Web Site: www.ijettcs.org, Email: editor@ijettcs.org, editorijettcs@gmail.com. Volume 2, Issue 3, May-June 2013, ISSN 2278-6856
Keywords: Stateful Protocol Inspection Intrusion Detection System, Genetic Algorithm, Intrusion Detection Technique, network security, congestion management.
1. INTRODUCTION
During the last few years, security has become a crucial aspect of computer systems because of the rapid expansion of computer networks. The need of the hour is the ability to detect an attack on network security. An intruder is a system, program or person who successfully breaks into an information system and violates the system or network integrity of remote machines with malicious intent, or performs an action that is not legally allowed; this activity is known as an intrusion [1]. In general, intruders are of two types: external and internal. An external intruder is an unauthorized user of the system or network, whereas an internal intruder is an authorized user who has access to certain areas of the internal system or network.

An intrusion detection system (IDS) is an application that monitors network traffic or system activities in real time for malicious activities or policy violations and produces reports to a management station [2-3]. IDSs can be divided into two categories:
1. Network based IDS (NIDS)
2. Host based IDS (HIDS)
A NIDS monitors network traffic at all layers of the Open Systems Interconnection (OSI) model and analyzes any suspicious activity. A HIDS analyzes network traffic and system-specific activity (such as the operating system, files, processes, etc.) on a single host or on multiple hosts [4]. A policy based system works in three basic steps, i.e. creation, assignment and execution of the policy, depending on the network event type and the network's security requirements [5]. The GA-based method is designed to detect anomalous network behaviors based on quantitative and categorical features of network data that are derived from classification rules using GA. The inclusion of quantitative features may lead to increased detection rates [6]. A software implementation of a GA based approach to network intrusion detection derives a set of classification rules and uses a support-confidence framework to judge the fitness function of the framework [7]. The use of information theory and GA to detect abnormal network behaviors was developed in [8], but it can be used only for discrete features. The three ways to detect intrusion in a system are:
1. Signature based detection
2. Anomaly based detection
3. Stateful protocol inspection

1.1. Signature-based detection
This relies on known traffic data to analyze potentially unwanted traffic. This type of detection is very fast and easy to configure.

1.2. Anomaly based detection
This type of detection looks at network traffic and detects data that is incorrect or generally abnormal. This is useful for detecting unwanted traffic that is not specifically known.

1.3. Stateful Protocol Inspection
This is similar to anomaly based detection, but it can also analyze traffic at the network and transport layers and vendor-specific traffic at the application layer, which anomaly-based detection cannot do [9].

The rest of the paper is organized as follows: Section 2 gives a brief introduction to the Genetic Algorithm. The system architecture of the genetic network feedback is discussed in Section 3. Section 4 gives the algorithm and data flow diagram for the proposed work. Results are discussed in Section 5. Section 6 presents the conclusion and future work.
2. GENETIC ALGORITHM
A Genetic Algorithm (GA) is a heuristic search algorithm based on the evolutionary ideas of natural selection and genetics. GA is based on an analogy with the genetic structure and behavior of chromosomes within a population of individuals. In GA, a population of strings (called chromosomes), which encode candidate solutions (called individuals) to an optimization problem, evolves
3. SYSTEM ARCHITECTURE
The improved model of the genetic feedback algorithm based network security policy framework [11] consists of the following components:

3.1 Gene Designer
In this component a gene for every new network event is created based on the packets involved in the network event. The properties can be the source and destination IP address and port number, the size of the packet and, in case of a security breach, the level of threat and damage caused, depending on the type of security breach, etc.

3.2 Genetic Operation Unit
In this unit, genetic operations such as crossover, mutation and selection are applied to the initial population selected by the administrator.

3.3 Gene Pool
In this component all genes selected during the genetic operation on the basis of their fitness score are stored along with their fitness values for future reference.
Figure 1: Admin login form for entering the Admin area
Figure 1 shows the admin login form, which allows entry to the Admin area. The admin has three tries to enter the correct username and password; after three failed tries the login window disappears.
Figure 2: Main window
The main window allows the admin to choose the network interface card used to scan packets, as shown in Figure 2. The Admin supervision button opens the Administrator window, which allows the admin to change the parameters required by the algorithm.

The threat value of each event is compared with the Threshold Value (THV) for the given network categories:
1. Threat is taken as the fitness function, so the Threat Value (TV) of each event is calculated from equation (2).
2. The absolute difference between the Threat Value (TV) of the chromosome and the actual Threat Threshold Value (TTHV) is then computed using equation (3).
If the Threat Value (TV) is above the chosen Threat Threshold Value (TTHV), the packet is considered dangerous: if the resulting value is greater than zero the network event is considered dangerous, otherwise the network event is safe.
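The component flow of Section 3 and the threshold decision above, as an added example that is not part of the paper: a Gene Designer that encodes a network event as a normalized chromosome, a Genetic Operation Unit (selection, crossover, mutation) that fills a Gene Pool with (gene, fitness) pairs, and the TV-versus-TTHV rule. The paper's equations (2) and (3) are not reproduced on the page, so the weighted-sum threat value, the weights, the threshold 0.5 and the sample events are assumptions made here.

```python
import random

# Assumed stand-in for the paper's equation (2): a weighted sum of the gene
# fields (dst port, packet size, damage level), each normalized to [0, 1].
WEIGHTS = (0.2, 0.3, 0.5)
TTHV = 0.5  # Threat Threshold Value chosen by the administrator (assumed)

def design_gene(event):
    """Gene Designer: encode one network event as a chromosome of normalized fields."""
    return [min(event["dst_port"], 65535) / 65535,
            min(event["size"], 1500) / 1500,
            min(event["damage"], 10) / 10]

def threat_value(gene):
    """Fitness: the Threat Value (TV) of a gene (assumed linear scoring)."""
    return sum(w * g for w, g in zip(WEIGHTS, gene))

def deviation(gene, tthv=TTHV):
    """Stand-in for equation (3): absolute difference between TV and TTHV."""
    return abs(threat_value(gene) - tthv)

def is_dangerous(gene, tthv=TTHV):
    """Decision rule from the text: TV above the threshold marks a dangerous event."""
    return threat_value(gene) > tthv

def crossover(a, b, rng):
    """Single-point crossover of two chromosomes."""
    point = rng.randrange(1, len(a))
    return a[:point] + b[point:], b[:point] + a[point:]

def mutate(gene, rng, rate=0.2):
    """Perturb each field with probability `rate`, clamped to [0, 1]."""
    return [min(1.0, max(0.0, g + rng.uniform(-0.1, 0.1))) if rng.random() < rate else g
            for g in gene]

def evolve(population, generations, seed=0):
    """Genetic Operation Unit: selection, crossover and mutation over the population.
    Returns the final population and the Gene Pool of (gene, fitness) pairs kept."""
    rng, pool = random.Random(seed), []
    for _ in range(generations):
        ranked = sorted(population, key=threat_value, reverse=True)
        parents = ranked[:max(2, len(ranked) // 2)]  # selection: highest-threat genes survive
        pool.extend((g, threat_value(g)) for g in parents)
        children = []
        while len(children) < len(population):
            c1, c2 = crossover(*rng.sample(parents, 2), rng)
            children += [mutate(c1, rng), mutate(c2, rng)]
        population = children[:len(population)]
    return population, pool

# Constructed sample events (not from the paper): one suspicious, one benign.
SUSPICIOUS = {"dst_port": 4444, "size": 1500, "damage": 8}
BENIGN = {"dst_port": 443, "size": 60, "damage": 0}
```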
Figure 3: Action for low fitness value
References
[1] A. K. Jones and R. S. Sielken, "Computer System Intrusion Detection: A Survey," Technical Report, Department of Computer Science, University of Virginia, Charlottesville, Virginia, 2000.
[2] K. Scarfone and P. Mell, "Guide to Intrusion Detection and Prevention Systems (IDPS)," Computer Security Resource Center, National Institute of Standards and Technology, February 2007.
[3] J. McHugh, "Intrusion and Intrusion Detection," Technical Report, CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University; published online 27 July 2001, Springer-Verlag, 2001.
[4] H. Kozushko, "Intrusion Detection: Host-Based and Network-Based Intrusion Detection Systems," Independent Study, September 11, 2003.
[5] A. Mishra, A. K. Jhapate and P. Kumar, "Improved Genetic Feedback Algorithm Based Network Security Policy Framework," in Proceedings of the Second International Conference on Future Networks (ICFN '10), 2010, pp. 8-10.
[6] W. Li, "A Genetic Algorithm Approach to Network Intrusion Detection," GSEC Practical Assignment Version 1.4 Option 1, November 5, 2003.
[7] R. H. Gong, M. Zulkernine and P. Abolmaesumi, "A Software Implementation of a Genetic Algorithm Based Approach to Network Intrusion Detection," 2005.
[8] T. Xiao, G. Qu, S. Hariri and M. Yousif, "An Efficient Network Intrusion Detection Method Based on Information Theory and Genetic Algorithm," in Proceedings of the 24th IEEE International Performance Computing and Communications Conference (IPCCC 05), Phoenix, AZ, USA, 2005.
[9] C. Kruegel et al., "Stateful Intrusion Detection for High-Speed Networks," in Proceedings of the 2002 IEEE Symposium on Security and Privacy, May 2002, pp. 285-294.
[10] S. N. Sivanandam and S. N. Deepa, Principles of Soft Computing, John Wiley-India.
[11] S. B. Chavan and L. M. R. J. Lobo, "Network Security Policy Framework and Analysis," IJCA Special Issue on Network Security and Cryptography (NSC), 2011.
Figure 4: Admin window for managing Genetic Algorithm input values
The admin window for managing the Genetic Algorithm input values is shown in Figure 4. In this window the blocked IP addresses and the fitness values can be observed.
Acknowledgment
The authors wish to thank the management of Gyan Ganga Institute of Tech & Mgmt, Bhopal, and Dr. P. S. Venkataramu, Principal, GGITM, for their constant encouragement in completing this work.