistical Preprocessing and
Neural Network Classification ,”Proc. IEEE Workshop Information Assurance and
Security (IAW ‟01),pp. 85-90, 2001.
[43] T. Gruber and R.Toward, principles for the design of ontologies used for knowledge
sharing. In Formal Ontology in Conceptual Analysis and Knowledge Representation.
Kluwer Academic Publishers, 1996
[44] Mr.D.D.Kshirsagar, “Network Intrusion Detection based on Attack Pattern” in IEEE
International Conference on Network and Computer Science (ICNCS 2011)
[45] Mr.D.D.Kshirsagar,"Efficient Detection of Attacks using Supervised Clusters in
Supervised based NIDS” in International Conference on Electronics and
Communication Engineering ICECE-2012).
[46] Mr.D.D.Kshirsagar, "Data Mining based Intrusion Detection System (DM-IDS)” in
International Conference on Computer Science and Information Technology
(ICCSIT-2012)
Recommended