Ch3 - Off-line NIDS Design (simulation). Chapter three of the master's dissertation "Design and Implementation of Network Intrusion Detection System Based on Embedded System". The main subject is published in the article "Designing of Intrusion Detection System Based on Image Block Matching", and a summary of all the dissertation topics is given in the book "Network Intrusion Detection System Based on Embedded System - Off-line and On-line NIDS Based on Embedded System: Design and Implementation". Here you will find more details about the design of the NIDS in the off-line stage.
Abdullah A. Mohammed MOSUL UNIVERSITY | MOSUL - IRAQ
Ch.3
Off-line NIDS Design (simulation)
3.1 Introduction: In this chapter, a new method is used to design an off-line NIDS: the Simulink Image Block Matching (IBM) block and an Embedded Matlab Function (EMF) are used in the design. The method is simple and efficient. The IBM is used for pattern matching and the EMF is used to make the decision. Three types of attack are used in this system (R2L, DoS and U2R). The results show that the IBM can give a high detection and classification rate, on average 94.9 percent, on NSL-KDD records. The chapter opens with some details about NSL-KDD and the reduction of its features.
3.2 Off-line NIDS: When NIDS designs are classified according to the way in which they receive their input, there are two types: on-line and off-line NIDS. An on-line NIDS deals with the network in real time. It analyses the Ethernet packet and applies some rules to it to decide whether it is an attack or not. An off-line NIDS deals with stored data and passes it through some process to decide whether it is an attack or not [11], Fig. (3.1). The Dataset Selected Features block is a test dataset store. It passes the selected features to the System Core. There are standard datasets that include most of the well-known attacks. Each consists of two parts, training data and testing data. These standard datasets, like DARPA, KDD-99 and NSL-KDD, include cases of network packets. They focus on some features, which represent the header fields and some specific points of the payload in the packet. According to these cases, each packet is classified as an attack or a normal frame [26]. The System Core is the base of the NIDS that contains the pattern matching process. It usually consists of ANN or GA algorithms. The result of the System Core is passed to the Result display, which shows it as an interactive unit.
Figure (3.1) Off-line NIDS architecture: Dataset Selected Features -> System Core -> Result display.
3.3 Dataset and Feature Extracting: To make the system efficient and accurate, it must be designed around specific factors. Feature extraction is one of these factors; the features selected must be the effective ones, those that have an important effect on the detection operation [27]. Several organizations have produced datasets that show the effective features for detecting the attack types.
3.3.1 KDD-99 and NSL-KDD Dataset: KDD-99 is one of these datasets. It is the most widely used dataset for anomaly detection. It is built on the data captured in DARPA'98, which was criticized by McHugh [28]; for that reason, some of the problems existing in DARPA'98 remain in KDD-CUP 99. One of the most important deficiencies of KDD-99 is the huge number of redundant records. Analysis of the KDD-99 train and test sets shows that about 78% of the training set and 75% of the testing set are duplicated. The researchers found that this strongly affects the performance of evaluated systems and results in a very poor evaluation of anomaly detection approaches [29], [30]. To solve this problem, they proposed a new dataset called NSL-KDD. NSL-KDD solves the inherent problems of KDD-99 [31]. It consists of selected records of the complete KDD-99 dataset [29].
The following are the advantages of NSL-KDD over the original KDD-99 dataset [29]:
- It does not include redundant records in the train set, so the classifiers will not be biased towards records that are more frequent.
- The number of selected records from each difficulty-level group is inversely proportional to the percentage of records in the original KDD-99 dataset. As a result, the classification rates of distinct machine learning methods vary over a wider range, which makes it more efficient to have an accurate evaluation of different learning techniques.
- The numbers of records in the train and test sets are reasonable, which makes it affordable to run the experiments on the complete set without the need to randomly select a small portion. Consequently, evaluation results of different research works will be consistent and comparable.
NSL-KDD consists of approximately 4,900,000 records, each containing 41 features. Each record is labeled as either normal or as an attack type [29]. It represents an attack case and gives a packet summary of the attack. Each attack has related features, as shown in Table (3.1); many researchers have studied these relations in depth [31], [32], [33]. For NIDS, not all of the 41 features are useful. Some of the features are irrelevant and redundant, which lengthens the detection process and degrades the performance of the NIDS [31], [32]. Table (3.1) shows that for DOS, R2L and U2R attacks, 11 features are enough to achieve NIDS detection [33]. Researchers have suggested many methods for feature selection and reduction; all of this research aims at improving the processing time, performance and detection rate.
Table 3.1 The most relevant feature for each attack type and normal [33].
3.3.2 The Effect of Reduction on the Process Time and Detection Accuracy: The 41 features were reduced to 4 features by using three types of Artificial Neural Networks (ANN), and the results show a large reduction in processing time and good accuracy in detection, Fig. (3.2). It shows some deviation in the detection rate for small numbers of records, but it is very acceptable for only 4 features [34]. Other researchers used 8 features [29]. Their results showed 80.4% data reduction, approximately 35%-40% reduction in training time and 75%-80% reduction in testing time, Fig. (3.3). They also showed a more accurate detection rate even with few records, Fig. (3.4). It is clear that this approaches the target more closely, with less deviation, than the 4-feature dependency [34]. Good results were shown with 11 features [33], [35]. Other results were better in false alarms, using 13 and 15 features [36], [37] respectively.
Figure (3.2) Comparison of number of detections with LDA and PCA for 4 features [34].
Figure (3.3) Time taken before and after reduction [29]: (a) Training time, (b) Testing time.
Figure (3.4) Comparison of number of detections before and after feature reduction (Hidden Layers = 25 and Max Steps for Training = 700) [29].
Najla and Hana [38] made a good study using 5, 10, 21 and 41 features. Their results show that a high detection rate can be achieved with 5 features, Fig. (3.5). It is clear that depending on fewer features gives a high detection rate and takes little processing time, Fig. (3.6). It is important to mention that achieving a high detection rate by depending on a few features leads to an increase in false alarms, because the decision is made on only part of the features that distinguish an attack packet from a normal one. This approach confuses the classification so that clean packets are classified as attacks. Therefore, there is a tradeoff between the detection rate with time taken and the false alarm rate [26].
Figure (3.5) Detection rate for 5, 10, 21 and 41 features [38].
Figure (3.6) Training time for 5, 10, 21 and 41 features [38].
According to the studies mentioned above, 12 features are chosen as the target for the proposed NIDS design in this research. The chosen features include the features with the most effect on the detection of DOS, U2R and R2L attacks, as suggested in Table (3.1) [33], [35]. Table (3.2) shows the selected features and the order number of each feature in the original NSL-KDD dataset. The selection was based on the dependency rate, i.e. on which feature the attack detection depends. The selected features relate to DOS, R2L and U2R attacks only; the PROBE attack is not included.
Table 3.2 The selected features based on the dependency ratio for the attack types.

No.   Feature name (order in NSL-KDD)     Dependency ratio [35]   Attack type       Attack class
1     source bytes (5)                    0.9708                  Back              DOS
2     land (7)                            0.9999                  Land              DOS
      source bytes (5)                    0.9328                  Neptune           DOS
3     wrong fragment (8)                  0.9853                  Pod               DOS
      source bytes (5)                    0.7731                  Smurf             DOS
      wrong fragment (8)                  0.9913                  teardrop          DOS
4     count (23)                          0.6183                  Smurf             DOS
5     duration (1)                        0.5682                  guess_passwd      R2L
6     failed login (11)                   0.9622                  guess_passwd      R2L
7     service (3)                         0.9980                  Imap              R2L
8     destination bytes (6)               0.9976                  Phf               R2L
      count (23)                          0.7898                  multihop          R2L
      destination bytes (6)               0.7500                  warezmaster       R2L
      service (3)                         0.6658                  warezclient       R2L
9     dst host srv serror rate (39)       0.9997                  Spy               R2L
      service (3)                         0.6965                  buffer overflow   U2R
10    dst host same srcport rate (36)     0.6279                  Load module       U2R
11    root shell (14)                     0.9994                  Perl              U2R
12    srv count (24)                      0.7269                  rootkit           U2R
3.4 The Proposed Method for NIDS Designing: The IBM block is the proposed method for the design. In this method, we focus on two features of Block Matching: the ability to estimate the motion between two images or two video frames, and the ability to give the mean square error between two images or two video frames. Estimation here means the ability to generalize from incomplete data. Mean square error means the ability to classify the data as normal or abnormal (attack). There are two ways to apply the NIDS on the IBM, as shown in Fig. (3.7). The first is by forming the testing data as a two-dimensional matrix and passing it to a sub-matrix block according to the size of the testing records. After that, it is passed to the IBM as the image under test, together with another image formed from a matrix taken from the training data.
Figure (3.7) NIDS by using IBM. 1st method: Testing Data -> SubMatrix, together with Patching Data, into IMAGE BLOCK MATCHING; or 2nd method: Video from Testing and Patching Data into IMAGE BLOCK MATCHING; then Emb. MAT. Fun. -> Attack or not.
The matching result appears as a matrix of mean square errors; this error is passed to the EMF to give the decision whether it is an attack case or not. The second method is to generate a video file from the testing data and the patch data that is taken from the training records, then pass it to the IBM; the other steps are the same as in the first method. This method is more complicated than the first, but it is faster because of the reduction in blocks; however, it becomes unstable as the number of testing records increases, so it is not recommended [11].
3.4.1 Image Block Matching (IBM): Block Matching is one of the most powerful tools of the Video and Image Processing Blockset in SIMULINK, Fig. (3.8-a). It is used to match two images or two video frames. There are two modes of matching in the IBM technique: two images, or the current frame with the Nth frame back. The mode of matching can be chosen from the block parameters window, Fig. (3.8-b). The work of this tool is based on subdividing the image or the frame into a number of sub-blocks of pixels, entered in the Block Size [height, width] and Overlap [height, width] parameters, Fig. (3.9). So, by moving the block of pixels in frame k over a search region in frame k+1, which is limited by the Maximum displacement [height, width] parameter, the mismatch can be computed as a mean square error.
Figure (3.8) Image Block Matching (IBM) [39]: (a) Block Matching block, (b) Parameter setting.
There are other tools similar to the Block Matching block and built on its rules. This tool is also able to match matrices as well as images [39]. The Pattern Matching and Template Matching blocks are discussed below.
Figure (3.9) The work technique of the IBM [39].
3.4.2 Pattern Matching: The Pattern Matching block is one of the Video and Image Processing Blockset blocks in SIMULINK. It is built on the block matching rules and is used to find and track a limited part of an image in the overall image or frame. It takes a small part of an image as a target and scans the whole input image or video frames to find the target matching in them [39]. To understand the work technique of the Pattern Matching block, a simple example is taken. This example shows how to apply the block on images and 2D matrices for pattern matching and target tracking. Figure (3.10) shows the Pattern Matching model. From the Target port, the selected image is fed as input to the Pattern Matching block. In this example, an IC image is selected as the target.
Figure (3.10) Pattern Matching model.
The other input of the Pattern Matching block is the kit board image, of which the target is a part. It is a video of the kit, split into frames fed to the Image port [39]. The Pattern Matching block scans each frame by moving the target image over it to find the matching area in the input frame or image. The window shows the result of this navigation and comparison between the target template and a video frame. Large values in this window correspond to the locations of the targets in the input image. The Overlay window shows the locations of the targets by highlighting them with rectangular regions of interest (ROIs). These ROIs are present only when the targets are detected in the video frame.
3.4.3 Template Matching: It is one of the Video and Image Processing Blockset blocks in SIMULINK. It is also built on the block matching rules. The Template Matching block finds the best match of a template within an input image. The block computes match metric values by shifting a template over a region of interest or the entire image, and then finds the best match location. Figure (3.11) shows the Template Matching block.
Figure (3.11) Template Matching block [39].
I (Input Image) is one of the input ports of the block. It supports double-precision floating point, single-precision floating point, fixed point (signed, unsigned or both), Boolean and other data types. T (Template) is the second input port of the block and supports the same data types as the "I" port [39]. Loc (Best match location) is the output port of the block and represents the best match location between the two input images. The ROI can be set from the parameter window and works like the ROI in the Pattern Matching block. There are two search methods, Exhaustive and Three-step, similar to the Block Matching block. The search method can also be chosen from the parameter window.
3.5 Rules Generating (Patch Data): 3.5.1 Preprocessing: The Rules, or Patching Data, are the most important part of the NIDS. According to the Rules, the NIDS recognizes and classifies the packet as attack or normal. The Rules are generated from the selected features in Table (3.2). To understand the generation of the Rules from the selected features, a simple example of NSL-KDD features is taken. Figure (3.12) shows one of the NSL-KDD records with its whole 41 features. The record belongs to the DoS attack class, which appears clearly through the LAND feature (7th feature) with value one. The selected features of Table (3.2) are shown in Table (3.3) after modification. Each feature is replaced with its value from Fig. (3.12). The replacement is according to its order in the record.
Figure (3.12) NSL-KDD record with its whole 41 features.
Table (3.3) shows that two features, Service and Flag, appear as nominal values. The nominal values must be replaced with numerical values, as shown in Table (3.4). The eleven Flags get eleven values from zero to one with a step of 0.1. The values are set with step 0.1 to match the other feature values that lie between zero and one.

Table (3.3) The selected features after preprocessing

Selected feature (order)   Value from Fig. (3.12)   After preprocessing
1                          0                        0
3                          FTP-data                 0.3
5                          SF                       0.9
6                          490                      4.9
7                          1                        1
8                          0                        0
11                         0                        0
14                         0                        0
23                         0                        0
24                         1                        1
36                         0.17                     0.17
39                         0                        0
Table (3.4) The replacement values for Flag and Service features
NSL-KDD depends on 66 types of service. All the services get values between 0 and 6.5, also with step 0.1, for the same reason. The Source bytes feature is the number of data bytes, and it is divided by 100 to match the other feature values [40].
3.5.2 Forming of Rules Matrices: After the preprocessing is finished, the rule matrices can be formed easily. The first step is splitting the features according to their related attack class: DoS, R2L and U2R. From Table (3.2), there are four features for DoS, four for U2R and six features for R2L. Both the DoS and U2R rules consist of a 2x2 matrix from their four features. The R2L rules consist of a 2x3 matrix from its six features. These matrices are the Basic Block for the final form of the rules matrices. The number of NSL-KDD training records used in this design was 1500 records, 500 records for each attack class. Each record consists of the selected features from its whole features. Figure (3.13) shows the systematic configuration of the rules matrices. The 500 records of each attack class are divided into five matrices with 100 records each. For DoS and U2R, each record consists of four features represented by the Basic Block, so the rule matrix consists of 400 features configured as a 20x20 matrix (10x10 Basic Blocks), as shown in Fig. (3.13-a). In this case, there are five matrices for the DoS attack and the same number for U2R. For R2L, each record consists of six features represented by the Basic Block. Following the same method as for DoS and U2R, the block consists of 600 features configured as a 20x30 matrix, again 10x10 Basic Blocks, as shown in Fig. (3.13-b).
Figure (3.13) The forming of the rules matrices: (a) for DoS and U2R, (b) for R2L (F.O. = Feature Order). The figure shows Basic Blocks No. 1 to No. 100 tiled in 20 rows; the Basic Block for DoS holds F.O. 5, 7, 8, 23, the Basic Block for U2R holds F.O. 3, 14, 24, 36, and the Basic Block for R2L holds F.O. 1, 3, 6, 11, 23, 39.
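As an added example (pure Python, not the dissertation's Simulink model), the preprocessing of section 3.5.1 and the rules-matrix tiling of section 3.5.2 carried through on constructed records. The flag list is the NSL-KDD flag set in alphabetical order; the partial service list, the row layout of each Basic Block (read from Fig. 3.13) and the sample records are assumptions constructed for this example.

```python
# Added example: NSL-KDD feature preprocessing (section 3.5.1) and rules-matrix
# forming (section 3.5.2). Not the dissertation's Simulink model.

# Order numbers (1-based, Table 3.2) of the 12 selected features.
SELECTED_ORDER = [1, 3, 5, 6, 7, 8, 11, 14, 23, 24, 36, 39]

# Feature orders forming the Basic Block of each class. The row layout is an
# ASSUMED reading of Fig. 3.13 (the page lists the orders, not the layout).
BASIC_BLOCK = {
    "DoS": [[5, 7], [8, 23]],
    "U2R": [[3, 14], [24, 36]],
    "R2L": [[1, 3, 6], [11, 23, 39]],
}

# Nominal-to-numeric tables: the eleven flags get 0.0..1.0 in steps of 0.1, the
# 66 services get 0.0..6.5 in steps of 0.1. FLAGS is the NSL-KDD flag set in
# alphabetical order; SERVICES is an ASSUMED partial list constructed here.
FLAGS = ["OTH", "REJ", "RSTO", "RSTOS0", "RSTR", "S0", "S1", "S2", "S3", "SF", "SH"]
SERVICES = ["aol", "auth", "bgp", "ftp_data", "http", "private", "smtp", "telnet"]
BYTE_COUNT_ORDERS = (5, 6)   # source / destination bytes (Table 3.2), divided by 100


def encode_nominal(value, table):
    """Map a nominal value to index * 0.1, e.g. the 10th flag 'SF' -> 0.9."""
    return round(table.index(value) * 0.1, 1)


def preprocess(record):
    """Return {order: numeric value} for the 12 selected features of one
    41-field NSL-KDD record (list of strings; 1-based order = index + 1).
    The encoding is chosen by the raw value, so a flag or service string is
    handled wherever it appears; byte counts are scaled by 1/100."""
    out = {}
    for order in SELECTED_ORDER:
        raw = record[order - 1]
        if raw in FLAGS:
            out[order] = encode_nominal(raw, FLAGS)
        elif raw in SERVICES:
            out[order] = encode_nominal(raw, SERVICES)
        elif order in BYTE_COUNT_ORDERS:
            out[order] = float(raw) / 100.0
        else:
            out[order] = float(raw)
    return out


def basic_block(features, attack_class):
    """Arrange one preprocessed record as the class's Basic Block (2x2 or 2x3)."""
    return [[features[o] for o in row] for row in BASIC_BLOCK[attack_class]]


def rules_matrix(records, attack_class, blocks_per_row=10):
    """Tile the records' Basic Blocks, `blocks_per_row` per row: 100 DoS
    records -> 10x10 blocks of 2x2 -> a 20x20 rules matrix; 100 R2L -> 20x30."""
    blocks = [basic_block(preprocess(r), attack_class) for r in records]
    if not blocks or len(blocks) % blocks_per_row:
        raise ValueError("record count must fill whole block rows")
    bh, bw = len(blocks[0]), len(blocks[0][0])
    height = (len(blocks) // blocks_per_row) * bh
    matrix = [[0.0] * (blocks_per_row * bw) for _ in range(height)]
    for idx, blk in enumerate(blocks):
        brow, bcol = divmod(idx, blocks_per_row)
        for i in range(bh):
            for j in range(bw):
                matrix[brow * bh + i][bcol * bw + j] = blk[i][j]
    return matrix


def make_record(values):
    """Constructed 41-field record in standard NSL-KDD order (1 duration,
    2 protocol, 3 service, 4 flag, 5 src_bytes, 6 dst_bytes, 7 land, ...),
    all zeros except the given {order: value} entries."""
    rec = ["0"] * 41
    rec[1], rec[2], rec[3] = "tcp", "http", "SF"
    for order, v in values.items():
        rec[order - 1] = str(v)
    return rec


# Constructed 'land' DoS record with the values of Fig. 3.12 / Table 3.3:
# service ftp_data, 490 source bytes, land = 1, srv_count = 1, rate = 0.17.
SAMPLE = make_record({3: "ftp_data", 5: "490", 7: "1", 24: "1", 36: "0.17"})

# 100 constructed DoS training records with varying source-byte counts.
DOS_TRAINING = [make_record({3: "ftp_data", 5: str(400 + 10 * k), 7: "1"})
                for k in range(100)]

if __name__ == "__main__":
    print(preprocess(SAMPLE))
    m = rules_matrix(DOS_TRAINING, "DoS")
    print(len(m), "x", len(m[0]), "DoS rules matrix; first block:", m[0][:2], m[1][:2])
```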
3.6 NIDS Designing: Figure (3.14) shows the designed NIDS. The input of the system is the 12 selected features from the NSL-KDD testing dataset. These features are passed to the System Core, which starts by splitting them according to the related attack class so that they are processed in parallel, which is faster and more efficient. Some features are used in more than one attack class, so they are copied and sent to each related pattern matching part. Pattern matching in the System Core is divided into three parts: DoS, U2R and R2L. Each part consists of the Pattern Matching Engine, the Rules-set Store of the related attack class and the Decision Block.
Figure (3.14) The designed NIDS structure (System-Core) using Matlab R10.
The core of the Pattern Matching Engine consists of the IBM block, which receives its inputs as two matrices, one from the Rules-set and the other from the test dataset. The IBM scans the rules matrix to find matches with the test dataset matrix. Figure (3.15) shows how the matching operation is done. The IBM takes the under-test matrix (2x2 for DoS and U2R, 2x3 for R2L) and moves it over the rules matrix, comparing them step by step as mentioned in section (3.4.1). If no match is found, the next rules matrix (there are five rules matrices) is taken to be compared with the under-test matrix in the same way. The Decision block receives the output of the Pattern Matching Engine, which is the mean squared error matrix produced by the pattern matching operation. The received matrix has the same size as the rules matrix. The Decision block computes the sum of errors for each Basic Block (2x2 for DoS and U2R, 2x3 for R2L) of the mean squared error matrix. If the sum is equal to or less than the threshold value, the Decision block alarms an attack case and sends a signal to the Classifier and Gate blocks.
Figure (3.15) The systematic of pattern matching in the Pattern Matching Engine.
The threshold value is computed as the weight that gives the best detection rate. The values were computed by testing the whole 1500 test records. The threshold values for the three attack classes were very close, approaching 0.02, as shown in Fig. (3.16).
Figure (3.16) The best threshold value for DoS, U2R and R2L detection rate (detection rate % against threshold value, 0 to 1).
Detection of DoS is approximately stable as the threshold value changes, because the features it depends on have static values, except "Source bytes", which is the count of source data bytes. When the threshold reaches a value equal to one, the detection rate falls, because all the differences between the features become equal to one or less. U2R has two features with ratio values, so its detection changes more than DoS with respect to the threshold. R2L changes more than DoS and U2R for two reasons: first, it depends on six features, not four as DoS and U2R do; second, it has four dynamically changing features. The Gate block controls the passing of the Rules and Under-test matrices. When the signal is received from the Decision block, the Gate block interrupts the flow of the Rules matrices and resets their counters to the initial state so that they restart from the beginning with the next Under-test matrix. If the signal is not received, the flow continues until the fifth Rules matrix, which is the last one. Then it takes the next Under-test matrix and resets the counter of the Rules matrices. The Classifier block receives the signal from the Decision block, then sends to the Display block the class of the attack, according to which Decision block the signal was received from, and the count of attacks. The Display block reports the results and exports them to a text file.
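The System Core flow of this section (Pattern Matching Engine, Decision, Gate and Classifier blocks) as an added pure-Python example; it is not the dissertation's Simulink model. The IBM block's two-image mode is imitated by sliding the under-test Basic Block over a rules matrix in whole-block steps and computing the mean squared error at each position. The small 4x4 rules matrices, the under-test records and the Basic Block layouts (read from Fig. 3.13) are constructed assumptions; the 0.02 threshold is the value the page reports.

```python
# Added example: Pattern Matching Engine + Decision/Gate/Classifier of section
# 3.6 in pure Python. Not the dissertation's Simulink model.

THRESHOLD = 0.02   # the page reports the best threshold near 0.02 for all classes

# Constructed rules matrices: 4x4 = 2x2 Basic Blocks of 2x2 (the real design uses
# five 20x20 matrices per class). DoS block layout ASSUMED from Fig. 3.13:
# [[src_bytes/100, land], [wrong_fragment, count]].
DOS_RULES = [
    [[4.9, 1.0, 0.0, 1.0],
     [0.0, 0.0, 3.0, 0.0],
     [5.1, 1.0, 0.0, 0.0],
     [0.0, 0.0, 0.0, 2.0]],
    [[0.0, 1.0, 4.0, 1.0],
     [1.0, 0.0, 0.0, 0.0],
     [2.5, 1.0, 0.0, 1.0],
     [0.0, 0.0, 0.0, 0.0]],
]
# U2R block layout ASSUMED from Fig. 3.13:
# [[service, root_shell], [srv_count, dst_host_same_srcport_rate]].
U2R_RULES = [
    [[2.3, 1.0, 0.2, 1.0],
     [1.0, 0.0, 1.0, 0.5]],
]
RULES_STORE = {"DoS": DOS_RULES, "U2R": U2R_RULES}


def block_errors(rules, block):
    """Slide `block` over `rules` in whole-block steps and return the mean
    squared error at every block position as a 2-D list. This is the Decision
    block's per-Basic-Block sum of the IBM error matrix, divided by block area."""
    bh, bw = len(block), len(block[0])
    if len(rules) % bh or len(rules[0]) % bw:
        raise ValueError("rules matrix must be a whole number of Basic Blocks")
    out = []
    for r in range(0, len(rules), bh):
        row = []
        for c in range(0, len(rules[0]), bw):
            sq = sum((rules[r + i][c + j] - block[i][j]) ** 2
                     for i in range(bh) for j in range(bw))
            row.append(sq / (bh * bw))
        out.append(row)
    return out


def decide(rules_set, block, threshold=THRESHOLD):
    """Decision + Gate: scan the rules matrices in order and stop at the first
    one holding a block whose error is <= threshold (the Gate then resets the
    rules counter). Returns (is_attack, matrix_index, (block_row, block_col));
    the error is never negative, so '<= threshold' is the page's +/- tolerance."""
    for k, rules in enumerate(rules_set):
        errs = block_errors(rules, block)
        best = min((e, (i, j)) for i, row in enumerate(errs) for j, e in enumerate(row))
        if best[0] <= threshold:
            return True, k, best[1]
    return False, None, None


def classify(rules_store, blocks, threshold=THRESHOLD):
    """Classifier: run one engine per class on its under-test Basic Block
    (`blocks` maps class -> block) and return {class: (matrix, position)}
    for every class whose Decision block alarmed."""
    hits = {}
    for cls, block in blocks.items():
        is_attack, k, pos = decide(rules_store[cls], block, threshold)
        if is_attack:
            hits[cls] = (k, pos)
    return hits


def count_attacks(rules_store, test_records, threshold=THRESHOLD):
    """Display block input: tally attack decisions per class over the
    under-test records (each record = {class: Basic Block})."""
    counts = {cls: 0 for cls in rules_store}
    for rec in test_records:
        for cls in classify(rules_store, rec, threshold):
            counts[cls] += 1
    return counts


# Constructed under-test records: a 'land' DoS record whose source-byte count
# differs slightly from a stored rule, a normal record, and a U2R record.
TEST_RECORDS = [
    {"DoS": [[5.1, 1.0], [0.0, 0.0]], "U2R": [[0.0, 0.0], [0.0, 0.0]]},
    {"DoS": [[0.0, 0.0], [0.0, 0.0]], "U2R": [[0.0, 0.0], [0.0, 0.0]]},
    {"DoS": [[0.0, 0.0], [0.0, 0.0]], "U2R": [[2.3, 1.0], [1.0, 0.0]]},
]

if __name__ == "__main__":
    print(count_attacks(RULES_STORE, TEST_RECORDS))
```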
3.7 The Results and Discussion: In this design, 1500 testing patterns are used for three classes of attack (R2L, DoS and U2R), with 500 patterns for each class; the testing dataset used is NSL-KDD. The results are produced as the percentage of successful classifications (PSC) on the test dataset:
PSC = (number of correctly classified instances / number of instances in the test dataset)
The design achieves a good detection rate: PSC for R2L 93.8%, DoS 96.3% and U2R 94.6%; the average classification rate was 94.9, as shown in Table (3.5) and Fig. (3.17). The results show that the IBM is suitable as the base for classification applications, and it needs no training phase, just a simple initialization phase to determine the acceptable error and the threshold value for the classification. Figure (3.17) shows that the proposed method is more efficient than the ANN methods. The proposed method succeeds in giving high and close detection rates, with small variance between the attack classes.
Table (3.5) Results comparison of the proposed method (IBM) with other works.

Owner                            Used method   Dataset   Result PSC %: R2L   DoS     U2R     AVG
Vaitsekhovich [41] 2009          RNN & MLP     KDD-99    85.59               94.2    86.54   88.77
Laheeb [6] 2013                  SOM ANN       KDD-99    91.86               93.61   92.14   92.37
Laheeb [6] 2013                  SOM ANN       NSL-KDD   75.37               79.58   71.6    75.49
Prasanta Gogoi et al. [42] 2013  Hybrid        NSL-KDD   89.14               99.19   66.67   85
Proposed                         IBM           NSL-KDD   93.8                96.3    94.6    94.9
Figure (3.17) Results comparison of the proposed method (IBM) with other works: % PSC for R2L, DoS, U2R and AVG per compared method (Vaitsekhovich [41] 2009, RNN & MLP on KDD-99; Laheeb [6] 2013, SOM ANN on KDD-99 and on NSL-KDD; Gogoi [42] 2013, Hybrid on NSL-KDD; proposed IBM on NSL-KDD).
The DoS attack is the easiest to detect because most of its types depend heavily on specific features, like 'Back, Land, Pod', and other types depend essentially on the packet header fields. U2R and R2L are harder to detect; they depend on the behaviour of the packet, which makes their types have little dependency on the packet features, like 'guess_passwd', and the related features almost always appear as ratios, not static values, like 'dst host same srcport rate'. KDD-99 has a huge number of repeated records, so a high detection rate can be achieved even for the R2L and U2R classes. This repetition of records decreases the variance between the detection rates of the DoS attack and the other two attacks; this appears clearly in the "LAHEEB" results, where the difference between the detection rates of DoS and R2L is less than 2%, Fig. (3.17). When it turns to NSL-KDD, the variance of the detection rates rises. This variance comes from two points. The first is that NSL-KDD has abstracted records without repetition, which makes it more complicated and decreases the detection rate of R2L and U2R with respect to DoS. The second reason belongs to the working philosophy of the ANN. The ANN builds its rules based on the behaviour of the majority, but the minority gets less care or is ignored. To show this point, a simple example of ANN rules is taken. Table (3.6) shows a piece of the rules generated by the ANN for the NIDS, with the meaning of each rule. As shown in the table, the ANN bases its rules on the ratio values as greater than or equal, less than or equal, and so on. It forms these rules based on the behaviour of the majority of the attacks it was trained on. Designing the rules this way has many problems with the R2L and U2R attack classes, because these classes do not have an estimable behaviour. In some cases, the value of the feature is less than the rule's threshold value when the rule is "greater than or equal", and the opposite for the "less than or equal" rule case. Even though these cases occur rarely, they have a strong effect on the detection rates.
Table (3.6) Example of ANN rules for NIDS [42].
The proposed method (IBM) provides a good solution for these problems through the philosophy of its rules design, which takes a wide range of attack cases without ignoring the minority cases (rarely occurring cases). It takes a range of threshold errors for the computed mean squared error, which means that the threshold value ranges over plus or minus the specified threshold value. This property makes the designed NIDS give a high detection rate for the U2R and R2L classes, approaching the DoS detection rate, and overcomes the complexity of the NSL-KDD dataset with results not far from those obtained from KDD-99, Fig. (3.17). It must be mentioned that an NIDS based on ANN can gain experience from successful classifications (detection cases), but the proposed NIDS cannot in this form; it might be able to if some functions were added to the design, but they are not attempted in this research.
References: [1] Abdullah A. Mohamed and Dia M. Ali, “Challenges Of Designing And Implementing Intrusion Detection System”, The International Conference on Computer Related Knowledge (ICCRK'2013), Sousse-Tunisia, Jun-2014. [2] Moradi M. and Zulkernine M.," A Neural Network Based System for Intrusion Detection and Classification of Attacks", School of computing, Queen University Canada, 2004. [3] Yacine Bouzida, "Neural Networks vs. Decision Trees for Intrusion Detection", Mitsubishi Electric ITE-TCL, Rennes, Department RSM GET/ENST Bretagne, France, 2006. [4] Wafa' S. Al-Sharafat, Reyadh Sh.Naoum, "Adaptive Framework for Network Intrusion Detection by Using Genetic-Based Machine Learning Algorithm", Al Al-Bayt University, Information Technology College, Jordan, 2009. [5] Shilpa l., Sini J., B. verma, ''Feature Reduction using Principal Component Analysis for Effective Anomaly–Based Intrusion Detection on NSLKDD'', International Journal of Engineering Science and Technology, Vol. 2(6), pp.1790-1799, 2003. [6] Laheeb M. and etal, “A Comparison Study For Intrusion Database (Kdd99, Nsl-Kdd) Based On Self Organization Map (Som) Artificial Neural Network “, School of Engineering, Taylor’s University, Journal of Engineering Science and Technology, Vol. 8(1), pp 107-119, 2013. [7] RONG-TAI LIU and etal, “A Fast String-Matching Algorithm for Network Processor-Based Intrusion Detection System” International Conference on Performance, Computing, and Communications, IEEE, 2004. [8] Seungho Ryu, etal '' Incorporating Intrusion Detection Functionality into 1XP2800 Network Processor based Route'' The 8th International Conference in Advanced Communication Technology, 2006. [9] Chris Clark and etal, “A Hardware Platform for Network Intrusion Detection and Prevention’’, Center for Experimental Research in Computer Systems (CERCS), Georgia Institute of Technology, Atlanta, GA, USA, 2010. 
[10] Sahar Lazem Kadoory,” Design and Implementation of an Embedded Intrusion Detection System (IDS) for Wireless Applications“, Master Thesis, Mosul University, 2010.
52
Ch.3
Off-line NIDS Design (simulation)
[11] Abdullah A. Mohamed, “Design Intrusion Detection System Based On Image Block Matching”, International Journal of Computer and Communication Engineering, IACSIT Press, Vol. 2, No. 5, September 2013. [12] William Stallings, '' Network Security Essentials: Applications and Standards'', Prentice Hall, fourth edition, pp. 1-20, 2011. [13] Mattord, verma “Principles of Information Security”, Course Technology, pp. 290–301, 2008. [14] Intel, ''IXP2400/IXP2800 Network Processor Programmer’s Reference Manual'', Intel Corporation, 2003. [15] Intel, ''IXP2800 Network Processor Product Brief'', Intel Corporation, 2002. [16] Intel, ''Internet Exchange Architecture (Intel IXA) Software Developers Kit 3.0 SDK_3_Product_Brief'', Intel Corporation, 2002. [17] Erik J. Johnson and Aaron R. Kunze, "IXP2400/2800 Programming the Complete Microengine Coding Guide'', Intel Press, 2003. [18] Wen Cheng-yu and etal ,’’ Research and implementation of NIDS based on IXP2400’’, Second International Conference on Future Information Technology and Management Engineering, 2009. [19] George E. Brown, “Real-time Applications Using Simulink and OpenSees”, Network for Earthquake Engineering Simulation NEES, 2011. [20] C. R. Clark and C. D. Ulmer, “Network intrusion detection systems on FPGAs with on-chip network interfaces”, Sandia National Laboratories,Sandia Corporation, 2005. [21] M. Roesch, ''Snort: Lightweight intrusion detection for networks'', USENIX LISA Systems Conference, snort org., 1999. [22] Chris Clark and etal , “A Hardware Platform for Network Intrusion Detection and Prevention’’, Center for Experimental Research in Computer Systems (CERCS), Georgia Institute of Technology, Atlanta, USA, 2005. [23] Eivind Naess, '' Configurable Middleware-Level Intrusion Detection Support For Embedded Systems'', thesis, Washington State University-School of Electrical Engineering and Computer Science, May 2004. 
[24] NOROC Comp., NA-813 data-sheet, Desktop Network Appliance Platform with Intel Atom Processor, www.axiomtek.com. [25] Yocto Project,''Yocto Project Quick Start'', Linux Foundation, 2011.
53
Ch.3
Off-line NIDS Design (simulation)
[26] Abdullah A. Mohamed and Dia M. Ali, "Packet Features Extractor for Network Security Systems: Design and Implementation", International Journal of Engineering and Innovative Technology (IJEIT), Vol. 3(10), April 2014.
[27] J. McHugh, "Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Intrusion Detection", ACM Transactions on Information and System Security, pp. 262-294, 2000.
[28] Hung-Jen Liao et al., "Intrusion detection system: A comprehensive review", Journal of Network and Computer Applications, Elsevier, Vol. 36(1), pp. 16-24, January 2013.
[29] S. Lakhina, Sini J. and B. Verma, "Feature Reduction using Principal Component Analysis for Effective Anomaly-Based Intrusion Detection on NSL-KDD", International Journal of Engineering Science and Technology, Vol. 2(6), pp. 1790-1799, 2010.
[30] Oatley et al., "SMART software for decision makers: KDD experience", Knowledge-Based Systems, Elsevier, Vol. 15(5), pp. 323-333, July 2002.
[31] Hee C., B. Jo, S. Choi and T. Park, "Feature Selection for Intrusion Detection using NSL-KDD", Recent Advances in Computer Science, pp. 184-187, 2013.
[32] Shaheen A., "A Comparative Analysis of Intelligent Techniques for Detecting Anomalous Internet Traffic", MSc Thesis, King Fahd University, 2010.
[33] Olusola, Adeola S. and D. Abosede, "Analysis of KDD '99 Intrusion Detection Dataset for Selection of Relevance Features", Proceedings of the World Congress on Engineering and Computer Science, San Francisco, USA, October 2010.
[34] Rupali D. and Shilpa L., "Performance Comparison of Features Reduction Techniques for Intrusion Detection System", International Journal of Computer Science and Technology, Vol. 3(1), 2012.
[35] Hafiz M. Imran et al., "Intrusions Detection based on Optimum Features Subset and Efficient Dataset Selection", International Journal of Engineering and Innovative Technology, Vol. 2(6), 2012.
[36] Taisir E., Mohammad K. and Aws K., "On the KDD'99 Dataset: Statistical Analysis for Feature Selection", Journal of Data Mining and Knowledge Discovery, Vol. 3(3), pp. 88-90, 2012.
[37] Ricardo A. and Rajesh S., "Feature Ranking and Support Vector Machines Classification Analysis of the NSL-KDD Intrusion Detection Corpus", Proceedings of the Twenty-Sixth International Florida Artificial Intelligence Research Society Conference, 2013.
[38] Hana M. and Najla B., "Analysis of Basic Compounds in Network Intrusion Detection System Based on NSL-KDD Dataset", Journal of Al-Rafidain for Computer Science and Mathematics, Vol. 10(1), 2013.
[39] Emeka Eyisi et al., "An integrated modeling and simulation tool for networked control systems", Simulation Modelling Practice and Theory, Elsevier, Vol. 27, 2012.
[40] Yogita B. Bhavsar and Kalyani C. Waghmare, "Intrusion Detection System Using Data Mining Technique: Support Vector Machine", International Journal of Emerging Technology and Advanced Engineering, Vol. 3, pp. 581-586, 2013.
[41] L. Vaitsekhovich, "Intrusion Detection in TCP/IP Networks Using Immune Systems Paradigm and Neural Network Detectors", Brest State Technical University, XI International PhD Workshop, OWD, 2009.
[42] Prasanta Gogoi et al., "MLH-IDS: A Multi-Level Hybrid Intrusion Detection Method", The Computer Journal Advance Access, Oxford University Press on behalf of The British Computer Society, 2013.
[43] Wenke Lee and Salvatore J. Stolfo, "A framework for constructing features and models for intrusion detection systems", ACM Transactions on Information and System Security (TISSEC), Vol. 3, pp. 227-261, 2000.
[44] Alistair Croll and Sean Power, "Complete Web Monitoring", O'Reilly Media, Inc., Vol. 1, Ch. 10, pp. 353-376, June 2009.
[45] Richard Zurawski, "Embedded Systems Handbook", CRC Press, Vol. 2, pp. 72-85, July 2009.
[46] Vyatta Inc., "Why Vyatta is Better than Cisco", Vyatta Inc., 2007.
[47] Super Micro Computer Inc., "Supermicro L2/L3 Switches VLAN Configuration Guide", Super Micro Computer Inc., Vol. 1, January 2013.
[48] RedNectar Chris Welsh, "GNS3 Network Simulation Guide", Packt Publishing, Vol. 1, pp. 22-28, October 2013.
[49] Vyatta Inc., "Vyatta System Quick Start Guide", Vyatta Inc., Vol. 2, August 2008.
[50] NORCO Intelligent Technology Co., "BIS-6660 Datasheet", NORCO Intelligent Technology Co., November 2012.
[51] NORCO Intelligent Technology Co., "BIS-6660 User's Manual", NORCO Intelligent Technology Co., 2011.
[52] Cisco Systems Inc., "Cisco Catalyst 2950 Series Intelligent Ethernet Switches", Cisco Systems Inc., 2013.
[53] MikroTikls SIA, "RouterBOARD 1100/AH Series User's Manual", MikroTikls SIA, June 2013.
[54] NORCO Intelligent Technology Co., "BIS-6370 Datasheet", NORCO Intelligent Technology Co., January 2013.
[55] Anton Cervin, "Integrated Control and Real-Time Scheduling", PhD Thesis, Department of Automatic Control, Lund Institute of Technology, Lund, Sweden, pp. 139-161, April 2003.
[56] Emeka Eyisi et al., "An integrated modeling and simulation tool for networked control systems", Simulation Modelling Practice and Theory, Elsevier, 2012.
[57] Stefan Molyneux, "Real-Time Relationships: The Logic of Love", Freedomain Library, Volume 4, Version 1.0 Extended Edition, pp. 205-230, January 2008.
[58] Abdullah A. Mohamed and Dia M. Ali, "Creating Real-Time Operation System Based on xPC Target Kernel", International Journal of Recent Technology and Engineering, Vol. 2(4), September 2013.
[59] The MathWorks Inc., "xPC Target", The MathWorks Inc., 2012.
[60] The MathWorks Inc., "xPC Target Getting Started Guide", The MathWorks Inc., pp. 10-31, 2010.
[61] The MathWorks Inc., "xPC Target Supported Ethernet Chipsets", The MathWorks Inc., 2010.
[62] The MathWorks Inc., "xPC Target User's Guide for Use with Real-Time Workshop", The MathWorks Inc., pp. 85-92, 2000.
[63] Mahmod S. Bashi and Najla B. Abrahim, "Using of Ants Maps and Self-Regulation Algorithms in the Intrusion Detection and Classification in the Computer Networks", Thesis, Computer Science, Mosul University, 2011.