
R.C.P.I.T., Shirpur

CHAPTER 1
INTRODUCTION

1.1 INTRODUCTION
An intrusion detection system (IDS) is a device or software application that
monitors a network or systems for malicious activity or policy violations. Any
detected activity or violation is typically reported either to an administrator or
collected centrally using a security information and event management (SIEM)
system. A SIEM system combines outputs from multiple sources, and uses alarm
filtering techniques to distinguish malicious activity from false alarms.
There is a wide spectrum of IDS, varying from antivirus software to
hierarchical systems that monitor the traffic of an entire backbone network. The
most common classifications are network intrusion detection systems (NIDS)
and host-based intrusion detection systems (HIDS). A system that monitors
important operating system files is an example of a HIDS, while a system that
analyzes incoming network traffic is an example of a NIDS. It is also possible to
classify IDS by detection approach: the most well-known variants are signature-
based detection (recognizing bad patterns, such as malware) and anomaly-based
detection (detecting deviations from a model of "good" traffic, which often relies
on machine learning). Some IDS have the ability to respond to detected
intrusions. Systems with response capabilities are typically referred to as
an intrusion prevention system.

1.2 WHAT IS INTRUSION DETECTION (ID)

Anomaly Based Network Intrusion Detection System 1
Intrusion detection (ID) is a type of security management system for
computers and networks. An ID system gathers and analyzes information from
various areas within a computer or a network to identify possible security
breaches, which include both intrusions (attacks from outside the organization)
and misuse (attacks from within the organization). ID uses vulnerability
assessment (sometimes referred to as scanning), which is a technology developed
to assess the security of a computer system or network.
1.3 NEED OF IDS
For any company with a connection to the internet, a firewall should always
be your first line of defense. But despite what the glossy brochures promise, a
firewall doesn't mean that you no longer have to worry about computer security.
Firewalls can be attacked. One way to plug these gaps in your security is to
use an Intrusion Detection System.
1.4 ADVANTAGES OF IDS
An intrusion detection system can be regarded as a management system for both
computers and networks. It is a combination of purpose-built devices and software
applications that detect malicious activities and policy violations and produce
reports on them.
An intrusion detection system can monitor a network for any kind of abusive,
abnormal or malicious activity.
It keeps a log of every malicious or abusive activity. These logs are
very important for security professionals when deciding what steps to take or what
rules to set against these activities.
The logs kept by an IDS can be used against an abuser as evidence when taking
legal steps.

1.5 DISADVANTAGES OF IDS

Intrusion detection systems often produce false reports of malicious
activity (false positives). Sometimes this causes the real malicious activity to be ignored.
Another limitation of most intrusion detection systems is that they have to operate
on packets which may be encrypted. Such encrypted packets are complicated
to analyze.
1.6 APPLICATIONS
1. Anomaly Based Network Intrusion Detection System.
2. Neural Network Based System for Intrusion Detection.
3. NICE: Network Intrusion Detection and Countermeasure Selection
in Virtual Network Systems.
4. Analysis and Design of an Intrusion Detection System Based on Data
Mining.
5. Intrusion Detection System for Cloud Computing and
MANETs.

CHAPTER-2
TYPES OF INTRUSION DETECTION SYSTEM

2.1 Network-Based Intrusion Detection System (NIDS)

A NIDS is a common type of IDS that analyzes network traffic at all layers
of the Open Systems Interconnection (OSI) model and makes decisions about the
purpose of the traffic, analyzing it for suspicious activity. Most NIDSs are easy to
deploy on a network and can often view traffic from many systems at once.

A term becoming more widely used by vendors is Wireless Intrusion
Prevention System (WIPS), describing a network device that monitors and
analyzes the wireless radio spectrum of a network for intrusions and performs
countermeasures. More generally, a NIDS monitors network traffic for particular network segments
or devices and analyzes the network and application protocol activity to identify
suspicious activity.

It can identify many different types of events of interest. It is most
commonly deployed at a boundary between networks, such as in proximity to
border firewalls or routers, virtual private network (VPN) servers, remote access
servers, and wireless networks. A NIDS is also called a passive IDS, since this
kind of system informs the system administrator that an attack has taken or is taking
place, and the administrator then takes the measures needed to secure the system.

The aim of a passive IDS is only to inform about an intrusion. When looking for an IDS capable
of reacting on its own, a report of the damage is not sufficient; it is necessary that the
IDS reacts and is able to block the detected suspicious traffic. Such reaction
techniques are the domain of the active IDS.

2.2 The Host Intrusion Detection System

According to the source of the data to examine, the Host Based Intrusion
Detection System can be classified in two categories:

2.2.1 The Application-Based HIDS:

An IDS of this type receives its data from applications, for example the log
files generated by database management software, the web server or the
firewalls. The weakness of this technique is that it only sees the application layer.

2.2.2 The Host-Based HIDS:

An IDS of this type receives information about the activity of the supervised
system. This information is sometimes in the form of audit trails of the operating
system. It can also include the system logs, other logs generated by the
processes of the operating system, and the contents of system objects not
reflected in the standard audit and logging mechanisms of the operating
system. These types of IDS can also use the results returned by another IDS of
the application-based type.

Host-based intrusion detection systems (HIDS) analyze network traffic and
system-specific settings such as software calls, local security policy, local log
audits, and more.

A HIDS must be installed on each machine and requires configuration
specific to that operating system and software. A host-based IDS monitors the
characteristics of a single host and the events occurring within that host for
suspicious activity.

2.3 Hybrid intrusion detection system:

Most current intrusion detection systems use only one of the two
detection methods, misuse detection or anomaly detection, and both have
their own limitations. The technique which combines a misuse detection
system and an anomaly detection system is known as a hybrid intrusion detection
system; the same name is used for the technique which combines a network intrusion
detection system and a host intrusion detection system.

CHAPTER-3
ANOMALY BASED NETWORK
INTRUSION DETECTION SYSTEM

3.1 WHAT IS AN ANOMALY?


In software testing, an anomaly refers to a result that is different from the
expected one. The expectation can come from a document or from a tester's
notion and experience.
An anomaly can also refer to a usability problem: the testware may
behave as per the specification, but it can still improve on usability. Sometimes
an anomaly is also referred to as a defect or bug.
3.2 WHAT IS AN ANOMALY REPORT?
The following parameters are involved in a typical anomaly report:
Defect identifier
Defect summary
Defect description
Status of defect
Steps to reproduce the defect
Severity
Priority
Bug logged date
The area where the bug is identified
Developers'/testers' comments

3.3 WHAT ARE DATA FLOW ANOMALIES?

Data flow anomalies are identified while performing white box testing or
static testing. A data flow anomaly is represented by two characters giving the
sequence of actions on a data object: defined (d), killed (k), and used (u). There
are nine possible combinations of these three actions:
dd, dk, du, kd, kk, ku, ud, uk, uu. The table below shows which of
these combinations are accepted and which are suspected to be an
anomaly.
Table 3.1: Combinations that are accepted and combinations suspected to be an anomaly

Combination   Description                                    Anomaly possibilities
dd            Defined the data object twice                  Harmless but suspicious
dk            Defined the data object but killed it          Bad programming practice
              without using it
du            Defined the data object and used it            Not an anomaly
kd            Killed the data object and redefined it        Not an anomaly
kk            Killed the data object and killed it again     Bad programming practice
ku            Killed the data object and then used it        Defect
ud            Used the data object and redefined it          Not an anomaly
uk            Used the data object and killed it             Not an anomaly
uu            Used the data object and used it again         Not an anomaly

CHAPTER-4
BLOOM FILTER

4.1 INTRODUCTION
A Bloom filter is a probabilistic, space-efficient data structure supporting add,
find and sometimes delete operations, widely used for testing whether an element is in a set,
especially if the set is huge. Probabilistic in this case means that there is no 100%
guarantee that find won't return a false positive. It is a hash-table-like data
structure using multiple hash functions for the same key, but unlike a hash table it
does not store the actual key value in a bucket; it just marks the buckets for all hash
functions applied to a key as used. So it is obviously more space efficient than an
ordinary hash table.

4.2 WHAT DOES A BLOOM FILTER DO?


A Bloom filter allows you to test whether an element belongs in a set or not.
Actually, that's untrue. It doesn't. It allows you to test if an element most
likely belongs to a set, or if it absolutely doesn't. In other words, false positives
may occur, but false negatives won't. It's this susceptibility to errors that makes
Bloom filters extremely space efficient. But more on that later; first, let's see
what makes Bloom filters so easy to grasp.

4.3 SIMPLICITY IS THE PUREST FORM OF ELEGANCE


I like to think of a Bloom filter as a mathematical set on steroids. The data
structure consists of two discrete components: a bunch of hash functions and a bit
array. That's it. To initialise a Bloom filter, we set all bits in its bit array to zero.
So, if we have an array of ten bits:

[0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
To add an element, we give it to our hash functions as an input. Each hash
function will output an array index. Let's say we passed the string foo to two hash
functions which give us indices 0 and 4. We set the corresponding bits in our bit
array to 1:

[1, 0, 0, 0, 1, 0, 0, 0, 0, 0]
Querying for an element is just as straightforward. We pass the element to
our hash functions and check the returned indices to see whether the
corresponding bits in the array have a value of 1 or 0. If none of them are 1, the
element in question is not part of the set. We don't necessarily even need to check
all of the values at the given indices. If we find at least one where the bit is zero,
then the element can't be part of the set. Let's say we query for the
string bar using our two hash functions. Let's further assume that the functions
output indices 1 and 5. Checking either one of these bit array indices is enough
for us to conclude that bar is not part of our set, since the value at both indices is
0. If all the corresponding bits are set, then the element may be part of the set.
Since hash functions have a nasty habit of producing collisions, we can't be 100%
sure that the queried element is part of the set. There's a chance that another
previously added element caused the same bits to be flipped. Removing an
element is a simple operation inasmuch as it can't be done. If we were to reset the
corresponding bits of the element we wish to remove, we may end up removing
other elements that have the same corresponding bits. What happens in a Bloom
filter stays in a Bloom filter.

4.4 HOW EFFICIENT ARE BLOOM FILTERS?


Adding elements is very efficient in terms of time. Since we don't iterate the
bit array but simply set bits, the time the operation takes is only dependent on the
number of hash functions we have. So, for k hash functions, the time complexity
is O(k). Lovely. The same goes for querying for an element. For k hash functions,
there is a constant upper bound to the number of indices we need to check in the
bit array. O(k) for both addition and lookup, very nice. If you think the time
complexities are encouraging, then the space complexity is even better. Since we
aren't storing the elements themselves, only the information that tells us if they are
present or not, the size of a Bloom filter isn't dependent on the size of the
elements already in the set. If we are willing to accept a false positive probability of 1%,
fewer than 10 bits per element to be added are sufficient.

4.5 WHAT CAN BLOOM FILTERS BE USED FOR?


There are a vast number of applications where a small probability of getting
false positives is fine as long as we don't get any false negatives. The first
example that springs to mind is using a Bloom filter to decide if we need to
perform a more costly operation such as accessing some resource on disk or over
a network. Asking the Bloom filter "does this resource even exist" before doing a
costly lookup yields instant performance gains. The same goes for maintaining
blacklists. Google Chrome previously employed Bloom filters to identify
malicious URLs. In this scenario, requested URLs are first checked against a
local Bloom filter; a full check against the real blacklist is done if (and only if)
the filter indicates that the URL is malicious. Even though Chrome has moved
away from using Bloom filters for blacklisting purposes, it's very possible that
when you first visited this page, a Bloom filter was used to make sure the
rendering was snappy. WebKit, the popular web browser engine, consults a
Bloom filter to decide which CSS selectors to even bother with before processing
declarations. Off the top of my head, I can think of many more applications,
including eliminating unnecessary calls to web caches, preventing the use of
weak passwords, and checking for reserved usernames during registration
processes. I'll leave the rest of the ideation up to the readers of this blog post;
learning what a data structure does and thinking about what can be achieved with
it evokes a childlike sense of discovery in me, and I hope it does the same for
you!
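The mechanics of sections 4.3 to 4.5 in working code. This is an added example, not code from the original report or from any of the projects it mentions: the Bloom filter is a bit array plus k SHA-256 hashes salted with the hash-function index (an assumed hash family; any k independent hash functions would do), the sizing formula m = -n ln p / (ln 2)^2 with k = (m/n) ln 2 reproduces the "fewer than 10 bits per element at 1%" figure of section 4.4, and the URL blocklist is constructed for the example, not a real indicator list. The blocklist check follows the pattern of section 4.5: the cheap filter answers "definitely not listed" on its own and the exact lookup runs only when the filter says "maybe".

```python
import hashlib
import math


class BloomFilter:
    """Bit array plus k salted SHA-256 hash functions (constructed example)."""

    def __init__(self, m_bits, k_hashes):
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)   # m bits, all zero at start
        self.count = 0                             # elements added so far

    def _indices(self, item):
        # One SHA-256 per hash function, each salted with the function number,
        # reduced to an index into the bit array.
        data = item.encode("utf-8")
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + data).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item):
        for idx in self._indices(item):
            self.bits[idx >> 3] |= 1 << (idx & 7)
        self.count += 1

    def __contains__(self, item):
        # One unset bit proves absence; all bits set only means "maybe present".
        return all((self.bits[idx >> 3] >> (idx & 7)) & 1 for idx in self._indices(item))

    def false_positive_rate(self):
        # Standard estimate for k hashes, n inserted elements and m bits: (1 - e^(-kn/m))^k
        return (1 - math.exp(-self.k * self.count / self.m)) ** self.k


def optimal_parameters(n_items, target_fp):
    """Bits m and hash count k for n items at a target false-positive rate p.

    m = -n ln p / (ln 2)^2 and k = (m / n) ln 2; for p = 0.01 this is about 9.6 bits per item."""
    m = math.ceil(-n_items * math.log(target_fp) / (math.log(2) ** 2))
    k = max(1, round(m / n_items * math.log(2)))
    return m, k


# Constructed blocklist of URLs for the example; not real indicators.
BLOCKLIST = {"http://bad.example/a", "http://bad.example/b", "http://bad.example/c"}


def make_blocklist_filter(urls, target_fp=0.01):
    m, k = optimal_parameters(len(urls), target_fp)
    bf = BloomFilter(m, k)
    for url in urls:
        bf.add(url)
    return bf


def check_url(url, bf, blocklist=BLOCKLIST):
    """Cheap filter first; the exact (costly) lookup runs only on a filter hit."""
    if url not in bf:
        return "allowed (filter says definitely not listed)"
    if url in blocklist:
        return "blocked (confirmed by exact lookup)"
    return "allowed (filter false positive, cleared by exact lookup)"


if __name__ == "__main__":
    print("1000 items at 1%:", optimal_parameters(1000, 0.01))
    bf = make_blocklist_filter(BLOCKLIST)
    for url in ("http://bad.example/a", "http://good.example/"):
        print(url, "->", check_url(url, bf))
```

Because the exact lookup always runs on a filter hit, a false positive costs only the extra lookup and never blocks a benign URL; a false negative cannot happen, which is what makes the filter safe to put in front of the real list.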

CHAPTER-5
INTRUSION DETECTION SYSTEM (IDS)

5.1 NETWORK SECURITY


Network security is the security provided to a network from unauthorized
access and risks. It is the duty of network administrators to adopt preventive
measures to protect their networks from potential security threats.
Computer networks that are involved in regular transactions and
communication within the government, individuals, or business require security.
The most common and simple way of protecting a network resource is by
assigning it a unique name and a corresponding password.
5.1.1 TYPES OF NETWORK SECURITY DEVICES
5.1.1.1 ACTIVE DEVICES
These security devices block the surplus traffic. Firewalls, antivirus
scanning devices, and content filtering devices are the examples of such devices.
5.1.1.2 PASSIVE DEVICES
These devices identify and report on unwanted traffic, for example,
intrusion detection appliances.

5.1.1.3 PREVENTATIVE DEVICES
These devices scan the networks and identify potential security problems.
For example, penetration testing devices and vulnerability assessment
appliances.

5.1.1.4 UNIFIED THREAT MANAGEMENT (UTM)
These devices serve as all-in-one security devices. Examples include
firewalls, content filtering, web caching, etc.
5.1.2 FIREWALLS
A firewall is a network security system that manages and regulates the
network traffic based on some protocols. A firewall establishes a barrier between
a trusted internal network and the internet.
Firewalls exist both as software that run on a hardware and as hardware
appliances. Firewalls that are hardware-based also provide other functions like
acting as a DHCP server for that network.
Most personal computers use software-based firewalls to secure data from
threats from the internet. Many routers that pass data between networks contain
firewall components and conversely, many firewalls can perform basic routing
functions.
Firewalls are commonly used in private networks or intranets to prevent
unauthorized access from the internet. Every message entering or leaving the
intranet goes through the firewall to be examined for security measures.
An ideal firewall configuration consists of both hardware and software
based devices. A firewall also helps in providing remote access to a private
network through secure authentication certificates and logins.

5.1.2.1 HARDWARE AND SOFTWARE FIREWALLS

Hardware firewalls are standalone products. These are also found in
broadband routers. Most hardware firewalls provide a minimum of four network
ports to connect other computers. For larger networks, e.g. for business
purposes, business networking firewall solutions are available.
Software firewalls are installed on your computers. A software firewall
protects your computer from internet threats.
5.1.3 ANTIVIRUS
An antivirus is a tool that is used to detect and remove malicious software.
It was originally designed to detect and remove viruses from computers.
Modern antivirus software provide protection not only from virus, but also
from worms, Trojan-horses, adwares, spywares, keyloggers, etc. Some products
also provide protection from malicious URLs, spam, phishing attacks, botnets,
DDoS attacks, etc.
5.1.4 CONTENT FILTERING
Content filtering devices screen unpleasant and offensive emails or
webpages. These are used as a part of firewalls in corporations as well as in
personal computers. These devices generate the message "Access Denied" when
someone tries to access any unauthorized web page or email.
Content is usually screened for pornographic content and also for violence-
or hate-oriented content. Organizations also exclude shopping and job related
contents.
Content filtering can be divided into the following categories:
Web filtering: screening of Web sites or pages
E-mail filtering: screening of e-mail for spam and other objectionable content

5.1.5 INTRUSION DETECTION SYSTEMS

Intrusion Detection Systems, also known as Intrusion Detection and
Prevention Systems, are the appliances that monitor malicious activities in a
network, log information about such activities, take steps to stop them, and
finally report them.
Intrusion detection systems help in sending an alarm against any malicious
activity in the network, drop the packets, and reset the connection to save the IP
address from any blockage. Intrusion detection systems can also perform the
following actions:
Correct Cyclic Redundancy Check (CRC) errors
Prevent TCP sequencing issues
Clean up unwanted transport and network layer options

5.2 COMPUTER SECURITY - NETWORK


In this chapter we will discuss the network from the point of view of
security. We will also look into which systems help us as system
administrators to increase security.
For example: we are the system administrators of a large chain of super
markets, and our company wants to go online by launching an online selling
platform. We have done the configuration and the system is up and working, but
after a week we hear that the platform was hacked.
We ask ourselves: what did we do wrong? We skipped the
security of the network, which is as important as the setup, because such a hack
can directly affect the company's reputation, resulting in a decrease of sales and
market value.

5.2.1 DEVICES THAT HELP US WITH NETWORK SECURITY

5.2.1.1 FIREWALLS
They can be software or applications which operate at the network level.
They protect private networks from external users and other networks.
Generally, they are a compound of programs and their main function is to
monitor the traffic flow from outside to inside and vice versa. Their position is
generally behind a router or in front of the router depending on the network
topology.

FIG:5.1 Schema

They are also called intrusion detection devices; their traffic rules are
configured according to the company policy rules. For example, you block all
incoming traffic to the POP port because you don't want to receive mail, so as to be
secured from all possible mail attacks. They log all the network attempts for a
later audit.
They can also work as packet filters; this means that the firewall takes the
decision to forward or drop a packet based on source and destination addresses
and ports.
Some of the recommended brands are:
Cisco ASA Series
Checkpoint
Fortinet
Juniper
SonicWALL
pfSense
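The packet-filter behaviour described above (decide on source and destination addresses and ports, first matching rule wins, log denied attempts for a later audit) as an added example; this is not code from the original report or from any of the listed products. The rule set, the 10.0.0.0/8 internal range, the HTTPS server address and the sample packets are all constructed for the example, and the "no inbound POP3" rule is the policy example the text gives.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # source network in CIDR form
    dst: str                     # destination network in CIDR form
    dport: Optional[int] = None  # None matches any destination port
    comment: str = ""            # why the rule exists; copied into the audit log

    def matches(self, pkt):
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt["dport"]))


INTERNAL = "10.0.0.0/8"   # constructed internal range

# Constructed policy: no inbound POP3 (port 110), only the public HTTPS server
# is reachable from outside, internal hosts may talk to each other, everything
# else falls through to the default deny.
RULES = [
    Rule("deny", "tcp", "0.0.0.0/0", INTERNAL, 110, "policy: no inbound POP3"),
    Rule("allow", "tcp", "0.0.0.0/0", "10.0.0.5/32", 443, "public HTTPS server"),
    Rule("allow", "any", INTERNAL, INTERNAL, None, "internal east-west traffic"),
]


def filter_packet(pkt, rules=RULES, audit_log=None):
    """First matching rule wins; no match falls through to the default deny.

    Denied packets are appended to audit_log (a list) so they can be reviewed later."""
    for rule in rules:
        if rule.matches(pkt):
            decision, why = rule.action, rule.comment
            break
    else:
        decision, why = "deny", "default deny"
    if decision == "deny" and audit_log is not None:
        audit_log.append(
            f"DENY {pkt['proto']} {pkt['src']} -> {pkt['dst']}:{pkt['dport']} ({why})")
    return decision


# Constructed sample packets (203.0.113.0/24 is a documentation range).
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.7", "dst": "10.0.0.5", "dport": 443},  # allow
    {"proto": "tcp", "src": "203.0.113.7", "dst": "10.0.0.9", "dport": 110},  # deny (POP3)
    {"proto": "udp", "src": "10.0.1.2", "dst": "10.0.0.9", "dport": 53},      # allow (internal)
    {"proto": "tcp", "src": "203.0.113.7", "dst": "10.0.0.9", "dport": 22},   # deny (default)
]


def run(packets=PACKETS):
    """Filter every packet and return (decisions, audit log)."""
    log = []
    decisions = [filter_packet(p, audit_log=log) for p in packets]
    return decisions, log


if __name__ == "__main__":
    decisions, log = run()
    print(decisions)
    print("\n".join(log))
```

Rule order matters: the POP3 deny sits before the broader allow rules so that it is evaluated first, and the implicit default deny at the end is what makes the list a whitelist rather than a blacklist.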

5.2.2 INTRUSION DETECTION SYSTEMS

Intrusion detection systems are as important as the firewall because
they help us to detect the type of attack that is being carried out against our system and then
to find a solution to block it. The monitoring part covers tracing logs, looking
for suspicious signatures and keeping a history of the events triggered. They also help
the network administrators to check the integrity and
authenticity of the connections that occur.
Let us see the schema of their positions.

FIG:5.2 Schema For Type Of Attack

5.2.3 INTRUSION DETECTION TOOLS

This tool is software based, but it is open source, so it is free and easy to configure.
It is a real-time, signature-based network IDS, which notifies the system
administrators of attacks like port scans, DDoS attacks, CGI attacks,
backdoors and OS fingerprinting.
5.2.3.1 The other IDS are:
BlackICE Defender
CyberCop Monitor
Checkpoint RealSecure
Cisco Secure IDS
Vanguard Enforcer
Lucent RealSecure.
5.2.4 VIRTUAL PRIVATE NETWORK
This type of a network is widely used in a small business or enterprise
networks. It helps to send and receive data across the internet, but in a secure and
encrypted way. Generally, this network is created between two secure network
devices like two firewalls.
An example is a connection between two ASA 5505 firewalls as shown in
the following image.

FIG:5.3 Connection between two firewalls

CHAPTER-6
MALWARE

6.1 INTRODUCTION
Protecting your computer from malicious software is perhaps the most
important aspect of computer ownership. A wide range of products are available
that offer computer security. However, did you know that certain products only
offer protection against a few malicious attacks? Are you concerned that your
computer may not be fully secured? Before you take the necessary measures of
securing your computer, you should understand the different types of attacks that
could harm your machine.
6.2 WHAT IS MALWARE?
Malicious software (malware) is the wide range of software applications
developed with a malicious intent. The methods used for malware installation are
unlike any other software installation you are accustomed to, because malware is
installed through devious means. People often use the terms virus and malware
interchangeably. However, a virus is only one type of malware.
6.3 COMPUTER SECURITY-MALWARE
In the previous chapter we treated antiviruses, which help us to protect our
systems; in this chapter we will treat malware: how to detect it manually,
what its forms are, what its file extensions are, the signs of an infected
computer, etc. This is important because the infection rates of
business and personal computers are very high nowadays.
They are self-replicating programs that reproduce their own code by
attaching themselves to other executable code. They operate without the
permission or knowledge of the computer users. Like viruses in
real life, viruses or malware in computers contaminate other healthy files.
However, we should remember that viruses infect other machines only
with the assistance of a computer user. This can happen by clicking a file
that comes attached to an email from an unknown person, plugging in a USB drive
without scanning it, or opening unsafe URLs. For that reason, we as system
administrators have to remove the administrator permissions of users on these
computers. We categorize malware into three types:
Trojans and rootkits
Viruses
Worms
6.4 CHARACTERISTICS OF A VIRUS
Following are a couple of characteristics of any virus that infects our
computers.
They reside in a computer's memory and activate themselves when the
program they are attached to starts running.
For example, they attach themselves in general to explorer.exe in
Windows because it is the process that is running all the time, so you should
be cautious when this process starts to consume too much of your computer's
capacity.
They modify themselves after the infection phase (their source code,
extensions, new files, etc.), so it is harder for an antivirus to detect them.
They always try to hide themselves in the operating system in the
following ways:
They encrypt themselves into cryptic symbols, and decrypt themselves when
they replicate or execute.

For example, you can see this in the following image for better
understanding, as in my computer I found this file.

After finding this file, I opened it with a text editor and, as I thought, the text
was not understandable, as shown in the following screenshot.

After finding this, I tried it on a base64 decoder and I found that it was a
virus file.

This virus can do the following to your computer:
It may delete important data from your computer to gain space for
its processes.
It may avoid detection by redirection of disk data.
It may perform tasks by triggering an event with itself. For example,
this happens when, on an infected computer, pop-up tables etc. show
up automatically on the screen.
They are common in Windows and Mac OS because these operating
systems do not have multiple file permissions and are more widespread.

6.5 WORKING PROCESS OF MALWARES AND HOW TO CLEAN IT
Malware attaches itself to programs and transmits itself to other programs by
making use of some events; it needs these events to happen because it cannot:
Start by itself
Transmit itself by using non-executable files
Infect other networks or computers
From the above, we should know that when some unusual
processes or services are running by themselves, we should further investigate their
relation with a possible virus.
To investigate these processes, start with the use of the following tools:
o fport.exe
o pslist.exe
o handle.exe
o netstat.exe
Listdll.exe shows all the DLL files being used, while netstat.exe with
its options shows all the processes that are being run with their respective ports.
You can see the following example of how I mapped the process of the
Kaspersky antivirus, which I used along with the command netstat -ano to see the
process numbers and Task Manager to see which process belongs to this
number.

Then we should look for any modified, replaced or deleted files, and
the shared libraries should also be checked. Malware generally infects executable
program files with extensions like .EXE, .DRV, .SYS, .COM, .BIN. Malware also
changes the extension of genuine files, for example: File.TXT to File.TXT.VBS.
If you are the system administrator of a web server, then you should be aware
of another form of malware which is called a webshell. It generally has a .php
extension but a strange file name, and it is in an encrypted (obfuscated) form. You should
delete them in case you detect them.
After that is done, we should update the antivirus program and rescan the
computer.
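The two checks of section 6.5 as a small triage script: mapping the process numbers from netstat -ano to image names (the step the text performs with Task Manager) and looking for files whose extension has been changed, as in the File.TXT to File.TXT.VBS example. This is an added example, not code from the original report: the netstat -ano and tasklist /fo csv /nh outputs are constructed samples in the format those Windows commands print, the baseline of images expected to hold listening sockets is an assumption that would come from the administrator's knowledge of the host, and the extension list is the one the text gives plus .VBS.

```python
from collections import namedtuple

# Constructed sample of `netstat -ano` output (Windows); not captured from a real host.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:7788           0.0.0.0:0              LISTENING       3320
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED     2210
  UDP    0.0.0.0:5353           *:*                                    1456
"""

# Constructed sample of `tasklist /fo csv /nh` output mapping PIDs to image names.
TASKLIST_SAMPLE = """\
"svchost.exe","912","Services","0","9,512 K"
"updater.exe","3320","Console","1","41,220 K"
"avp.exe","2210","Console","1","120,004 K"
"mDNSResponder.exe","1456","Services","0","6,100 K"
"""

Socket = namedtuple("Socket", "proto local_addr local_port remote state pid image")


def parse_tasklist(text):
    """Return {pid: image name} from tasklist CSV lines."""
    pid_to_image = {}
    for line in text.splitlines():
        fields = [f.strip('"') for f in line.split('","')]
        if len(fields) >= 2 and fields[1].isdigit():
            pid_to_image[int(fields[1])] = fields[0]
    return pid_to_image


def parse_netstat(text, pid_to_image):
    """Join each netstat -ano row with its process name via the PID column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue          # skip the banner and column-header lines
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""   # UDP rows have no State column
        pid = int(parts[-1])                         # PID is always the last field
        addr, _, port = local.rpartition(":")
        rows.append(Socket(proto, addr, int(port), remote, state, pid,
                           pid_to_image.get(pid, "<unknown>")))
    return rows


# Assumed baseline: images expected to hold listening sockets on this host.
KNOWN_LISTENERS = {"svchost.exe", "mDNSResponder.exe", "avp.exe"}


def unexpected_listeners(sockets, known=KNOWN_LISTENERS):
    """Listening sockets owned by an image outside the baseline deserve a closer look."""
    return [s for s in sockets
            if (s.state == "LISTENING" or s.proto == "UDP") and s.image not in known]


# Extensions the text names as typical malware carriers, plus the .VBS double-extension case.
EXECUTABLE_EXTS = {"exe", "drv", "sys", "com", "bin", "vbs"}


def suspicious_filenames(names):
    """Flag files whose final extension is executable but which carry an earlier extension."""
    flagged = []
    for name in names:
        parts = name.lower().split(".")
        if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS:
            flagged.append(name)   # e.g. File.TXT.VBS
    return flagged


if __name__ == "__main__":
    sockets = parse_netstat(NETSTAT_SAMPLE, parse_tasklist(TASKLIST_SAMPLE))
    for s in unexpected_listeners(sockets):
        print(f"review: {s.image} (pid {s.pid}) listening on {s.proto} {s.local_port}")
    # constructed directory listing
    print(suspicious_filenames(["File.TXT.VBS", "report.pdf", "setup.exe", "notes.txt.exe"]))
```

The join on PID is the same lookup the text does by hand between netstat and Task Manager; keeping the baseline of expected listeners as data makes the check repeatable on the next scan.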

6.6 DETECTING A COMPUTER ERROR FROM A VIRUS INFECTION
In this section we will treat how to tell a computer or OS fault from a
virus, because sometimes people and system administrators mix up the symptoms.
The following events are most likely not caused by malware:
Errors while the system is booting in the BIOS stage, like a BIOS battery cell
message or a timer error message.
Hardware errors, like beeps, RAM burn, HDD, etc.
A document fails to open normally, like a corrupted file, but the other files
can be opened accordingly.
The keyboard or mouse doesn't respond to your commands; you have to check
the plugs.
The monitor switches on and off too often, like blinking or vibrating; this is a
hardware fault.
On the other hand, if you have the following signs in your system, you should
check for malware:
Your computer shows pop-ups or error tables.
It freezes frequently.
It slows down when a program or process starts.
Third parties complain that they are receiving invitations on social media or
via email from you.
File extension changes appear or files are added to your system without
your consent.
Internet Explorer freezes too often even though your internet speed is very
good.

Your hard disk is accessed most of the time, as you can see from the LED
light on your computer case.
OS files are either corrupted or missing.
If your computer is consuming too much bandwidth or network resources,
this is the case of a computer worm.
Hard disk space is being consumed all the time, even when you are not taking any
action such as installing a new program.
File and program sizes change compared to their original version.
6.6.1 SOME PRACTICAL RECOMMENDATIONS TO AVOID VIRUSES
Don't open any email attachment coming from unknown people, or from
known people when it contains suspicious text.
Don't accept invitations from unknown people on social media.
Don't open URLs sent by unknown people, or by known people, that are in any
weird form.
