SlideShare a Scribd company logo

Intrusion detection using data mining

B
balbeerrawat

This document describes a project to develop an intrusion detection system using data mining techniques. It discusses approaches to intrusion detection including signature-based and anomaly-based methods. For the project, a hybrid network-based and host-based intrusion detection system is proposed. Data preprocessing and mining techniques including clustering, outlier detection, and classification are applied to network packet data and system call logs to detect attacks.

Education
1 of 17
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
By Shishir Shandilya(0610101041) Rajesh Ghildiyal(06180101036) Balbeer Singh Rawat(06180101006) Under the Guidance of MR. Ajit Singh
Problem Definition  An Intrusion Detection System is an important part of the Security Management system for computers and networks that tries to detect break-ins or break-in attempts.  Approaches to Solution  Signature-Based  Anomaly Based.
Types of Intrusion Detection  Classification I  Real Time  After-the-fact (offline)  Classification II  Host Based  Network Based
Approaches to IDS Technique Signature Based Anomaly Based Concept  Model well-known Model is based on normal behavior of the attacks system  use these known Try to flag the deviation from normal patterns to identify pattern as intrusion intrusion. Pros and  Specific to attacks  Usual changes due to traffic etc may lead Cons can not extend to higher number of false alarms . unknown intrusion patterns( False Negatives)
Approaches for IDS Network-Based Host-Based •Are installed on N/W •Are installed locally on Switches host machines •Detect some of the attacks, that host-based systems don’t. E.g.. DOS, Fragmented Packets.
Recommended Approach  None provides a complete solution  A hybrid approach using HIDS on local machines as well as powerful NIDS on switches
Attack Simulation  Types of attacks  NIDS ○ SYN-Flood Attack  HIDS ○ ssh Daemon attack.
NIDS – Data Preprocessing  Input data  tcpdump trace.  Huge  One data record per packet  Features extracted(Using Perl Scripts)  Content-Based Group records and construct new features corresponding to single connection  Time-Based Adding time-window based information to the connection records (Param: Time-window)  Connection-Based Adding connection-window based information (Param: Time-window)
Preprocessing on tcpdump  From the tcpdump data we extracted following fields  src_ip ,dst_ip  src_port, dst_port  num_packets_src_dest / num_packets_dest_src  num_ack_src_dst/ num_ack_dst_src  num_bytes_src_dst/ num_bytes_dst_src  num_retransmit_src_dst/ num_retransmit_dst_src  num_pushed_src_dst/ num_pushed_dst_src  num_syn_src_dst/ num_syn_dst_src  num_fin_src_dst/ num_fin_dst_src  connection status
Preprocessing on tcpdump cont…  Time-Window Based Features  Count_src/count_dst  Count_serv_src/ count_serv_dest  Connection-Window Based  Count_src1 /count_dst1  Count_serv_src1/ count_serv_dest1
NIDS- Datamining Technique  Outlier Detection  Clustering Based Approach(K-Means) ○ Outlier Threshold ○ Preprocessed dataset  K-NN Based Approach ○ distance threshold ○ Preprocessed dataset  Results  Clustering did not give good results. ○ Limited Data  K-NN ○ Giving Alarms
HIDS – Data Preprocesing  Input data  “strace” system call logs for a particular process(sshd)  One data record per system call  Sliding-Window Size for grouping.  Features extracted(Using Perl Scripts)  Sliding the window over the trace to generate possible sequences of system calls.
HIDS – Data Preprocessing cont… a d f g a e d a e b s d e a ad f g d f g a f g a e g a e d a e d a e d a e d a e b a e b s e b s d b s d e s d e a
Datamining Technique Used  Learning to predict system calls  Predict ith system call for each test record<p1, p2,p3>  Done using Classification (Decision Trees)  Anomaly Detection  Use of misclassification score to detect anomalies
Literature Survey  Types of attacks (Host and Network Based)  Techniques  Association rules and Frequent Episode Rules over host based and network based  Outlier Detection using clustering  classification
Future Work  NIDS  To incorporate threshold distance as a configurable parameter for K-Means Algorithm used  HIDS  Try out meta-learning algorithms for classification  A small user Interface for configuring parameters.
References  “Mining in a data-flow Environment: Experience in Network Intrusion Detection”, W. Lee, S. Stolfo, K. Mok.  “Mining audit data to build intrusion detection models”, W. Lee, S. Stolfo, K. Mok.  “Data Mining approaches for Intrusion Detection”, W. Lee S. Stolfo.  “A comparative study of anomaly detection schemes in network intrusion detection”, A. Lazarevic, A ozgur, L. Ertoz, J. Srivastava, Vipin Kumar.  “Anomaly Intrusion detection by internet datamining pf traffic episodes” Min Qin & Kai Gwang.  “A database of computer attacks for the evaluation of Intrusion Detection System”, Thesis by Kristopher Kendall.

