An intrusion detection system (IDS) checks the content of packet headers and payloads to detect intrusions from the network. It is an essential function for network security. Traditionally, an IDS such as Snort, a widely used open source IDS, is implemented as a program running in user space on a hardware server. Recently, with the availability of Extended BPF (eBPF) in the Linux kernel, efficiently checking and filtering arriving packets directly in the kernel has become feasible. In this work, we design and implement an IDS that has two parts working together. The first part runs in the Linux kernel. It uses eBPF to perform fast pattern matching to pre-drop a very large portion of packets that have no chance of matching any rule. The second part runs in user space. It examines the packets left by the first part to find the rules that match them. Using a modified version of Snort's registered ruleset, experimental results show that the maximum throughput of our IDS exceeds that of Snort by a factor of 3 under many tested conditions.
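The two-stage design above rests on one property: the kernel stage may only drop a packet on a condition that every rule requires (its "fast pattern"), so nothing the user-space engine would alert on is ever pre-dropped. The following is an added example, not code from the paper: a user-space model of that pipeline, where stage 1 stands in for the eBPF/XDP filter and stage 2 for the full rule engine. The rules, the choice of the longest content as fast pattern, and the packets are constructed here for illustration.

```python
"""Added example (not the paper's code): a model of a two-stage IDS where
stage 1 (the eBPF/XDP pre-filter) keeps a packet only if the payload contains
at least one rule's fast pattern, and stage 2 (the user-space engine)
evaluates the full rule. Rules, fast patterns and packets are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    sid: int
    proto: str
    dport: Optional[int]        # None = any port
    contents: List[bytes]       # every content must appear (Snort-style AND)
    msg: str

    @property
    def fast_pattern(self) -> bytes:
        # Like Snort, use the longest content as the fast pattern: it is the
        # most selective necessary condition, so pre-dropping on it is sound.
        return max(self.contents, key=len)


@dataclass
class Packet:
    proto: str
    dport: int
    payload: bytes


# Constructed rules with local SIDs (not from any real ruleset).
RULES = [
    Rule(1000001, "tcp", 80, [b"GET ", b"/etc/passwd"], "path traversal probe"),
    Rule(1000002, "tcp", 80, [b"User-Agent: sqlmap"], "sqlmap scanner UA"),
    Rule(1000003, "tcp", None, [b"\x90" * 8], "NOP sled"),
]


def stage1_prefilter(pkt: Packet, rules=RULES) -> bool:
    """Kernel-side stand-in: True = pass to user space, False = pre-drop.
    Only a necessary condition is tested (any fast pattern present), so a
    packet that could match some rule is never dropped here."""
    return any(r.fast_pattern in pkt.payload for r in rules)


def stage2_match(pkt: Packet, rules=RULES) -> List[int]:
    """User-space stand-in: full rule evaluation, returns matching SIDs."""
    hits = []
    for r in rules:
        if r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if all(c in pkt.payload for c in r.contents):
            hits.append(r.sid)
    return hits


def run_pipeline(packets, rules=RULES):
    """Returns (alert SIDs, packets passed to user space, packets pre-dropped)."""
    alerts, passed, dropped = [], 0, 0
    for pkt in packets:
        if not stage1_prefilter(pkt, rules):
            dropped += 1
            continue
        passed += 1
        alerts.extend(stage2_match(pkt, rules))
    return alerts, passed, dropped


def soundness_check(packets, rules=RULES) -> bool:
    """Every packet the full engine would alert on must survive stage 1."""
    return all(stage1_prefilter(p, rules) for p in packets if stage2_match(p, rules))


# Constructed traffic: mostly benign HTTP plus a few rule-triggering payloads.
SAMPLE = [Packet("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: a\r\n\r\n")] * 5 + [
    Packet("tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),
    Packet("tcp", 80, b"GET / HTTP/1.1\r\nUser-Agent: sqlmap/1.7\r\n\r\n"),
    Packet("tcp", 8080, b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),  # passes stage 1, fails dport
    Packet("tcp", 4444, b"\x00" * 4 + b"\x90" * 16),
]

if __name__ == "__main__":
    print(run_pipeline(SAMPLE))      # ([1000001, 1000002, 1000003], 4, 5)
    print(soundness_check(SAMPLE))   # True
```

The third suspicious packet shows the division of labour: the fast pattern gets it past the pre-filter, and only the full check (destination port) clears it. Five of nine packets never reach stage 2, which is the effect the paper measures at scale.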
This study investigates the performance of two open source intrusion detection systems (IDSs), Snort and Suricata, in accurately detecting malicious traffic on computer networks. Snort and Suricata were installed on two separate but identical computers and their performance was evaluated at a network speed of 10 Gbps. Suricata could process higher-speed traffic than Snort with a lower packet drop rate, but it consumed more computational resources. Snort had higher detection accuracy and was therefore selected for further experiments. It was observed that Snort triggered a high rate of false positive alarms. To address this problem a Snort adaptive plug-in was developed. To select the best performing algorithm for the plug-in, an empirical study was carried out with different learning algorithms, and Support Vector Machine (SVM) was selected. A hybrid of SVM and fuzzy logic produced better detection accuracy, but the best result was achieved with an SVM optimised by the firefly algorithm, giving a false positive rate (FPR) of 8.6% and a false negative rate (FNR) of 2.2%. The novelty of this work is the performance comparison of two IDSs at 10 Gbps and the application of hybrid and optimised machine learning algorithms to Snort.
• Two open source intrusion detection systems, Snort and Suricata, were compared.
• Snort showed better detection accuracy but with false positive alarms.
• Improving rule-based Snort's accuracy with machine learning was attempted.
• A Snort plug-in with SVM and fuzzy logic produced good detection accuracy.
• The best result was achieved using an SVM optimised with the firefly algorithm.
Computer networks are built so that hosts can communicate with each other. During transmission, information is expected to be conveyed quickly, efficiently and safely. Network security serves to avoid damage or even data loss caused by attacker activity during communication. The security properties to be maintained for data are confidentiality, integrity and availability (the CIA triad). An Intrusion Prevention System (IPS) is one solution for protecting a network from various attacks: it acts as a guard by detecting and blocking suspicious traffic to nodes in the network. In this study the IPS is built from two tools, Snort and IPTables. Testing is done by attacking a web server with port scanning, DDoS and brute force attacks. The results are interpreted in terms of the CIA triad, the three attacks differing in cause and effect. On the defence side, port scanning and brute force are easily prevented by the IPS, but for the DDoS attack the drop and reject rule actions give different results: with a drop rule the web server recovers in 160 seconds and with a reject rule in 145 seconds, against the 165 seconds it normally takes to recover from the DDoS attack. The IPS server also reduces resource consumption during the DDoS attack by 9.2%.
Over the past decades, the rapid Internet development and the growth in the
number of its users have raised various security issues. Therefore, it is of
great importance to ensure the security of the network in order to enable
the safe exchange of confidential data, as well as their integrity. One of
the most important components of network attack detection is an Intrusion
Detection System (IDS). Snort IDS is a widely used intrusion detection
system, which logs alerts after detecting potentially dangerous network
packets. A major challenge in network monitoring is the high volume of
generated IDS alerts. A necessary step in successful network protection is
the analysis of the great amount of logged alerts in search of deviations
from normal traffic that may indicate an intrusion. The goal of this paper
is to design and implement a visualization interface for IDS alert analysis,
which graphically presents alerts generated by Snort IDS. Also, the proposed
system classifies the alerts according to the most important attack
parameters, and allows the users to understand evolving network situations
and easily detect possible traffic irregularities. An environment in which
the system has been tested in real-time is described, and the results of
attack detection and classification are given. One of the detected attacks
is analyzed in detail, as well as the method of its detection and its
possible consequences.
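The classification the abstract describes starts from Snort's own alert output. As an added example (not the paper's visualization system), the block below parses lines in Snort 2's alert_fast format and groups them by the parameters an analyst sorts on: priority, classification and source host, and flags hosts that trip several distinct signatures. The alert lines are constructed with local SIDs and private addresses; the thresholds and groupings are choices made here, not the paper's.

```python
"""Added example (not the paper's tool): parse Snort alert_fast lines and
group them by priority, classification and source. The sample alert lines
are constructed with local SIDs and private addresses."""
import re
from collections import Counter
from typing import Optional

# Snort 2 alert_fast layout:
# timestamp  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src[:sport] -> dst[:dport]
# The classification field is absent for rules without a classtype, and
# ICMP alerts carry no ports, so both are optional in the pattern.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed log: one brute-force source, one sweep, one unclassified rule,
# and one line of junk to show the parser rejecting it.
SAMPLE_LOG = """\
03/09-22:14:00.123456  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:54321 -> 10.0.0.2:22
03/09-22:14:01.223456  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:54322 -> 10.0.0.2:22
03/09-22:14:03.000001  [**] [1:1000002:1] LOCAL TCP portscan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:44444 -> 10.0.0.2:443
03/09-22:15:10.555555  [**] [1:1000003:1] LOCAL ICMP echo sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.2
03/09-22:15:11.000000  [**] [1:1000004:1] LOCAL unusual HTTP method [**] [Priority: 3] {TCP} 10.0.0.9:40000 -> 10.0.0.2:80
this line is not an alert and must be rejected
"""


def parse_alert(line: str) -> Optional[dict]:
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"], "sid": int(d["sid"]), "msg": d["msg"],
        "cls": d["cls"] or "unclassified", "prio": int(d["prio"]),
        "proto": d["proto"], "src": d["src"], "dst": d["dst"],
        "sport": int(d["sport"]) if d["sport"] else None,
        "dport": int(d["dport"]) if d["dport"] else None,
    }


def parse_log(text: str):
    """Returns (parsed alerts, number of non-empty lines that did not parse)."""
    alerts, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        a = parse_alert(line)
        if a is None:
            bad += 1
        else:
            alerts.append(a)
    return alerts, bad


def summarize(alerts, top_n: int = 3) -> dict:
    """The groupings a dashboard would plot: counts per priority, per
    classification, and the noisiest source addresses."""
    return {
        "by_priority": dict(sorted(Counter(a["prio"] for a in alerts).items())),
        "by_class": dict(Counter(a["cls"] for a in alerts)),
        "top_sources": Counter(a["src"] for a in alerts).most_common(top_n),
    }


def suspicious_sources(alerts, min_sigs: int = 2) -> list:
    """A host hitting several distinct signatures is a stronger signal than
    one signature repeating; return such hosts for closer analysis."""
    sigs = {}
    for a in alerts:
        sigs.setdefault(a["src"], set()).add(a["sid"])
    return sorted(s for s, v in sigs.items() if len(v) >= min_sigs)


if __name__ == "__main__":
    parsed, rejected = parse_log(SAMPLE_LOG)
    print(summarize(parsed), rejected, suspicious_sources(parsed))
```

Rejected lines are counted rather than silently skipped: a parser that drops what it cannot read would hide exactly the irregularities the analysis is looking for.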
Fuzzy rule interpolation (FRI) offers an effective approach for making inference possible in sparse rule-based systems (and also for reducing the complexity of fuzzy models). However, requirements of fuzzy systems may change over time and hence, the use of a static rule base may affect the accuracy of FRI applications. Fortunately, an FRI system in action will produce interpolated rules in abundance during the interpolative reasoning process. While such interpolated results are discarded in existing FRI systems, they can be utilized to facilitate the development of a dynamic rule base in supporting subsequent inference. This is because the otherwise relinquished interpolated rules may contain possibly valuable information, covering regions that were uncovered by the original sparse rule base. This paper presents a dynamic fuzzy rule interpolation (D-FRI) approach by exploiting such interpolated rules in order to improve the overall system's coverage and efficacy. The resulting D-FRI system is able to select, combine, and generalize informative, frequently used interpolated rules for merging with the existing rule base while performing interpolative reasoning. Systematic experimental investigations demonstrate that D-FRI outperforms conventional FRI techniques, with increased accuracy and robustness. Furthermore, D-FRI is herein applied for network security analysis, in devising a dynamic intrusion detection system (IDS) through integration with the Snort software, one of the most popular open source IDSs. This integration, denoted as D-FRI-Snort hereafter, delivers an extra amount of intelligence to predict the level of potential threats. Experimental results show that with the inclusion of a dynamic rule base, by generalising newly interpolated rules based on the current network traffic conditions, D-FRI-Snort helps reduce both false positives and false negatives in intrusion detection.
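To make the abstract concrete, here is an added example (not the paper's D-FRI implementation) of one-dimensional fuzzy rule interpolation over a sparse rule base, together with the D-FRI idea of promoting interpolated rules that recur into the rule base. Fuzzy sets are triangles (left foot, peak, right foot); interpolation uses a single ratio lambda taken from the antecedent peaks, a simplification of the classical KH alpha-cut method that always yields a valid triangle. The domain (alerts per minute mapped to a threat level), the two sparse rules, the promotion threshold and the bucketing of observations are all assumptions made here.

```python
"""Added example (not the paper's D-FRI): minimal 1-D fuzzy rule
interpolation with a dynamic rule base. Triangles are (a, b, c) with
a <= b <= c. Interpolation ratio lambda comes from antecedent peaks, a
simplification of KH interpolation. Rules and observations are constructed:
antecedent = alerts per minute (0..100), consequent = threat level (0..10)."""
from collections import defaultdict


def membership(t, x: float) -> float:
    """Triangular membership of x in t; peaks with zero-width sides are fine."""
    a, b, c = t
    if x < a or x > c:
        return 0.0
    if x == b:
        return 1.0
    return (x - a) / (b - a) if x < b else (c - x) / (c - b)


def lerp(t1, t2, lam: float):
    """Parameter-wise linear interpolation between two triangles."""
    return tuple((1 - lam) * p + lam * q for p, q in zip(t1, t2))


def defuzzify(t) -> float:
    return t[1]   # peak; a centroid would also do for triangles


class DynamicFRI:
    def __init__(self, rules, promote_after: int = 2, bucket: float = 10.0):
        self.rules = list(rules)          # [(antecedent, consequent)]
        self.promote_after = promote_after
        self.bucket = bucket              # observations whose peaks round to
        self.pool = defaultdict(list)     # the same bucket are "the same region"

    def covering_rule(self, obs):
        """A rule whose antecedent has non-zero membership at the observation
        peak covers it; ordinary inference applies and no interpolation is
        needed. Returns the rule with the highest membership, or None."""
        best, best_mu = None, 0.0
        for rule in self.rules:
            mu = membership(rule[0], obs[1])
            if mu > best_mu:
                best, best_mu = rule, mu
        return best

    def neighbours(self, obs):
        """Closest rule on each side of the observation, by antecedent peak."""
        left = [r for r in self.rules if r[0][1] <= obs[1]]
        right = [r for r in self.rules if r[0][1] >= obs[1]]
        if not left or not right:
            raise ValueError("observation outside the span of the rule base")
        return max(left, key=lambda r: r[0][1]), min(right, key=lambda r: r[0][1])

    def infer(self, obs):
        """Returns (consequent triangle, source): 'rule' for a direct hit on a
        base rule (original or promoted), 'interpolated' otherwise."""
        hit = self.covering_rule(obs)
        if hit is not None:
            return hit[1], "rule"
        (a1, b1), (a2, b2) = self.neighbours(obs)
        lam = (obs[1] - a1[1]) / (a2[1] - a1[1])
        result = lerp(b1, b2, lam)
        self._remember(obs, result)
        return result, "interpolated"

    def _remember(self, obs, result):
        """D-FRI step: keep interpolated rules; once a region has produced
        enough of them, merge them into one generalised rule and add it."""
        key = round(obs[1] / self.bucket)
        self.pool[key].append((obs, result))
        if len(self.pool[key]) >= self.promote_after:
            ants = [o for o, _ in self.pool[key]]
            cons = [r for _, r in self.pool[key]]
            generalise = lambda ts: (min(t[0] for t in ts),
                                     sum(t[1] for t in ts) / len(ts),
                                     max(t[2] for t in ts))
            self.rules.append((generalise(ants), generalise(cons)))
            del self.pool[key]


# Sparse base: "low" and "high" only; 20..60 alerts/min is uncovered.
RULES = [((0, 0, 20), (0, 0, 2)), ((60, 80, 100), (7, 9, 10))]

if __name__ == "__main__":
    fri = DynamicFRI(RULES)
    print(fri.infer((35, 40, 45)))   # interpolated: (3.5, 4.5, 6.0)
    print(fri.infer((38, 42, 46)))   # interpolated, then promoted
    print(fri.infer((39, 40, 41)))   # now a direct 'rule' hit
```

The third call is the D-FRI effect: the region between the two original rules is now covered by a rule the system built from its own earlier interpolations, so inference there no longer depends on the neighbours.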
Technology is changing rapidly, and with the growth of the Internet, cyber threats make it challenging for IT professionals to guard their companies' and organisations' systems, especially when hacking tools and instructions are freely available on the Internet for beginners to learn, for example, how to steal data and information. Tic Timor IP is one of the organisations engaged in data centre operation, and it often receives attacks from outside networks. A network traffic monitoring system is fundamental for detecting unknown activity within a network. Port scanning is one of the first methods commonly used to attack a network, using free applications such as Angry IP Scanner, Nmap and Low Orbit Ion Cannon (LOIC, which is a denial-of-service tool rather than a scanner). A Snort-based Intrusion Detection System (IDS) can be used to detect such attacks within the network perimeter, including on the web server. Based on the research results, Snort is able to detect various types of attack, including port scanning, and multiple Snort rules can be written to protect the network from unknown threats.
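Both this abstract and the IPS study above report that port scanning and brute force are the easy cases for Snort. Detection for both reduces to one sliding-window threshold rule: alert when a source touches too many distinct ports within a short window, or when one source makes too many failed attempts against one service. The block below is an added example, not code from either study, in the spirit of Snort's sfPortscan preprocessor and its threshold/detection_filter options; the events, window lengths and thresholds are constructed here.

```python
"""Added example (not code from the studies): sliding-window threshold
detection for port scans (distinct destination ports per source) and brute
force (repeated failures per source/service). Events are constructed and
timestamps are in seconds."""
from collections import defaultdict, deque


class WindowedRule:
    """Per key, count events (or distinct values) seen within the last
    `window` seconds; alert once per key when the count reaches `threshold`
    (like Snort's threshold type limit with count 1)."""

    def __init__(self, window: float, threshold: int, distinct: bool = True):
        self.window, self.threshold, self.distinct = window, threshold, distinct
        self.events = defaultdict(deque)   # key -> deque of (ts, value)
        self.fired = set()

    def observe(self, ts: float, key, value=None) -> bool:
        q = self.events[key]
        q.append((ts, value))
        while q and ts - q[0][0] > self.window:   # expire old entries
            q.popleft()
        n = len({v for _, v in q}) if self.distinct else len(q)
        if n >= self.threshold and key not in self.fired:
            self.fired.add(key)
            return True
        return False


def detect(events, scan_ports=5, scan_window=10.0, brute_tries=4, brute_window=60.0):
    """events: (ts, src, dst, dport, kind); kind is 'syn' for a connection
    attempt or 'auth_fail' for a failed login seen on that service.
    Returns a list of (ts, alert_type, src)."""
    scan = WindowedRule(scan_window, scan_ports, distinct=True)
    brute = WindowedRule(brute_window, brute_tries, distinct=False)
    alerts = []
    for ts, src, dst, dport, kind in events:
        if kind == "syn" and scan.observe(ts, src, (dst, dport)):
            alerts.append((ts, "portscan", src))
        elif kind == "auth_fail" and brute.observe(ts, (src, dst, dport)):
            alerts.append((ts, "bruteforce", src))
    return alerts


PORTS = [21, 22, 23, 25, 80, 443]
# Constructed events: a fast scan, a benign client, an SSH brute force, and a
# slow scan (one port every 15 s) that the 10 s default window will not see.
EVENTS = (
    [(float(i), "10.0.0.5", "10.0.0.2", p, "syn") for i, p in enumerate(PORTS)]
    + [(50.0, "10.0.0.7", "10.0.0.2", 80, "syn"), (51.0, "10.0.0.7", "10.0.0.2", 443, "syn")]
    + [(100.0 + i, "10.0.0.9", "10.0.0.2", 22, "auth_fail") for i in range(4)]
    + [(200.0 + 15 * i, "10.0.0.11", "10.0.0.2", p, "syn") for i, p in enumerate(PORTS)]
)

if __name__ == "__main__":
    print(detect(EVENTS))                      # fast scan and brute force only
    print(detect(EVENTS, scan_window=120.0))   # the slow scan now appears
```

The slow scanner is the caveat the "easily prevented" result hides: a threshold rule only sees what fits in its window, so a scanner that paces itself below the rate the window was tuned for is invisible until the window is widened (at the cost of more state per source).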
Web Exploit Kits (EKs) are designed to exploit browser and browser-plugin vulnerabilities in order to serve malware without drawing the user's attention. Despite their longevity, EKs have adapted their modus operandi to new malware trends and pose an imminent threat to individuals and organizations. This paper proposes EKnad, a methodology to detect EKs exclusively from network-level traces using machine learning algorithms. To capture the network-level behavior of EKs, a comprehensive set of features from the network traffic is presented. Moreover, HTTP flows are grouped into so-called potential EK sessions, in order to improve detection accuracy and reduce training time. Using various well-known machine learning algorithms, a comparative experimental study is performed, employing real-world, publicly available network traffic files from 26 different EK families. Numerical results show that the Multilayer Perceptron algorithm outperforms all other machine learning algorithms, yielding an F1-score of 0.983, and at the same time exceeds the detection capabilities of rule-based intrusion detection systems including Snort and Suricata.
• A machine learning methodology for EK network activity detection.
• The Potential EK Session method groups HTTP flows based on the attack pattern of EKs.
• A comprehensive feature set that captures the network-level behavior of EKs.
• Evaluation rules and guidelines for ML classifiers to avoid biased results.
• A thorough assessment shows EKnad's high detection performance.
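The abstract does not say how flows are grouped into potential EK sessions or which features are extracted, so the following is an added example, not EKnad's code: it models the idea as grouping each client's HTTP flows by inactivity gap and summarising each group with a handful of network-level features (host count, redirect share, share of executable or plugin content types, largest response). The grouping rule, the feature names, the content-type list and the flow records are all assumptions made here for illustration.

```python
"""Added example (not EKnad's code): group a client's HTTP flows into
potential sessions by inactivity gap and summarise each with network-level
features. Grouping rule, feature names and flow records are constructed."""
from collections import defaultdict

# Constructed flow records: (ts, client, host, status, content_type, bytes).
# Client 10.0.0.4 follows an ad redirect to a landing page that serves a
# plugin object and then a binary; later it browses normally again.
HTTP_FLOWS = [
    (0.0, "10.0.0.4", "news.example", 200, "text/html", 52000),
    (0.4, "10.0.0.4", "cdn.example", 200, "image/png", 8000),
    (0.9, "10.0.0.4", "ads.example", 302, "text/html", 300),
    (1.3, "10.0.0.4", "x1.landing.example", 200, "text/html", 41000),
    (1.9, "10.0.0.4", "x1.landing.example", 200, "application/x-shockwave-flash", 90000),
    (2.6, "10.0.0.4", "x1.landing.example", 200, "application/octet-stream", 310000),
    (200.0, "10.0.0.4", "mail.example", 200, "text/html", 20000),
    (0.5, "10.0.0.6", "news.example", 200, "text/html", 52000),
    (0.8, "10.0.0.6", "cdn.example", 200, "image/png", 8000),
]

# Content types an exploit chain tends to deliver (assumed list).
PAYLOAD_TYPES = {"application/x-shockwave-flash", "application/octet-stream",
                 "application/java-archive"}


def group_sessions(flows, gap: float = 30.0):
    """Per client, consecutive flows closer than `gap` seconds form one
    potential session; a longer pause starts a new one. Returns a list of
    (client, [flows]) in client order, then time order."""
    by_client = defaultdict(list)
    for f in sorted(flows, key=lambda f: (f[1], f[0])):
        by_client[f[1]].append(f)
    sessions = []
    for client, fs in by_client.items():
        current = [fs[0]]
        for f in fs[1:]:
            if f[0] - current[-1][0] > gap:
                sessions.append((client, current))
                current = []
            current.append(f)
        sessions.append((client, current))
    return sessions


def features(session) -> dict:
    """Session-level feature vector a classifier would be trained on."""
    client, fs = session
    n = len(fs)
    return {
        "client": client,
        "start": fs[0][0],
        "n_flows": n,
        "n_hosts": len({f[2] for f in fs}),
        "redirect_ratio": sum(1 for f in fs if 300 <= f[3] < 400) / n,
        "payload_ratio": sum(1 for f in fs if f[4] in PAYLOAD_TYPES) / n,
        "max_bytes": max(f[5] for f in fs),
    }


if __name__ == "__main__":
    for s in group_sessions(HTTP_FLOWS):
        print(features(s))
```

Grouping before feature extraction is what lets a single feature vector capture the redirect-then-landing-then-payload shape: no individual flow in the first session is unusual on its own.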
The use of Intrusion Detection Systems (IDS) still has unresolved problems, namely a lack of accuracy in attack detection, resulting in false positives and many false alarms. Machine learning is one approach often used to overcome the challenges that arise when implementing an IDS. In this study we present a system that uses a machine learning approach to detect network attacks and send attack alerts. The CSE-CIC-IDS2018 dataset and a model-based feature selection technique are used to assess the performance of eight classifier algorithms in identifying network attacks, in order to determine the best one. The resulting XGBoost model provides the highest performance in this comparison, with an accuracy of 99% for two-class classification and 98.4% for multi-class classification.
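Two of the abstracts above, the Snort adaptive plug-in with its 8.6% FPR and 2.2% FNR and this XGBoost study with model-based feature selection, share the same evaluation skeleton. As an added example (not the authors' SVM or XGBoost pipelines), the block below trains a from-scratch logistic-regression detector on constructed flow features, ranks features by absolute weight after standardisation (one simple form of model-based feature selection), and reports accuracy together with FPR and FNR, which accuracy alone hides on imbalanced traffic. The feature set and the flow records are constructed here; no dataset is loaded.

```python
"""Added example (not the authors' SVM/XGBoost code): logistic regression on
constructed flow features, model-based feature ranking by |weight|, and
accuracy/FPR/FNR. Flow records are constructed so that pkt_rate and
avg_pkt_size carry the signal and duration_s is uninformative."""
import math

FEATURES = ["pkt_rate", "avg_pkt_size", "duration_s"]
# (features, label); label 1 = attack. Constructed, not from any dataset.
FLOWS = [
    ([2, 300, 5], 0), ([4, 450, 12], 0), ([6, 600, 20], 0), ([3, 350, 3], 0),
    ([8, 750, 30], 0), ([5, 900, 8], 0), ([10, 500, 15], 0), ([7, 800, 25], 0),
    ([200, 40, 6], 1), ([250, 60, 11], 1), ([300, 80, 21], 1), ([220, 50, 4], 1),
    ([400, 45, 29], 1), ([350, 70, 9], 1), ([280, 55, 14], 1), ([320, 65, 26], 1),
]


def standardize(rows):
    """Zero-mean, unit-variance columns; without this, raw byte counts would
    dominate the weights and make |weight| meaningless as a feature score."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return [[(v - m) / s for v, m, s in zip(r, means, stds)] for r in rows], means, stds


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z))


def train(rows, labels, lr: float = 0.5, epochs: int = 300):
    """Batch gradient descent on the logistic loss; returns (weights, bias)."""
    n, d = len(rows), len(rows[0])
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * d, 0.0
        for x, y in zip(rows, labels):
            err = sigmoid(b + sum(wi * xi for wi, xi in zip(w, x))) - y
            gb += err
            for j in range(d):
                gw[j] += err * x[j]
        w = [wi - lr * g / n for wi, g in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def predict(w, b, x, threshold: float = 0.5) -> int:
    return int(sigmoid(b + sum(wi * xi for wi, xi in zip(w, x))) >= threshold)


def rank_features(w, names=FEATURES):
    """Model-based feature selection: order features by |weight|."""
    return [n for n, _ in sorted(zip(names, w), key=lambda p: -abs(p[1]))]


def rates(y_true, y_pred) -> dict:
    """Accuracy plus the two rates the IDS papers report."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    tn = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 0)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    return {
        "accuracy": (tp + tn) / len(y_true),
        "fpr": fp / (fp + tn) if fp + tn else 0.0,   # benign flagged as attack
        "fnr": fn / (fn + tp) if fn + tp else 0.0,   # attacks missed
    }


def run(flows=FLOWS):
    rows, labels = [f for f, _ in flows], [y for _, y in flows]
    z, _, _ = standardize(rows)
    w, b = train(z, labels)
    preds = [predict(w, b, x) for x in z]
    return rank_features(w), rates(labels, preds)


if __name__ == "__main__":
    print(run())
```

The metrics here are computed on the training flows, which is the optimistic case; the papers' figures come from held-out data, and a deployment should be judged on FPR against the real benign rate, since a 1% FPR on millions of flows a day is still thousands of alerts.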