IMMIX-Intrusion Detection and Prevention System

for Computing, Communication, Controls, Energy and Materials (ICSTM),

Vel Tech Rangarajan Dr. Sagunthala R&D Institute of Science and Technology, Chennai, T.N., India. 6 - 8 May 2015. pp.96-101.

IMMIX-Intrusion Detection and Prevention System

Sarode Harshal Vasudeo1, Prof. Pravin Patil2 and R. Vinoth Kumar3
1
M. Tech. Wireless and Network Security, Center for Development of Advance Computing, Pune, India
2
Computer Engineering, PICT, Pune, India
3
Asst. Prof. Department of Information Technology, VelTech University, Chennai, India
Email: 1sarodeharshal123@gmail.com, 2prpatil@pict.edu, 3vinothkumar.r@veltechuniv.edu.in

Abstract— Computer security has become a major problem in

our society. Specifically, computer network security is
concerned with preventing the intrusion of an unauthorized
person into a network of computers. An intrusion detection
system (IDS) is a tool to monitor the network traffic and users
activity with the aim of distinguishing between hostile and non-
hostile traffic. Most of current networks implement Misuse
detection or Anomaly detection techniques for Intrusion
detection. By deploying misuse based IDS it cannot detect
unknown intrusions and anomaly based IDS have high false
positive rate for detection. To overcome this, proposed system
uses combination of both network based and host based IDPS
as Hybrid Intrusion Detection and Prevention System which
will be helpful for detecting maximum attacks on networks.
Keywords— anomaly based; attacks; classification; intrusion
detection; intrusion prevention; misuse based;
single system administrator can monitor whole networks as
well as host systems.
II. SURVEY
Intrusion is set of action used to compromise security of the
network components in terms of Confidentiality, Integrity
and Availability. This can be done by an internal or external
person to get unauthorized access to systems.
To secure infrastructure of networked components intrusion
detection system (IDS) provide mechanisms which will
gather and analyze information from various network
resources using host or network to identify possible security
breaches.

I. INTRODUCTION Intrusion detection systems provides functionality like

Computer systems are handling large amount of data over
networks, so that data communications must be secure
enough to transceiver data. In earlier day’s firewalls, data
encryptions, antivirus are used to prevent unauthorized
access to network system.
But these tools are compromised and accessed data. There is
one tool called intrusion Detection System which will be
used to monitor unwanted attempts to access, attacks or
manipulate user data over the network called Network
Intrusion Detection System.
Host based Intrusion Detection Systems are used to monitor
particular host in the network. This system cannot identify
network based attacks and vise versa so we have to create a
system which can monitor both host system based intrusion
and network based intrusion in the single system so that it
will be handy to network administrators to ease their work
by eliminating two different systems monitoring. Using a
monitoring and analyzing user systems and network
activities, configuring systems for generation for possible
vulnerabilities, file integrities, access control for specific
files, recognizing pattern of typical attacks, user policy
violation and analyzing abnormal activity of the user.
Intrusion detection system works on the principle of
intrusion activities are different from normal system
activities and that can be detectable by intrusion detection
system.
There are different types of attacks mainly external and
internal. Internal intruders have authorized to access the
system but they are not super user or root access to system.
External intruders are unauthorized users of machine.
A. Different Types of Attacks [2][4]:
1. Virus Attacks— This is self replicating program that will
infect system files without permission of user. This will
increase infection rate if the file is on Network File
System and accessed by another computer.

