Requirement Analysis 2


2.1 Literature Survey
A fair number of systems and tools already provide network intrusion detection functionality. These have been thoroughly examined in order to find their pitfalls and to add the missing functionality to our system.

2.1.1 Theory Associated With Problem Area
2.1.1.1 Network Intrusion Detection
A Network-based Intrusion Detection System (IDS) monitors and analyzes the traffic on its network segment to detect intrusion attempts. An IDS can be made of many sensors, each sensor being in charge of monitoring the traffic passing through its own segment.
Northcutt described a NIDS as an ID system that uses the traffic on its network segment as its data source. Implementation requires:
I. The Network Interface Card (NIC) is set in monitor mode so that it captures all packets crossing its network segment.
II. A sensor determines whether the packet flow matches a known signature.
III. Three kinds of signature are particularly important: first, string signatures, which look for a text string that indicates a possible attack; second, port signatures, which simply watch for connection attempts to well-known, frequently attacked ports; third, header signatures, which watch for dangerous or illogical combinations in packet headers.
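
The three signature classes listed above, applied by a small sensor to raw IPv4/TCP packets. This is an added example, not code from the project; the rules, addresses and sample packets are constructed for illustration.

```python
import struct

# Constructed rules, for illustration only.
STRING_SIGS = {b"/etc/passwd": "string: /etc/passwd in payload"}
WATCHED_PORTS = {23: "telnet", 445: "smb"}
FIN, SYN, ACK = 0x01, 0x02, 0x10

def parse_ipv4_tcp(raw):
    """Return (src, dst, sport, dport, flags, payload) of a raw IPv4/TCP packet."""
    ihl = (raw[0] & 0x0F) * 4 if raw else 0        # IP header length in bytes
    if ihl < 20 or len(raw) < ihl + 20 or raw[0] >> 4 != 4 or raw[9] != 6:
        raise ValueError("not a complete IPv4/TCP packet")
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    data_off = (raw[ihl + 12] >> 4) * 4            # TCP header length in bytes
    if data_off < 20:
        raise ValueError("bad TCP data offset")
    return raw[12:16], raw[16:20], sport, dport, raw[ihl + 13], raw[ihl + data_off:]

def match_signatures(raw):
    """Apply string, port and header signatures; return the list of alerts."""
    src, dst, sport, dport, flags, payload = parse_ipv4_tcp(raw)
    alerts = [name for needle, name in STRING_SIGS.items() if needle in payload]
    if flags & SYN and not flags & ACK and dport in WATCHED_PORTS:
        alerts.append(f"port: connection attempt to {dport}/{WATCHED_PORTS[dport]}")
    if flags & SYN and flags & FIN:                # illogical flag combination
        alerts.append("header: SYN and FIN set together")
    if src == dst and sport == dport:              # packet claims to come from its target
        alerts.append("header: source and destination identical")
    return alerts

def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Constructed sample packet: minimal IPv4 + TCP headers, checksums left at 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp + payload

A, B = (10, 0, 0, 5), (10, 0, 0, 9)                # constructed addresses
SAMPLES = {
    "normal": build_packet(A, B, 40000, 80, 0x18, b"GET /index.html HTTP/1.0\r\n"),
    "string": build_packet(A, B, 40001, 80, 0x18, b"GET /etc/passwd HTTP/1.0\r\n"),
    "port":   build_packet(A, B, 40002, 23, SYN),
    "header": build_packet(A, B, 40003, 80, SYN | FIN),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, match_signatures(pkt))
```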

2.1.1.2 Classification of Intrusion Detection System
Two classes of intrusion detection system have been developed: host-based IDS and network-based IDS.
• Signature based detection
Signature based detection is also known as misuse detection or knowledge-based detection. Such systems work on the same principles as most anti-virus software and rely on the knowledge accumulated about previous attacks and vulnerabilities to detect intrusion attempts. If the current activities match any of the known signatures, an alarm is triggered.
• Anomaly based detection
Anomaly detection systems, also known as behavior-based systems, rely on the fact that intrusions can be detected by observing deviations from the expected behavior of the monitored system. These “normal” behaviors can correspond either to observations made in the past or to forecasts made by various techniques. Anything that does not correspond to this “normal” pattern is flagged as anomalous. Therefore, the core process of anomaly detection is not to learn what is anomalous but to learn what is normal or expected.

2.1.2 Existing Systems and Solutions

• Network Intrusion Detection
1. Snort
Snort, an open source NIDS, can perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks. Snort performs protocol analysis, content searching and matching. The program can also be used to detect attacks, including, but not limited to, operating system fingerprinting attempts, semantic URL attacks, buffer overflows, server message block probes, and stealth port scans. It is a rule-based intrusion detection system. It provides a good management console with the help of the ACID (Analysis Console for Intrusion Databases) plug-in module. Plug-ins are a very important feature of the Snort IDS. Users can create their own rules to block certain kinds of packets and thus detect possible related attacks. PHP, Apache, and the Snort database plug-in are required.

2. Cisco Secure IDS
Cisco Secure IDS (formerly NetRanger) is an enterprise-scale, real-time, rule-based intrusion detection system designed to detect, report, and terminate unauthorized activity throughout a network.
Cisco provides a management console, but it is not as good as those of Snort and Dragon. It is responsible for the communication between the server and the agents. Communication between the agents and the server takes place at intervals set in the console. The communication port for the console and the agent must be the same for them to communicate. It also contains a list indicating the state of each agent.

3. Netstat
Netstat is both a rule-based and an anomaly-based intrusion detection system for UNIX systems. It displays active TCP connections, ports on which the computer is listening, Ethernet statistics, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), IPv6 statistics and the IP routing table. Used without parameters, netstat displays active TCP connections.

2.1.3 Research Findings for Existing Literature

2.1.3 Table for Literature Survey
Columns: S. No. | Roll Number | Name | Paper Title | Tools/Technology | Findings | Citation

S. No. 1 | Roll Number: 101503194 | Name: Samridhi
Paper Title: Strength and Limitation of Nagios as a Network Monitoring System
Tools/Technology: Nagios
Findings:
-Status check and problem notification through the use of external “plugins”
-Lack of database and performance records
-Difficult configuration
-Lack of automatic device discovery
Citation: Sophon Mongokolluksamee, Panita Pongaibool and Chayee Issariyapat

Paper Title: Using Model-based Intrusion Detection for SCADA Networks
Tools/Technology: Model-based approach, SCADA network, Modbus TCP, Emerald intrusion detection
Findings: Model-based detection is an important complement to signature-based approaches in that the former provides at least some potential for detection of zero-day attacks, while the latter effectively detects specific known attacks.
Citation: Steven Cheung, Bruno Dutertre, Martin Fong, Ulf Lindqvist, Keith Skinner, Alfonso Valdes

S. No. 2 | Roll Number: 101503180 | Name: Ramandeep
Paper Title: Network intrusion detection system using various data mining techniques
Tools/Technology: Snort
Findings:
-NIDS
-Accustomed Management Console
-Passive/Active Behavior on Attack
-High Reporting Capability
-Medium Interoperability
Citation: Dikshant Gupta, Suhani Singhal, Shamita Malik, Archana Singh

Paper Title: Secure gateway defender - a network intrusion detection system
Tools/Technology: –
Findings: Provides simultaneous multi-level monitoring, detection of known and unknown intrusions and hierarchical sense and response mechanisms
Citation: Vikram Kothari, Manali Raut, Sairaj Samant, Renuka Pawar

S. No. 3 | Name: Gurparkash
Paper Title: Limitations of Network Intrusion Detection
Tools/Technology: Cisco Secure
Findings:
-NIDS
-Intricate Management Console
-Passive/Active Behavior on Attack
-High Reporting Capability
-Medium Interoperability
Citation: Steve Schupp

Paper Title: Intrusion Detection and Prevention Systems (IDPS) and Security Issues
Tools/Technology: No tools used
Findings: Organizations will have to adopt a firm security model or mechanism, such as IDPS, that provides the strongest protection against threats to ensure that the system remains secure.
Citation: IJCSNS International Journal of Computer Science and Network Security.

S. No. 4 | Name: Gurjot
Paper Title: A framework for constructing features and models for Intrusion Detection System
Tools/Technology: Netstat
Findings:
-NIDS
-Intricate Management Console
-Active Behavior on Attack
-No Reporting Capability
-UNIX-like OS system command
Citation: W. Lee and S.J. Stolfo

2.1.3.1 Research Parameters
Sr No. | IDS | Granularity of Data Processing | Audit Source Location | Management Console | Behavior on Attack | Reporting Capability | Interoperability
1 | Snort | Realtime | NIDS | Accustomed | Passive/Active | High | Medium
2 | Cisco Secure | Realtime | NIDS | Intricate | Passive/Active | High | Medium
3 | Netstat | Realtime | NIDS | Intricate | Active | – | –

• Granularity of Data Processing
The response time of an intrusion detection system depends partly on the granularity of data processing.
• Audit source location
It refers to the location of the intrusion detection system. The audit source location discriminates intrusion detection systems based on the kind of input information they analyze, which can be audit trails (such as system logs) on a host, network packets, application logs, or alerts generated by other IDSs. Network-based data are usually read directly off some multicast network (Ethernet). One advantage of using network-based audit data is that it allows the intrusion detection system to observe the whole traffic on the network.
• Management Console
It refers to the management console, i.e. the user interface that the client component of network management software provides: a workstation used to monitor and control a network.
• Behavior on Attack
It describes the response of the intrusion detection system to attacks. On the basis of their response to intrusion, IDSs can be either active or passive. An active IDS reacts to the attack by taking either corrective or pro-active actions, whereas a passive IDS merely generates alarms.
• Reporting Capability
This parameter relates to how quickly an IDS reports the attack to the network administrator.
• Interoperability
Interoperability is a measure of the intrusion detection system’s ability to cooperate with other similar systems.
2.1.4 The Problem That Has Been Identified

-Signature based Intrusion Detection System
• It can only detect threats that are in the database; any new type of threat passes undetected. The database needs to be updated frequently.
• It can detect previously known attacks only.
• Every signature of a new attack or its variant needs to be added to the database, so the database becomes very large and updating it is very time consuming.
• It is difficult to determine an attack because the description of an attack in the database is generally a low-level description.
• The more specific a signature's description of an attack, the fewer false-positive alerts there are; but the more specific the signatures, the easier it is for an intruder to prepare a slightly different variant of the attack that does not match the signature and is therefore overlooked.

-Anomaly based Intrusion Detection System
• The time required to train the system on normal behavior may be lengthy.
• The behavior of the monitored environment may change after a certain period, requiring retraining of the system.
• If the training data set itself contains attacks, the intrusion detection system will take malicious behavior as normal.
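
The last anomaly-based problem above, shown with numbers: a baseline of "normal" learned from clean traffic flags a connection flood, while the same baseline learned from a capture that already contains the flood does not. This is an added example, not the project's code; the per-window connection counts and the 3-sigma rule are constructed assumptions.

```python
from statistics import mean, pstdev

def learn_baseline(training_windows):
    """Learn "normal" as the mean and standard deviation of the training counts."""
    return mean(training_windows), pstdev(training_windows)

def is_anomalous(value, baseline, k=3.0):
    """Flag a window that deviates more than k standard deviations from normal."""
    mu, sigma = baseline
    return abs(value - mu) > k * max(sigma, 1e-9)

def evaluate(training_windows, live_windows):
    """Train on one capture, then return the live windows flagged as anomalous."""
    baseline = learn_baseline(training_windows)
    return [v for v in live_windows if is_anomalous(v, baseline)]

# Constructed data: new TCP connections observed per 10-second window.
CLEAN_TRAINING = [42, 38, 45, 40, 44, 39, 41, 43, 37, 46, 40, 42]
# The same capture with three flood windows recorded during the training period.
POISONED_TRAINING = CLEAN_TRAINING + [900, 950, 880]
# Live traffic containing one flood window (910).
LIVE = [41, 44, 910, 39]

if __name__ == "__main__":
    for label, training in (("clean", CLEAN_TRAINING), ("poisoned", POISONED_TRAINING)):
        mu, sigma = learn_baseline(training)
        print(f"{label:9s} mean={mu:7.1f} stdev={sigma:6.1f} "
              f"flagged={evaluate(training, LIVE)}")
```

With the poisoned capture the learned mean and spread grow so much that the flood window falls inside the accepted band, which is why training data has to be checked for attacks before a baseline is built from it.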

2.1.5 Survey of Tools and Technologies Used

2.1.5.1 Feature Selection: Recursive Feature Elimination
Recursive feature elimination (RFE) is a feature selection method that fits a model and removes the weakest feature (or features) until the specified number of features is reached. Features are ranked by the model’s feature_importances_ attribute, and by recursively eliminating a small number of features per loop, RFE attempts to eliminate dependencies and collinearity that may exist in the model.
2.1.5.2 Decision Tree in Machine Learning
Decision Tree Analysis is a general, predictive modelling tool that has applications spanning a number of different areas. Decision trees are constructed via an algorithmic approach that identifies ways to split a data set based on different conditions. This is one of the most widely used and practical methods for supervised learning. Decision Trees are a non-parametric supervised learning method used for both classification and regression tasks. The goal is to create a model that predicts the value of a target variable by learning simple decision rules inferred from the data features.

Disadvantages
• Overfitting – Over-complex trees that do not generalize the data well.
• Variance – Decision trees can be unstable because small variations in the data might result in a completely different tree being generated.
• Greedy algorithms cannot guarantee to return the globally optimal decision tree. This can be mitigated by training multiple trees, where the features and samples are randomly sampled with replacement.
• Decision tree learners create biased trees if some classes dominate. It is therefore recommended to balance the data set prior to fitting with the decision tree.
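
Recursive feature elimination driven by a decision tree, as described in 2.1.5.1 and 2.1.5.2. This is an added example, not the project's code: it assumes scikit-learn is installed, and the feature names and the small traffic table are constructed. One column is a collinear copy of another, so the run shows RFE dropping the redundant copy along with the features that carry no information.

```python
from itertools import product

from sklearn.feature_selection import RFE
from sklearn.tree import DecisionTreeClassifier

# Constructed feature names (not taken from the project's data set).
FEATURES = ["syn_rate", "syn_per_100", "conn_count", "ttl_is_64", "frag_flag"]

def build_dataset():
    """Full-factorial toy table. The label depends only on syn_rate and
    conn_count; syn_per_100 is a collinear copy of syn_rate; the two flag
    columns are independent of the label."""
    rows, labels = [], []
    for syn, conn, ttl, frag in product((0.1, 0.3, 0.7, 0.9), (10, 30, 70, 90),
                                        (0, 1), (0, 1)):
        rows.append([syn, syn * 100, conn, ttl, frag])
        labels.append(int(syn > 0.5 and conn > 50))   # 1 = attack, 0 = normal
    return rows, labels

def select_features(keep=2):
    """Fit the tree, drop the weakest feature, refit, until `keep` remain."""
    rows, labels = build_dataset()
    tree = DecisionTreeClassifier(random_state=0)
    rfe = RFE(estimator=tree, n_features_to_select=keep, step=1).fit(rows, labels)
    selected = [name for name, kept in zip(FEATURES, rfe.support_) if kept]
    # ranking_: 1 = kept, larger numbers were eliminated earlier.
    ranking = dict(zip(FEATURES, (int(r) for r in rfe.ranking_)))
    return selected, ranking

if __name__ == "__main__":
    selected, ranking = select_features()
    print("kept:", selected)
    print("ranking (1 = kept):", ranking)
```

Which of the two collinear columns survives depends on the tree's tie-breaking; only one of them is ever kept.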

2.2 Standards

(i) IPv4 – Internet Protocol version 4 (IPv4) is the fourth version of the Internet Protocol. It is one of the core protocols of standards-based internetworking methods.

(ii) The IEEE 802.11 standard is defined through several specifications of WLANs. It defines an over-the-air interface between a wireless client and a base station or between two wireless clients.

There are several specifications in the 802.11 family:
• 802.11 – This pertains to wireless LANs and provides 1- or 2-Mbps transmission in the 2.4-GHz band using either frequency-hopping spread spectrum (FHSS) or direct-sequence spread spectrum (DSSS).
• 802.11a – This is an extension to 802.11 that pertains to wireless LANs and goes as fast as 54 Mbps in the 5-GHz band. 802.11a employs the orthogonal frequency division multiplexing (OFDM) encoding scheme as opposed to either FHSS or DSSS.
• 802.11b – The 802.11 high rate WiFi is an extension to 802.11 that pertains to wireless LANs and yields a connection as fast as 11 Mbps transmission (with a fallback to 5.5, 2, and 1 Mbps depending on strength of signal) in the 2.4-GHz band. The 802.11b specification uses only DSSS. Note that 802.11b was actually an amendment to the original 802.11 standard added in 1999 to permit wireless functionality to be analogous to hard-wired Ethernet connections.
• 802.11g – This pertains to wireless LANs and provides 20+ Mbps in the 2.4-GHz band.
Here is the technical comparison between the three major WiFi standards.

Fig. 2.2.1 IEEE Standards

2.3 Software Requirements Specification
2.3.1 Introduction
2.3.1.1 Purpose
As the Internet grows day by day, the number of end users in organizations is also increasing. Networks are therefore growing at a rapid pace, which increases the probability of network intrusions and demands the use of intrusion detection systems. Whether in educational institutions or large industries, network attacks can cause a lot of damage to the organization, financially and economically, so there is a need to watch over the network and stop any intrusions from happening.

2.3.1.2 Intended Audience and Reading Suggestions
The intended audience can be anyone: an end user, a network administrator or any industry. This product is simple and user-friendly, so anyone can deploy it on their system over the network and protect themselves and the network from intrusions.

2.3.1.3 Project Scope
• Detect intrusions and malicious activities occurring within the network.
• Categorizing the attacks further into DoS, Probe, U2R, R2L.

2.3.2 Overall Description
2.3.2.1 Product Perspective
The IDS monitors inbound and outbound traffic and identifies malicious traffic that may have bypassed the firewall or may have originated from inside your network. An IDS can monitor and protect your network proactively, but it is prone to false alarms. It must first be taught what normal traffic is and what malicious traffic looks like; only then can the efficiency of the IDS be increased. The admin must also know how to interpret the errors and reports generated by the IDS.

2.3.2.2 Product Features
• Being signature based, the IDS requires knowledge of the past activities.
• Resets the TCP connections.
• Checks TCP sequencing issues.

2.3.3 External Interface Requirements
2.3.3.1 User Interfaces
The application provides a user-friendly graphical interface that displays the total number of alerts of all types generated by the system and the currently captured data in the form of a bar graph representing the number of DoS, Probe, R2L and U2R attacks.

2.3.3.2 Hardware Interfaces
• 8GB RAM or more for better and efficient performance and monitoring
• Quad core processor or higher
• 100GB Free Disk Space
• Works on operating systems: Linux, Windows OS

2.3.3.3 Software Interfaces
• GUI using PySide
• Data sets are used in the software to detect the patterns for intrusions
• Scikit-Learn used for the machine learning algorithms
• Programming language: Python

2.3.4 Other Non-functional Requirements
2.3.4.1 Performance Requirements
• Monitoring systems should not have any noticeable effects on the specified network system.
• Policy-enforcing systems should cause minimal degradation of the network service.

2.3.4.2 Safety Requirements
• Systems should be placed out of reach of unauthorized people.
• The systems' location should not be visible through the network itself.

2.3.4.3 Security Requirements
• Systems should be secured against unauthorized access to any of the data and unauthorized use of any component.
• Systems should use reliable two-way data communication, such as encrypting and decrypting the reports sent over the network.
• Systems should be secured against any cyber-attacks against them.
• Systems should be updated regularly.

2.4 Cost Analysis
The only cost is that of the hardware required for the software to work smoothly. A large database should be deployed, as the database keeps growing with new variants or the detection of new intrusions. No further costs are incurred by this system.

2.5 Risk Analysis
• Resource Limitations
o Network Traffic Loads
o TCP connections
o Long term state
• Attacks against NIDS
• User-Unfriendly GUI
• Lack of Database and Performance Risks
• Lack of Automatic Device Discovery

4.1 System Architecture

Fig. 4.1 MVC Architecture

4.2 Design Level Diagrams
4.2.1 Use Case Diagram
Fig. 4.2.1 Use-Case Diagram

4.2.2 Activity Diagram

Fig. 4.2.2 Activity Diagram

4.2.3 Data Flow Diagram

Fig. 4.2.3 Data-Flow Diagrams

4.2.4 ER Diagram

Fig. 4.2.4 ER-Diagram

4.3 User Interface Diagrams

Fig. 4.3 User Interface Diagram

4.4 System Screenshots

Fig. 4.4 System Screenshot