WIXLIB

Journal of Theoretical and Applied Information Technology15th February 2020. Vol.98. No 03 2005 – ongoing JATIT & LLSISSN: 1992-8645www.jatit.organd sends response to client. If the client is fakeclient, then attacker will be tracked , located,identified and saves information about attackersat the honeypot. Though it is an attacker it givesresponse to make them fool. In all these scenario,security is maintained. The limitation here is thatif no any attacker comes in the honeypot systembecomes useless the need for other establishedsecurity tools such as IDS and IPS to be integratedwith the honeypot.[10], Their work develop a new hybrid model thatis used to estimate the intrusion Scope thresholddegree based on Network transaction data’s optimalfeatures. Detection time is reduced and accuracyrate also improved.[11] In their approach they presented a statisticaland complexity analysis of CIDDS-001 dataset.They further utilized supervised and unsupervisedmachine learning techniques to analyze thecomplexity of the dataset in eminent evaluationmetrics. Their evaluation results shows that knearest neighbor, decision trees, random forests,naive bayes and deep learning based classifiers canbe used to develop an efficient network intrusiondetection system.[12] In their work they conducted a set ofexperiments and evaluate machine learningE-ISSN: 1817-3195techniques for detecting malware and theirclassification into respective families dynamically.they received a set of real malware samples andbenign programs from Virus Total, and executed ina controlled & isolated environment which theyrecorded malware behavior for evaluation ofmachine learning techniques in terms of commonlyused performance metrics which was extractedfrom malware and benign executable samples usinga Cuckoo Sandbox and a Python based automatedsystem to form a real malware dataset.There are many researches that have beenconducted in the field of Intrusion detection system.[13], described the log based IDS approach whichthey employed on the user request, the system wasdesigned in such way that it will predict themultiple request and block that particular user andthen analyze the auditing log. This was achieved byanalyzing the user MAC and IP address and is thenblocked.2.1 Comparison of Different Intrusion DetectionSystems used on a Network securityThis section shows a comparison of most closelyrelated work done by researchers using Intrusiondetection security models in the Web and theirlimitations as displayed in table1 below.Table 1: Comparison of Different Intrusion Detection Systems used on a network securityS/NoAuthor(s)Research TitleResult provided1.[14]Honeypot IntrusionDetection SystemIn their study, they developed aHoneypot IDS systemPerformance identifiedon the Network SecurityMonitor (NSM).2.[15]A Survey on PotentialApplications of HoneypotTechnology in IntrusionDetection Systems.The work combined Intrusiondetection system with Honeypot thatdetect new attack pattern that do notexist in signature database.Cost of Security onCorporateNetworkminimized, false positivealarm level also reduced.3.[16]Simple Text BasedCAPTCHA for the Security inWeb Applications.In their work, they implement asimple Text Based CAPTCHAwhich provides simplicity of solvingthe techniques for human as well asthe time that a human actually needsto find the solution.Solution to maximizerobustness and usabilityof text based CAPTCHAsimultaneouslyisprovided.4.[17]Optimize Machine LearningBased Intrusion Detection forCloud Computing: ReviewPaper.The research work presents ananomaly detection technique basedon Genetic Algorithm (GA) andSupport Vector Machine (SVM)performancevaluationwasimproved.Analysis of data setKDD99 the most populardata set on IDS provided.5.[7]Infrastructure SecurityUsing IDS, IPS and HoneypotIn their work, they ImplementIDS, IPS and Honeypot makingResponse time andefficiency of detection431Issues addressed

Journal of Theoretical and Applied Information Technology15th February 2020. Vol.98. No 03 2005 – ongoing JATIT & LLSISSN: 1992-8645www.jatit.orgE-ISSN: 1817-3195Intrusion Detection System moreeffective, accurate and etectionsystemthroughfeature selection analysis andbuilding hybrid efficient modelThe work develop a new hybridmodel that is used to estimate theintrusion Scope threshold degreebased on Network transaction data’soptimal features.Detection time isreduced and accuracy ratealso improved.7.[18]Honeypot Based DetectionSystem with Snooping agentsand Hash TagsTheworkprovidesanImprovement on the Performance ofIntrusion detection System usingHoneypot with Snooping Agents andHash Tags.Detectionimprovedandpositive reduced.8.[13]LogBasedDetection Model.IntrusionThe work Proposes the use ofIntrusion detection model based onUser Request and multiple requestare predicted that belong to aparticular user are blocked and hisauditing logs also analyzed.Unauthorized eventsare predicted and DDOsattacks are prevented bythe log file.9.[19]A two-stage flow-basedIntrusion Detection Model fornext Generation NetworksTheir work propose a flow basedIntrusion Detection System in twostage detection process, first stageuses one class SVM for detection allnormal traffics are discarded andmalicious traffic are forwarded to thesecond stage and only maliciousflows are analyzed in details.Grouping of Maliciousflows in different attackclusters and accuracy inthe separation in theirseparation is provided.3.rateFalseMETHODOLOGYThe major concern of this work is to evaluatethe performance of the security model in anetwork web based system proposed by [1] usingCAPTCHA- based IDS as network security tosecure users data in a web with a developedsecurity model in the network using CAPTCHAbased IDS, IPS and Honeypot.3. 1 Working Principle of Improved CAPTCHABased IDS based on Redirector Model withloosely Generated CAPTCHAThe working principle of the CAPTCHA –based IDS with a redirector as proposed in [1] isshown in Figure1 below.Figure 1. CAPTCHA- based Intrusion Detection Systemproposed in [1]CAPTCHA is a tool commonly used in IPS, toprevent machine intruders (bots) from intrudinginto a system, however, in this research work,CAPTCHA will also be used as IDS. Thetechnique to be used is cognizance of the fact thatthere are software intruders that can read432