1
2. Worm— This self replicating program propagates
through the network without user permission and highly
consumes bandwidth and harm network.
3. Trojan— This is malicious program does not replicate
itself but gives a backdoor access to the system, so that
hacker can be able to control user system without user
permission.
4. Denial of Service (DoS)— It attempts to block access to
computer or network resources. This can be
implemented by forcing target computer to reset or
consuming own resources, because of this no user can
communicate each other due to non-availability of
resource.
5. Network Attack— Any process is used maliciously to
attempt to compromise security of network from data
link layer to application layer by changing protocols or
by injecting false user information to illegally access
network resources.
6. Password Attack— This can be performed by logging in
as different passwords using dictionary attack.
7. Information Gathering Attack— It is used for finding
known vulnerability of existing system through scanning
host system or network.
8. User to Root— By exploiting existing vulnerabilities to
access super user privileges using normal user logging
system. It includes password sniffing, dictionary attack
B. Classification of Intrusion Detection System[2]
There are two types of Intrusion Detection Systems
1. Host-based Intrusion Detection System
2. Network-based Intrusion Detection System
1) Host-Based Intrusion Detection System
A Host-based Intrusion Detection System monitors only the
host system and analyses internals of system working not
includes its external interfaces connected to it. Normally
host based system monitors System Calls which are
generated from User installed programs or Operating
system itself [3].
It also detects which program is using which files and
resources and its access privileges. For example, any newly
installed program starts to collect user information and try
to send it over network or document processor suddenly
starts finding Logs folder of system.
2) Network-Based Intrusion Detection System
A Network-based Intrusion Detection System detects
intrusion in networked data. Intrusion normally occurs in
anomalous patterns through data in sequential manner. The
anomaly attacks are launched by the outsider’s attackers
who want unauthorized access to network resources and
steal information. Normally network is connected to rest of
the world throughout internet. The NIDS reads all the
packets which are coming from outside and tries to find
suspicious patterns. For example if large number of TCP
Port connection is happened between fractions of seconds
we can assume someone tries to commit port scan on
computers in the network. NIDS also provides valuable
information from attack packets like ip address of attacker.
Misuse based intrusion detection systems usually find
known patterns from flow of data but Anomaly based
intrusion detection system tries to find unusual data patterns
flowing through network data.
Typically intrusion detection mechanisms are classified in
to three types (i) Misuse-based [1] (ii) Anomaly based [1]
and (iii) Hybrid detection mechanisms [2]. Hybrid
intrusions detections are most effective because they can
detect both known as well as unknown types of attacks.
1) Misuse-Based Techniques
These techniques used to find known set of attack
signatures which are already predefined in set of Rules. It
will only detect known pattern of attacks which are in rules.
Here writing signatures which contains all types of
variations of attack pattern is complicated assignment.
2) Anomaly-Based Techniques
These techniques are used to find anomalous patterns which
are flowing over the network and which are not generated
from normal user and it can be detected by data analysis
algorithms. It analyses traffic with the help of learning the
expected behavior of system for particular events. It
monitors traffic for long time and generate alarm when
significant deviation occurs. There are three types of
anomalies viz. (i) Point Anomalies (ii) Contextual
Anomalies (iii) Collective Anomalies, Point anomaly is
considered if one instance of data is anomalous with other
rest of data within the context, Contextual anomaly is
considered if instance of data in anomalous with respect to
other in specific context not otherwise most likely its
depends on Contextual and Behavioral attributes, Collective
anomaly in considered when collection of data set is
anomalous with respect to entire data set like individual
data is not anomalous but collection of occurrence of all
individual instance of data set is anomalous [3].
III. FINDINGS OF SURVEY
Most of current intrusion detection system are used to
functioning as for only one type of monitoring system,
means network based intrusion detection systems are useful
2015 International Conference on Smart Technologies and Management for Computing, Communication, Controls, Energy and
Materials
to the network infrastructure not for the host based network If all instances in Set Z are negative. Create a NO node and
and Host based intrusion detection systems are used to stop.
monitor only host systems which will monitor file integrity
of system, file access permission and monitors each and Otherwise select attribute A with values N1, …, Nn and
every program on the host. create a decision node.

Each system have its own control panel to monitor and
modify rules for detection and report generation so that
network or system administrators have to simultaneously
work on two systems which increases workload to the
administrator.
IV. PROBLEM IDENTIFIED TO BE SOLVED
The existing systems are bound to single type of system.
We have to create a system that will monitor both network
and host based system using single system control panel so
that it is easy to administrator to monitor whole association
activity in single panel.
V. JUSTIFICATION OF SURVEY TO SOLVE IDENTIFIED
PROBLEM
By using proposed system we can detect both signature
based network attacks, anomaly based network attacks and
configuring rules belonging to particular host operating
systems we can also detect host based attacks. This system
also handles known and unknown types of attacks.
Step 2: Partition the training instances in Z into subsets
Z1,Z2,….,Zn according to the values of N.
Step 3: apply these steps recursively to each of sets of Zi
then STOP.
Given a collection S of c outcomes
Entropy(S) = ∑ - p(I) log2 p(I)
where p(I) is the proportion of S belonging to class I. ∑ is
over c. Log2 is log base 2.
Note that S is not an attribute but the entire sample set.
Gain(S, A) is information gain of example set S on attribute
A is defined as [11]
Gain(S, A) = Entropy(S) - ∑ ((|SN| / |S|) * Entropy(SN))
Where:
∑ is each value N of all possible values of attribute A
SN = subset of S for which attribute A has value N
|SN| = number of elements in SN
|S| = number of elements in S

