Simulation system for computer network intrusion detection. +CD

number: 
1810
English
department: 
Degree: 
Imprint: 
Computer Science
Author: 
Susan Mohammed Najim Aldean Al-Naqshbandi
Supervisor: 
Dr.Venus W. Samawi
Dr. Sattar B. Sadkhan
year: 
2007

Abstract:

Intrusion Detection Systems (IDSs) reinforce firewalls by adding another layer of security to computer systems. This extra security is becoming an increasing necessity as internet services grow and systems holding sensitive data are more commonly opened to internet access. An IDS's responsibility is to detect patterns of suspicious network traffic on the open ports. The purpose of this thesis is to contribute some ideas that will be a step forward in finding a solution for detecting attacks by developing a proper Artificial Immune System (AIS). Genetic Algorithms (GAs) are now a possible alternative for the detection of malicious intrusions. Normal and abnormal behavior in networked computers is hard to predict because the boundary between them cannot be well defined. This prediction process may generate false alarms in many anomaly-based intrusion detection systems. With fuzzy logic, however, the false alarm rate in determining intrusive activities can be reduced: a set of fuzzy rules (fuzzy classifiers) can be used to define normal and abnormal behavior in a computer network. A fuzzy-genetic classifier may therefore achieve the aim. The main aim of this research is to evolve comprehensible rule(s) that improve the classification rate of the prediction process (i.e. discriminating attacks from normal behavior), produce shorter rules, and perform automatic feature selection according to the complexity of the data. The proposed system combines anomaly-based intrusion detection with misuse detection. To do so, a detection phase for the immune system is suggested, whose implementation is based on Genetic Fuzzy Systems (GFSs). Genetic algorithms are used to tune the fuzzy membership functions and to select an appropriate set of features, and then to generate proper prediction rule(s).
Three types of training approach are suggested: the General Data Splitting method (Normal and Attack data); the Data Filtering Splitting method, in which the whole data set is divided into five classes (Normal data, Probing attack, DoS attack, U2R attack, R2L attack); and Feature Ranking, which ranks the importance of the input features for each of the five classes of patterns in the DARPA (Defense Advanced Research Projects Agency) data. In this work, two types of classifier are suggested and implemented: the One-Rule-Classifier and the Voter-Classifier. In order to evaluate the performance of the proposed intrusion detection approach, a standard data set, KDD (the Knowledge Discovery in Databases dataset, prepared and managed by the Massachusetts Institute of Technology's (MIT) Lincoln Laboratory), is used. The KDD dataset includes a wide variety of intrusions simulated in a network environment. The suggested classifiers were tested over the entire dataset to evaluate real-world performance. The preliminary results are promising and allow us to conclude that the chromosome encoding used and its associated rule-set representation are a good alternative for extracting a small set of comprehensible rules with a high classification (detection) efficiency rate, attaining 99.99%. The generated model may be installed on an existing Intrusion Detection System for further analysis of its performance.
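As an added illustration of the fuzzy-genetic One-Rule-Classifier described in the abstract (example code written for this page, not the thesis's own implementation), the block below encodes one fuzzy rule as a chromosome with a (used, center, width) gene per feature, so that a GA tunes the membership functions and selects features in the same search, and scores each rule by classification rate minus a penalty per selected feature so that shorter rules win. The triangular membership shape, the min t-norm, the 0.5 firing threshold, the 0.02 length penalty and the KDD-style records are all assumptions constructed here.

```python
import random
# Constructed KDD-style connection records (illustrative values, not real KDD rows):
# features = (duration, src_bytes, count, serror_rate); label "normal" or "attack".
RECORDS = [
    ((0, 215, 2, 0.0), "normal"), ((2, 1100, 4, 0.0), "normal"),
    ((1, 330, 6, 0.0), "normal"), ((5, 2400, 1, 0.0), "normal"),
    ((0, 0, 511, 1.0), "attack"), ((0, 0, 480, 0.95), "attack"),
    ((0, 0, 400, 1.0), "attack"), ((0, 0, 505, 0.9), "attack"),
]
FEATURE_MAX = [max(x[i] for x, _ in RECORDS) or 1 for i in range(4)]

def normalize(x):
    # scale every feature into [0, 1] so one membership-function shape fits all of them
    return [v / m for v, m in zip(x, FEATURE_MAX)]
def membership(v, center, width):
    # triangular fuzzy membership: 1 at the centre, falling to 0 at centre +/- width
    return max(0.0, 1.0 - abs(v - center) / width)
def firing_strength(chromosome, x):
    # chromosome = one gene (used, center, width) per feature; the "used" flag is where
    # feature selection happens, and the selected antecedents are ANDed with the min t-norm
    degrees = [membership(v, c, w) for (used, c, w), v in zip(chromosome, normalize(x)) if used]
    return min(degrees) if degrees else 0.0

def classify(chromosome, x):
    return "attack" if firing_strength(chromosome, x) >= 0.5 else "normal"
def fitness(chromosome, records):
    # classification rate minus a small penalty per selected feature (prefers shorter rules)
    used = sum(1 for g in chromosome if g[0])
    correct = sum(classify(chromosome, x) == y for x, y in records)
    return correct / len(records) - 0.02 * used if used else 0.0
def random_gene(rng):
    return (rng.random() < 0.5, rng.random(), rng.uniform(0.1, 0.6))
def evolve(records, generations=60, pop_size=40, seed=1):
    # plain generational GA: truncation selection, one-point crossover, gene mutation, elitism
    rng = random.Random(seed)
    n = len(records[0][0])
    pop = [[random_gene(rng) for _ in range(n)] for _ in range(pop_size)]
    for _ in range(generations):
        pop.sort(key=lambda c: fitness(c, records), reverse=True)
        parents, children = pop[:pop_size // 2], [pop[0]]  # keep the best rule (elitism)
        while len(children) < pop_size:
            a, b = rng.sample(parents, 2)
            cut = rng.randrange(1, n)
            child = a[:cut] + b[cut:]
            if rng.random() < 0.3:
                child[rng.randrange(n)] = random_gene(rng)
            children.append(child)
        pop = children
    return max(pop, key=lambda c: fitness(c, records))
```

`evolve(RECORDS)` returns the fittest rule; the genes whose first element is `True` name the features the evolved rule actually relies on, which is the automatic feature selection the abstract describes.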