INTRUSION DETECTION SYSTEM: CLASSIFICATION, TECHNIQUES AND DATASETS TO IMPLEMENT

International Research Journal of Engineering and Technology (IRJET), Volume: 04, Issue: 02, Feb-2017. e-ISSN: 2395-0056, p-ISSN: 2395-0072. www.irjet.net

Rashmi Ravindra Chaudhari 1, Sonal Pramod Patil 2
1 Second year, ME, CSE, GHRIEM, Jalgaon, Maharashtra, India.
2 CSE, GHRIEM, Jalgaon, Maharashtra.

Abstract – With the escalation of the internet, the security of network traffic is becoming a major problem of computer network systems. As time passes, the number of attacks on the network is increasing. Such attacks on the network are nothing but intrusions. Intrusion detection systems have been used for detecting intrusions and protecting the data and the network from attacks. Data mining techniques are used to monitor and analyze large amounts of network data and to classify these network data into anomalous and normal data. Since data comes from various sources, network traffic is large. Data mining techniques such as classification and clustering are applied to build intrusion detection systems. This paper presents the classification of IDS, different data mining techniques and datasets for the effective detection of patterns of both malicious and normal activities in a network, which helps to develop secure information systems. It also provides a brief study of various datasets that are useful for an intrusion detection system.

Key Words: Data mining; Intrusion Detection System; Anomaly Detection; Misuse Detection; Clustering; Classification; KDD99; GureKDD; NSL-KDD.

1. INTRODUCTION

The importance of the security problem for data has been increasing day by day along with the rapid development of computer networks. Security means the degree of protection given to the network or system. The main goals of security are confidentiality, integrity and availability of data [1]. Attacks on a network can be referred to as intrusions. An intrusion is any set of malicious activities that attempt to compromise the security goals of the information. Intrusion detection is one of the major information security problems. An IDS (Intrusion Detection System) assists the system in resisting external attacks.

In early days, only conventional approaches were used for networks, such as encryption, firewalls, virtual private networks etc., but they were not enough to secure a network completely. It is difficult to depend completely on static defense techniques. This increases the need for a dynamic technique which can monitor the system and identify illegal activities. Thus, to enhance network security, a dynamic approach was introduced, known as the Intrusion Detection System. An intrusion detection system collects online information from the network, then monitors and analyzes this information, partitions it into normal and malicious activities, and provides the result to the system administrator [2].

IDS is an area where data mining is used extensively; this is due to limited scalability, adaptability and validity. In IDS, data is collected from various sources like network log data, host data etc. Since the network traffic is large, the analysis of the data is very hard. This gives rise to the need for using IDS along with different data mining techniques for intrusion detection.

This paper is organized as follows. Section 1 gives the introduction. Section 2 discusses the literature survey. Section 3 overviews the intrusion detection system and its classification. Section 4 gives various data mining techniques for IDS. Section 5 discusses the various datasets that are useful to build an IDS, and the next section is the conclusion.

2. LITERATURE SURVEY

M. Govindarajan et al. (2009) [7] proposed a new K-nearest neighbour classifier applied to an intrusion detection system and evaluated its performance in terms of run time and error rate on normal and malicious datasets. This new classifier is more accurate than the existing K-nearest neighbour classifier.

Mohammadreza Ektefa et al. (2010) [8] used Support Vector Machine and classification tree data mining techniques for intrusion detection in networks. They compared C4.5 and Support Vector Machine by experimental results and found that the C4.5 algorithm has better performance in terms of detection rate and false alarm rate than SVM, but for U2R attacks SVM performs better.

2017, IRJET | Impact Factor value: 5.181 | ISO 9001:2008 Certified Journal | Page 1860

Deepthy K. Denatious et al. (2012) [1] describe different data mining techniques applied for detecting intrusions, and also describe the classification of intrusion detection systems and their working. For large amounts of network traffic, clustering is more suitable than classification in the domain of intrusion detection, because an enormous amount of data needs to be collected to use classification.

P. Amudha et al. (2011) [11] observed that Random Forest gives better detection rate, accuracy and false alarm rate for Probe and DoS attacks, and Naive Bayes Tree gives better performance in the case of U2R and R2L attacks. Also, the execution time of Naive Bayes Tree is more as compared to other classifiers.

R. China Appala Naidu et al. (2012) [12] used three data mining techniques, SVM, Ripper rule and C5.0 tree, for intrusion detection and also compared their efficiency. By experimental results, the C5.0 decision tree is more efficient than the others. All three data mining techniques give a higher than 96% detection rate.

Roshan Chitrakar et al. (2012) [13] proposed a hybrid approach to intrusion detection using k-Medoids clustering with Naïve Bayes classification and observed that it gives better performance than K-Means clustering followed by Naïve Bayes classification, but the time complexity also increases when the number of data points increases.

Roshan Chitrakar et al. (2012) [14] proposed a hybrid approach combining k-Medoids clustering with Support Vector Machine classification and produced better performance compared to k-Medoids with Naïve Bayes classification. The approach shows improvement in both accuracy and detection rate while reducing the false alarm rate as compared to the k-Medoids clustering approach followed by Naïve Bayes classification.

3. INTRUSION DETECTION SYSTEM (IDS)

First we will see what an intrusion is. An intrusion can be defined as any set of actions that threatens the integrity, availability, or confidentiality of a network resource. On the basis of this, intrusion detection can be defined as the act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource [1]. The goal of intrusion detection is to identify entities attempting to subvert in-place security controls.

An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any detected activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.

3.1 Common types of Intrusion Detection:

There is a wide spectrum of IDS, varying from antivirus software to hierarchical systems that monitor the traffic of an entire backbone network. The most common classifications are network intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS).

1. Network Based (Network IDS): Network based intrusion detection attempts to identify unauthorized, illicit, and anomalous behavior based solely on network traffic. A network IDS, using either a network tap, SPAN port, or hub, collects packets that traverse a given network. Using the captured data, the IDS processes and flags any suspicious traffic. Unlike an intrusion prevention system, an intrusion detection system does not actively block network traffic. The role of a network IDS is passive, only gathering, identifying, logging and alerting.
Examples of Network IDS: SNORT.

2. Host Based (HIDS): Often referred to as HIDS, host based intrusion detection attempts to identify unauthorized, illicit, and anomalous behavior on a specific device. HIDS generally involves an agent installed on each system, monitoring and alerting on local OS and application activity. The installed agent uses a combination of signatures, rules, and heuristics to identify unauthorized activity. The role of a host IDS is passive, only gathering, identifying, logging, and alerting.
Examples of HIDS: OSSEC (Open Source Host-based Intrusion Detection System), Tripwire, AIDE (Advanced Intrusion Detection Environment), Prelude Hybrid IDS.

3. Physical (Physical IDS): Physical intrusion detection is the act of identifying threats to physical systems. Physical intrusion detection is most often seen as physical controls put in place to ensure CIA. In many cases physical intrusion detection systems act as prevention systems as well.
Examples of physical intrusion detection are: security guards, security cameras, access control systems (card, biometric), firewalls, man traps, motion sensors.

3.2 Classification of Intrusion Detection Based on Detection Approach:

It is also possible to classify IDS by detection approach:

1. Signature-based detection: It is also known as misuse detection. Misuse detection is signature based IDS, where the detection of an intrusion is based on the behaviors of known attacks, like antivirus software. Antivirus software compares the data with the known code of a virus. In misuse detection, the pattern of known malicious activity is stored in the dataset, and suspicious data is identified by comparing new instances with the stored patterns of attacks.

2. Anomaly-based detection: It is different from misuse detection. Here a baseline of normal data in the network, for example load on network traffic, protocol and packet size etc., is defined by the system administrator, and according to this baseline the anomaly detector monitors new instances. The new instances are compared with the baseline; if there is any deviation from the baseline, the data is notified as an intrusion. For this reason, it is also called behavior based intrusion detection system.

Table: Comparison between signature based detection and behaviour based detection

Signature based detection (Misuse detection)
Advantages:
- Simplest and effective method.
- Higher detection rate.
- Low false alarm rate.
Disadvantages:
- It cannot identify new attacks, because intrusion detection depends upon the latest model.
- Needs a regular update of the rules which are used.
- It can detect only known attacks.
- Rate of missing reports is high.
- Often no differentiation between an attack attempt and a successful attack.

Behaviour based detection (Anomaly based detection)
Advantages:
- Detects new and unforeseen vulnerabilities.
- Can examine unknown and more complicated intrusions.
- Rate of missing reports is low.
Disadvantages:
- Low detection rate and high false alarm rate.
- The model needs to be trained and tuned carefully, otherwise it tends to false positives.

4. DATA MINING TECHNIQUES FOR INTRUSION DETECTION:

There are many data mining techniques for intrusion detection, such as frequent pattern mining, classification, clustering, mining data streams, etc. Let us see some of them here.

4.1 Classification:

Classification is the task of taking each and every instance of the dataset under consideration and assigning it to a particular class, normal or abnormal; that is, a known structure is used for new instances. It can be effective for both misuse detection and anomaly detection, but is more frequently used for misuse detection. Classification categorizes the dataset into predetermined sets. It is less efficient in intrusion detection as compared to clustering. Different classification techniques such as decision tree, naive Bayes classifier, K-nearest neighbour classifier, Support Vector Machine etc. are used in IDS.

1) Decision Tree: A decision tree [21] is a recursive, tree-like structure for expressing classification rules. It uses a divide and conquer method for splitting according to attribute values. Classification of the data proceeds from the root node to a leaf node, where each node represents an attribute and its value, and each leaf node represents the class label of the data. Tree based classifiers have the highest performance in the case of large datasets. Different decision tree algorithms are described below [6]:

i) ID3 algorithm: It is a famous decision tree algorithm developed by Quinlan. ID3 is basically an attribute based algorithm that constructs a decision tree according to the training dataset. The attribute which has the highest information gain is used as the root of the tree.

ii) J48 algorithm: It is based on the ID3 algorithm and developed by Ross Quinlan. In WEKA, the C4.5 decision tree algorithm is known as the J48 algorithm. It constructs the decision tree using information gain; the attribute which has the highest information gain is selected to make a decision. The main disadvantage of this algorithm is that it takes more CPU time and memory in execution. Other tree based classifiers are [15]:

iii) AD Tree: The alternating decision tree is used for classification. AD Tree has prediction nodes as both leaf nodes and root node.

iv) NB Tree: The NB Tree algorithm uses both a decision tree and a naive Bayes classifier. The root node uses the decision tree classifier and the leaf nodes use the naive Bayes classifier.

v) Random Forest: Random Forest [22] was first introduced by Lepetit et al. and is an ensemble classification technique which consists of two or more decision trees. In Random Forest, every tree is prepared by randomly selecting data from the dataset. Using Random Forest improves accuracy and prediction power because it is less sensitive to outlier data. It can easily deal with high dimensional data.

2) K-Nearest Neighbor: It is one of the simplest classification techniques. It calculates the distance between different data points on the input vectors and assigns the unlabeled data point to the class of its nearest neighbor. K is an important parameter. If k = 1, then the object is assigned to the class of its nearest neighbor. When the value of K is large, prediction takes a long time, and the accuracy is influenced by reducing the effect of noise.

3) Naive Bayes classifier: The Naive Bayes classifier [13] is a probabilistic classifier. It predicts the class according to membership probability. To derive the conditional probability, it analyzes the relation between independent and dependent variables. Bayes' theorem:

P(H|X) = P(X|H) · P(H) / P(X)

where X is the data record and H is the hypothesis that data X belongs to class C. P(H) is the prior probability, P(H|X) is the posterior probability of H conditioned on X and P(X|H) is the posterior probability of X conditioned on H.

Construction of Naive Bayes is easy, without any complicated iterative parameter estimation. It may be applied to a large number of data points, but the time complexity increases.

4) Support Vector Machine: Support Vector Machine [8] is a supervised learning method used for prediction and classification. It separates data points into two classes, 1 and -1, using a hyperplane, because it is a binary classifier. 1 represents normal data and -1 suspicious data. The hyperplane can be expressed as:

W · X + b = 0

where W = {w1, w2, ..., wn} is the weight vector for the n attributes A = {A1, A2, ..., An}, X = {x1, x2, ..., xn} are the attribute values and b is a scalar. The main goal of SVM is to find a linear optimal hyperplane so that the margin of separation between the two classes is maximized. The SVM uses a portion of the data to train the system.

4.2 Clustering:

Since the network data is too huge, labelling each and every instance or data point in classification is expensive and time consuming. Clustering is the technique of labelling data and assigning it into groups of similar objects without using the known structure of the data points. Members of the same cluster are similar and instances of different clusters are different from each other. Clustering techniques can be classified into four groups: hierarchical algorithms, partitioning algorithms, grid based algorithms and density based algorithms. Some clustering algorithms are explained here.

1) K-Means Clustering algorithm: The K-Means clustering algorithm [23][13] is the simplest and most widely used clustering technique, proposed by James MacQueen. In this algorithm, the number of clusters K is specified by the user, that is, it classifies instances into a predefined number of clusters. The first step of K-Means clustering is to choose k instances as the centers of the clusters. Next, assign each instance of the dataset to the nearest cluster. For instance assignment, measure the distance between the centroid and each instance using Euclidean distance, and according to the minimum distance assign each and every data point to a cluster. The K-Means algorithm takes less execution time when applied to a small dataset. When the number of data points increases to the maximum, it takes maximum execution time. It is a fast iterative algorithm, but it is sensitive to outliers and noise.

2) K-Medoids clustering algorithm: K-Medoids [13] is a clustering by partitioning algorithm, like the K-Means algorithm. The most centrally situated instance in a cluster is considered as the centroid, in place of taking the mean value of the objects as in K-Means clustering. This centrally located object is called the reference point or medoid. It minimizes the distance between the centroid and the data points, that is, it minimizes the squared error. The K-Medoids algorithm performs better than the K-Means algorithm when the number of data points increases to the maximum. It is robust in the presence of noise and outliers because a medoid is less influenced by outliers, but processing is more expensive.

5. DATA SETS FOR IDS:

There are numerous datasets available, but all have some limitations. The most famous ones are (still) DARPA 98/99 and KDD99, but they have several shortcomings and have been criticized a lot, e.g., by Mahoney and Chan [27]. Even so, they are still used today, but results and evaluations done on these datasets are quite worthless. Some improvements have been made by NSL-KDD as already mentioned; Qian et al. presented another redesign of the DARPA set.

5.1 KDD Cup 99:

The objective of the 1999 KDD intrusion detection contest was to create a standard dataset to survey and evaluate research in intrusion detection. It was prepared and managed by MIT Lincoln Labs for the DARPA Intrusion Detection Evaluation Program, after capturing nine weeks of raw TCP dump data for a LAN simulating a typical U.S. Air Force LAN. They operated the LAN as if it were a true Air Force environment, but peppered it with multiple attacks.

The raw training data contains four gigabytes of compressed binary TCP dump data from seven weeks of network traffic, processed into about five million connection records. Similarly, the test data yielded around two million connection records, captured in the last two weeks of the experiment. The KDD dataset was used in the UCI KDD1999 competition. The objective of the competition was to develop intrusion detection system models to detect the attack categories DOS, PROBE, R2L and U2R.

Attacks fall into four main categories:

DOS: In DoS, an attacker tries to prevent legitimate users from accessing or consuming a service, via back, land, Neptune, pod, Smurf and teardrop.

R2L: The attacker tries to gain access to the victim system by compromising its security via password guessing or breaking. Such attacks are given in the following table 1.

U2R: In U2R, an attacker has local access privilege to the victim machine and tries to gain super user (administrator) privileges via a "buffer overflow" attack.

Probing: In a Probe attack, an attacker tries to gain information about the victim machine. The intention is to check for vulnerabilities on the victim machine, e.g., port scanning.

The KDD Cup99 dataset is available in three different files: the KDD Full Dataset, which contains 4898431 instances; the KDD Cup 10% dataset, which contains 494021 instances; and the KDD Corrected dataset, which contains 311029 instances. In table 1 the details of the KDD full and KDD 10% datasets are given.

Each sample of the dataset represents a connection between two network hosts according to network protocols. It is described by 41 attributes, out of which 38 are continuous or discrete numerical attributes and 3 are categorical attributes. Each sample is labeled as either normal or one specific attack. The dataset contains 23 class labels, out of which 1 is normal and the remaining 22 are different attacks. The total of 22 attacks fall into the four categories of attacks mentioned above.

5.2 GureKDDcup:

The GureKDDcup dataset contains the connections of kddcup99 (database of the UCI repository), but it adds the payload (content of network packets) to each of the connections. This permits extracting information directly from the payload of each connection to be used in machine learning processes.

The GureKDDCup capture team followed the same steps used to generate kddcup99. They processed the tcpdump files with bro-ids [17] and got each connection with its attributes. Finally, each connection in the dataset is labeled based on the connection-class files (tcpdump.list) that MIT provides. The size of the dataset is 9.3 GB and the 6 percent dataset's size is 4.2 GB. Details of the dataset, including number of samples, attack categories, duplicate records and their reduction rates, are given in table 4. Table 4 contains the attack and normal categories of all instances before and after reduction of duplicate samples. The first column describes the sample categories, the second column is the number of samples in each category present in the original dataset, column 3 presents the number of samples after reduction of duplicate samples and column 4 gives the percentage of reduction.

5.3 NSL-KDD:

It is a data set [5] proposed to solve some of the underlying problems of the KDD'99 data set which are discussed in [2]. The KDD data set still suffers from some of the problems discussed by McHugh [3]. The dataset cannot be a perfect representative of existing real networks, because of the lack of public data sets for network-based IDSs. But due to the unavailability of an effective benchmark intrusion detection data set, we still use the fourteen year old datasets for the evaluation of intrusion detection models.

Furthermore, the numbers of records in the NSL-KDD train (125973 samples) and test (22544 samples) sets are reasonable. This advantage makes it affordable to run the experiments on the complete set without the need to randomly select a small portion. Consequently, evaluation results of different research work will be consistent and comparable. There are no redundant samples present in the dataset. The testing set contains some attacks which are not present in the training set.

6. CONCLUSION:

On the basis of detection rate, accuracy, execution time and false alarm rate, the paper has analysed different classification and clustering data mining techniques for intrusion detection. According to the given necessary parameters, the execution time of Support Vector Machine is less and it produces high accuracy with a smaller dataset, while the construction of the Naive Bayes classifier is easy. Also, the decision tree has a high detection rate in the case of a large dataset. In clustering techniques, the execution time of the K-Means clustering algorithm is less in the case of a small dataset, but when the number of data points increases, K-Medoids performs better.

The NSL-KDD data set is the refined version of the KDD Cup99 data set. Many types of analysis have been carried out by many researchers on the NSL-KDD dataset employing different techniques and tools, with a universal objective to develop an effective intrusion detection system. An exhaustive analysis of various data sets like KDD99, GureKDD and NSL-KDD is made using various data mining based machine learning algorithms like Support Vector Machine (SVM), Decision Tree, K-nearest neighbour, K-Means and Fuzzy C-Means clustering algorithms.

References:

[1] Deepthy K. Denatious and Anita John, “Survey on Data Mining Techniques to Enhance Intrusion Detection”, International Conference on Computer Communication and Informatics (ICCCI 2012), Jan. 10–12, 2012, Coimbatore, India.
[2] Rung-Ching Chen, Kai-Fan Cheng and Chia-Fen Hsieh, “Using Rough Set And Support Vector Machine For Network Intrusion Detection”, International Journal of Network Security & Its Applications (IJNSA), Vol. 1, No. 1, April 2009.
[3] Deepak Upadhyaya and Shubha Jain, “Hybrid Approach for Network Intrusion Detection System Using K-Medoid Clustering and Naïve Bayes Classification”, IJCSI International Journal of Computer Science Issues, Vol. 10, Issue 3, No. 1, pp. 231–236, May 2013.
[4] Xiang, M. Y. Chong and H. L. Zhu, “Design of Multiple-level Tree classifiers for intrusion detection system”, IEEE Conference on Cybernetics and Intelligent Systems, 2004.
[5] S. Peddabachigiri, A. Abraham, C. Grosan and J. Thomas, “Modeling of Intrusion Detection System Using Hybrid Intelligent Systems”, Journal of Network and Computer Applications, 2007.
[6] Mrutyunjaya Panda and Manas Ranjan Patra, “A Comparative Study Of Data Mining Algorithms For Network Intrusion Detection”, First International Conference on Emerging Trends in Engineering and Technology, pp. 504–507, IEEE, 2008.
[7] M. Govindarajan and RM. Chandrasekaran, “Intrusion Detection Using k-Nearest Neighbor”, pp. 13–20, ICAC, IEEE, 2009.
[8] Mohammadreza Ektefa, Sara Memar, Fatimah Sidi and Lilly Suriani Affendey, “Intrusion Detection Using Data Mining Techniques”, pp. 200–203, IEEE, 2010.
[9] Song Naiping and Zhou Genyuan, “A study on Intrusion Detection Based on Data Mining”, International Conference of Information Science and Management Engineering, pp. 135–138, IEEE, 2010.
[10] T. Velmurugan and T. Santhanam, “Computational Complexity between K-Means and K-Medoids Clustering Algorithms for Normal and Uniform Distributions of Data Points”, Journal of Computer Science 6 (3): 363–368, 2010.
[11] P. Amudha and H. Abdul Rauf, “Performance Analysis of Data Mining Approaches in Intrusion Detection”, IEEE, 2011.

[12] R. China Appala Naidu and P. S. Avadhani, “A Comparison of Data Mining Techniques for Intrusion Detection”, International Conference on Advanced Communication Control and Computing Technologies (ICACCCT), pp. 41–44, IEEE, 2012.
[13] Roshan Chitrakar and Huang Chuanhe, “Anomaly based Intrusion Detection using Hybrid Learning Approach of combining k-Medoids Clustering and Naïve Bayes Classification”.
[14] Roshan Chitrakar and Huang Chuanhe, “Anomaly Detection using Support Vector Machine Classification with k-Medoids Clustering”, IEEE, 2012.
[15] Sumaiya Thaseen and Ch. Aswani Kumar, “An Analysis of Supervised Tree Based Classifiers for Intrusion Detection System”, International Conference on Pattern Recognition, Informatics and Mobile Engineering (PRIME), IEEE, February 21–22, 2013.
[16] David Ndumiyana, Richard Gotora and Hilton Chikwiriro, “Data Mining Techniques in Intrusion Detection: Tightening Network Security”, International Journal of Engineering Research & Technology (IJERT), Vol. 2, Issue 5, May 2013.
[17] Muhammad K. Asif, Talha A. Khan, Talha A. Taj, Umar Naeem and Sufyan Yakoob, “Network Intrusion Detection and its Strategic Importance”, Business Engineering and Industrial Applications Colloquium (BEIAC), IEEE, 2013.
[18] Kapil Wankhade, Sadia Patka and Ravindra Thools, “An Efficient Approach for Intrusion Detection Using Data Mining Methods”, IEEE, 2013.
[19] Fatin Norsyafawati Mohd Sabri, Norita Md Norwawi and Kamaruzzaman Seman, “Hybrid of Rough Set Theory and Artificial Immune Recognition System as a Solution to Decrease False Alarm Rate in Intrusion Detection System”, IEEE, 2011.
[20] Vaishali B. Kosamkar and Sangita S. Chaudhari, “Data Mining Algorithms for Intrusion Detection System: An Overview”, International Conference in Recent Trends in Information Technology and Computer Science, 2012.
[21] Hind Tribak, Blanca L. Delgado-Marquez, P. Rojas, O. Valenzuela, H. Pomares and I. Rojas, “Statistical Analysis of Different Artificial Intelligent Techniques a…
[22] … Techniques”, International Journal of Computer Applications, Volume 75, No. 6, August 2013.
[23] Iwan Syarif, Adam Prügel-Bennett and Gary Wills, “Unsupervised clustering approach for network anomaly detection”, IEEE.
[25] J. S. Shanthini and Dr. S. Rajalakshmi, “Data Mining Techniques For Efficient Intrusion Detection System: A Survey”, International Journal On Engineering Technology and Sciences (IJETS), ISSN(P): 2349-3968, ISSN(O): 2349-3976, Volume II, Issue XI, November 2015.
[26] Abhaya, Kaushal Kumar, Ranjeeta Jha and Sumaiya Afroz, “Data Mining Techniques for Intrusion Detection: A Review”, International Journal of Advanced Research in Computer and Communication Engineering, Vol. 3, Issue 6, June 2014.
[27] Matthew V. Mahoney and Philip K. Chan, “An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection”, 6th International Symposium, RAID 2003, Pittsburgh, PA, USA, September 8–10, 2003, Proceedings, Springer-Verlag Berlin Heidelberg.
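Worked example for Section 3.2 (added here; it is not code from the paper). A signature (misuse) detector and a baseline (anomaly) detector are run over constructed connection records whose fields are named after KDD Cup 99 attributes, and the detection rate and false alarm rate used in Section 6 are computed for each; the records, the signature list, the baseline and the label "unknown_dos" are all constructed for this example.

```python
"""Signature (misuse) vs baseline (anomaly) detection on constructed connection records."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    protocol: str
    service: str
    flag: str        # TCP status flag: SF = normal completion, S0 = SYN seen, no reply
    src_bytes: int
    count: int       # connections to the same host in the last two seconds
    label: str       # ground truth: "normal" or an attack name


# Constructed records. "neptune" (SYN flood) and "smurf" are DoS names from the
# KDD taxonomy; "unknown_dos" is a constructed attack for which no signature exists.
RECORDS = [
    Connection("tcp", "http", "SF", 215, 8, "normal"),
    Connection("tcp", "smtp", "SF", 1324, 3, "normal"),
    Connection("udp", "domain_u", "SF", 45, 2, "normal"),
    Connection("tcp", "ftp_data", "SF", 48000, 1, "normal"),   # large but legitimate transfer
    Connection("tcp", "private", "S0", 0, 250, "neptune"),
    Connection("tcp", "private", "S0", 0, 180, "neptune"),
    Connection("icmp", "ecr_i", "SF", 1032, 511, "smurf"),
    Connection("tcp", "http", "SF", 0, 300, "unknown_dos"),
]

# Misuse detection: stored patterns of known attacks (Section 3.2, item 1).
SIGNATURES = {
    "neptune": lambda c: c.protocol == "tcp" and c.flag == "S0" and c.count > 100,
    "smurf": lambda c: c.protocol == "icmp" and c.service == "ecr_i" and c.count > 200,
}


def signature_detect(c):
    """Return the matching attack name, or None when no stored pattern matches."""
    for name, matches in SIGNATURES.items():
        if matches(c):
            return name
    return None


# Anomaly detection: the administrator's baseline of normal traffic (Section 3.2, item 2).
BASELINE = {"max_src_bytes": 20000, "max_count": 100, "flags": {"SF", "REJ"}}


def baseline_detect(c, baseline=BASELINE):
    """Any deviation from the baseline is notified as an intrusion."""
    return (c.src_bytes > baseline["max_src_bytes"]
            or c.count > baseline["max_count"]
            or c.flag not in baseline["flags"])


def evaluate(records, is_alert):
    """Detection rate = detected attacks / attacks; false alarm rate = alerts on normal / normal."""
    attacks = [c for c in records if c.label != "normal"]
    normals = [c for c in records if c.label == "normal"]
    detected = sum(1 for c in attacks if is_alert(c))
    false_alarms = sum(1 for c in normals if is_alert(c))
    return {"detection_rate": detected / len(attacks),
            "false_alarm_rate": false_alarms / len(normals)}


def compare_detectors(records=RECORDS):
    """Metrics for both approaches: the signature detector misses the unknown attack
    but raises no false alarm; the baseline detector catches it at the cost of one."""
    return {"signature": evaluate(records, lambda c: signature_detect(c) is not None),
            "anomaly": evaluate(records, baseline_detect)}


if __name__ == "__main__":
    for approach, m in compare_detectors().items():
        print(f"{approach:9s} detection rate {m['detection_rate']:.2f}  "
              f"false alarm rate {m['false_alarm_rate']:.2f}")
```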
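Worked example for the Naive Bayes classifier of Section 4.1 (added here; not code from the paper or from reference [13]). It applies P(H|X) = P(X|H) · P(H) / P(X) to the three categorical KDD Cup 99 attributes named in Section 5.1 (protocol_type, service, flag), using the naive independence assumption P(X|H) = Π P(x_i|H) with Laplace smoothing so that an attribute value unseen for a class does not force the posterior to zero; the training records are constructed.

```python
"""Categorical naive Bayes for normal/attack prediction (Bayes' theorem as in Section 4.1)."""
import math
from collections import Counter, defaultdict

ATTRIBUTES = ("protocol_type", "service", "flag")

# Constructed training records: (protocol_type, service, flag, class).
TRAIN = [
    ("tcp", "http", "SF", "normal"),
    ("tcp", "http", "SF", "normal"),
    ("tcp", "smtp", "SF", "normal"),
    ("udp", "domain_u", "SF", "normal"),
    ("udp", "ntp_u", "SF", "normal"),
    ("tcp", "ftp", "SF", "normal"),
    ("tcp", "private", "S0", "attack"),
    ("tcp", "private", "S0", "attack"),
    ("tcp", "private", "REJ", "attack"),
    ("icmp", "ecr_i", "SF", "attack"),
    ("icmp", "eco_i", "SF", "attack"),
    ("tcp", "telnet", "S0", "attack"),
]


class NaiveBayes:
    """P(H|X) is proportional to P(H) * product_i P(x_i|H); Laplace smoothing with alpha."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.class_count = Counter()              # H -> number of training records
        self.value_count = defaultdict(Counter)   # (H, attribute) -> Counter of values
        self.values = defaultdict(set)            # attribute -> all values seen

    def fit(self, rows):
        for *x, h in rows:
            self.class_count[h] += 1
            for attr, v in zip(ATTRIBUTES, x):
                self.value_count[(h, attr)][v] += 1
                self.values[attr].add(v)
        return self

    def log_likelihood(self, x, h):
        """log P(X|H): the independence assumption turns the joint into a product."""
        total = 0.0
        for attr, v in zip(ATTRIBUTES, x):
            num = self.value_count[(h, attr)][v] + self.alpha
            den = self.class_count[h] + self.alpha * len(self.values[attr])
            total += math.log(num / den)
        return total

    def posterior(self, x):
        """P(H|X) for every class, normalised by P(X) = sum over H of P(X|H) P(H)."""
        n = sum(self.class_count.values())
        joint = {h: math.exp(self.log_likelihood(x, h)) * self.class_count[h] / n
                 for h in self.class_count}
        evidence = sum(joint.values())            # P(X)
        return {h: p / evidence for h, p in joint.items()}

    def predict(self, x):
        post = self.posterior(x)
        return max(post, key=post.get)


if __name__ == "__main__":
    nb = NaiveBayes().fit(TRAIN)
    for record in [("tcp", "http", "SF"), ("tcp", "private", "S0"), ("icmp", "ecr_i", "SF")]:
        post = nb.posterior(record)
        print(record, "->", nb.predict(record), {h: round(p, 3) for h, p in post.items()})
```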
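Worked example for Section 4.2 (added here; not code from the paper or from references [13] and [23]). K-Means and a PAM-style K-Medoids are run from the same two seeds on constructed 2-D points containing one far outlier: the K-Means center of the cluster that absorbs the outlier is pulled away from every actual member, while the medoid stays at a real data point, which is the outlier sensitivity the section describes.

```python
"""K-Means vs K-Medoids on constructed 2-D points with one outlier (Section 4.2)."""
import math

# Constructed feature pairs: two tight groups plus one outlier.
POINTS = [
    (1.0, 1.0), (1.5, 1.2), (1.2, 0.8), (0.8, 1.4),   # group A
    (8.0, 8.0), (8.5, 7.8), (7.8, 8.3), (8.2, 7.6),   # group B
    (1.0, 30.0),                                      # outlier
]


def nearest(p, centers):
    """Index of the center closest to p by Euclidean distance, as in Section 4.2."""
    return min(range(len(centers)), key=lambda i: math.dist(p, centers[i]))


def assign(points, centers):
    return [nearest(p, centers) for p in points]


def kmeans(points, init_centers, max_iter=100):
    """K-Means: each center becomes the arithmetic mean of the points assigned to it."""
    centers = list(init_centers)
    for _ in range(max_iter):
        labels = assign(points, centers)
        new_centers = []
        for i, old in enumerate(centers):
            members = [p for p, l in zip(points, labels) if l == i]
            if not members:                 # empty cluster: keep the previous center
                new_centers.append(old)
            else:
                new_centers.append(tuple(sum(c) / len(members) for c in zip(*members)))
        if new_centers == centers:          # assignments stable, means unchanged
            break
        centers = new_centers
    return centers, assign(points, centers)


def total_cost(points, medoids):
    """Sum of distances from every point to its nearest medoid."""
    return sum(math.dist(p, medoids[nearest(p, medoids)]) for p in points)


def kmedoids(points, init_medoids, max_iter=100):
    """PAM-style K-Medoids: swap a medoid for a non-medoid point while the cost drops."""
    medoids = list(init_medoids)
    cost = total_cost(points, medoids)
    for _ in range(max_iter):
        best = None
        for i in range(len(medoids)):
            for p in points:
                if p in medoids:
                    continue
                candidate = medoids[:i] + [p] + medoids[i + 1:]
                c = total_cost(points, candidate)
                if c < cost - 1e-12:
                    cost, best = c, candidate
        if best is None:                    # no swap lowers the cost: converged
            break
        medoids = best
    return medoids, assign(points, medoids)


def compare_clusterings(points=POINTS):
    init = [points[0], points[4]]          # one seed per group, shared by both algorithms
    km_centers, km_labels = kmeans(points, init)
    kmd_medoids, kmd_labels = kmedoids(points, init)
    return {"kmeans_centers": km_centers, "kmeans_labels": km_labels,
            "kmedoids": kmd_medoids, "kmedoids_labels": kmd_labels}


if __name__ == "__main__":
    r = compare_clusterings()
    print("K-Means centers  :", [tuple(round(v, 2) for v in c) for c in r["kmeans_centers"]])
    print("K-Medoids medoids:", r["kmedoids"])
```

With these points the outlier joins group B under both algorithms; K-Means moves B's center to about (6.7, 12.34), while K-Medoids keeps (8.0, 8.0).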
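Worked example for Sections 5.1 to 5.3 (added here; not code from the paper or from the KDD, GureKDD or NSL-KDD projects). It parses constructed records in the KDD Cup 99 layout (41 comma-separated attributes followed by the label), rejects malformed lines, maps each label to one of the four attack categories, and builds the per-category before/after/percent-reduction table that Section 5.2 describes for duplicate removal. The DoS names come from Section 5.1; the probe, R2L and U2R names are KDD Cup 99 labels for the behaviours the section describes, and the helper make_line is constructed for this example.

```python
"""KDD Cup 99 record parsing, attack categories and duplicate-reduction table (Section 5)."""
from collections import Counter, OrderedDict

N_ATTRIBUTES = 41  # Section 5.1: each connection is described by 41 attributes

# Attack label -> category. DoS names are listed in Section 5.1; the other names are
# KDD Cup 99 labels for port scanning (probe), password guessing (R2L) and
# buffer overflow (U2R).
CATEGORY = {
    **dict.fromkeys(["back", "land", "neptune", "pod", "smurf", "teardrop"], "dos"),
    **dict.fromkeys(["portsweep", "nmap", "ipsweep", "satan"], "probe"),
    **dict.fromkeys(["guess_passwd", "ftp_write", "warezclient"], "r2l"),
    **dict.fromkeys(["buffer_overflow", "rootkit", "perl"], "u2r"),
    "normal": "normal",
}


def make_line(duration, protocol, service, flag, src_bytes, dst_bytes, label):
    """Constructed record: six real-looking attributes, zero fillers, then the label."""
    head = [duration, protocol, service, flag, src_bytes, dst_bytes]
    fields = head + [0] * (N_ATTRIBUTES - len(head)) + [label + "."]
    return ",".join(str(v) for v in fields)


# KDD labels carry a trailing dot ("normal.", "neptune."); make_line keeps that convention.
SAMPLE = "\n".join([
    make_line(0, "tcp", "http", "SF", 215, 45076, "normal"),
    make_line(0, "tcp", "http", "SF", 215, 45076, "normal"),     # exact duplicate
    make_line(0, "tcp", "smtp", "SF", 1169, 332, "normal"),
    make_line(0, "tcp", "private", "S0", 0, 0, "neptune"),
    make_line(0, "tcp", "private", "S0", 0, 0, "neptune"),       # duplicate
    make_line(0, "tcp", "private", "S0", 0, 0, "neptune"),       # duplicate
    make_line(0, "icmp", "ecr_i", "SF", 1032, 0, "smurf"),
    make_line(0, "tcp", "private", "REJ", 0, 0, "portsweep"),
    make_line(2, "tcp", "telnet", "SF", 1511, 2957, "guess_passwd"),
    make_line(184, "tcp", "telnet", "SF", 1511, 2957, "buffer_overflow"),
    "0,tcp,http,SF,215",                                          # malformed: too few fields
])


def parse(text):
    """Return ([(category, attribute_tuple), ...], skipped) over well-formed lines."""
    rows, skipped = [], 0
    for line in text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != N_ATTRIBUTES + 1:   # 41 attributes + label, nothing else accepted
            skipped += 1
            continue
        label = fields[-1].rstrip(".")
        rows.append((CATEGORY.get(label, "unknown"), tuple(fields[:-1])))
    return rows, skipped


def reduction_table(rows):
    """Per category: samples before, after removing exact duplicates, and % reduction."""
    before, after, seen = Counter(), Counter(), set()
    for category, attrs in rows:
        before[category] += 1
        if (category, attrs) not in seen:
            seen.add((category, attrs))
            after[category] += 1
    table = OrderedDict()
    for cat in sorted(before):
        pct = 100.0 * (before[cat] - after[cat]) / before[cat]
        table[cat] = (before[cat], after[cat], round(pct, 2))
    return table


if __name__ == "__main__":
    rows, skipped = parse(SAMPLE)
    print(f"{'category':8s} before after reduction%   (malformed lines skipped: {skipped})")
    for cat, (b, a, pct) in reduction_table(rows).items():
        print(f"{cat:8s} {b:6d} {a:5d} {pct:10.2f}")
```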