More Related Content

PPT
Intrusion Detection Techniques for Mobile Wireless Networks
guest1b5f71
 
PPTX
Introduction to WDM and TDM
Murtadha ali shukur
 
PPTX
Intrusion Prevention System
Vishwanath Badiger
 
PPT
Intrusion .ppt
MuhammadRehan856177
 
PPTX
Network traffic analysis with cyber security
KAMALI PRIYA P
 
PDF
Call Setup
Sokunth Che
 
PPTX
Adhoc wireless networks and its issues
Menaga Selvaraj
 
PDF
Routing in Mobile Ad hoc Networks
Sayed Chhattan Shah
 
Intrusion Detection Techniques for Mobile Wireless Networks
guest1b5f71
 
Introduction to WDM and TDM
Murtadha ali shukur
 
Intrusion Prevention System
Vishwanath Badiger
 
Intrusion .ppt
MuhammadRehan856177
 
Network traffic analysis with cyber security
KAMALI PRIYA P
 
Call Setup
Sokunth Che
 
Adhoc wireless networks and its issues
Menaga Selvaraj
 
Routing in Mobile Ad hoc Networks
Sayed Chhattan Shah
 

What's hot (20)

PPTX
Lecture 10 intruders
rajakhurram
 
PPTX
DSL
Ebrahim Mohammed
 
PPTX
Wsn state-centric programming
AanchalKumari4
 
PPTX
Dos n d dos
sadhana21297
 
PDF
Location Aided Routing (LAR)
Pradeep Kumar TS
 
PPSX
Adhoc and routing protocols
shashi712
 
PPTX
GSM
Mukesh Chinta
 
PDF
Computer network
Soumya Behera
 
PPTX
Olsr protocol ppt
sharat sajjan
 
PPT
MSAT
Ramasubbu .P
 
PDF
Wireless Sensor Networks UNIT-1
Easy n Inspire L
 
PDF
05. Frequency Management and Channel Assignment.pdf
samiulsuman
 
PDF
Mobile Communications Sajay K R
PlusOrMinusZero
 
PPTX
Big data Analytics(BAD601) -module-1 ppt
AmbikaVenkatesh4
 
PDF
Ids(final)
Not yet working. I am still studying
 
PDF
IT8602 Mobile Communication - Unit V
pkaviya
 
PPTX
Presentation on modem
Dnyanesh Patil
 
PPTX
Deep learning approach for network intrusion detection system
Avinash Kumar
 
PPTX
Unit -1 Circuit Switch and Data gram Switch
Nivetha Palanisamy
 
PPTX
Gsm architecture
Prabhat gangwar
 
Lecture 10 intruders
rajakhurram
 
DSL
Ebrahim Mohammed
 
Wsn state-centric programming
AanchalKumari4
 
Dos n d dos
sadhana21297
 
Location Aided Routing (LAR)
Pradeep Kumar TS
 
Adhoc and routing protocols
shashi712
 
GSM
Mukesh Chinta
 
Computer network
Soumya Behera
 
Olsr protocol ppt
sharat sajjan
 
MSAT
Ramasubbu .P
 
Wireless Sensor Networks UNIT-1
Easy n Inspire L
 
05. Frequency Management and Channel Assignment.pdf
samiulsuman
 
Mobile Communications Sajay K R
PlusOrMinusZero
 
Big data Analytics(BAD601) -module-1 ppt
AmbikaVenkatesh4
 
Ids(final)
Not yet working. I am still studying
 
IT8602 Mobile Communication - Unit V
pkaviya
 
Presentation on modem
Dnyanesh Patil
 
Deep learning approach for network intrusion detection system
Avinash Kumar
 
Unit -1 Circuit Switch and Data gram Switch
Nivetha Palanisamy
 
Gsm architecture
Prabhat gangwar
 
Ad

Viewers also liked (20)