Journal of Theoretical and Applied Information Technology15th February 2020. Vol.98. No 03 2005 – ongoing JATIT & LLSISSN: 1992-8645www.jatit.orgCAPTCHA and attempt to infiltrate it and intrudeinto system. CAPTCHAs with weak designpattern and fixed length with varying colours ontext will be employed for use in web-basedsystem acting like IPS while in real sense it is anIDS that will attempt to lewd software intrudersusing machine learning-based attack tosuccessfully read the text-based CAPTCHA andinfiltrates the system. Likewise softwareintruders using unwitting human labour caneasily read the CAPTCHAs and infiltrate thesystem as well. The CAPTCHA character is notonly to be read and re-type back to the system, itis to be read, understand and abide by. Forinstance one of such CAPTCHA may displayed“DO NOT TYPE ANYTHING IN THETEXTBOX” a wise human will understand thatthe textbox should be left empty, while asoftware intruder that successfully read the wordswill just rush and type “DO NOT TYPEANYTHING IN THE TEXTBOX” in thetextbox or something similar to that sentence. Assoon as anything is typed in the provided textbox,the system quickly detects that an intrusion hastaken place and the intruder is quickly redirectedto the Honeypot model for post intrusionactivities. Figure 2 illustrates the IDS usingCAPTCHA as trap.E-ISSN: 1817-3195Trap IDS incorporated on the site using thefollowing technologies as: Back End includesPHP (Hypertext Pre-processor) and MySQL. Forthe Front End we use JavaScript, HTML (HyperText Mark-up Language) and CSS (CascadingStyle Sheet). The following algorithm bestillustrate our CAPTCHA-based IDS model asfollows;Algorithm for the proposed modelStep 1: StartStep 2: Enter Login detailsStep 3: Solve CAPTCHA challengeStep 4: IF (login details correct) {Step 5: IF (CAPTCHA Text 1) {Intelligent spyware Get IP addressSend User IP address to Honeypot and DatabaseStep 6 :}Else {Step 7: Redirect user to MailboxStep 9 :}Step 10: Else {Step 11: Repeat Step 2Step 12 :}Step 13: StopFigure 2: IDS using CAPTCHAThe presence of CAPTCHA in this system naturallydeters software intruders, since CAPTCHAs aregenerally seen as IPS and therefore, its presence inthe system will naturally interpreted as an IPSsystem. However, this system faking softwareintruders to believe it is IPS may not be veryefficient as some software intruders may attemptlogin ignoring the CAPTCHA and the textboxprovided for it, this will re-direct the intruder to thelogin authentication and somehow this may havebeen an intrusion bypassing the fake IPS and theCAPTCHA-trap IDS. This is an instance where thesystem may theoretically be bypassed andsubsequent researches on similar are recommendedstudying this gap.3. 2 Implementation processThe system was developed as a real world systemwhich is an Email web server and a CAPTCHA4333. 3 Working Interfaces and structure of theproposed systemFigure 3 below shows the system interface for theLogin into the Honeypot mail of the system by theAdministrator. It contains Home, Sign Up andLogin.Figure 3: CAPTCHA based email intrusion detection loginSign Up and login page

