I. INTRODUCTION
In today's business world, the Internet, along with company networks, plays a major role in creating and advancing new business trends. Business requirements have driven enterprises and governments across the world to develop complicated, composite information networks. Such networks incorporate a diverse array of technologies, including distributed data storage systems, encryption and authentication techniques, voice and video over IP, remote and wireless access, and web services. Moreover, company networks have become more accessible: for instance, most businesses allow partners to access services on their internal networks via extranets, enable customers to interact with the network through e-commerce transactions, and allow employees to tap into company systems through virtual private networks. These access points make the networks more vulnerable to intrusions and attacks, and network-based attacks are on the rise [1-4]. A survey in [5] indicated that the losses due to network attacks were US $130 million. The result is an insecure computing environment, and this insecure computing environment has motivated the development of intrusion detection and anomaly detection techniques.
A. Intrusion detection system
An intrusion detection system is a software tool used to detect illegal access to a computer system or network. An intrusion detection system is capable of detecting all types of malevolent network traffic and computer usage. This includes network attacks against susceptible services, data-driven attacks on applications, host-based attacks (such as privilege escalation, unauthorized logins and access to sensitive files) and malware. An intrusion detection system monitors traffic in a network in loose mode, very much like a network sniffer. The collected network packets are analyzed for rule violations by a pattern recognition algorithm. When rule violations are detected, the intrusion detection system alerts the administrator. A simple anomaly detection system is shown in Figure 1. Its modules are the following.
Audit data collection: This module is used in the data collection phase. The data collected in this phase is analyzed by the intrusion detection algorithm to find traces of suspicious activity. The source of the data can be host/network activity logs, command-based logs, application-based logs, etc.
Action: The processing element must frequently store intermediate results, such as information about partially fulfilled intrusion signatures.
Audit data storage: Typical intrusion detection systems store the audit data either indefinitely or for a sufficiently long time for later reference. The volume of data is often exceedingly
ISSN: 2231-2803
http://www.internationaljournalssrg.org
Page 11
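As an added example (not code from the paper), the processing element's handling of partially fulfilled intrusion signatures described above: a small Python matcher that consumes constructed audit records one at a time, keeps per-host partial-match state for a hypothetical multi-step signature, and returns the alerts the administrator would receive. The hosts, events and the signature itself are all constructed for illustration.

```python
from collections import defaultdict

# Constructed audit records (timestamp, source host, event); not data from the paper.
AUDIT_LOG = [
    (1, "10.0.0.5", "login_fail"),
    (2, "10.0.0.5", "login_fail"),
    (3, "10.0.0.5", "login_fail"),
    (4, "10.0.0.9", "login_fail"),
    (5, "10.0.0.5", "login_ok"),
    (6, "10.0.0.5", "privilege_escalation"),
    (7, "10.0.0.9", "login_ok"),
]

# Hypothetical multi-step signature: these events, from one host, in this order.
SIGNATURES = {
    "brute_force_then_escalation":
        ["login_fail", "login_fail", "login_fail", "login_ok", "privilege_escalation"],
}

class SignatureMatcher:
    """Processing element: per-host partial-match state for multi-record signatures."""

    def __init__(self, signatures):
        self.signatures = signatures
        self.state = defaultdict(int)  # (host, signature) -> steps matched so far
        self.alerts = []               # (timestamp, host, signature) for the admin

    def process(self, record):
        ts, host, event = record
        for name, steps in self.signatures.items():
            key = (host, name)
            idx = self.state[key]
            if event == steps[idx]:
                idx += 1
                if idx == len(steps):          # signature fulfilled: raise an alert
                    self.alerts.append((ts, host, name))
                    idx = 0                    # and discard the partial state
                self.state[key] = idx
            elif idx and event == steps[idx - 1]:
                pass                           # repeat of last matched step: keep state
            elif event == steps[0]:
                self.state[key] = 1            # possible start of a new match
            else:
                self.state[key] = 0            # wrong step: partial match abandoned

def run(audit_log, signatures=SIGNATURES):
    # Audit data collection -> processing -> alert list, one record at a time.
    matcher = SignatureMatcher(signatures)
    for record in audit_log:
        matcher.process(record)
    return matcher.alerts
```

Only the host that completes the whole sequence produces an alert; a single failed login from another host leaves a partial match that is abandoned when the next event does not fit.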
Health-related data are collected across the system and sent for automated data analysis that includes dynamic grouping and group analysis. The automated mechanism can be triggered either periodically, with a predefined frequency, or by a system monitoring tool in case of unusual events. The system focuses on detecting anomalies in a homogeneous collection of nodes; heterogeneous collections will be addressed by grouping in future work. The resulting list of anomalies is sent to system administrators for final validation. The group analysis is based on two key observations. First, the nodes performing comparable activities