PPT
Data Mining and Intrusion Detection
amiable_indian
 
PPTX
Databse Intrusion Detection Using Data Mining Approach
Suraj Chauhan
 
PPT
Intrusion detection system ppt
Sheetal Verma
 
PDF
A Study on Data Mining Based Intrusion Detection System
AM Publications
 
PPTX
Analysis and Design for Intrusion Detection System Based on Data Mining
Pritesh Ranjan
 
PPTX
Educational Data Mining/Learning Analytics issue brief overview
Marie Bienkowski
 
PPTX
powerpoint feb
imu409
 
PDF
∂u∂u Multi-Tenanted Framework: Distributed Near Duplicate Detection for Big Data
Pradeeban Kathiravelu, Ph.D.
 
PPSX
Adaptive Intrusion Detection Using Learning Classifiers
Patrick Nicolas
 
PDF
ViTeNA: An SDN-Based Virtual Network Embedding Algorithm for Multi-Tenant Dat...
Pradeeban Kathiravelu, Ph.D.
 
PPTX
DM for IDS
Nesma Mahmoud
 
PPTX
machine learning in the age of big data: new approaches and business applicat...
Armando Vieira
 
PPTX
Ids presentation
Solmaz Salehian
 
PDF
2015 01-17 Lambda Architecture with Apache Spark, NextML Conference
DB Tsai
 
PDF
Using Machine Learning in Networks Intrusion Detection Systems
Omar Shaya
 
PPT
Intrusion Detection
Gregory Hanis
 
PDF
Efficient Duplicate Detection Over Massive Data Sets
Pradeeban Kathiravelu, Ph.D.
 
PPTX
Data mining to predict academic performance.
Ranjith Gowda
 
PPTX
02 Related Concepts
Valerii Klymchuk
 
PDF
Advances in Learning Analytics and Educational Data Mining
MehrnooshV
 
Data Mining and Intrusion Detection
amiable_indian
 
Databse Intrusion Detection Using Data Mining Approach
Suraj Chauhan
 
Intrusion detection system ppt
Sheetal Verma
 
A Study on Data Mining Based Intrusion Detection System
AM Publications
 
Analysis and Design for Intrusion Detection System Based on Data Mining
Pritesh Ranjan
 
Educational Data Mining/Learning Analytics issue brief overview
Marie Bienkowski
 
powerpoint feb
imu409
 
∂u∂u Multi-Tenanted Framework: Distributed Near Duplicate Detection for Big Data
Pradeeban Kathiravelu, Ph.D.
 
Adaptive Intrusion Detection Using Learning Classifiers
Patrick Nicolas
 
ViTeNA: An SDN-Based Virtual Network Embedding Algorithm for Multi-Tenant Dat...
Pradeeban Kathiravelu, Ph.D.
 
DM for IDS
Nesma Mahmoud
 
machine learning in the age of big data: new approaches and business applicat...
Armando Vieira
 
Ids presentation
Solmaz Salehian
 
2015 01-17 Lambda Architecture with Apache Spark, NextML Conference
DB Tsai
 
Using Machine Learning in Networks Intrusion Detection Systems
Omar Shaya
 
Intrusion Detection
Gregory Hanis
 
Efficient Duplicate Detection Over Massive Data Sets
Pradeeban Kathiravelu, Ph.D.
 
Data mining to predict academic performance.
Ranjith Gowda
 
02 Related Concepts
Valerii Klymchuk
 
Advances in Learning Analytics and Educational Data Mining
MehrnooshV
 
Ad

Similar to Intrusion detection using data mining (20)

PPTX
Intrusion Detection Systems Pedagogy.pptx
sowaibakhan3
 
PDF
C3602021025
ijceronline
 
PDF
International Journal of Engineering Research and Development (IJERD)
IJERD Editor
 
PDF
A Survey: Comparative Analysis of Classifier Algorithms for DOS Attack Detection
ijsrd.com
 
PDF
Bt33430435
IJERA Editor
 
PDF
Bt33430435
IJERA Editor
 
PDF
CLASSIFICATION PROCEDURES FOR INTRUSION DETECTION BASED ON KDD CUP 99 DATA SET
IJNSA Journal
 
PDF
CLASSIFICATION PROCEDURES FOR INTRUSION DETECTION BASED ON KDD CUP 99 DATA SET
IJNSA Journal
 
PDF
Vol 6 No 1 - October 2013
ijcsbi
 
PDF
Review of Intrusion and Anomaly Detection Techniques
IJMER
 
PDF
AN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMS
ieijjournal
 
PDF
AN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMS
ieijjournal1
 
PDF
Intrusion detection system: classification, techniques and datasets to implement
IRJET Journal
 