VI. TOOLS, ALGORITHMS AND LANGUAGES USED

A. Tools
Each Intrusion Detection and Prevention System is
integrated with SNORT based rules database to distinguish
normal traffic and suspicious traffic. These SNORT rules
are modified and generalized using text editor. We can be
able to create our own rules to detect and prevent attacks.

B. Algorithms[11]
We are using Decision based algorithm for classification of
data as anomalous and other data. Cluster based algorithm Fig. 1. ID3 Algorithm Tree
is used to further clustering of classified data. Iterative
Dichotomiser 3 which is used in machine learning and C. Language
natural language processing fields. It is based on Concept Java is open source language and network libraries are also
Learning System algorithm. available for capturing and analyzing data packets. Its
platform independent so that we can run this code on any
The algorithm steps are as follows: system which has Java Development Kit / Java Runtime
Environment.
Step 1: if all instances in Set Z are positive, then create YES
node and stop.

98
 VII. SOLUTION PROPOSED
The proposed model consists of three main components
i) Network based Intrusion Detection and Prevention
System (NIDPS)
ii) Host-based Intrusion Detection and Prevention System
(HIDPS)
iii) Centralized Administrative Intrusion Detection
Prevention Panel (CAIDPP).
Model Architecture
Fig. 2. Proposed Model of IMMIX-IDPS System
A. NIDPS Architecture
It using multithreading approach to capture the data packets
and parsed it in to multiple threads for concurrent execution
for handling large amount of data and send it to the queue
handler. The data packets from queue handler will be
checked for both Signature based and Anomaly based
intrusion detection.
We are using Snort [12] rule database for detecting
malicious traffic on network, Snort uses its rule format for
checking packet heeders, source port, destination port and
its payload, metadata. It uses pattern matching technique.
If packet is clean then it will be forwarded for further
processing and if it is malicious it will give alert to
administrative panel and the same will be forwarded to
Centralized Administrative Intrusion Detection Prevention
Panel (CAIDPP).
Fig. 3. Proposed Model of NIDPS System
B. HIDPS Architecture
Its detection engines are customized signatures and rules
specific to operating system and most common applications
of host machine. It uses already created system snapshot of
all files to monitor current state from previous state and if
any file is modified it will create log for that.
We are proposing our own rule file format for detecting
anomalous changes in host system. Rule formats are being
considering File Monitor, Registry Rules, Process Rules and
Service Rules.
File Monitor rules consists of File ID, Rule Tag Name,
Included Files or Directories, File Name, Files Creation
date, File Modification Date, File Original MD5 Hash, File
Owner Name, File Permissions.
Registry Rule contains Registry Rule ID,
RegRuleTagName, Registry Values that should be
monitored which are included in Include Block and registry
keys that we don’t want to monitor which are placed in
Exclude Block.
Process Rule consists of Process Rule ID,
ProcRuleTagName for monitoring running processes.
Service Rule contains Service Rule ID, SrvcRuleTagName,
it includes all services which are running in Include Block
and services which we don’t want to monitor are included in
Exclude Block.
The incoming traffic is gone through Signature based and
Anomaly based intrusion detection if packets are malicious,
alert will be generated to administrative panel and same will
be forwarded to (CAIDPP) and if packets are clean they are
forwarded for further processing.
Fig. 4. Proposed Model of HIDPS System
C. CAIDPP Architecture
This is centralized intrusion detection and prevention panel
to collect data from both Administrative panels and log
