Intrusion Detection In Computer Network


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

ABSTRACT

Today it is unusual to find a computer used as a standalone system. Almost every computer is part of a MAN, a WAN, the internet or at least a LAN. The moment a computer is connected to a network, its security is at high risk. Intrusion detection is becoming a challenging task due to the proliferation of heterogeneous computer networks, since the increased connectivity of computer systems gives greater access to outsiders and makes it easier for intruders to avoid identification [1]. Intrusion detection systems are used to detect unauthorized access to a computer system. This paper surveys intrusion detection techniques that use the genetic algorithm approach.

1. INTRODUCTION

When a computer system is connected to a network, it is at high risk. There are various threats to a computer system, such as viruses and intrusions. Viruses can largely be controlled by installing antivirus software and updating its virus definition files regularly.

Any unauthorized access to the resources of a computer is called an intrusion. Intrusions can be detected by installing an intrusion detection system (IDS). Various soft computing techniques, such as Genetic Algorithm, Artificial Neural Network, Support Vector Machine and Fuzzy Logic, are used to build an IDS. Genetic algorithm (GA), alone or in combination with some other artificial intelligence technique, is found to be the most efficient approach for intrusion detection [2-13]. The functions of an IDS are to detect intrusions, generate a pop-up message to the user and take the necessary corrective action.

There are a number of limitations to the prevention-based approach to computer and network security [14]. It is probably impossible to build a completely secure system, and the prevention-based security philosophy constrains the user's activity and productivity. Hence intrusion detection systems are designed based on various detection techniques.

IDSs are of two types: anomaly intrusion detection and misuse intrusion detection [15].

a. Anomaly Intrusion Detection:

An anomaly IDS compares the user's behavior with a known standard behavior and detects any significant deviation from normal behavior.

This approach can be more effective in protecting against unknown or novel attacks, since no prior knowledge about specific intrusions is required. However, it may cause more false positives, because an abnormality can be due to a new normal behavior [16].

b. Misuse intrusion detection:

This is the most widely used type of IDS. It uses patterns of known attacks or weak spots of the system to identify known intrusions. The signatures and patterns used to identify attacks consist of various fields in the packet, such as source address, destination address, source and destination ports, and even keywords in the content area of a packet.

IDSs can also be classified into two categories based on where they look for intrusions: host based and network based. A host-based IDS monitors activities associated with a particular host, whereas a network-based IDS monitors activities associated with a network [16].

2. GENETIC ALGORITHM

GA is a technique that works on the mechanics of natural selection. It is based on Darwin's theory of survival of the fittest. The main reasons behind the design of GA were to abstract and rigorously explain the adaptive processes of natural selection, and to design artificial systems that retain two important mechanics of natural systems [17].

The major application of GA is in the area of optimization. The GA process begins with a set of potential solutions, or chromosomes (usually in the form of bit strings), which are randomly generated or selected. The entire set of these chromosomes comprises a population. The chromosomes evolve during several iterations, or generations. New generations (offspring) are generated using the crossover and mutation techniques.

Crossover involves splitting two chromosomes and then combining one half of each chromosome with the other half of its partner. Mutation involves flipping a single bit of a chromosome. The chromosomes are then evaluated using a fitness criterion, and the one with the highest fitness is taken as the best solution to the problem.

GAs differ from other optimization and search procedures: they work with a coding of the parameter set, search from a population of points, use payoff (objective function) information, and use probabilistic transition rules.

The following GA operators are applied to a population of chromosomes [18].

a. Selection

Selection determines which chromosome(s) from the population will be chosen for recombination; the choice depends on the fitness of the chromosome. The selected chromosomes are called parents. Selection methods are: fitness proportion selection, roulette-wheel selection, stochastic universal sampling, local selection and rank selection.

b. Crossover

The parent chromosomes are recombined by one of the crossover methods, producing one or more new chromosomes called offspring. Such methods are: single-point crossover, multipoint crossover, uniform crossover and arithmetic crossover.

c. Mutation

New genetic material can be introduced into the new population through the mutation process. This increases the diversity of the population. For encoding, the following schemes are used.

Binary encoding.

Real number encoding.

3. USING GA APPROACH IN INTRUSION DETECTION

Different researchers have applied GA to network intrusion detection in different ways. The subsections below discuss the important papers.

3.1 Melani J Middlemiss et al. (2003) [19]

Melani J Middlemiss et al. used GA for weighted feature extraction with specific application to intrusion detection data. They implemented a simple genetic algorithm which evolves weights for the features of the data set. A k-nearest neighbor classifier was used as the fitness function of the GA as well as to evaluate the performance of the new weighted feature set. The results shown in this paper indicate that evolving a weighted set of features for a particular class of data can provide an increase in intrusion detection accuracy.

3.2 Ren Hui Gong et al. (2005) [16]

Ren Hui Gong et al. present a GA-based approach to network intrusion detection and a software implementation of it.

The genetic algorithm is employed to derive a set of classification rules from network audit data, and the support-confidence framework is used as the fitness function to judge the quality of each rule. The generated rules are then used to detect or classify network intrusions in a real-time environment.

Unlike most GA-based approaches, because of the simple representation of the rules and the effective fitness function, the proposed method is easier to implement while providing the flexibility to either generally detect network intrusions or precisely classify the types of attacks.
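The sketch below is an added example, not code from Gong et al. or from the essay. It evolves "if condition then attack" rules over audit records using the selection, crossover and mutation operators from Section 2 and a support-confidence fitness. The records, the three features, the weights w1 and w2 and all function names are constructed assumptions.

```python
import random

# Constructed sample audit records: (protocol, dst_port, tcp_flag, label).
RECORDS = [
    ("tcp", 80, "SF", "normal"), ("tcp", 80, "SF", "normal"),
    ("tcp", 443, "SF", "normal"), ("udp", 53, "SF", "normal"),
    ("tcp", 22, "SF", "normal"), ("tcp", 80, "S0", "attack"),
    ("tcp", 80, "S0", "attack"), ("tcp", 80, "S0", "attack"),
    ("tcp", 443, "S0", "attack"), ("tcp", 23, "REJ", "normal"),
]
DOMAINS = [["tcp", "udp"], [22, 23, 53, 80, 443], ["SF", "S0", "REJ"]]
ANY = None  # wildcard gene: the rule does not test this feature

def matches(rule, rec):
    return all(g is ANY or g == v for g, v in zip(rule, rec))

def fitness(rule, records=RECORDS, w1=0.2, w2=0.8):
    """w1*support + w2*confidence of 'if rule then attack' (weights assumed)."""
    hit = [r for r in records if matches(rule, r)]
    if not hit:
        return 0.0  # a rule that matches nothing is useless
    both = sum(r[3] == "attack" for r in hit)
    return w1 * both / len(records) + w2 * both / len(hit)

def random_gene(i, rng):
    return rng.choice(DOMAINS[i] + [ANY])

def crossover(a, b, point):
    return a[:point] + b[point:]  # single-point crossover

def mutate(rule, rng, rate=0.1):
    return tuple(random_gene(i, rng) if rng.random() < rate else g
                 for i, g in enumerate(rule))

def evolve(seed=7, pop_size=20, generations=30):
    rng = random.Random(seed)  # seeded so the run is reproducible
    pop = [tuple(random_gene(i, rng) for i in range(3)) for _ in range(pop_size)]
    history = []  # best fitness seen at the start of each generation
    for _ in range(generations):
        pop.sort(key=fitness, reverse=True)
        history.append(fitness(pop[0]))
        parents = pop[:pop_size // 2]  # rank (truncation) selection
        children = [pop[0]]            # elitism: the best rule survives
        while len(children) < pop_size:
            a, b = rng.sample(parents, 2)
            children.append(mutate(crossover(a, b, rng.randint(1, 2)), rng))
        pop = children
    return max(pop, key=fitness), history
```

On these constructed records the highest attainable fitness is 0.88, reached by a rule that tests only tcp_flag == "S0"; a rule such as ("tcp", 80, ANY) scores lower because it also matches normal traffic.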

3.3 Jiu-Ling Zhao et al. (2005) [20]

Jiu-Ling Zhao et al. present a novel approach that uses clustering genetic algorithms to solve the computer network intrusion detection problem.

They describe a prototype intelligent intrusion detection system to demonstrate its effectiveness. This system combines two stages: a clustering stage and a genetic optimization stage. The algorithm can not only cluster the cases automatically, but also detect unknown intrusions.

Fig: The model of IDCGA (the intrusion detection system based on the clustering genetic algorithm). Blocks in the figure: raw data, network packet capture, initialized clustering analysis, intrusion detection using GA, recognized intrusion alarm, unknown intrusion alarm, normal data.

The clustering GA consists of two stages. The first stage is clustering analysis, which builds the initial clustering sets using a similarity rule. The second stage is genetic optimization, which optimizes the clustering sets to distinguish normal actions from intrusions.

3.4 Tao Xia et al. (2005) [21]

Tao Xia et al. present a hybrid method based on information theory and genetic algorithm to detect network attacks.

Information theory is used to filter the traffic data and thus reduce its complexity. A linear structure rule is used to classify network behavior into normal and abnormal behaviors. The algorithm is implemented on the KDD Cup 1999 data set. A high detection rate of 99.25% as well as a low false alarm rate of 1.66% is obtained.

3.5 Chi Hoon Lee et al. (2006) [22]

Lee's paper presents a novel feature selection method that maximizes class separability between normal and attack patterns of computer network connections.

In this paper, the researchers focus on selecting a robust feature subset based on a genetic optimization procedure in order to improve the true positive intrusion detection rate. The performance of the proposed approach is contrasted against one of the state-of-the-art feature selection methods using a naive Bayesian classifier.

Experimental results show that the proposed approach is especially effective in detecting totally unknown attack patterns.

3.6 Saqib Ashfaq et al. (2006) [23]

Saqib Ashfaq et al. used a genetic algorithm for generating efficient rules for cost sensitive misuse detection in intrusion detection systems.

In their approach, the researchers used the five most heavily weighted features identified by M. J. Middlemiss et al. [19]. They designed a GA to identify these features.

The algorithm generates if-then rules that identify an attack as well as its category, so that appropriate action can be taken in response. The approach is cost sensitive: it considers the cost of false alarms for each category of attack separately.

They used the Michigan approach for rule representation, where one rule is represented by a single chromosome. Rules are determined for each attack category separately.

The GA was implemented in Java and evaluated on the KDD Cup 99 dataset. The majority of algorithms use nine basic features. This approach presents an efficient rule generator for misuse detection that uses the five most relevant features for each attack category. This reduced and relevant input speeds up the rule generation process and enables real-time operation of misuse detection systems. The classification results of the GA-generated rules are comparable to those of the winners of the KDD Cup 99 competition.

3.7 Yong Wang et al. (2009) [24]

Yong Wang et al. propose a fitness function and an efficient rule generator for detecting denial-of-service network intrusions. The rules generated are suitable for continuously changing misuse detection. The researchers designed a genetic algorithm using four m-files. The main program includes selection, crossover, mutation and the fitness function. The rules defined in the fitness function play a very important role in the whole program. The integrated development environment is Matlab version 7.0 (R14) with the genetic algorithm tool. The toolbox was chosen because the attack events and weight vectors are matrices. While coding the m-files, the GA tool is always used to test the fitness value, best individual, average distance between individuals, stopping criteria and so on.

In the fitness function the rules are described as conditional statements. The main program uses the rules to detect ping of death and smurf attacks in the training and testing data sets.

The experimental results show that the proposed approach is efficient in network intrusion detection.

3.8 Chen Zhongmin et al. (2009) [25]

Chen Zhongmin et al. designed a training algorithm model based on abnormality detection. The proposed experimental model is based on the hypothesis that if a variable x appears more times than the desired value, an abnormality may be occurring.

The proposed GA is applied to 10,000 data items from Lincoln Laboratory. The size of the initial population (flock) is 100. Individuals of differing fitness were obtained using different probabilities of selection, crossover and mutation. Ten attack samples were inserted into the original data, including Syn-Flood, Land and Neptune.

The technique is seen to be highly efficient and accurate; it can detect some unknown attacks and compensates for the shortcomings of misuse-based detection. One deficiency of the algorithm is that it has inadequate stability and needs further optimization.

3.9 Chris Sinclair et al. (2010) [26]

It is always difficult to identify anomalous activities on a network. Chris Sinclair et al. have proposed an approach to create rules for an intrusion detection expert system. They employ genetic algorithms and decision trees to automatically generate rules for classifying network connections.

They developed a generalized classic genetic algorithm. Their genetic algorithm does not mandate the encoding of solutions into low-level chromosomes. They used Quinlan's ID3 algorithm to construct decision trees from structured data. The ID3 algorithm uses information-theoretic precepts to create efficient decision trees. Decision trees constructed by the ID3 algorithm are based on the training set used to construct them. To generalize the information learned by the decision tree, the decision tree must be pruned. The rules produced by the decision trees are different from those produced by genetic algorithms. These rules are then evaluated against known data sets such as training data from DARPA.

3.10 Nalini N. and Raghavendra Rao G (2006) [27]

Nalini N. and Raghavendra Rao G. present a novel method of intrusion detection based on genetic algorithms and principal component analysis. This technique can also be used to detect the class of intrusion.

In this paper they experiment with PCA to reduce the number of features of a TCP connection. This helps in reducing the number of bits required to represent a connection without loss of significant information.

They show how network connection information can be modeled as chromosomes and how the parameters in genetic algorithm can be defined in this respect. This hybrid approach detects intrusions with accuracy better than the best available till date.

4. CONCLUSION

The genetic algorithm is found to be one of the efficient techniques for network intrusion detection.

The genetic algorithm is used either to derive a set of classification rules from network audit data or to select the appropriate features of the data set. Middlemiss [19] and Lee [22] used GA for the selection of appropriate features, whereas Gong et al. [16], Saqib Ashfaq et al. [23], Tao Xia et al. [21] and Yong Wang et al. [24] used GA for the generation of classification rules.

Tao Xia et al. [21] present a hybrid intrusion detection method based on information theory and GA.

A clustering GA is also used to detect computer network intrusions. This algorithm includes two steps: a clustering step and a genetic optimization step. The algorithm can not only cluster the cases automatically, but also detect unknown intrusions. Jiu-Ling Zhao et al. [20] used GA by integrating clustering analysis for intrusion detection.

Chen Zhongmin et al. [25] proposed an experimental model based on abnormality detection.

Chris Sinclair et al. [26] employ genetic algorithms and decision trees to automatically generate rules for classifying network connections.

Nalini N. and Raghavendra Rao G. [27] present a hybrid method based on genetic algorithms and principal component analysis.