Journal of Theoretical and Applied Information Technology15th February 2020. Vol.98. No 03 2005 – ongoing JATIT & LLSISSN: 1992-8645www.jatit.orgTable 2 shows report from event recording bythe proposed system. Successful intrusions arestored in MySQL table for record-keepingpurposes. Items captured and save on the databaseare: IP address of machine the software intruder iscoming from, Date and time of intrusion. Thebrowser used and country.TP expressed as True PositiveTN expressed as True NegativeFP expressed as False Positive andFN expressed as False Negative As adopted by[21]False Positive Alarm Rate /Ratio this can becalculated through the use of confusion matrixparameters which are represented by the followingvalues TP, FN, FP and TN1.True Positive (TP)- Indicates theinstances which are predicted as normal2.False Negative (FN) – This illustrate thatincorrectly classification process occurs. Whereattacks are classified as normal packets.3.False positive (FP) – This value representsincorrect instance where normal packets areclassified as attacks.4.True negative (TN) – This represent thecorrect instance normal packets as being normal.Here the False Positive Rate is defined as FPR 100 (3)As adopted by [22] and [23].We also obtained the detection accuracy for bothsystems using the Naïve Bayes classifier algorithmin Python language, which we obtained thepercentage accuracy of detection for both theExisting and the proposed system. The naïveBayes is a classification method based on Bayestheorem which is used to predict class labels. [24].Table 2: Report Of Intrusion Detected On The System3.4 Experimental dataThe system was experimented using the extracteddata from the database. The entire system wasfully implemented.The system was experimented using different datasets as follows;1. No of Months2. No of IP address captured3. Class (human/ Bots)E-ISSN: 1817-31954. RESULTS AND DISCUSSIONS3.5 Performance MetricsAn IDS is evaluated by the measure of Accuracy,detection rate and F- Measure. It should have avery low false alarm. [20].The performance of the existing and the proposedsystems was evaluated using the followingperformance metrics:The analysis was performed using the WEKA3.8.0 (Waikato Environment for knowledgeanalysis).WEKA which is an open source machinelearning scripting tool which was developed byWaikato University) New Zealand. The existingand proposed system was evaluated using thefollowing perimeters:Precision: - It express as (1)Precision: - is a measure of what fraction of testdata detected as attack are actually from the attackclass.Detection Rate; which is the number of suspectedattacks over all the attacks that exist in the datasetand the formula for computing the Detection Rateis as follows;Detection Rate 100 (2)434The Improved CAPTCHA – based IDSdetection technique was developed on a Windowsoperating system 500 GB Hard drive, 4GB RAMand a Core i5 processor of 2.20GHZ. A modemfor internet access is needed a domain from ISPalso used. The software requirement includes:Xampp local server for running the application onlocal host. Latest internet browser Google chrome,Firefox, Mozilla or Opera etc. and a strongInternet connectivity was required. The analysiswas performed using the WEKA 3.8.0 (WaikatoEnvironment for knowledge analysis).WEKAwhich is an open source machine learningscripting tool which was developed by WaikatoUniversity) New Zealand.To perform theexperiments, we use all the 96 captured IP addressnormal instances and the 33 attack instances thatmake up the data Training set for the head and tail.Our system performs binary classification; theclasses on each dataset are reduced to only two:normal and attack, where the attack class consistsof all Captured IP address of the host intruders thatattack the system within period of time. We also

Journal of Theoretical and Applied Information Technology15th February 2020. Vol.98. No 03 2005 – ongoing JATIT & LLSISSN: 1992-8645www.jatit.orgobtained the detection accuracy for both systemsusing the Naïve Bayes classifier in Python. NaiveBayes is a supervised learning classifier that basedon Bayes' Theorem with the “naive” notion ofindependence among variables of a problem. Thisnotion means that the presence of one variable in aproblem does not have any effect on the presenceof another variable. Naive Bayes uses theconditional probability. It classifies the problemby combining previous calculated likelihood andprobabilities to make the next probability usingBayes rule. It is used in text classification, spamdetection, recommendation system etc. [25].4.1 ResultThe results for the experimental analysis of theImproved CAPTCHA-base IDS are described inthis section.4.2 System TestingThe system was tested on a real world; an emailweb site was designed and in-cooperated on webserver having a login and signing up details foraccount creation.E-ISSN: 1817-3195Figure 3. Screen capture from WEKA analysistool showing detail accuracy by class for theCAPTCHA -based IDS4. 3.1 Comparison Analysis of Resultsobtained from the Malicious Email IDS andthe Improved CAPTCHA- based IDSTable 3 below shows the comparison analysis ofthe result obtained from both the existing theImproved CAPTCHA based IDS based onredirector model using Precision and detectionRatio of captured attacks.4. 3 Analysis of the experimental resultsFigure 2 below illustrate result analysis obtainfrom the experiment conducted using PythonTable 3: Percentage Of Weighted Average Of NaïveBayes Classifier With Python Obtained From TheExisting And Proposed 074.09.0Table 4: Comparison Of Experimental Result ObtainedFrom The Naïve Bayes Multinomial Classifier In WEKAEvaluationMetricsFigure 2. Screen captured of Run analysis of theImproved CAPTCHA based IDS in pythonTP RateFP RatePrecisionDetectionRateF- 40.170.540.750.21Table 5: Correctly And Incorrectly Classified InstancesObtained From The Naïve Bayes Multinomial Classifier.435

