Jpcap Winpcap Used For Network Intrusion
ISSN: 0976-268X
ABSTRACT
Intrusion detection systems serve three essential security functions: they monitor, detect, and respond to unauthorized activity by company insiders and outsider intrusion. Intrusion detection systems use policies to define certain events that, if detected, will issue an alert. In other words, if a particular event is considered to constitute a security incident, an alert will be issued if that event is detected. Certain intrusion detection systems have the capability of sending out alerts, so that the administrator of the IDS will receive a notification of a possible security incident in the form of a page, email, or SNMP trap. Many intrusion detection systems not only recognize a particular incident and issue an appropriate alert, they also respond automatically to the event. Such a response might include logging off a user, disabling a user account, or launching scripts. Of the security incidents that occur on a network, the vast majority (up to 85 percent by many estimates) come from inside the network. These attacks may consist of otherwise authorized users who are disgruntled employees. The remainder comes from the outside, in the form of denial of service attacks or attempts to penetrate a network infrastructure. Intrusion detection systems remain the only proactive means of detecting and responding to threats that stem from both inside and outside a corporate network. As stated previously, intrusion detection is the process of monitoring computers or networks for unauthorized entrance, activity, or file modification. An IDS can also be used to monitor network traffic, thereby detecting whether a system is being targeted by a network attack such as a denial of service attack. There are two basic types of intrusion detection: host-based and network-based. Each has a distinct approach to monitoring and securing data, and each has distinct advantages and disadvantages. In short, host-based IDSs examine data held on individual computers that serve as hosts, while network-based IDSs examine data exchanged between computers.
information protection (e.g., encryption) have been used to protect computer systems as a first line of defense. Intrusion prevention alone is not sufficient because, as systems become ever more complex, there are always exploitable weaknesses in the systems due to design and programming errors, or various "socially engineered" penetration techniques. For example, although it was first reported many years ago, the exploitable "buffer overflow" still exists in some recent system software due to programming errors. The policies that balance convenience versus strict control of a system and information access also make it impossible for an operational system to be completely secure.

We use definitions from the pioneering work in intrusion detection.
• Risk: Accidental or unpredictable exposure of information, or violation of operations integrity due to the malfunction of hardware or incomplete or incorrect software design.
• Vulnerability: A known or suspected flaw in the hardware or software or operation of a system that exposes the system to penetration or its information to accidental disclosure.
• Attack: A specific formulation or execution of a plan to carry out a threat.
• Penetration: A successful attack -- the ability to obtain unauthorized (undetected) access to files and programs or the control state of a computer system.

II. CLASSIFICATION
Intrusion detection techniques are traditionally categorized into two methodologies:

A. Anomaly Detection
Anomaly detection is based on the normal behaviour of a subject (e.g., a user or a system); any action that significantly deviates from the normal behaviour is considered intrusive. Anomaly detection techniques assume that all intrusive activities are necessarily anomalous. This means that if one could establish a "normal activity profile" for a system, one could, in theory, flag all system states varying from the established profile by statistically significant amounts as intrusion attempts. However, if the set of intrusive activities only intersects the set of anomalous activities instead of coinciding with it, two interesting possibilities arise: (1) anomalous activities that are not intrusive are flagged as intrusive; (2) intrusive activities that are not anomalous result in false negatives (events are not flagged as intrusive, though they actually are). The second is a dangerous problem, and is far more serious than the problem of false positives.

B. Misuse Detection
Misuse detection catches intrusions in terms of the characteristics of known attacks or system vulnerabilities: any action that conforms to the pattern of a known attack or vulnerability is considered intrusive. The concept behind misuse detection schemes is that there are ways to represent attacks in the form of a pattern or a signature so that even variations of the same attack can be detected. This means that these systems are not unlike virus detection systems: they can detect many or all known attack patterns.

Alternatively, IDSs may be classified into host-based IDSs, distributed IDSs, and network-based IDSs according to the sources of the audit information used by each IDS. Host-based IDSs get audit data from host audit trails and usually aim at detecting attacks against a single host; distributed IDSs gather audit data from multiple hosts and possibly the network that connects the hosts, aiming at detecting attacks involving multiple hosts. Network-based IDSs use network traffic as the audit data source, relieving the burden on the hosts that usually provide normal computing services.

III. DATA MINING BASICS
The term data mining is frequently used to designate the process of extracting useful information from large databases. Similarly, the term knowledge discovery in databases (KDD) is used to denote the process of extracting useful knowledge from large data sets. Data mining, by contrast, refers to one particular step in this process. Specifically, the data mining step applies so-called data mining techniques to extract patterns from the data. Additionally, it is preceded and followed by other KDD steps, which ensure that the extracted patterns actually correspond to useful knowledge. Indeed, without these additional KDD steps, there is a high risk of finding meaningless or uninteresting patterns (Fayyad, 1998; Klemettinen et al., 1997; Stedman, 1997). In other words, the KDD process uses data mining techniques along with any required pre- and post-processing to extract high-level knowledge from low-level data. In practice, the KDD process is interactive and iterative, involving numerous steps with many decisions being made by the user.

IV. PROBLEM DESCRIPTION
A major shortcoming of current IDSs that employ data mining methods is that they can give a series of false alarms in cases of a noticeable modification of the system environment. There can be two types of false alarms in classifying system activities in case of any deviation from normal patterns: false positives and false negatives. False positive alarms are issued when normal behaviours are incorrectly identified as abnormal, and false negative alarms are issued when
abnormal behaviours are incorrectly identified as normal.

Though it is important to keep both types of false alarm rates as low as possible, the false negative alarm rate should be kept to a minimum to ensure the security of the system. To overcome this limitation, an IDS must be capable of adapting to the changing conditions typical of an intrusion detection environment. For example, in an academic environment, the behaviour patterns at the beginning of a semester may be different from the behaviour patterns at the middle or end of the semester. If the system builds its profile based on the audit data gathered during the early days of the semester, then the system may give a series of false alarms at the later stages of the semester. System security administrators can tune the IDS by adjusting the profile, but this may require frequent human intervention. Since normal system activities may change because of modifications to work practices, it is important that an IDS should have automatic adaptability to new conditions. Otherwise, an IDS may start to lose its edge. Such adaptability can be achieved by employing incremental mining techniques. Such an adaptive system should use real time data (a log of audit records) to constantly update the profile.

One straightforward approach would be to regenerate the user profile with the new audit data. But this would not be a computationally feasible approach. Each of these deviations can represent an intrusion or a change in behaviour. In case of a change in system behaviour, the base profile must be updated with the corresponding change so that it does not give any false positive alarms in future. This means that the system needs a mechanism for deciding whether to make a change or reject it. If the system tries to make a change to the base profile every time it sees a deviation, there is a potential danger of incorporating intrusive activities into the profile.

V. SYSTEM DESCRIPTION
The central theme of the present approach is to apply the data mining technique of K-Means clustering to intrusion detection in a network. Data mining generally refers to the process of (automatically) extracting models from large stores of data. The recent rapid development in data mining has made available a wide variety of algorithms, drawn from the fields of statistics, pattern recognition, machine learning, and databases. The work that introduced the concept of intrusion detection in 1980 defined an intrusion attempt or a threat to be the potential possibility of a deliberate unauthorized attempt to
• access information,
• manipulate information, or
• render a system unreliable or unusable.
Since then, several techniques for detecting intrusions have been studied. This paper discusses why intrusion detection systems are needed, the main techniques, present research in the field, and possible future directions of research. The following sections use definitions from the pioneering work in intrusion detection.

A. k-Means Clustering
K-Means is an iterative clustering algorithm in which items are moved among a set of clusters until the desired set is reached. A high degree of similarity among elements in the clusters is obtained, while a high degree of dissimilarity among elements in different clusters is achieved simultaneously. This algorithm assumes that the desired number of clusters, K, is an input parameter. The initial values for the means are arbitrarily assigned. These could be assigned randomly, or could perhaps use the values of the first K input items themselves.

The mean of cluster $k = \{t_{i1}, t_{i2}, \ldots, t_{im}\}$ is defined as

$m_i = \frac{1}{m} \sum_{j=1}^{m} t_{ij}$

B. k-Means Clustering Algorithm
1. Input:
2.   D = {t1, t2, ..., tn}    // set of elements
3.   K                        // number of desired clusters
4. Output:
5.   S                        // set of clusters
6. K-means algorithm:
7.   Assign initial values for the means m1, m2, ..., mK;
8.   Repeat
9.     Assign each item ti to the cluster which has the closest mean;
10.    Calculate the new mean for each cluster;
11.  Until the convergence criterion is met;

C. WinPcap
WinPcap is an open source library for packet capture and network analysis for the Win32 platforms. Most networking applications access the network through widely used operating system primitives such as sockets. It is easy to access data on the network with this approach, since the operating system copes with the low level details (protocol handling, packet reassembly, etc.) and provides a familiar interface that is similar to the one used to read and write files. Sometimes, however, the 'easy way' is not up to the task, since some applications require direct access to packets on the network. That is, they need access to the "raw" data on the network without the interposition of protocol processing by the operating system.

D. Jpcap
Jpcap is an open source library for capturing and sending network packets from Java applications. It provides facilities to:
• capture raw packets live from the wire;
• save captured packets to an offline file, and read captured packets from an offline file;
• filter the packets according to user-specified rules before dispatching them to the application;
• send raw packets to the network.
Jpcap is based on libpcap/WinPcap, and is implemented in C and Java.

VI. CONCLUSION
This paper has proposed a systemic framework that employs data mining techniques for intrusion detection. This framework consists of classification, clustering and frequent episodes programs, which can be used to (automatically) construct detection models. The experiments on log data and network data demonstrated the effectiveness of clustering models in detecting anomalies. The accuracy of the detection models depends on sufficient training data and the right feature set. The k-means clustering algorithm can be used to compute the consistent patterns from audit data. These frequent patterns form an abstract summary of an audit trail, and therefore can be used to: guide the audit data gathering process; provide help for feature selection; and discover patterns of intrusions. This is the initial stage of the present research; much remains to be done, including the following tasks:
• Implement a support environment for system builders to iteratively drive the integrated process of pattern discovery, system feature selection, and construction and evaluation of detection models.
• Investigate the methods and benefits of combining multiple simple detection models. Multiple audit data streams are needed for the experiments.
• Implement a prototype agent-based intrusion detection system.
• Evaluate the present approach using extensive audit data sets.

VII. REFERENCES
[1] U. Fayyad, "Mining Databases: Towards Algorithms for Knowledge Discovery," Bulletin of the IEEE Computer Society Technical Committee on Data Engineering, 1999.
[2] S.J. Stolfo, S. Hershkop, K. Wang, O. Nimeskern, and C.W. Hu, "Behavior Profiling of Email," First NSF/NIJ ISI, 2003.
[3] W. Lee, S.J. Stolfo, and K.W. Mok, "Algorithms for Mining System Audit Data," in Proc. KDD, 1999.
[4] W.W. Cohen, "Fast Effective Rule Induction," in 12th Conference on Machine Learning, CA, 1995.
[5] W. Lee and S. Stolfo, "Data Mining Approaches for Intrusion Detection," in 7th USENIX Security, 1998.
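As an added example (not code from the paper or from any cited project), the k-Means procedure of Section V.B is run on constructed per-connection feature vectors, each cluster's largest training distance is kept as the radius of the normal-activity profile, and new records are only folded into the profile when the current profile accepts them, which is the guarded update that Section IV calls for. The feature names, the radius rule and all sample values are assumptions made here.

```python
from math import sqrt
# Constructed per-connection feature vectors (duration_s, packets, failed_logins);
# illustrative values, not real audit data. Two normal behaviours are present.
NORMAL_AUDIT = [
    (1.0, 10, 0), (1.5, 12, 0), (0.5, 8, 0),         # short interactive sessions
    (30.0, 300, 0), (28.0, 280, 0), (32.0, 320, 0),  # long bulk transfers
]

def dist(a, b):
    """Euclidean distance between two feature vectors."""
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def nearest(item, means):
    """Index of the closest cluster mean and the distance to it."""
    d, i = min((dist(item, m), i) for i, m in enumerate(means))
    return i, d

def kmeans(items, k, max_iter=100):
    """Section V.B: seed the means with the first k items, then reassign and
    recompute until the means stop changing (the convergence criterion)."""
    means = [tuple(float(v) for v in items[i]) for i in range(k)]
    for _ in range(max_iter):
        clusters = [[] for _ in range(k)]
        for item in items:
            clusters[nearest(item, means)[0]].append(item)
        new_means = [tuple(sum(col) / len(c) for col in zip(*c)) if c else m
                     for c, m in zip(clusters, means)]  # empty cluster keeps its mean
        if new_means == means:
            break
        means = new_means
    return means, clusters

def build_profile(items, k):
    """Profile = cluster means + per-cluster radius (largest training distance)."""
    means, clusters = kmeans(items, k)
    radii = [max((dist(x, m) for x in c), default=0.0) for c, m in zip(clusters, means)]
    return means, radii

def is_anomalous(item, profile):
    """Flag an item lying outside the radius of its nearest cluster."""
    means, radii = profile
    i, d = nearest(item, means)
    return d > radii[i]

def adapt_profile(training, new_items, k):
    """Section IV: admit only records the current profile accepts, then rebuild,
    so flagged (possibly intrusive) activity is not folded into the profile."""
    profile = build_profile(training, k)
    training = training + [x for x in new_items if not is_anomalous(x, profile)]
    return build_profile(training, k), training
```

Features on very different scales let the large-valued ones dominate the distance, which is one way an intrusive record can fail to look anomalous (the false-negative case of Section II.A), so scale the features before clustering in practice.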