
International Journal of Emerging Trends & Technology in Computer Science (IJETTCS)

Web Site: www.ijettcs.org Email: editor@ijettcs.org, editorijettcs@gmail.com Volume 2, Issue 3, May June 2013 ISSN 2278-6856

Evaluation of Network Security Policy Incorporating Genetic Network Feedback


Mr. Randhir Kumar1, Dr. Ravindranath.C.C2
Asst. Prof, Dept. of IT, GGITM, Bhopal, MP, India
Prof, Dept. of EX, GGITM, Bhopal, MP, India

Abstract: Network Internet Protocol (IP) traffic becomes congested in routers during access. In this paper a Genetic Algorithm (GA) is applied to find the fitness value of IPs. These IPs are detected by an Intrusion Detection Technique (IDT). A new algorithm is developed to generate a fitness function that can be used with all types of Stateful Protocol Inspection Intrusion Detection System (SPIIDS) to block the existing IPs and their access.

Keywords: Stateful Protocol Inspection Intrusion Detection System, Genetic Algorithm, Intrusion Detection Technique, network security, congestion management.

1. INTRODUCTION
During the last few years, security has become a crucial aspect of computer systems due to the rapid expansion of computer networks. The need of the hour is the ability to detect attacks on network security. An intruder is a system, program or person who successfully breaks into an information system and violates the system or network integrity of remote machines with malicious intent, or performs actions that are not legally allowed; this activity is known as intrusion [1]. In general, intruders are of two types: external and internal. An external intruder is an unauthorized user of the system or network, while an internal intruder is an authorized user who has access to certain areas of the internal system or network.

An intrusion detection system (IDS) is an application that monitors network traffic or system activities in real time for malicious activities or policy violations and produces reports to a Management Station [2-3]. IDSs can be divided into two categories:
1. Network based IDS (NIDS)
2. Host based IDS (HIDS)
NIDS monitors network traffic at all layers of the Open Systems Interconnection (OSI) model and analyzes any suspicious activity. HIDS analyzes network traffic and system-specific activity (such as operating system, files, processes etc.) on a single host or on multiple hosts [4].

A policy based system works in three basic steps: creation, assignment and execution of the policy, depending on the network event type and the network's security requirements [5]. A GA-based method is designed to detect anomalous network behaviors based on quantitative and categorical features of network data that are derived based on classification rules using GA. The inclusion of quantitative features may lead to increased detection rates [6]. A software implementation of a GA based approach to network intrusion detection derives a set of classification rules and uses a support-confidence framework to judge the fitness function of the framework [7]. The use of information theory and GA to detect abnormal network behaviors was developed in [8]; it can be used only for discrete features.

The three ways to detect intrusion in a system are:
1. Signature based detection
2. Anomaly based detection
3. Stateful protocol inspection

1.1. Signature-based detection
This relies on known traffic data to analyze potentially unwanted traffic. This type of detection is very fast and easy to configure.

1.2. Anomaly based detection
This type of detection looks at network traffic and detects data that is incorrect or generally abnormal. This is useful for detecting unwanted traffic that is not specifically known.

1.3. Stateful Protocol Inspection
This is similar to anomaly based detection, but it can also analyze traffic at the network and transport layer and vendor-specific traffic at the application layer, which anomaly-based detection cannot do [9].

The rest of the paper is organized as follows: Section 2 gives a brief introduction to Genetic Algorithm. The system architecture of genetic network feedback is discussed in Section 3. Section 4 gives the algorithm and data flow diagram for the proposed work. Results are discussed in Section 5. Section 6 presents the conclusion and future work.

2. GENETIC ALGORITHM
Genetic Algorithm (GA) is a heuristic search algorithm based on the evolutionary ideas of natural selection and genetics. GA is based on an analogy with the genetic structure and behavior of chromosomes within a population of individuals. In GA, a population of strings (called chromosomes), which encode candidate solutions (called individuals) to an optimization problem, evolves toward better solutions. The evolution starts from a population of randomly generated individuals and happens in generations. In each generation, the fitness of every individual in the population is evaluated, and multiple individuals are stochastically selected from the current population (based on their fitness) and modified (recombined and possibly randomly mutated) to form a new population. During this process, crossover is used to recombine two strings to get a better string, and mutation is used to mutate the species. Commonly, the algorithm terminates when either a maximum number of generations has been produced or a satisfactory fitness level has been reached for the population [10].

Genetic Algorithm can be described in the following steps:
1. Create a random population of n chromosomes.
2. Evaluate the fitness of each chromosome in the population.
3. Repeat the following steps until n offspring have been created:
   o Select a pair of parent chromosomes from the current population.
   o With probability Pc, cross over the pair at a randomly chosen point to form two offspring.
   o Mutate the two offspring at each locus with probability Pm.
4. Replace the current population with the new population.
5. Go to step 2.

3. SYSTEM ARCHITECTURE
The improved model of the genetic feedback algorithm based network security policy framework [11] consists of the following components:

3.1 Gene Designer: Here the gene of every new network event is created based on the packets involved in the network event. The properties can be the source and destination IP address and port number, the size of the packet and, in case of a security breach, the level of threat and damage caused, depending on the type of security breach, etc.

3.2 Genetic Operation Unit: In this unit, genetic operations such as crossover, mutation and selection are applied to the initial population selected by the administrator.

3.3 Gene Pool: In this component all the genes selected during genetic operation based on their fitness score are stored along with their fitness value for future reference.

3.4 Gene Checker: In this component the gene generated by the gene designer is compared with the genes present in the gene pool. If the gene is present in the gene pool, the output of the component is forwarded to the network report generator. If the gene is not present, the fitness value of the gene is calculated in the fitness calculator.

3.5 Fitness Calculator: In this block the fitness of the gene is calculated. If the score is more than the threshold value decided for the fitness function, the gene is added to the gene pool and the output is sent to the network report generator.

3.6 Network Report Generator: This unit generates a report of the network event behavior after a fixed time period. This time period is decided by the network administrator. While generating the final network report, two time periods are taken into account, i.e. the present and the immediately previous one; a window of size equal to the time period is created and the reports are scanned to check the event behavior. This is done because the number of occurrences of a particular event in a fixed time interval may not pass the threshold required to take a policy enforcement decision, while checking through the window shows that it passes its threshold value at a particular instance of the window.

3.7 Policy Management Point: At this point policy management is done for the policies present in the policy repository, i.e. policy selection, deletion and creation, and storing of policies in the policy repository. The improved model has two policy management points, one for the administrator and the other for the system.

3.8 Policy Repository: In this unit all the policies defined by the administrator or by the genetic algorithm based system are stored, so that they can be used.

3.9 Policy Decision Part: The policy to be implemented is decided by this unit. If the system is running in supervised mode, it is up to the administrator either to allow the policy selected by the system to be enforced or to enforce his own policy. The decision is passed on to the policy enforcement point via the feedback console.

3.10 Feedback Console: If any policy is selected to be enforced or any change is made to a previous policy, the feedback console updates the policy repository by sending a command to the policy management point.

3.11 Policy Enforcement Point: Here the selected policy is enforced on the system.
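The window check described for the Network Report Generator (3.6) can be sketched as follows. This is an added example, not code from the paper: the function names, the event names, the half-open period boundaries and the rule that an event "passes" when its count is greater than or equal to the threshold are all assumptions made for illustration.

```python
from bisect import bisect_right

def count_in(ts, start, end):
    """Number of sorted timestamps t with start < t <= end."""
    return bisect_right(ts, end) - bisect_right(ts, start)

def window_peak(ts, period, now):
    """Largest event count in any window of length `period` placed anywhere
    inside the previous and present periods together (ts must be sorted)."""
    ts = [t for t in ts if now - 2 * period < t <= now]
    best = lo = 0
    for hi, t in enumerate(ts):
        while ts[lo] <= t - period:      # drop events older than the window
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def network_report(events, period, now, threshold):
    """Compare fixed-interval counts with the sliding-window peak.
    Assumption: an event 'passes' when its count >= threshold."""
    report = {}
    for name, stamps in events.items():
        ts = sorted(stamps)
        previous = count_in(ts, now - 2 * period, now - period)
        present = count_in(ts, now - period, now)
        peak = window_peak(ts, period, now)
        report[name] = {
            "previous": previous,
            "present": present,
            "window_peak": peak,
            "fixed_alert": max(previous, present) >= threshold,
            "window_alert": peak >= threshold,
        }
    return report

# Constructed sample: event name -> timestamps in seconds (not real traffic).
SAMPLE_EVENTS = {
    "port_scan":  [40, 45, 50, 55, 65, 70, 75],   # burst straddles the boundary
    "login_fail": [10, 100],                      # sparse, never near threshold
    "syn_burst":  [61, 62, 63, 64, 65, 66],       # burst inside one period
}

if __name__ == "__main__":
    for name, row in network_report(SAMPLE_EVENTS, 60, 120, 5).items():
        print(name, row)
```

With a 60-second period and a threshold of 5, the constructed `port_scan` burst stays under the threshold in both fixed intervals but exceeds it in the sliding window, which is the case the report generator is designed to catch.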

4. ALGORITHM FOR FINDING FITNESS VALUE
The algorithm of the fitness function is given in two phases.

4.1 Phase-I: The value of the chromosome is found in this phase. The value depends on the following parameters:
1. Source IP address
2. Destination IP address
3. Source port number
4. Destination port number
5. Size of packet
6. Number of hops between the source and destination
7. Time to live (TTL)
8. Packet type

4.2 Phase-II: In this phase the match value is found by the equation-( ). This is compared with the Threshold Value (THV) for given network categories.
1. Threat is taken as the fitness function. So the Threat Value (TV) of each event is calculated from equation (2).
2. The absolute difference between the Threat Value (TV) of the chromosome and the actual Threat Threshold Value (TTHV) is then computed using equation (3).
If the Threat Value (TV) is above the Threat Threshold Value (THV) decided, then the packet is considered dangerous. And if the value of is greater than zero then the network event is considered dangerous; otherwise the network event is safe.

5. RESULTS AND DISCUSSIONS
The proposed algorithm is implemented using Java and MySQL.

Figure 1: Admin Login form for entering in Admin
Figure 1 shows the Admin login form, which allows entry to the Admin area. The Admin has 3 tries to enter the correct username and password; after 3 tries the login window disappears.

Figure 2: Main window
The main window, shown in Figure 2, allows the Admin to choose the network interface card on which to scan packets. The Admin supervision button opens the Administrator window, which allows the Admin to change the parameters required by the algorithm.

Figure 3: Action for low fitness value
The action for a low fitness value is shown in Figure 3. From this the error of the existing fitness value can be seen. After getting the fitness value, some action should be taken by selecting one of the options. If any of the captured packets has a fitness less than the threshold, then the admin can:
Set Fitness
Block IP

Figure 4: Admin window for managing Genetic Algorithm input values
The admin window for mapping Genetic Algorithm input values is shown in Figure 4. In this window the blocked IP addresses and the fitness values can be observed.

6. CONCLUSION AND FUTURE WORK
An improved model for a genetic feedback algorithm based network security policy framework using network intrusion detection techniques is introduced. A brief overview of Intrusion Detection Systems (IDS), genetic algorithms and related detection techniques was presented. The system architecture is also introduced. Factors affecting the GA are addressed in detail. This implementation of the genetic algorithm is unique as it considers both temporal and spatial information of network connections during the encoding of the problem; therefore, it should be more helpful for identification of anomalous network behaviors.

Future work includes:
1. Comparing GA results with existing intrusion rule sets for effectiveness.
2. Data mining the GA results for patterns or data clusters and then analyzing them for discoveries.
3. Utilizing Genetic Programming, which enhances GAs by producing dynamic programs instead of static chromosomes, resulting in more multifaceted and flexible outcomes.

Acknowledgment
The authors wish to thank the management of Gyan Ganga Institute of Tech & Mgmt, Bhopal and Dr. P. S. Venkataramu, Principal, GGITM for their constant encouragement for completion of this work.

References
[1] Anita K. Jones and Robert S. Sielken, Computer System Intrusion Detection: A Survey. Technical Report, Department of Computer Science, University of Virginia, Charlottesville, Virginia, 2000.
[2] K. Scarfone, P. Mell, Guide to Intrusion Detection and Prevention Systems (IDPS). Computer Security Resource Center (National Institute of Standards and Technology), February 2007.
[3] John McHugh, Intrusion and Intrusion Detection. Technical Report, CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University. Published online: 27 July 2001, Springer-Verlag 2001.
[4] Harley Kozushko, Intrusion Detection: Host-Based and Network-Based Intrusion Detection Systems, Independent Study, Thursday, September 11, 2003.
[5] A. Mishra, A. K. Jhapate, P. Kumar, Improved Genetic Feedback Algorithm Based Network Security Policy Frame Work, in Proceedings of Future Networks, 2010 (ICFN '10), Second International Conference, pp. 8-10.
[6] Wei Li, A Genetic Algorithm Approach to Network Intrusion Detection, GSEC Practical Assignment Version 1.4 Option 1, November 5, 2003.
[7] R. H. Gong, M. Zulkernine, P. Abolmaesumi, A Software Implementation of a Genetic Algorithm Based Approach to Network Intrusion Detection, 2005.
[8] T. Xiao, G. Qu, S. Hariri, and M. Yousif, An Efficient Network Intrusion Detection Method Based on Information Theory and Genetic Algorithm, Proceedings of the 24th IEEE International Performance Computing and Communications Conference (IPCCC 05), Phoenix, AZ, USA, 2005.
[9] C. Kruegel et al., Stateful intrusion detection for high-speed networks, in Proceedings of the 2002 IEEE Symposium on Security and Privacy, May 2002, pp. 285-294.
[10] S. N. Sivanandam and S. N. Deepa, Principles of Soft Computing, John Wiley-India.
[11] Suhas B. Chavan, L. M. R. J. Lobo, Network Security policy framework and Analysis, IJCA Special Issue on Network Security and Cryptography NSC, 2011.