Journal of Theoretical and Applied Information Technology15th February 2020. Vol.98. No 03 2005 – ongoing JATIT & LLSISSN: 957.042.99674.026.0471716.94.4 Discussion of resultsThe precaution to protect the network is the dutyof network administrator as pointed out by [26].Network security infrastructure is one of the majorconcerns for network administrators, and detectinglarge number of attacks by intelligent spywares.Developing IDS model that can perform the taskof intelligently monitoring network systems for anattack by spyware is important aspect of today’stechnological advancement, therefore the need forefficient and effective Intrusion detection systemthat can handle the detection and reporting offrequent attacks by not only humans but intelligentspywares. Thus, this section presents thediscussion on the Detection Ratio and Precision byboth the existing the proposed systems.Furthermore discussion on the differencesobtained from detection Rate and correctly andincorrectly classified instances is another aspectthat needs to be considered in the work.Figure 4. Graphical Representation Of Percentages OfWeighted Average Of The Evaluation Metrics4. 4. 1 Detection Rate achieved on the Numberof detected AttacksAs shown on the graph figure 4 above ,theconfusion matrix parameter are used to help indetecting attacks that are indicated as attacks andare presented as attacks (TP), also the (FP) .Thisvalue represents incorrect instance where normalE-ISSN: 1817-3195packets are classified as attacks. From the table 3above indicates that the proposed system has ahigher number of detected attacks up to 96instances with high detection Rate of 0.74 (74%).In comparison to the existing system the proposedsystem has better and efficient detection rate thanthe existing system which is having total of 49attacks detected with 0.57 (57%) detection rateand with a precision of 0.78(78%) for theproposed system and 0.53 (53%) precision for theexisting system. Precision this is a percentage ofattacks that are properly detected which is alsoterm as Accuracy.Figure 5: Graphical Representation Of Detection RateAnd Precision Of The Two Systems.Generally, we can say our approach achievedgood result when the performance of the systemwas evaluated using the Naïve Bayes classifier ofthe machine learning analysis technique which isan important performance metric for measuringeffectiveness of Intrusion detection system. Asshown in the graph figure 4 above the proposedsystem after analysis indicates a better Accuracyof (82%) with a high correctly classified instanceof 74% classification compared to the existingsystem which has Accuracy of (75%). Thisconfirms that our work has the ability to detectintrusion by intelligent spyware effectively andefficiently.4. 4. 2 Correctly and Incorrectly classifiedinstancesFor correctly classified instances means attacks thatare detected as attack and are classified correctly asattack.While incorrectly classified instancessignifies in inappropriate classification of attacksdetected. This accuracy of detection is betterachieved from the confusion matrix of the WEKAanalysis tool. In comparison to the existing systemthe proposed system has better and efficiency ofcorrectly classified instance of 74% and only 26%incorrectly classified instance , whereas the existingsystem has worse correctly classified instance of436

Journal of Theoretical and Applied Information Technology15th February 2020. Vol.98. No 03 2005 – ongoing JATIT & LLSISSN: 1992-8645www.jatit.org57% and 43% incorrectly classified instances. Thisindicates that from the experimental result theImproved CAPTCHA based IDS which is based onredirector model performs better in terms ofdetecting actual attacks than the Existing system.Figure 6 below illustrates the graphicalrepresentation of the correctly and incorrectlyclassified instances obtained from both the existingand the Improved CAPTCHA- based IDS system.Figure 6.Graphical Representation Of Correctly AndIncorrectly Classified Instances.4. 4. 3 Remarkable differences obtained fromAccuracy, Precision and recallTable 3 presents the results of the analysis of thesystems Accuracy, precision and recall also calledDetection Rate. The result indicates that there areremarkable differences obtained from theExperimental result carried out on the attackdetected which the Accuracy, precision recallvalues were obtained. The proposed system provedto have a better performance with higherdifferences between the Accuracy obtained. Thereis also a difference of 7% Accuracy and 10%difference Precision. This is because the existingsystem considers attacks coming into the systemgenerally without considering the intelligence ofthe attack, whereas in the proposed system itconsider the attack on the spyware which areclassified as been unintelligent and intelligentcapable of breaking and bypassing CAPTCHA. Thepercentage of the bots penetrating the existingsystem

System (IDS), Intrusion-prevention-System (IPS) and Honeypot. Because various exploits are being used to compromise the network. These exploits are capable of breaking into any secured networks. In . Cost of Security on Corporate Network minimized, false positive alarm level also reduced. 3. [16] Simple Text Based