Seminar-I Report
On
SUBMITTED BY
Sagar B. Jadhav
2022-23
MET’s Institute of Technology-Polytechnic (BTech)
Bhujbal Knowledge City
Adgaon, Nashik
CERTIFICATE
Semester-III
Abstract:
A machine learning-based intrusion detection system (IDS) has become essential to safeguarding our economic and national security, given the enormous volumes of data generated every day and the ever-increasing interconnectedness of the world's internet infrastructures. Previous shallow learning and deep learning strategies for intrusion detection rely on a single learning model. A single learning model may have difficulty learning the increasingly complex data distribution of intrusion patterns; a single deep learning model, in particular, might not be able to capture the distinctive patterns of intrusive attacks when the sample size is limited. We suggest the Big Data based Hierarchical Deep Learning System (BDHDLS) to further improve the performance of machine learning-based IDS. [1]
Keywords:
Index
Chapter No.   Chapter Name         Page No.
1             Introduction         6
2             Literature survey    14
3             Technical Details    16
4             Future Scope         21
5             Conclusion           23
6             References           24
List of Figures
Introduction
An intrusion is sometimes also described as a hacker or cracker attempting to break into or misuse your system. The 1980 report that introduced the concept of intrusion detection defined an intrusion attempt, or threat, as the potential possibility of a deliberate unauthorized attempt to access information, manipulate information, or render a system unreliable or unusable. Intrusion detection systems do exactly what the name suggests: they detect possible intrusions. More specifically, IDS tools aim to detect computer attacks and/or computer misuse and to alert the proper individuals upon detection. An intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack by someone attempting to break into or compromise a system. An IDS installed on a network serves much the same purpose as a burglar alarm installed in a house: through various methods, both detect when an intruder, attacker or burglar is present, and both subsequently issue some type of warning or alert.
1.1] Problem Definition in Detail:
For example, an IDS might inspect the data carried by network traffic to see whether it contains known malware or other malicious content. If it detects this type of threat, it sends an alert to your security team so they can investigate and remediate it. Once the team receives the alert, they must act quickly to prevent the attack from taking over the system. To ensure that an IDS does not slow down network performance, these solutions often use a switched port analyzer (SPAN) or test-access port (TAP) to analyze a copy of the inline traffic rather than sitting in the traffic path itself. However, unlike intrusion prevention systems, they do not block threats once those threats have entered the network.
The information produced by an intrusion detection system can also help the security team in its wider work.
1.2] Justification of a problem:
In the modern world, where hostile attacks on computer systems are on the rise, it is obvious that we need an intrusion detection system. Malicious code poses a genuine and constant threat, from hackers stealing personal information to cybercriminals launching ransomware attacks. Computer systems can be shielded against these dangers with the use of an intrusion detection system. Both questionable or potentially harmful programme instructions and malicious code within executable files can be found with this tool. The system can identify harmful code by examining a program's instructions and alerting the user, so that they may take precautions to protect their machine.
Because the system can recognise instructions that are not part of the intended programme and notify the user to take appropriate action, it can also offer an additional layer of defence against malware and other dangerous code. For every corporation that wants to secure its systems, an intrusion detection system is a vital tool for defending computer systems against malicious attacks. An intrusion detection system can produce false positives if it is not properly calibrated; this often happens when the system is not configured correctly or is not trained properly. An intrusion detection system can be expensive to implement, especially if a business requires a large number of sensors or cameras. An intrusion detection system can also intrude on the privacy of users by capturing their activities without their knowledge or consent.
1.3] Need of proposed system:
Robotics, artificial intelligence (AI)-assisted customer support, and automated online training are just a few examples of the many uses for the IDS. The technology can give consumers more precise and customised solutions by recognising instructions in a natural language environment. Because the system can recognise and comprehend instructions rapidly and precisely, it can also be used to help eliminate the need for manual labour.
Literature Review
Usman Shuaibu Musa states that computer network availability, integrity and confidentiality problems arise as a result of the exponential expansion in computer network use. As a result, network administrators are forced to implement a variety of intrusion detection systems (IDS) that help keep an eye on network traffic for harmful and unauthorised activity. When a security policy is violated with malicious intent, it is called an intrusion. In order to look for malicious activity and known dangers, intrusion detection systems monitor traffic passing through the computer systems on a network, and when they discover threats they raise alarms. There are two methods for identifying malicious activity: signature-based detection (also called misuse detection) and anomaly detection. In the first, an IDS gathers data, analyses it, and then compares it against attack signatures kept in a sizable database. The second, anomaly detection, considers any action that deviates from customary behaviour to be malicious activity. The paper provides a summary of the several efforts made to develop an effective IDS using single, hybrid and ensemble machine learning (ML) classifiers, each of which has been tested on a different dataset. The discussion and comparison of the results from the various works gives a clear path and direction for future study. [2]
Technical Details
HIDS inspect data that originates from the host system and its audit sources, such as operating system logs, Windows server logs, firewall logs, application audit records, or database logs. HIDS can detect insider attacks that do not involve network traffic (Creech & Hu, 2014a).
NIDS monitor the network traffic extracted from a network through packet capture or NetFlow. NIDS can observe malicious activity initiated by an external threat at an early phase, before the threat spreads to other computer systems.
IDS Techniques
Now that we have examined the two basic types of IDS and why they should be used together, we can investigate how they go about doing their job. For each of the two types, there are two basic techniques used to detect intruders:
Misuse detection (signature detection or pattern detection)
Anomaly detection (behaviour detection)
Misuse Detection (Signature-based IDS or Pattern Detection)
Almost all IDSs are signature based, also known as knowledge based. Signature-based IDSs monitor network traffic and analyze this traffic against specific predefined attack signatures. When an attack is detected, an alarm is generated. This means that any traffic that does not specifically match a signature is considered safe, so signature-based IDSs require that the signature base be updated regularly to detect new exploits. If legitimate network traffic triggers an alarm, this is called a false positive. The number of false positives generated by signature-based IDSs can be significantly lower than for behaviour-based IDSs.
A signature-based IDS monitors packets on the network and compares them against a database of signatures or attributes from known malicious threats. This is similar to the way most antivirus software detects malware. The issue is that there is a lag between a new threat being discovered in the wild and the signature for detecting that threat being applied to your IDS; during that lag your IDS is unable to detect the new threat.
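The two techniques described above side by side, as an added example (not code from the report or from any cited paper): a signature engine that matches request paths against a small constructed signature base, and a behaviour engine that flags a source whose request volume is far outside the population. The log lines, the signature names, the source addresses and the z-score threshold are all constructed here. The example also exhibits both weaknesses the text names: a legitimate search that trips a signature (a false positive), and a probing source that no signature covers yet but that the anomaly engine notices.

```python
"""Signature-based (misuse) detection beside anomaly (behaviour) detection.

Added example, not code from the report or from any cited paper. The log
lines, the signature list and the z-score threshold are all constructed here.
"""
import re
import statistics
from collections import Counter

# Constructed signature base: name -> pattern matched against the request path.
# A real base is far larger and must be updated as new exploits are published.
SIGNATURES = {
    "sqli-union": re.compile(r"union\s+select", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}

# Constructed web-server style log lines, "<source ip> <request path>".
# 10.0.0.6 is a legitimate search for a SQL tutorial (a false positive for the
# signature engine); 10.0.0.42 is a source that probes 40 URLs, none of which
# matches any signature, so only the behaviour-based detector can notice it.
LOG_LINES = (
    [
        "10.0.0.5 /index.html",
        "10.0.0.5 /about.html",
        "10.0.0.6 /search?q=union select tutorial",
        "10.0.0.7 /login?user=a' union select 1,2 --",
        "10.0.0.9 /static/../../etc/passwd",
    ]
    + [f"10.0.0.{i} /index.html" for i in range(11, 20)]
    + [f"10.0.0.42 /probe{i}" for i in range(40)]
)


def parse(line):
    """Split a constructed log line into (source ip, request path)."""
    src, _, path = line.partition(" ")
    return src, path


def signature_alerts(lines):
    """Misuse detection: report (source, signature name) for every request
    that matches a known signature. Requests matching nothing are treated as
    safe, which is exactly why a stale signature base misses new threats."""
    alerts = []
    for line in lines:
        src, path = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((src, name))
    return alerts


def anomaly_alerts(lines, z_threshold=2.5):
    """Behaviour detection: report sources whose request count lies more than
    z_threshold population standard deviations above the mean over all sources."""
    counts = Counter(parse(line)[0] for line in lines)
    values = list(counts.values())
    mean = statistics.mean(values)
    spread = statistics.pstdev(values)
    if spread == 0:
        return []  # every source behaves identically; nothing stands out
    return [src for src, n in counts.items() if (n - mean) / spread > z_threshold]


if __name__ == "__main__":
    for src, name in signature_alerts(LOG_LINES):
        print(f"signature alert: {src} matched {name}")
    for src in anomaly_alerts(LOG_LINES):
        print(f"anomaly alert: {src} request volume is unusual")
```

Running the block reports 10.0.0.6, 10.0.0.7 and 10.0.0.9 from the signature engine (the first being the false positive) and only 10.0.0.42 from the anomaly engine. The threshold is a tuning knob: lowering it catches subtler deviations at the cost of more false positives, which is the calibration trade-off the text raises.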
3.1] HOW DOES IDS WORK?
Intrusion detection systems serve three essential security functions: they monitor, detect, and respond to unauthorized activity by company insiders and outside intruders. Intrusion detection systems use policies to define certain events that, if detected, will issue an alert. In other words, if a particular event is considered to constitute a security incident, an alert is issued when that event is detected. Certain intrusion detection systems can send out alerts so that the administrator of the IDS receives a notification of a possible security incident in the form of a page, email, or SNMP trap. Many intrusion detection systems not only recognize a particular incident and issue an appropriate alert; they also respond automatically to the event. Such a response might include logging off a user, disabling a user account, or launching scripts. In terms of response, IDS are classified as:
Passive system: in a passive system, the IDS detects a potential security breach, logs the information and signals an alert.
Reactive system: in a reactive system, the IDS responds to the suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source.
Host Based Intrusion Detection Systems: A host IDS (HIDS) uses a piece or pieces of software on the system to be monitored. The loaded software uses log files and/or the system's auditing agents as sources of data. In contrast, a NIDS monitors the traffic on its network segment as a data source. Host-based intrusion detection involves not only looking at the network traffic in and out of a single computer, but also checking the integrity of your system files and watching for suspicious processes. To get complete coverage of your network with HIDS, you must load the software on every computer. Host-based intrusion detection is much more effective in detecting insider attacks than NIDS. Host intrusion detection systems run on individual hosts or devices on the network. A HIDS monitors the inbound and outbound packets from the device only and alerts the user or administrator if suspicious activity is detected.
3.2] Advantages & Disadvantages:
Advantages Disadvantages
Future Scope
Over the next several years, intrusion detection will evolve in two directions:
Intrusion detection systems, algorithms and data analysis must take the emerging IoT into the equation. Attackers can breach organizations from multiple points via cameras, automotive or wearable devices. In order to deduce the intruder's path, multiple sources of data from all IoT devices in the organization will have to be distilled into a centralized place.
Cyber criminals are developing new and innovative attacks that employ evasive and polymorphic techniques to escape detection. These techniques render the old hermetic intrusion detection paradigm useless. Anti-forensic malware is the best-known example. At the initial step of its execution, such malware determines whether or not there is an AV or IDS "in the area." If so, it takes one or more evasive actions:
(2) remains dormant, hiding its malicious intent until it is in a "safe" environment
(3) attacks the defense system itself.
Close to 80% of current malware uses anti-forensic techniques at some level.
But this is only one type of evasive attack. Some attacks are non-persistent, residing only in memory and leaving no footprint on the hard drive. For example, the PowerWare ransomware program that recently targeted the healthcare industry blends in with legitimate computer activity by using Windows PowerShell to download a malicious script. Many AVs and IDSs are "file scanning oriented," and hence can be bypassed by such attacks.
References
[4] HML-IDS: A Hybrid Multilevel Anomaly Prediction Approach for Intrusion Detection in SCADA Systems