
AN IMPLEMENTATION OF INTRUSION DETECTION SYSTEM USING RADIAL BASIS FUNCTION NETWORK

R. MAHESHWARAN, PG Scholar, K.L.N. College of Engg, Madurai, India, maheshwaran1810@gmail.com
R. MOHAN KUMAR, Assistant Professor, K.L.N. College of Engg, Madurai, India
R. RAJESWARI, Research Scholar, Mother Therasa Women's University, Kodaikanal, India, rajeswaripuru@gmail.com

Abstract

Internet and computer networks are exposed to an ever-increasing number of security threats that can damage computer systems and communication channels. Intrusion Detection Systems (IDSs) have been a growing area of network security over the past years. Because network speeds and the amount of network traffic keep increasing, IDSs need to be focused. It is very important to maintain a high level of security to ensure safe and trusted communication of information between organizations, but data communication over the Internet or any other network is always under threat of intrusion and misuse. Some attacks affect a large number of computers around the world every day. Detecting these attacks and protecting computers from them is a major research topic for researchers throughout the world. In this paper we propose a radial basis function network for intrusion classification.

Keywords: Intrusion Detection System, Radial basis function network (RBF), KDD Cup 99 Dataset.

I. INTRODUCTION

In information security, intrusion detection is the act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource. A system that performs automated intrusion detection is called an Intrusion Detection System (IDS). An IDS can be either host-based, if it monitors system calls or logs, or network-based, if it monitors the flow of network packets. Modern IDSs are usually a combination of these two approaches. Another important distinction is between systems that identify patterns of traffic or application data presumed to be malicious (misuse detection systems) and systems that compare activities against a 'normal' baseline (anomaly detection systems).

Intrusion detection systems are an essential part of the security infrastructure. They are used to detect, identify and stop intruders. Administrators can rely on them to find successful attacks and to prevent future use of known exploits. IDSs are also considered a complementary solution to firewall technology, as they recognize attacks against the network that are missed by the firewall. Nevertheless, IDSs are plagued with false positive alerts, leaving security professionals overwhelmed by the analysis tasks. Therefore, IDSs employ several techniques to increase the detection probability of suspect threats while reducing the risk of false positives. When using pattern matching to detect intrusions, IDS users try to refine the attack signatures and limit the search to smaller traffic intervals. When using protocol analysis in the detection process, on the other hand, the IDS relies on the protocol specification in order to analyze the traffic adequately: it can then understand each field in the packet and supervise the correct execution of the protocol, which reduces the number of false positives.

1) Anomaly-Based Intrusion Detection: An anomaly-based intrusion detection system detects computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules rather than on patterns or signatures, so it will detect any type of misuse that falls outside normal system operation. This is in contrast to signature-based systems, which can only detect attacks for which a signature has previously been created. In order to determine what attack traffic is, the system must be taught to recognize normal system activity. This can be accomplished in several ways, most often with artificial-intelligence techniques; systems using neural networks have been used to great effect. Another method is to define what normal usage of the system comprises using a strict mathematical model, and to flag any deviation from it as an attack. This is known as strict anomaly detection.

2) Misuse-Based Detection: Misuse detection monitors for deviations from normal protocol. This method is useful for detecting attempts by a user or application to gain unauthorized access to a system. The misuse detection approach attempts to recognize attacks that follow intrusion patterns that have been recognized and reported by experts. Misuse detection catches intrusions in terms of the characteristics of known attacks or system vulnerabilities; any action that conforms to the pattern of a known attack or vulnerability is considered intrusive. These systems are vulnerable to intruders who use new patterns of behavior or who mask their illegal behavior to deceive the detection system.

1.1 Networking Attacks

This section is an overview of the four major categories of networking attacks. Every attack on a network can comfortably be placed into one of these groupings [Sung et al 2003].

1) Denial of Service (DoS): A DoS attack is one in which the hacker makes a computing or memory resource too busy or too full to serve legitimate networking requests, thereby denying users access to a machine. Apache, smurf, neptune, ping of death, back, mail bomb, UDP storm etc. are all DoS attacks.

2) Remote to User Attacks (R2L): A remote to user attack is one in which a user sends packets over the Internet to a machine to which s/he does not have access, in order to expose the machine's vulnerabilities and exploit privileges which a local user would have on the computer, e.g. xlock, guest, xnsnoop, phf, sendmail dictionary etc.

3) User to Root Attacks (U2R): These attacks are exploitations in which the hacker starts off on the system with a normal user account and attempts to abuse vulnerabilities in the system in order to gain super-user privileges, e.g. perl, xterm.

4) Probing: Probing is an attack in which the hacker scans a machine or a networking device in order to determine weaknesses or vulnerabilities that may later be exploited so as to compromise the system. This technique is commonly used in data mining, e.g. saint, portsweep, mscan, nmap etc.

1.2 Classification of Intrusion Detection

Intrusion detection can be classified into two main categories:

1) Host Based Intrusion Detection: HIDSs evaluate information found on a single host or on multiple host systems, including the contents of operating systems and of system and application files [Planquart].

2) Network Based Intrusion Detection: NIDSs evaluate information captured from network communications, analyzing the stream of packets which travel across the network [Planquart].

1.3 Components of Intrusion Detection System

An intrusion detection system normally consists of three functional components [Bace 2000].

The first component, also known as the event generator, is a data source. Data sources can be grouped into four categories: host-based monitors, network-based monitors, application-based monitors and target-based monitors.

The second component is the analysis engine. It takes information from the data source and examines the data for symptoms of attacks or other policy violations. The analysis engine can use one or both of the following analysis approaches:

1) Misuse/Signature-Based Detection: This type of detection engine detects intrusions that follow well-known patterns of attacks (or signatures) that exploit known software vulnerabilities [Kumar et al 1995][Ilgun et al 1995]. The main limitation of this approach is that it only looks for known weaknesses and may not detect unknown future intrusions [Kumar 1995].

2) Anomaly/Statistical Detection: An anomaly-based detection engine searches for something rare or unusual [Kumar 1995]. It analyses system event streams, using statistical techniques to find patterns of activity that appear to be abnormal. The primary disadvantages of this approach are that it is highly expensive and that it can classify intrusive behavior as normal because of insufficient data.

The third component is the response manager. In basic terms, the response manager only acts when inaccuracies (possible intrusion attacks) are found on the system, by informing someone or something in the form of a response.

1.4 Existing Intrusion Detection Systems

1) Snort: A free and open source network intrusion detection and prevention system, created by Martin Roesch in 1998 and now developed by Sourcefire. In 2009, Snort entered InfoWorld's Open Source Hall of Fame as one of the greatest open source software of all time. Through protocol analysis, content searching and various pre-processors, Snort detects thousands of worms, vulnerability exploit attempts, port scans and other suspicious behavior.

2) OSSEC: An open source host-based intrusion detection system that performs log analysis, integrity checking, rootkit detection, time-based alerting and active response. In addition to its IDS functionality, it is commonly used as a SEM/SIM solution. Because of its powerful log analysis engine, ISPs, universities and data centers run OSSEC HIDS to monitor and analyze their firewalls, IDSs, web servers and authentication logs.

3) OSSIM: The goal of Open Source Security Information Management (OSSIM) is to provide a comprehensive compilation of tools which, working together, give network/security administrators a detailed view over each and every aspect of networks, hosts, physical access devices and servers. OSSIM incorporates several other tools, including Nagios and OSSEC HIDS.

4) Suricata: An open source intrusion detection system developed by the Open Information Security Foundation (OISF).

5) Bro: An open-source, Unix-based network intrusion detection system. Bro detects intrusions by first parsing network traffic to extract its application-level semantics and then executing event-oriented analyzers that compare the activity with patterns deemed troublesome.

6) Fragroute/Fragrouter: A network intrusion detection evasion toolkit. Fragrouter helps an attacker launch IP-based attacks while avoiding detection. It is part of the NIDSbench suite of tools by Dug Song.

7) BASE: The Basic Analysis and Security Engine (BASE) is a PHP-based analysis engine to search and process a database of security events generated by various IDSs, firewalls and network monitoring tools.

8) Sguil: Sguil is built by network security analysts for network security analysts. Its main component is an intuitive GUI that provides real-time events from Snort/barnyard. It also includes other components which facilitate the practice of network security monitoring and event-driven analysis of IDS alerts.

II. RELATED WORK


The primary ways an intruder can get into a system are through primary intrusion, system intrusion and remote intrusion [Wei et al. 2005, Ping et al. 2005, Chi et al. 2006, Haihua et al. 2006, Gang et al. 2006, Emmanuel et al. 2007].

III. DATA GENERATION

Table 1. Input attributes in KDD99 Dataset

Table 2. Sample KDD data (each pattern lists the 41 KDD99 input attributes followed by the class label)

S. No. | KDD pattern
1. 0,udp,private,SF,105,146,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,254,1.00,0.01,0.00,0.00,0.00,0.00,0.00,0.00,normal.
2. 0,udp,private,SF,105,146,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,254,1.00,0.01,0.00,0.00,0.00,0.00,0.00,0.00,normal.
3. 0,udp,private,SF,105,146,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,254,1.00,0.01,0.00,0.00,0.00,0.00,0.00,0.00,normal.
4. 0,udp,private,SF,105,146,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,254,1.00,0.01,0.00,0.00,0.00,0.00,0.00,0.00,snmpgetattack.
5. 0,udp,private,SF,105,146,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,254,1.00,0.01,0.01,0.00,0.00,0.00,0.00,0.00,snmpgetattack.
6. 0,udp,private,SF,105,146,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,255,1.00,0.00,0.01,0.00,0.00,0.00,0.00,0.00,snmpgetattack.
7. 0,udp,domain_u,SF,29,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,1,0.00,0.00,0.00,0.00,0.50,1.00,0.00,10,3,0.30,0.30,0.30,0.00,0.00,0.00,0.00,0.00,normal.
8. 0,udp,private,SF,105,146,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,253,0.99,0.01,0.00,0.00,0.00,0.00,0.00,0.00,normal.
9. 0,udp,private,SF,105,146,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0.00,0.00,0.00,0.00,1.00,0.00,0.00,255,254,1.00,0.01,0.00,0.00,0.00,0.00,0.00,0.00,snmpgetattack.
10. 0,tcp,http,SF,223,185,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,4,4,0.00,0.00,0.00,0.00,1.00,0.00,0.00,71,255,1.00,0.00,0.01,0.01,0.00,0.00,0.00,0.00,normal.

IV. RADIAL BASIS FUNCTION NEURAL NETWORK


The concept of distance measure is used to associate the input and output pattern values. Radial Basis Functions (RBFs) are capable of producing approximations to an unknown function f from a set of input data abscissae. The approximation is produced by passing an input point through a set of basis functions, each of which contains one of the RBF centres, multiplying the result of each function by a coefficient and then summing them linearly. For each function f, the approximation is essentially stored in the coefficients and centres of the RBF. These parameters are in no way unique, since for each function being approximated many combinations of parameter values exist. RBFs have the following mathematical representation:

$$F(x) = c_0 + \sum_{i=0}^{N-1} c_i \, \phi(\| x - R_i \|)$$

where c is a vector containing the coefficients of the RBF, R is a vector containing the centres of the RBF, and $\phi$ is the basis function (activation function) of the network. F(x) is the approximation produced as the output of the network. The coefficient $c_0$, which is a bias term, may take the value 0 if no bias is present. The norm used is the Euclidean distance norm. Equation (3.5) shows the Euclidean distance for a vector x containing n elements:

$$\| x \| = \sqrt{\sum_{i=1}^{n} x_i^2}$$

Each centre $R_i$ has the same dimension as the input vector x, which contains n input values. The centres are points within the input data space and are chosen so that they are representative of the input data. When an RBF calculates its approximation to some input data point, the distance between the input point and each centre is calculated in terms of the Euclidean distance. The distances are then passed through the basis function $\phi$. The results of the basis functions are weighted with the coefficients $c_i$ and these weighted results are then linearly summed to produce the overall RBF output. One of the most common choices for the basis function is the Gaussian:

$$\phi(x) = \exp\left(-\frac{x^2}{\sigma^2}\right)$$

in which $\sigma$ is simply a scaling parameter. Other choices for the basis function include the thin plate spline, the multi-quadric and the inverse multi-quadric. The Gaussian function is the most intuitive in that each basis function output will be larger when the data point is closer to the basis function centre $R_i$. The Gaussian form of the RBF provides direct links to fuzzy logic systems and cluster analysis, and under these circumstances it is quite possible to associate physical meaning and significance with each of the basis function centre positions. Each centre can be seen as indicative of a type of behavior or response, not only for the RBF network itself but also for the system which the RBF network is being employed to identify.

Figure 1 shows the arrangement of layers and of nodes within layers in the RBF. Inputs are presented at the input layer. The centre patterns form the input-layer to hidden-layer matrix. The distance between the input patterns and the centre patterns is found and passed as input to the hidden layer. The summed value is passed through an exponential activation function, shown as a shape in the figure, and the outputs are obtained at the output of the hidden layer. These outputs are processed with the target outputs to obtain the final weights, which are then used for testing.

Fig.1. Training with Radial Basis Function (Input layer, Hidden layer, Output layer)

1) The algorithm of Training Radial Basis Function:

Step 1: Radial Basis Functions are applied.
    No. of Inputs = 41
    No. of Patterns = 25
    No. of Centres = 25
    Calculated RBF as RBF = exp(-X)
    Calculated Matrix as G = RBF
    Calculated A = G^T * G
    Calculated B = A^-1
    Calculated E = B * G^T
    Calculated F = E * D
Step 2: Calculated the Final Weight.
Step 3: Stored the Final Weight in a file.

2) The algorithm of Testing Radial Basis Function:

Step 1: Read the Input.
Step 2: Read the final weights. Calculated Numerals = F * E.
Step 3: Checked the output with the templates for the type of depression.

Fig.2. Flow chart of Radial Basis Function implementation

V. RESULT AND DISCUSSION

Fig.3. Radial Basis Function output

Experimental data were collected from the KDD database. The number of patterns available is huge, covering different types of intrusion. Figure 3 shows the performance of the radial basis function in intrusion detection. The percentage of identification of intrusions is 88%.
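The training steps listed above (G from the Gaussian basis of the pattern-to-centre distances, A = G^T G, B = A^-1, E = B G^T, F = E D) and the testing step, carried out in pure Python as an added example rather than the paper's own implementation. The six three-feature patterns, the sigma value and the 0.5 decision threshold are constructed assumptions; the centres are set equal to the training patterns, as in the paper (No. of Centres = No. of Patterns), and testing uses the weighted sum of hidden-layer outputs described in Section IV.

```python
import math

# Added example (not the paper's code): RBF training by the paper's matrix steps and
# testing by the weighted sum of hidden outputs. Data, sigma, threshold are assumptions.

def gaussian_rbf(x, centre, sigma):
    """Gaussian basis phi(||x - R_i||) = exp(-d^2 / sigma^2) with the Euclidean norm."""
    d2 = sum((a - b) ** 2 for a, b in zip(x, centre))
    return math.exp(-d2 / sigma ** 2)

def transpose(m):
    return [list(col) for col in zip(*m)]

def matmul(a, b):
    bt = transpose(b)
    return [[sum(x * y for x, y in zip(row, col)) for col in bt] for row in a]

def inverse(m):
    """Gauss-Jordan inverse with partial pivoting; rejects singular matrices."""
    n = len(m)
    aug = [row[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            raise ValueError("A = G^T G is singular (duplicate or collinear patterns)")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(n):
            if r != col:
                f = aug[r][col]
                aug[r] = [rv - f * cv for rv, cv in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def train(patterns, targets, centres, sigma):
    """Paper's steps: G = RBF matrix, A = G^T G, B = A^-1, E = B G^T, F = E D."""
    G = [[gaussian_rbf(p, c, sigma) for c in centres] for p in patterns]
    A = matmul(transpose(G), G)
    B = inverse(A)
    E = matmul(B, transpose(G))
    D = [[t] for t in targets]                # target column: 0 = normal, 1 = attack
    return [row[0] for row in matmul(E, D)]   # final weights F, one per centre

def predict(x, centres, weights, sigma):
    """Testing: hidden-layer outputs for x, weighted by F and summed."""
    return sum(gaussian_rbf(x, c, sigma) * w for c, w in zip(centres, weights))

def classify(x, centres, weights, sigma, threshold=0.5):
    return "attack" if predict(x, centres, weights, sigma) >= threshold else "normal"

# Constructed patterns: three KDD-style features scaled to [0, 1] per record
# (e.g. count, srv_count, dst_host_srv_count); three normal, three attack.
PATTERNS = [(0.1, 0.1, 0.0), (0.2, 0.1, 0.1), (0.1, 0.3, 0.1),
            (0.9, 0.8, 1.0), (0.8, 0.9, 0.9), (1.0, 0.7, 0.8)]
TARGETS = [0, 0, 0, 1, 1, 1]
SIGMA = 0.3

if __name__ == "__main__":
    weights = train(PATTERNS, TARGETS, PATTERNS, SIGMA)   # centres = patterns
    for x in [(0.85, 0.85, 0.9), (0.15, 0.2, 0.05)]:
        print(x, round(predict(x, PATTERNS, weights, SIGMA), 3), classify(x, PATTERNS, weights, SIGMA))
```

Because A = G^T G is inverted, duplicate training patterns (Table 2 contains identical rows) make A singular, and the example raises an error rather than returning meaningless weights.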

VI. CONCLUSION

Information security plays an important role in the hi-tech computing world. Even though a firewall is used to provide security between two different networks, it fails to address intranet security (security within a single network). To overcome this problem a model called an Intrusion Detection System is used. The process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusion is known as intrusion detection. In this paper we have concentrated on the KDD99 benchmark dataset. Intrusion classification with 88% accuracy is achieved using the proposed algorithm.

REFERENCES

1. Arvind Rapaka, Alexander Novokhodko, Donald Wunsch, 2003, Intrusion Detection Using Radial Basis Function Network on Sequences of System Calls, IEEE.
2. Bace R. G., 2000, Intrusion Detection, Macmillan Technical Publishing.
3. Chi Hoon Lee, Sung Woo Shin, and Jin Wook Chung, 2006, Proceedings of the Seventh ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing (SNPD06).
4. Emmanuel Hooper, 2007, An Intelligent Intrusion Detection and Response System Using Network Quarantine Channels: Firewalls and Packet Filters.
5. Fehlauer J., Eisenstein B. A., 1978, A Declustering Criterion for Feature Extraction in Pattern Recognition, IEEE Trans. on Comp., vol. 27, no. 3, pp. 261-266.
6. Gang Kou, Yi Peng, Yong Shi, and Zhengxin Chen, 2006, Network Intrusion Detection by Multigroup Mathematical Programming based Classifier, Sixth IEEE International Conference on Data Mining - Workshops (ICDMW'06).
7. Haihua Gao, Xingyu Wang, Huihua Yang, 2006, LS-SVM Based Intrusion Detection Using Kernel Space Approximation and Kernel-Target Alignment.
8. Ilgun K., Kemmerer R., Porras P. A., 1995, State Transition Analysis: A Rule-Based Intrusion Detection Approach, IEEE Transactions on Software Engineering, 21(3), pp. 181-199.
9. Kumar S., 1995, Classification and Detection of Computer Intrusions.
10. Kumar S., Spafford E., 1995, A Software Architecture to Support Misuse Intrusion Detection, in The 18th National Information Security Conference, pp. 194-204.
11. Ping Yi, Yichuan Jiang, Yiping Zhong, Shiyong Zhang, 2005, Distributed Intrusion Detection for Mobile Ad Hoc Networks, Proceedings of the 2005 Symposium on Applications and the Internet Workshops (SAINT-W05).
12. Planquart J. P., Application of Neural Networks to Intrusion Detection.
13. Sung A., Mukkamala S., 2003, Identifying Important Features for Intrusion Detection Using Support Vector Machines and Neural Networks, in Symposium on Applications and the Internet, pp. 209-216.
14. Wei Hu and Weiming Hu, 2005, Network-based Intrusion Detection Using Adaboost Algorithm, Proceedings of the 2005 IEEE/WIC/ACM International Conference on Web Intelligence (WI05).