PDF
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
ijceronline
 
PPTX
Role of data mining in cyber security
Khaled Al-Khalili
 
PDF
A Study on Data Mining Based Intrusion Detection System
AM Publications
 
PDF
Survey on Host and Network Based Intrusion Detection System
Eswar Publications
 
PDF
Network Intrusion Detection System Based on Modified Random Forest Classifier...
IRJET Journal
 
PDF
Survey of network anomaly detection using markov chain
ijcseit
 
PDF
International Journal of Computer Science, Engineering and Information Techno...
ijcseit
 
Intrusion Detection Systems Pedagogy.pptx
sowaibakhan3
 
C3602021025
ijceronline
 
International Journal of Engineering Research and Development (IJERD)
IJERD Editor
 
A Survey: Comparative Analysis of Classifier Algorithms for DOS Attack Detection
ijsrd.com
 
Bt33430435
IJERA Editor
 
Bt33430435
IJERA Editor
 
CLASSIFICATION PROCEDURES FOR INTRUSION DETECTION BASED ON KDD CUP 99 DATA SET
IJNSA Journal
 
CLASSIFICATION PROCEDURES FOR INTRUSION DETECTION BASED ON KDD CUP 99 DATA SET
IJNSA Journal
 
Vol 6 No 1 - October 2013
ijcsbi
 
Review of Intrusion and Anomaly Detection Techniques
IJMER
 
AN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMS
ieijjournal
 
AN IMPROVED METHOD TO DETECT INTRUSION USING MACHINE LEARNING ALGORITHMS
ieijjournal1
 
Intrusion detection system: classification, techniques and datasets to implement
IRJET Journal
 
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
ijceronline
 
Role of data mining in cyber security
Khaled Al-Khalili
 
A Study on Data Mining Based Intrusion Detection System
AM Publications
 
Survey on Host and Network Based Intrusion Detection System
Eswar Publications
 
Network Intrusion Detection System Based on Modified Random Forest Classifier...
IRJET Journal
 
Survey of network anomaly detection using markov chain
ijcseit
 
International Journal of Computer Science, Engineering and Information Techno...
ijcseit
 

Recently uploaded (20)

PDF
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
PDF
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
Chris Sistrunk
 
PPTX
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
PDF
Insiders guide to clinical Medicine.pdf
AbhishekPatil315128
 
PPTX
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
PDF
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
PPTX
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
kawisojames10
 
PDF
O7-L3 Supply Chain Operations - ICLT Program
labyankof
 
PDF
RMMM.pdf make it easy to upload and study
sajedul2
 
PDF
Computing-Curriculum for Schools in Ghana
abigailanane203
 
PDF
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
PPTX
Institutional Correction lecture only . . .
limvtheghins
 
PPTX
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 
PDF
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
PDF
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
PDF
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
PDF
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
PDF
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 
PPTX
master seminar digital applications in india
ananyaray35
 
PDF
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
Chris Sistrunk
 
Introduction_to_Human_Anatomy_and_Physiology_for_B.Pharm.pptx
chetansingh379583
 
Insiders guide to clinical Medicine.pdf
AbhishekPatil315128
 
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
kawisojames10
 
O7-L3 Supply Chain Operations - ICLT Program
labyankof
 
RMMM.pdf make it easy to upload and study
sajedul2
 
Computing-Curriculum for Schools in Ghana
abigailanane203
 
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
Institutional Correction lecture only . . .
limvtheghins
 
