LAYERED APPROACH USING CONDITIONAL RANDOM FIELDS FOR INTRUSION DETECTION

1.INTRODUCTION :
Intrusion detection as defined by the Sys Admin Audit Networking and Security (SANS) Institute is the art of detecting inappropriate, inaccurate, or anomalous Activity[6].Today, intrusion detection is one of the high priority andchallenging tasks for network administrators and security professionals.More sophisticated security tools mean that the attackers come up with newer and more advanced penetration methods to defeat the installed security systems [4].The field of intrusion detection and network security has been around since late 1980s. Since then, a number of methods and frameworks have been proposed and many systems have been built to detect intrusions. Various techniques such as association rules, clustering, naive Bayes classifier, Support vector machines, genetic algorithms, artificial neural networks, and others have been applied to detect intrusions.

1.1 PURPOSE:
The Purpose is that to build an Intrusion Detection System must reliably detect malicious activities in a network and must perform efficiently to cope with the large amount of network traffic.In this project, we address these two issues of Accuracy and Efficiency using Conditional Random Fields and Layered Approach.We demonstrate that high attack detection accuracy can be achieved by using Conditional Random Fields and high efficiency by implementing the LayeredApproach. Finally, we show that our system is robust and is able to handle noisy data without compromising performance.

1.2 SCOPE:
To build an Intrusion Detection System that is accurate as well as very fast to respond to the intrusion. To do so we need to integrate the properties of conditional random fields and the layered approach.

1.3 DEFINITIONS, ACRONYMS, AND ABBREVIATIONS :

TERM Intrusion DEFINITION An illegal act of entering or taking property. Intrusion System(IDS) Detection It is a type of system security for position of others

management

computers in a network. U2R R2L User to Root Root to Layer

1.4 REFERENCES:
[1] Autonomous Agents for Intrusion Detection, http://www.cerias. purdue.edu/research/aafid/, 2010. [2] CRF++: Yet Another CRF Toolkit, http://crfpp.sourceforge.net/, 2010. [3] KDD Cup 1999 Intrusion Detection Data, http://kdd.ics.uci.edu/ databases/kddcup99/kddcup99.html, 2010. [4] Overview of Attack Trends, http://www.cert.org/archive/pdf/ attack_trends.pdf, 2002. [5] Probabilistic Agent Based Intrusion Detection, http://www.cse.sc.

edu/research/isl/agentIDS.shtml, 2010 [6] SANS InstituteIntrusion Detection FAQ, http://www.sans.org/ resources/idfaq/, 2010.

2. THE OVERALL DESCRIPTION : 2.1 PRODUCT PERSPECTIVE :

Various techniques such as association rules, clustering, naive Bayes classifier, support vector machines, genetic algorithms, artificial neural networks, and others have been applied to detect intrusions.Experimental results on the benchmark KDD 99 intrusion data set show.That our proposed system based on Layered Conditional Random Fields outperforms other wellknown methods such as the decision trees and the naive Bayes. The improvement in attack detection accuracy is very high, particularly for the U2R attacks (34.8 percent improvement) and the R2Lattacks (34.5percent improvement). Statistical Tests also demonstrate higher confidence in detection accuracy for our method.

Real-time representation of the system

If a connection has to be treated as normal it should pass through all these layers and conditions, else it would be treated as attack and blocked.

2.1.1 HARDWARE REQUIREMENTS: SYSTEM HARD DISK RAM

: Pentium IV 2.4 GHz. : 40 GB. : 256 MB.

2.1.2 SOFTWARE REQUIREMENTS: OPERATING SYSTEM FRONT END TOOL

: Windows XP : JAVA Swing, RMI, JDBC. : Eclipse

2.5 ASSUMPTIONS AND DEPENDENCIES:

The assumptions are that we require a Windows operating system, preferably Windows XP Professional.

3.1 PERFORMANCE REQUIREMENTS:

There is no specific performance for our system as such, as our systems performance would not alter for single connection or multiple connection, as our system is built in such a way that it can detect multiple intrusions.

3.2 SOFTWARE SYSTEM ATTRIBUTES:

3.2.1 AVAILABILITY: This system is designed in such a manner that it is made available all the time, since the service of intrusion detection is very important to avoid from unauthorized access. 3.2.2 SECURITY: In order to avoid unauthorized access we are checking three conditions: The number of times the user tries to login. If in case a wrong user name and password is provided more than a specific number of times the access to the corresponding system would be denied. If in case after accessing the server the user tries to transfer data that is not in a normal format the access to the system would be again denied. After accessing the server if the user tries to use resources that are not allocated again the access would be denied.

3.2.3 MAINTAINABILITY: As the software is developed using languages like JAVA and concepts like RMI, JDBC and Swings very minimal maintenance would be required.

3.2.4 PORTABILITY: The entire system and all the softwareproducts that are used to support are compatible with the Windows XP Professional operating system. Given any other Microsoft OS, it will run subject to that it should satisfy the hardware and software requirements of the system.