them for generating repots. Using JSON technology we are
communicating to both NIDPS and HIDPS to monitor them
from this centralized panel. Modifying rules for both
systems also it will send report to particular email address
provided.
VIII. RESULTS
We have implemented the system and successfully got
many results on both Linux and Windows which are
attached in this paper. We have registered jpcap, libpcap for
capturing data from promiscuous network adapters and
jnotify library for file monitoring on Linux and Windows.
Fig. 5. File Monitoring of HIDPS System
Fig. 6. List of Network Adapters to Capture Data
Fig. 7. Capturing Data on WiFi Network Adapter
Fig. 8. WiFi Access Point List
Fig. 9. IP Address to Block
IX. CONCLUSION
Using this system it is easy to Administrator to monitor
enterprise network perimeter in all three ways namely
private, public and wireless network, all using single
system. Using host based system we can monitor each host
in private network for malicious activity and if detected we
can take possible action or change rule from centralized
server system. Using network based system we can monitor
network for malicious activity and if detected administrator
can take various actions against threat. Using wireless based
system we can monitor companies wireless network for wifi
based attacks and prevent them.
ACKNOWLEDGMENT
The author wishes to thank to Mrs. Vaishali Maheshkar,
Senior Technical Officer, C-DAC, Pune and R&D Dept. C-
DAC, Pune, for their counsel in the preparation of this
paper.
REFERENCES
[1] Fauzia Idrees, Muttukrishnan Rajarajan, A.Y. Memon,
“Framework for Distributed and Self-healing Hybrid
Intrusion Detection and Prevention System” 978-1-
4799-0698-7/13/$31.00 ©2013 IEEE, ICTC2013
[2] Monowar H. Bhuyan, D. K. Bhattacharyya, and J. K.
Kalita, “Network Anomaly Detection: Methods,
Systems and Tools” IEEE Communications Surveys &
Tutorials, vol. 16, no. 1, First Quarter 2014, 1553-
877X/14/$31.00 _c 2014 IEEE
[3] V. Chandola, A. Banerjee, and V. Kumar, “Anomaly
Detection : ASurvey,” ACM Computing Surveys, vol.
41, no. 3, pp. 15:1–15:58, September 2009.
[4] Przemyslaw Kazienko & Piotr Dorosz (April 2003)
[Online] . Available:
http://www.windowsecurity.com/articles-
tutorials/intrusion_detection/Intrusion_Detection_Syst
ems_IDS_Part_I network_intrusions_attack_sympto
ms_IDS_tasks_and_IDS_architecture.html
[5] SebastianZ (Dec 2013) [Online] Available:
http://www.symantec.com/connect/articles/security-
11-part-3-various-types-network-attacks
[6] Mr. Brijain R Patel, Mr. Kushik K Rana, “A Survey on
Decision Tree Algorithm for Classification”,
International Journal of Engineering Development and
Research, 2014 IJEDR | Volume 2, Issue 1 | ISSN:
2321-9939
[7] Ismail Butun, Salvatore D. Morgera, and Ravi Sankar,
“A Survey of Intrusion Detection Systems in Wireless
Sensor Networks”, IEEE Communications Surveys &
Tutorials, vol. 16, no. 1, First Quarter 2014
[8] Shalvi Dave, Bhushan Trivedi and Jimit Mahadevia,
“Efficacy of Attack Detection Capability of IDPS
Based on its Deployment in Wired and Wireless
Environment”, International Journal of Network
Security & Its Applications (IJNSA), Vol.5, No.2,
March 2013, DOI : 10.5121/ijnsa.2013.5208
[9] Jialong He. Important Windows Files Folders and
Tools [Online] Avaliable: http://www.cheat-
sheets.org/saved-copy/Windows_folders_quickref.pdf
[10] Avishek Kumar, Linux Directory Structure and
Important Files Paths Explained, (September 16, 2013)
[Online] Available: http://www.tecmint.com/linux-
directory-structure-and-important-files-paths-
explained/
[11] The ID3 Algorithm (Nov 1997) [Online] Available:
http://www.cise.ufl.edu/~ddd/cap6635/Fall-97/Short-
papers/2.htm
[12] J. Gomez, C. Gill, N. Padilla, R.Banos, C. Jimenez,
“Design of a Snort-Based Hybrid Intrusion Detection
System” S. Omatu et al. (Eds.): IWANN 2009, Part II,
LNCS 5518, pp. 515–522, 2009. © Springer-Verlag
Berlin Heidelberg 2009