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
 
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
banteamlakmebratu738
 
Module 4: Burden of Disease Tutorial Slides S2 2025
Jonathan Hallett
 
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
 
master seminar digital applications in india
ananyaray35
 
O5-L3 Freight Transport Ops (International) V1.pdf
labyankof
 

Intrusion detection using data mining

  • 1. By Shishir Shandilya(0610101041) Rajesh Ghildiyal(06180101036) Balbeer Singh Rawat(06180101006) Under the Guidance of MR. Ajit Singh
  • 2. Problem Definition  An Intrusion Detection System is an important part of the Security Management system for computers and networks that tries to detect break-ins or break-in attempts.  Approaches to Solution  Signature-Based  Anomaly Based.
  • 3. Types of Intrusion Detection  Classification I  Real Time  After-the-fact (offline)  Classification II  Host Based  Network Based
  • 4. Approaches to IDS Technique Signature Based Anomaly Based Concept  Model well-known Model is based on normal behavior of the attacks system  use these known Try to flag the deviation from normal patterns to identify pattern as intrusion intrusion. Pros and  Specific to attacks  Usual changes due to traffic etc may lead Cons can not extend to higher number of false alarms . unknown intrusion patterns( False Negatives)
  • 5. Approaches for IDS Network-Based Host-Based •Are installed on N/W •Are installed locally on Switches host machines •Detect some of the attacks, that host-based systems don’t. E.g.. DOS, Fragmented Packets.
  • 6. Recommended Approach  None provides a complete solution  A hybrid approach using HIDS on local machines as well as powerful NIDS on switches
  • 7. Attack Simulation  Types of attacks  NIDS ○ SYN-Flood Attack  HIDS ○ ssh Daemon attack.
  • 8. NIDS – Data Preprocessing  Input data  tcpdump trace.  Huge  One data record per packet  Features extracted(Using Perl Scripts)  Content-Based Group records and construct new features corresponding to single connection  Time-Based Adding time-window based information to the connection records (Param: Time-window)  Connection-Based Adding connection-window based information (Param: Time-window)
  • 9. Preprocessing on tcpdump  From the tcpdump data we extracted following fields  src_ip ,dst_ip  src_port, dst_port  num_packets_src_dest / num_packets_dest_src  num_ack_src_dst/ num_ack_dst_src  num_bytes_src_dst/ num_bytes_dst_src  num_retransmit_src_dst/ num_retransmit_dst_src  num_pushed_src_dst/ num_pushed_dst_src  num_syn_src_dst/ num_syn_dst_src  num_fin_src_dst/ num_fin_dst_src  connection status
  • 10. Preprocessing on tcpdump cont…  Time-Window Based Features  Count_src/count_dst  Count_serv_src/ count_serv_dest  Connection-Window Based  Count_src1 /count_dst1  Count_serv_src1/ count_serv_dest1
  • 11. NIDS- Datamining Technique  Outlier Detection  Clustering Based Approach(K-Means) ○ Outlier Threshold ○ Preprocessed dataset  K-NN Based Approach ○ distance threshold ○ Preprocessed dataset  Results  Clustering did not give good results. ○ Limited Data  K-NN ○ Giving Alarms
  • 12. HIDS – Data Preprocesing  Input data  “strace” system call logs for a particular process(sshd)  One data record per system call  Sliding-Window Size for grouping.  Features extracted(Using Perl Scripts)  Sliding the window over the trace to generate possible sequences of system calls.
  • 13. HIDS – Data Preprocessing cont… a d f g a e d a e b s d e a ad f g d f g a f g a e g a e d a e d a e d a e d a e b a e b s e b s d b s d e s d e a
  • 14. Datamining Technique Used  Learning to predict system calls  Predict ith system call for each test record<p1, p2,p3>  Done using Classification (Decision Trees)  Anomaly Detection  Use of misclassification score to detect anomalies
  • 15. Literature Survey  Types of attacks (Host and Network Based)  Techniques  Association rules and Frequent Episode Rules over host based and network based  Outlier Detection using clustering  classification
  • 16. Future Work  NIDS  To incorporate threshold distance as a configurable parameter for K-Means Algorithm used  HIDS  Try out meta-learning algorithms for classification  A small user Interface for configuring parameters.
  • 17. References  “Mining in a data-flow Environment: Experience in Network Intrusion Detection”, W. Lee, S. Stolfo, K. Mok.  “Mining audit data to build intrusion detection models”, W. Lee, S. Stolfo, K. Mok.  “Data Mining approaches for Intrusion Detection”, W. Lee S. Stolfo.  “A comparative study of anomaly detection schemes in network intrusion detection”, A. Lazarevic, A ozgur, L. Ertoz, J. Srivastava, Vipin Kumar.  “Anomaly Intrusion detection by internet datamining pf traffic episodes” Min Qin & Kai Gwang.  “A database of computer attacks for the evaluation of Intrusion Detection System”, Thesis by Kristopher Kendall.