ISSN 2249-6343 International Journal of Computer Technology and Electronics Engineering (IJCTEE) Volume 1, Issue 3
Hybrid Approach for Intrusion Detection Using Conditional Random Fields Sandip Ashok Shivarkar
[email protected]
Mininath Raosaheb Bendre
[email protected]
Thus, there is a need to safeguard networks from known vulnerabilities and, at the same time, to detect new and unseen but possible system abuses by developing more reliable and efficient intrusion detection systems. Any intrusion detection system has some inherent requirements. Its prime purpose is to detect as many attacks as possible with the minimum number of false alarms, i.e., the system must be accurate in detecting attacks. However, an accurate system that cannot handle a large amount of network traffic and is slow in decision making does not fulfil the purpose of an intrusion detection system. We design a system that detects most attacks, gives very few false alarms, copes with large amounts of data, and is fast enough to make real-time decisions. With the rapid growth of the Internet, the low detection speed of existing IDSs and their inefficiency on massive data streams become more and more serious. Therefore, building on real-time detection techniques, we present a hybrid intrusion detection model using conditional random fields (CRFs) [19], aiming to improve computational efficiency as well as detection accuracy.
Abstract— Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Incidents have many causes, such as malware (e.g., worms, spyware), attackers gaining unauthorized access to systems from the Internet, and authorized users of systems who misuse their privileges or attempt to gain additional privileges for which they are not authorized. Intrusion detection faces a number of challenges: an intrusion detection system must reliably detect malicious activities in a network and must perform efficiently to cope with the large amount of network traffic. In this paper, we address these two issues of accuracy and efficiency using Conditional Random Fields for a hybrid intrusion detection system. Index Terms— Anomalous activity, Conditional Random Fields, Signature.
I. INTRODUCTION This paper is concerned with an accurate and efficient hybrid intrusion detection system that combines a signature-based and an anomaly-based intrusion detection system. We address the two issues of accuracy and efficiency using Conditional Random Fields together with the Encrusted Approach (a layered approach, one layer per attack class) for the signature-based system, and by acquiring volatile data while the system is running (such data is lost once the system is powered off) for the anomaly-based system. We demonstrate that high attack detection accuracy can be achieved by using Conditional Random Fields and high efficiency by implementing the Encrusted Approach in the signature-based system. Intrusion detection is a necessary part of the security management cycle: it is part of knowing what is happening on your network, since intruders can harm the general health of the network. The obvious reason for doing intrusion detection is to detect suspicious activity on your systems. Intrusion detection, as defined by the SysAdmin, Audit, Networking, and Security (SANS) Institute, is the art of detecting inappropriate, inaccurate, or anomalous activity [5]. Today, intrusion detection is one of the high-priority and challenging tasks for network administrators and security professionals. More sophisticated security tools mean that attackers come up with newer and more advanced penetration methods to defeat the installed security systems [6][7].
II. RELATED WORK A. History The field of intrusion detection and network security has been active since the late 1980s, after the influential report by Anderson [8]. Since then, a number of methods and frameworks have been proposed and many systems have been built to detect intrusions. Techniques such as association rules, clustering, naive Bayes classifiers, support vector machines, genetic algorithms, artificial neural networks, and others have been applied to detect intrusions. B. Signature Based Systems Lee et al. introduced data mining approaches for detecting intrusions [9]. These approaches include association rules and frequent episodes, which build classifiers by discovering relevant patterns of program and user behavior. Association rules and frequent episodes are used to learn the record patterns that describe user behavior. These methods can deal with symbolic data, and the features can be defined in the form of packet and connection details.
However, the mined features are limited to entry-level packet features, and the approach requires the number of records to be large and sparsely populated; otherwise it tends to produce a large number of rules that increase the complexity of the system [10]. Data clustering methods such as k-means and fuzzy c-means have also been applied extensively to intrusion detection [11]. One of the main drawbacks of clustering is that it is based on calculating a numeric distance between observations, so the observations must be numeric. Observations with symbolic features cannot easily be clustered, which results in inaccuracy. In addition, clustering methods consider the features independently and cannot capture the relationship between different features of a single record, which further degrades attack detection accuracy. Naive Bayes classifiers have also been used for intrusion detection [12]. However, they make a strict independence assumption between the features in an observation, resulting in lower attack detection accuracy when the features are correlated, which is often the case in intrusion detection. Bayesian networks can also be used for intrusion detection [12]. However, they tend to be attack specific and build a decision network around the special characteristics of individual attacks; thus, the size of a Bayesian network grows rapidly with the number of features and the number of attack types it models. To detect anomalous traces of system calls in privileged processes, hidden Markov models (HMMs) have been applied [13]. However, modeling the system calls alone may not always give an accurate classification, since connection-level features are ignored. Further, HMMs are generative models and fail to capture long-range dependencies between observations.
So far, many anomaly detection methods have been proposed, including probabilistic and statistical methods, data mining, neural networks, fuzzy set theory, artificial immune algorithms, support vector machines, and others. Each has merits and demerits, but the anomaly detection ability of all of them is limited and their computational complexity is high. Probabilistic and statistical methods can be used to detect anomalies in real-time data flows, and clustering techniques have been applied successfully to the anomaly detection problem. However, traditional clustering-based intrusion detection algorithms cluster using a simple distance-based metric and detect based on the cluster centers, which generally degrades detection accuracy and efficiency. In their work on live computer forensics on Windows and Linux platforms, the authors focus on how a forensic examiner can acquire volatile and live data from a compromised Windows or Linux system and detect the malicious activities running on the system and network [14]. The present paper introduces an adaptive approach for anomaly intrusion detection. D. Hybrid Systems In the past, data mining techniques such as association rules were suggested for building IDSs. Lazarevic et al. distinguished between single-connection and multi-connection attacks. Both signature-based and anomaly-based IDSs are sensitive to the attack characteristics, system training history, services provided, and underlying network conditions. Data mining techniques are also used to build classification models from labeled attacks. Intrusion detection must be designed to monitor connection features at the network, transport, and application layers. The concept of frequent episode rules (FERs) was first proposed by Mannila and Toivonen [15]. Subsequently, Lee et al. suggested a framework for specifying FERs for anomaly detection against normal traffic profiles.
They developed a level-wise data mining algorithm for building an ADS. Fan et al. extended Lee et al.'s work to discover accurate boundaries between known attacks and unknown anomalies [16]. Qin and Hwang proposed an adaptive base-support algorithm for mining the normal data set [17], in which different axis attribute values apply different thresholds. Kaleton Internet built a prototype system by combining the two detection systems, but the two work independently, without interaction. We consider close cooperation between the two subsystems. In this paper, we propose the Hybrid Intrusion Detection System architecture. For the signature-based system we define features from the observations, as well as from the observations together with the previous labels, and perform sequence labeling via CRFs to label every feature in the observation. This setting is sufficient for modeling the correlation between different features of an observation.
C. Anomaly Based Systems The anomaly detection problem can be considered as a two-class classification problem (normal versus abnormal) in which samples of only one class (the normal class) are used for training. Anomaly detection has always been a hot IDS research subject. Anomaly-based IDSs establish a baseline of normal usage patterns, and anything that deviates widely from it is flagged as a possible intrusion [21]. Anomaly detection methods can investigate user patterns, such as profiling the programs executed daily or the privileged processes executed with access to resources that are inaccessible to ordinary users [22][23]. The major advantage of anomaly-based IDSs is their ability to detect attempts to exploit new and unforeseen vulnerabilities. Their complexity, due to the inherently dynamic nature of computer networks, is their major disadvantage, as is their high false alarm rate, because the entire scope of the behavior of an information system may not be covered during the learning phase.
This system also integrates the Encrusted Approach with the CRFs to gain the benefits of computational efficiency and high detection accuracy in a single system. For the anomaly-based system we investigate user patterns, such as profiling the programs executed daily or the privileged processes executed with access to resources that are inaccessible to ordinary users, by collecting the volatile data from the system. We then train our system using conditional random fields, which reduces the false alarm rate.
Having a low false alarm rate (FAR) is very important for any intrusion detection system. Further, feature selection using conditional random fields and implementation of the Encrusted Approach significantly reduce the time required to train and test the model. Even though we used a relational data set for our experiments, we show that sequence labeling methods such as CRFs can be very effective in detecting attacks and that they outperform other methods known to work well with relational data. For anomaly-based detection we acquire the volatile data while the system is running. From this data we train the system, and once training is over we proceed to intrusion detection with conditional random fields and to prevention. We authorize the admin to block the anomalous activity; the admin may log on to the system locally or remotely.
III. ISSUES IN EXISTING INTRUSION DETECTION SYSTEMS
Intrusion detection technology is still young and not fully mature. Existing intrusion detection techniques still have a number of issues [18].
1) Detection in high-speed network environments. Current network data transmission speeds exceed the detection computation speed, so the detection system misses some network packets, which results in omissions and affects the system's accuracy and effectiveness.
2) Attack methods update fast and become more diverse, complex and intelligent. Existing real-time intrusion detection systems lack the capacity to detect covert and complex attacks, which results in missed detections and false positives. Currently this is the biggest problem intrusion detection systems face.
3) Scalability, in both time and space: for intrusion behaviors with a large time span and in distributed environments, mature solutions are still lacking.
4) Large volumes of data from many sources, system messages, etc. are often not handled well or in time, which wastes the processing power of the intrusion detection system and reduces detection performance.
5) The complexity of anomaly detection, due to the inherently dynamic nature of computer networks, is its major disadvantage, as is its high false alarm rate, because the entire scope of the behavior of an information system may not be covered during the learning phase.
V. CONDITIONAL RANDOM FIELDS CRFs were first proposed by Lafferty and colleagues in 2001; the model idea came mainly from the MEMM (Maximum Entropy Markov Model). Like MEMMs, CRFs are conditional (discriminative) models with strong inference power that can combine all kinds of features. CRFs compute the probability distribution of the whole label sequence given the observation sequence to be labeled, rather than defining the next-state distribution conditioned on the current state. This conditional property of the label sequence makes CRFs fit real-world data well: the conditional probability of the label sequence depends on dependent, mutually interacting features of the observation sequence, and giving these features different weight values expresses their varying importance. Let $X$ be the random variable over the data sequence to be labeled and $Y$ the corresponding label sequence. In addition, let $G=(V,E)$ be a graph such that $Y=(Y_v)_{v\in V}$, so that $Y$ is indexed by the vertices of $G$. Then $(X,Y)$ is a CRF when, conditioned on $X$, the random variables $Y_v$ obey the Markov property with respect to the graph: $p(Y_v \mid X, Y_w, w \neq v) = p(Y_v \mid X, Y_w, w \sim v)$, where $w \sim v$ means that $w$ and $v$ are neighbors in $G$; i.e., a CRF is a random field globally conditioned on $X$.
IV. PROPOSED SYSTEM To overcome the drawbacks of existing intrusion detection systems we propose a hybrid system. It uses conditional random fields both for signature-based and for anomaly-based intrusion detection, and at the same time performs intrusion prevention. Conditional random fields are very effective in improving the attack detection rate and decreasing the false alarm rate (FAR).
For simple sequence (or chain) modeling, as in our case, the joint distribution over the label sequence $Y$ given $X$ has the following form:

$$p_\theta(y \mid x) \propto \exp\Big( \sum_{e \in E,\,k} \lambda_k f_k(e, y|_e, x) + \sum_{v \in V,\,k} \mu_k g_k(v, y|_v, x) \Big)$$

where $x$ is the data sequence, $y$ is a label sequence, and $y|_S$ is the set of components of $y$ associated with the vertices or edges in the subgraph $S$. The features $f_k$ and $g_k$ are assumed to be given and fixed, and $\theta = (\lambda_1, \lambda_2, \ldots;\ \mu_1, \mu_2, \ldots)$ are the feature weights.

[Fig. 1 (image not reproduced): a chain CRF over one connection record; observation features A, B, C and D in the top row, each linked to a label node in the bottom row.]
A. Descriptions of Feature Sets The experimental data used for signature-based detection with CRFs are the KDD Cup 1999 data sets [4]. They contain large numbers of normal network flows and various attacks, and are strongly representative.
Fig. 1: Graphical representation of the CRF. Another advantage of CRFs is that every element in the sequence is labeled such that the probability of the entire labeling is maximized, i.e., all the features in the observation collectively determine the final labels. Hence, even if some data is missing, the observation sequence can still be labeled using fewer features. Our first goal is to improve attack detection accuracy. We considered all 41 features in the data set for each of the four attack groups separately. As we shall observe, CRFs outperform other methods for detecting "User to Root" (U2R) attacks. They are also effective in detecting Probe, "Remote to Local" (R2L), and "Denial of Service" (DoS) attacks.
B. Example The data set used in our experiments represents the features of every session in relational form, with only one label for the entire record. In this case, using a conditional model would result in a simple maximum entropy classifier. However, we represent the data in the form of a sequence and assign a label to every feature in the sequence, using the first-order Markov assumption, instead of assigning a single label to the entire observation. Though this increases the complexity, it also increases the attack detection accuracy. Each record represents a separate connection, and hence we consider every record as a separate sequence. We aim to model the relationships among the features of individual connections using a CRF, as shown in Fig. 1. In the figure, features such as A, B, C and D take some value for every connection. During training, feature weights are learned; during testing, the features are evaluated for the given observation, which is then labeled accordingly. As is evident from the figure, every label is connected to every input feature, which indicates that all the features in an observation help in labeling, and thus the CRF can model dependencies among the features in an observation. Present intrusion detection systems do not consider such relationships among the features in the observations: they either consider only one feature, as in system call modeling, or assume conditional independence among the features in the observation, as in a naive Bayes classifier. As we will show from our experimental results, CRFs can effectively model such relationships among the features of an observation, resulting in higher attack detection accuracy.
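The chain model just described (the Section V formula, the Fig. 1 layout, one label per feature under the first-order Markov assumption) as an added worked example. This is not code from the paper, which used the CRF++ toolkit [3] on the KDD records; the six training records, their feature values and the "normal"/"attack" labels are constructed for illustration, and all function names are the example's own.

```python
"""Linear-chain CRF over the features of one connection record (added example).

Implements p_theta(y|x) of Section V for the chain of Fig. 1: every feature of a
record gets its own label, and labels interact through first-order transitions.
Weights are learned by maximum likelihood on a constructed toy training set.
"""
import math
from itertools import product

LABELS = ("normal", "attack")


def phi(x, y):
    """Global feature list Phi(x, y): vertex indicators ('g', name, value, y_t)
    tying label y_t to observation x_t, and edge indicators ('f', y_{t-1}, y_t)."""
    feats = []
    for t, ((name, value), y_t) in enumerate(zip(x, y)):
        feats.append(("g", name, value, y_t))
        if t > 0:
            feats.append(("f", y[t - 1], y_t))
    return feats


def score(w, x, y):
    """theta . Phi(x, y): the exponent of the CRF formula before normalisation."""
    return sum(w.get(k, 0.0) for k in phi(x, y))


def _node(w, x, t, y_t):
    return w.get(("g",) + x[t] + (y_t,), 0.0)


def _edge(w, y_prev, y_t):
    return w.get(("f", y_prev, y_t), 0.0)


def _logsumexp(vals):
    m = max(vals)
    return m + math.log(sum(math.exp(v - m) for v in vals))


def log_z(w, x):
    """log Z(x) by the forward recursion; the proportionality sign hides this term."""
    alpha = {y: _node(w, x, 0, y) for y in LABELS}
    for t in range(1, len(x)):
        alpha = {y: _node(w, x, t, y)
                 + _logsumexp([alpha[p] + _edge(w, p, y) for p in LABELS])
                 for y in LABELS}
    return _logsumexp(list(alpha.values()))


def prob(w, x, y):
    """p_theta(y|x) = exp(theta . Phi(x, y)) / Z(x)."""
    return math.exp(score(w, x, y) - log_z(w, x))


def viterbi(w, x):
    """Most probable labelling of the whole chain: because of the transitions,
    every feature influences every label, as the paper argues for Fig. 1."""
    best = {y: (_node(w, x, 0, y), [y]) for y in LABELS}
    for t in range(1, len(x)):
        nxt = {}
        for y in LABELS:
            p = max(LABELS, key=lambda p: best[p][0] + _edge(w, p, y))
            nxt[y] = (best[p][0] + _edge(w, p, y) + _node(w, x, t, y), best[p][1] + [y])
        best = nxt
    return max(best.values(), key=lambda sp: sp[0])[1]


def train(records, epochs=1000, lr=0.03, l2=0.01):
    """Gradient ascent on the L2-regularised log-likelihood. Expected feature
    counts are computed exactly by enumerating all |LABELS|^T labellings (fine
    for T = 4); a production trainer uses forward-backward instead."""
    w = {}
    for _ in range(epochs):
        grad = {}
        for x, y in records:
            for k in phi(x, y):                      # empirical counts
                grad[k] = grad.get(k, 0.0) + 1.0
            lz = log_z(w, x)
            for y_alt in product(LABELS, repeat=len(x)):
                p = math.exp(score(w, x, y_alt) - lz)
                for k in phi(x, y_alt):              # minus model expectation
                    grad[k] = grad.get(k, 0.0) - p
        for k, g in grad.items():
            w[k] = w.get(k, 0.0) + lr * (g - l2 * w.get(k, 0.0))
    return w


def record(protocol, service, flag, count_bucket):
    """A constructed 4-feature connection record (the A, B, C, D of Fig. 1)."""
    return (("protocol_type", protocol), ("service", service),
            ("flag", flag), ("count", count_bucket))


# Constructed training set; every feature of a record carries the record's label.
TRAIN = [
    (record("tcp", "http", "SF", "low"), ["normal"] * 4),
    (record("udp", "domain_u", "SF", "low"), ["normal"] * 4),
    (record("tcp", "smtp", "SF", "low"), ["normal"] * 4),
    (record("tcp", "private", "S0", "high"), ["attack"] * 4),
    (record("tcp", "private", "REJ", "high"), ["attack"] * 4),
    (record("icmp", "ecr_i", "SF", "high"), ["attack"] * 4),
]


def total_mass(w, x):
    """Sanity check that p_theta(. | x) sums to one over all labellings."""
    return sum(prob(w, x, y) for y in product(LABELS, repeat=len(x)))


def fits(w, records):
    """True when Viterbi reproduces every training labelling."""
    return all(viterbi(w, x) == list(y) for x, y in records)
```

After `weights = train(TRAIN)`, `viterbi(weights, record("tcp", "private", "S0", "high"))` gives the per-feature labelling and `prob` gives the exact conditional probability of any labelling. The `total_mass` check is worth keeping in any CRF implementation: a wrong normaliser silently turns the probabilities the labeling relies on into unnormalised scores.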
VI. SYSTEM ARCHITECTURE Hybrid intrusion detection is a kind of model that combines the advantages of anomaly-based and signature-based intrusion detection. Intrusions and anomalies are two different kinds of abnormal traffic events in an open network environment [24]. An intrusion takes place when unauthorized access to a host computer system is attempted; an anomaly is observed at the network connection level. Both may compromise valuable hosts, disclose sensitive data, deny services to legitimate users, and bring down network-based computing resources. An intrusion detection system (IDS) offers much better protection of networked computers or distributed resources than fixed-rule firewalls. Existing IDSs are built as either signature-based or anomaly-based systems. Signature matching is based on a misuse model, whereas anomaly detection is based on a normal-use model. The design philosophies of the two models are quite different, and they were rarely combined in existing IDS products from the security industry. Signatures are manually constructed by security experts analyzing previous attacks [24], and the collected signatures are matched against incoming traffic to detect intrusions. These are conventional systems that detect known attacks with low false alarms. However, a signature-based IDS cannot detect unknown attacks for which no signatures have been collected or no attack classifiers exist [25].
Furthermore, signature matching performs well only for single-connection attacks. With the growing sophistication of attackers, more attacks involve multiple connections, which limits the detection range of signature matching. An anomaly-based system uses a different philosophy: it treats any network connection that violates the normal profile as an anomaly [26][27]. A network anomaly is revealed if the incoming traffic pattern deviates significantly from the normal profiles. Through a data mining approach, anomaly detection discovers temporal characteristics of network traffic. Such a system can detect unknown attacks and handles multi-connection attacks well. However, anomaly detection may produce more false alarms [24]. The proposed HIDS is designed to solve these problems with much enhanced performance. In this paper, we propose the Hybrid Intrusion Detection System architecture and demonstrate its effectiveness through simulation experiments.
In this hybrid approach we design both the anomaly-based and the signature-based detection system, and the two run in parallel. The system overview is shown in Fig. 2. The system has two main blocks: signature-based detection and anomaly-based detection. For signature-based intrusion detection we use the standard KDD data set for analysis; for anomaly-based intrusion detection we collect data from the system while there is no anomalous activity, and this data is used for system learning. In the signature-based system we use the Weka tool to interface the KDD data set with our system. We select the layers that correspond to particular attacks and, for each of these attacks, select features from the KDD data set. During system training we use conditional random fields to label these features as normal or attack. Finally we perform testing. In anomaly-based intrusion detection the system learns from data collected while there is no anomalous activity: we collect the volatile data from the system and investigate user patterns, such as profiling the programs executed daily or the privileged processes executed with access to resources that are inaccessible to ordinary users. Once we have the data, we train our system using conditional random fields.
VII. SIGNATURE BASED INTRUSION DETECTION SYSTEM A signature-based intrusion detection system employs a priori knowledge of attack signatures. The signatures are manually constructed by security experts by analyzing previous attacks, and the collected signatures are matched against incoming traffic to detect intrusions. These are conventional systems that detect known attacks with low false alarms. However, a signature-based IDS cannot detect unknown attacks for which no signatures have been collected or no attack classifiers exist. In this system we consider four attack classes, one per layer.
1. Probe Layer: Probe attacks aim at acquiring information about the target network from a source that is often external to the network, e.g., port scanning.
2. DoS Layer: Denial of service attacks are meant to force the target to stop the service(s) it provides by flooding it with illegitimate requests, e.g., SYN flood, land attack.
3. R2L Layer: Remote to Local attacks are among the most difficult to detect, as they involve both network-level and host-level features, e.g., password guessing.
Fig. 2: System overview (block diagram, image not reproduced). Signature path: KDD data -> KDD data interface -> system training -> system testing -> known attack detected. Anomaly path: training data collected when there is no anomalous activity -> system learning using CRF -> testing -> unknown attack detected. The Hybrid Intrusion Detection System integrates the flexibility of the anomaly detection system with the accuracy of a signature-based intrusion detection system. The anomaly detection system is built by acquiring the volatile data while there is no anomalous activity; we then train the system for anomalous activity using conditional random fields. This approach automatically enables the HIDS to detect similar anomalous attacks in the future.
4. U2R Layer: User to Root attacks involve semantic details that are very difficult to capture at an early stage. Such attacks are often content based and target an application, e.g., various buffer overflow attacks.
The experimental data used for signature-based detection with CRFs are the KDD Cup 1999 data sets; they contain large numbers of normal network flows and various attacks, and are strongly representative.
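The layered decision procedure of this section (one layer per attack class, a selected feature subset per layer, the first layer that fires labels the record, as Section IX describes) as an added worked example; this is not the paper's code. The 41 feature names are those of the KDD Cup 1999 data set; the threshold rules are hand-written stand-ins for the per-layer CRFs, and they and the sample records are constructed for illustration only.

```python
"""Layered ("Encrusted") signature pipeline with per-layer feature selection.

Added example, not the paper's code: each layer sees only its own subset of the
41 KDD features and the first layer that fires labels the record. The detectors
below are illustrative threshold rules standing in for the trained CRFs.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# The 41 connection features of the KDD Cup 1999 data set, in data-set order.
KDD_FEATURES = (
    "duration protocol_type service flag src_bytes dst_bytes land wrong_fragment "
    "urgent hot num_failed_logins logged_in num_compromised root_shell su_attempted "
    "num_root num_file_creations num_shells num_access_files num_outbound_cmds "
    "is_host_login is_guest_login count srv_count serror_rate srv_serror_rate "
    "rerror_rate srv_rerror_rate same_srv_rate diff_srv_rate srv_diff_host_rate "
    "dst_host_count dst_host_srv_count dst_host_same_srv_rate dst_host_diff_srv_rate "
    "dst_host_same_src_port_rate dst_host_srv_diff_host_rate dst_host_serror_rate "
    "dst_host_srv_serror_rate dst_host_rerror_rate dst_host_srv_rerror_rate"
).split()
assert len(KDD_FEATURES) == 41


def connection(**values):
    """Constructed KDD-style record: symbolic defaults, every counter zero, overrides applied."""
    rec = {f: 0 for f in KDD_FEATURES}
    rec.update(protocol_type="tcp", service="http", flag="SF")
    rec.update(values)
    return rec


@dataclass
class Layer:
    name: str
    features: List[str]                            # the layer's selected feature subset
    detect: Callable[[Dict[str, object]], bool]    # stand-in for the layer's trained CRF


def project(rec, features):
    """A layer sees only its selected features (the per-layer feature selection)."""
    return {f: rec[f] for f in features}


# Illustrative rules (constructed thresholds; the paper trains a CRF per layer instead).
LAYERS = [
    Layer("Probe", ["rerror_rate", "diff_srv_rate", "dst_host_diff_srv_rate", "dst_host_count"],
          lambda r: r["diff_srv_rate"] > 0.5 or r["rerror_rate"] > 0.5),
    Layer("DoS", ["count", "srv_count", "serror_rate", "srv_serror_rate", "land", "wrong_fragment"],
          lambda r: (r["count"] > 100 and r["serror_rate"] > 0.8) or r["land"] == 1),
    Layer("R2L", ["num_failed_logins", "is_guest_login", "hot", "logged_in", "num_access_files"],
          lambda r: r["num_failed_logins"] > 0 or (r["is_guest_login"] == 1 and r["hot"] > 0)),
    Layer("U2R", ["root_shell", "su_attempted", "num_shells", "num_file_creations", "hot"],
          lambda r: r["root_shell"] == 1 or r["num_shells"] > 0),
]


def classify(rec, layers=LAYERS):
    """Sequential layered decision: the first layer that fires labels the record and
    later layers never see it; a record no layer flags is 'normal'."""
    for layer in layers:
        if layer.detect(project(rec, layer.features)):
            return layer.name
    return "normal"


def evaluate(labelled, layers=LAYERS):
    """Per-class detection rate (% of that class caught by its own layer) and the
    number of normal records the pipeline raised as false alarms."""
    per_class = {l.name: [0, 0] for l in layers}   # [caught, total]
    false_alarms = 0
    for rec, truth in labelled:
        pred = classify(rec, layers)
        if truth == "normal":
            false_alarms += pred != "normal"
        else:
            per_class[truth][1] += 1
            per_class[truth][0] += pred == truth
    rates = {k: round(100.0 * c / t, 2) if t else None for k, (c, t) in per_class.items()}
    return rates, false_alarms


# Constructed sample traffic; the label is what each record was built to represent.
SAMPLE = [
    (connection(src_bytes=215, dst_bytes=45076, logged_in=1, count=8, same_srv_rate=1.0), "normal"),
    (connection(protocol_type="udp", service="domain_u", src_bytes=44, dst_bytes=44, count=2), "normal"),
    (connection(service="private", flag="REJ", rerror_rate=1.0, diff_srv_rate=0.9, dst_host_count=255), "Probe"),
    (connection(service="private", flag="S0", count=250, srv_count=250, serror_rate=1.0, srv_serror_rate=1.0), "DoS"),
    (connection(service="ftp", num_failed_logins=3, src_bytes=60), "R2L"),
    (connection(service="telnet", logged_in=1, hot=2, root_shell=1, num_file_creations=1, src_bytes=1500), "U2R"),
    # Root shell plus flood-like counters: the DoS layer claims it first (ordering caveat).
    (connection(service="telnet", root_shell=1, count=250, serror_rate=0.95), "U2R"),
]
```

`evaluate(SAMPLE)` reports the per-class rates and the false-alarm count. The last sample record shows the cost of the sequential design: it carries a root shell but also flood-like counters, so the DoS layer claims it and the U2R layer never sees it. Layer order therefore has to be chosen with the earlier layers' behaviour on later classes in mind, which is why the evaluation reports detection per class rather than one overall figure.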
A. Analysis of Activities The analysis is the heart of the anomaly intrusion detection system. In this system we investigate user patterns, such as profiling the programs executed daily or the privileged processes executed with access to resources that are inaccessible to ordinary users. For this we collect the volatile data from the system. To collect this data we use the system log file, which gives us the processes running on the system, the resources assigned to each user, and the system privilege levels. We train our system using conditional random fields, which reduces the false alarm rate. The system is then deployed in the real working environment. If anomalous activity occurs, we alert the admin by SMS that anomalous activity is running.
VIII. ANOMALY DETECTION An intrusion detection system (IDS) plays a key role in detecting various kinds of attacks and securing applications and networks in a pervasively connected environment [20]. Intrusion detection is the process of monitoring computers or networks for unauthorized entry, activity, or file modification. Anomaly-based IDSs establish a baseline of normal usage patterns, and anything that deviates widely from it is flagged as a possible intrusion [21]. Anomaly detection methods can investigate user patterns, such as profiling the programs executed daily or the privileged processes executed with access to resources that are inaccessible to ordinary users [22][23]. The major advantage of anomaly-based IDSs is their ability to detect attempts to exploit new and unforeseen vulnerabilities. Their complexity, due to the inherently dynamic nature of computer networks, is their major disadvantage, as is their high false alarm rate, because the entire scope of the behavior of an information system may not be covered during the learning phase. To overcome this drawback we train our system using conditional random fields, which are more accurate, so that the false alarm rate decreases. In this system we focus on acquiring volatile data, which leaves no trace once the system is powered off. Volatile data can take the form of RAM contents, temporary data used by the OS, data in registers, buffers, unlinked files and unsaved files, and it may contain information about all running processes, active and recent network connections, open ports and sockets, background processes, open files and applications, loaded DLLs, OS kernel modules, and active users. This volatile data can hold enough information about the anomalous activities on a running system. By collecting it we train our system using conditional random fields, which are more accurate and result in a lower false alarm rate.
The system has analysis and prevention as its two main blocks. The analysis block is responsible for system learning and testing; it also alerts the admin by SMS if there is anomalous activity. The prevention block is responsible for preventing the anomalous activity: the admin can stop the anomalous activity, start a new activity, shut down or reboot the system, or scan the system. The admin may log on to the system locally or remotely; for remote login the admin can use the Internet or GPRS.
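The baseline-then-deviation step of the anomaly block above as an added worked example; this is not the paper's code (the paper goes on to train a CRF on the captured volatile data; this block shows only the profile stage that training starts from). The snapshot line format, the program names, users and ports are constructed; a real collector would take them from the process list and the socket table of the running host.

```python
"""Baseline profile from clean volatile-data snapshots, then deviation detection.

Added example, not the paper's code. A snapshot is a constructed text with
"proc <user> <pid> <command>" and "listen <proto> <port> <command>" lines.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed clean snapshots, captured while there is no anomalous activity.
CLEAN_SNAPSHOTS = [
    """
    proc root 1 systemd
    proc root 412 sshd
    proc www 1203 nginx
    proc alice 2210 bash
    proc alice 2301 vim
    listen tcp 22 sshd
    listen tcp 443 nginx
    """,
    """
    proc root 1 systemd
    proc root 412 sshd
    proc www 1203 nginx
    proc alice 2410 bash
    proc alice 2520 python3
    listen tcp 22 sshd
    listen tcp 443 nginx
    """,
]

# Constructed suspect snapshot: the web worker spawned a shell, a new listener
# appeared, and a program only ever seen as an ordinary user now runs as root.
SUSPECT_SNAPSHOT = """
proc root 1 systemd
proc root 412 sshd
proc www 1203 nginx
proc www 3310 sh
proc www 3311 nc
proc root 3400 python3
listen tcp 22 sshd
listen tcp 443 nginx
listen tcp 4444 nc
"""


@dataclass
class Profile:
    """Baseline of normal activity, learned from clean snapshots only."""
    programs: Set[Tuple[str, str]] = field(default_factory=set)   # (user, command)
    privileged: Set[str] = field(default_factory=set)             # commands seen as root
    listeners: Set[Tuple[str, int]] = field(default_factory=set)  # (proto, port)


def parse(snapshot):
    """Split a snapshot into process and listener tuples; unknown lines are skipped."""
    procs, listens = [], []
    for line in snapshot.strip().splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "proc":
            procs.append((parts[1], int(parts[2]), parts[3]))
        elif len(parts) == 4 and parts[0] == "listen":
            listens.append((parts[1], int(parts[2]), parts[3]))
    return procs, listens


def learn(snapshots):
    """Build the profile: the programs each user runs, what runs as root, what listens."""
    p = Profile()
    for snap in snapshots:
        procs, listens = parse(snap)
        for user, _pid, cmd in procs:
            p.programs.add((user, cmd))
            if user == "root":
                p.privileged.add(cmd)
        for proto, port, _cmd in listens:
            p.listeners.add((proto, port))
    return p


def detect(profile, snapshot):
    """Deviations of a later snapshot from the baseline, most severe first."""
    findings = []
    procs, listens = parse(snapshot)
    for user, pid, cmd in procs:
        if user == "root" and cmd not in profile.privileged:
            findings.append(("privileged-new", f"{cmd} (pid {pid}) runs as root, never seen as root"))
        elif (user, cmd) not in profile.programs:
            findings.append(("program-new", f"{cmd} (pid {pid}) run by {user}, not in baseline"))
    for proto, port, cmd in listens:
        if (proto, port) not in profile.listeners:
            findings.append(("listener-new", f"{cmd} listening on {proto}/{port}, not in baseline"))
    severity = {"privileged-new": 0, "listener-new": 1, "program-new": 2}
    return sorted(findings, key=lambda f: severity[f[0]])
```

`detect(learn(CLEAN_SNAPSHOTS), SUSPECT_SNAPSHOT)` returns the root python3, the port 4444 listener and the two new www-owned programs, in that order. Because everything in the clean snapshots is whitelisted, the baseline must really be captured while the host is clean: an attacker's process or listener present during capture is learned as normal and is invisible to `detect` afterwards, which is the learning-phase coverage limit noted above.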
B. Prevention of Anomalous Activity: Once anomalous activity occurs, we can prevent it. The admin may log on to the system locally or remotely. A local admin can view the running activities or stop the anomalous activity; a remote admin can log on to the system over the Internet or GPRS from a cell phone and then stop the anomalous activity or start a new activity. If the anomalous activity cannot be controlled, the admin may shut down or reboot the system.
IX. EXPERIMENTS AND RESULTS For this architecture we use the KDD data set for signature-based intrusion detection. From this data set we select the particular features corresponding to each attack. For anomaly-based detection we collect the volatile data from the system, which is used for system learning. If all 41 features in the data set are considered, the time required to train and test the model is high [1]. To address this, we performed experiments with our integrated system by implementing a four-layer system. The four layers correspond to Probe, DoS, R2L, and U2R. For each layer we then selected a set of features sufficient to detect attacks at that particular layer. Feature selection for each layer enhances the performance of signature-based detection. The results of the analysis are shown in Table 1.

Table 1: Results on different features and attacks
Sr. No.  Layer  Sample record set  False alarms  Attack detection rate (%)
1        Probe  363                15            95.87
2        DoS    462                27            94.16
3        R2L    325                17            94.77
4        U2R    355                17            95.21
We also analyzed the system on sample values. For this analysis we consider a set of ten records per layer; the results are shown in Table 2. From these values we plot the false alarm rate, shown in Fig. 3 to Fig. 6.

Table 2: Results on different features and attacks (ten-record samples)
Sr. No.  Layer  Sample record set  False alarms  Attack detection rate (%)
1        Probe  10                 3             70
2        DoS    10                 0             100
3        R2L    10                 0             100
4        U2R    10                 0             100
Fig. 6: U2R attack
X. CONCLUSION In this paper we have addressed the dual problem of accuracy and efficiency in building robust and efficient intrusion detection systems. We proposed a hybrid intrusion detection system that is accurate for intrusion detection and detects known as well as unknown attacks. CRFs are very effective in improving the attack detection rate and decreasing the false alarm rate. Our system can help in identifying an attack once it is detected at a particular layer, which expedites the intrusion response mechanism and thus minimizes the impact of an attack. Our results show that the system is more accurate and efficient: the attack detection rate for R2L is increased to 94.77% and for U2R to 95.21%. Areas for future research include the use of our method for extracting signature features for signature-based systems. The hybrid system can be deployed at the periphery of a network to filter out frequently occurring attacks.
Fig.3: Probe Attack
REFERENCES Fig.4: DoS Attack
[1] Kapil Kumar Gupta, Baikunth Nath, Senior Member, IEEE, and Ramamohanarao Kotagiri, Member, IEEE, ―Layered Approach Using Conditional Random Fields for Intrusion Detection‖, ieee transactions on dependable and secure computing, vol. 7, no. 1, January -march 2010 [2] Ram Soni, Navneet Kour, Alka Kushwaha, Satyendra Singh, Abhishek Vaish Live Computer Forensics on Windows and Linux platform IJSDIA International Journal of Secure Digital Information Age, Volume 2, No.1, 2010 [3] CRF++: Yet Another CRF Toolkit, http://crfpp.sourceforge.net/, 2010. [4] KDD Cup 1999 Intrusion Detection Data, http://kdd.ics.uci.edu/ databases/ kddcup99/ kddcup99.html, 2010. [5] SANS Institute—Intrusion Detection FAQ, http://www.sans.org/ resources/ idfaq/, 2010. [6] K.K. Gupta, B. Nath, R. Kotagiri, and A. Kazi, ―Attacking Confidentiality: An Agent Based Approach,‖ Proc. IEEE Int’l Conf. Intelligence and Security Informatics (ISI ’06), vol. 3975, pp. 285-296,2006 [7] Overview of Attack Trends, http://www.cert.org/archive/pdf/ attack_trends.pdf, 2002. [8] J.P. Anderson, Computer Security Threat Monitoring and Surveillance, http://csrc.nist.gov/publications/history/ande80.pdf, 2010
Fig.5: DoS Attack
[9] W. Lee, S. Stolfo, and K. Mok, "A Data Mining Framework for Building Intrusion Detection Model," Proc. IEEE Symp. Security and Privacy (SP '99), pp. 120-132, 1999.
[10] T. Abraham, IDDM: Intrusion Detection Using Data Mining Techniques, http://www.dsto.defence.gov.au/publications/2345/DSTO-GD-0286.pdf, 2008.
[11] H. Shah, J. Undercoffer, and A. Joshi, "Fuzzy Clustering for Intrusion Detection," Proc. 12th IEEE Int'l Conf. Fuzzy Systems (FUZZ-IEEE '03), vol. 2, pp. 1274-1278, 2003.
[12] N.B. Amor, S. Benferhat, and Z. Elouedi, "Naive Bayes vs. Decision Trees in Intrusion Detection Systems," Proc. ACM Symp. Applied Computing (SAC '04), pp. 420-424, 2004.
[13] W. Wang, X.H. Guan, and X.L. Zhang, "Modeling Program Behaviors by Hidden Markov Models for Intrusion Detection," Proc. Int'l Conf. Machine Learning and Cybernetics (ICMLC '04), vol. 5, pp. 2830-2835, 2004.
[14] Ram Soni, Navneet Kour, Alka Kushwaha, Satyendra Singh, and Abhishek Vaish, "Live Computer Forensics on Windows and Linux Platform," IJSDIA International Journal of Secure Digital Information Age, vol. 2, no. 1, 2010.
[15] H. Mannila and H. Toivonen, "Discovering Generalized Episodes Using Minimal Occurrences," Proc. Second Int'l Conf. Knowledge Discovery and Data Mining, Aug. 1996.
[16] W. Fan, M. Miller, and S. Stolfo, "Using Artificial Anomalies to Detect Unknown and Known Network Intrusions," Proc. First IEEE Int'l Conf. Data Mining, Nov. 2001.
[17] M. Qin and K. Hwang, "Frequent Episode Rules for Internet Traffic Analysis and Anomaly Detection," Proc. IEEE Network Computing and Applications (NAC '04), Sept. 2004.
[18] Qingqing Zhang, Hongbian Yang, and Kai Li, "Research on the Intrusion Detection Technology with Hybrid Model," Proc. 2nd Conf. Environmental Science and Information Application Technology (ESIAT 2010), pp. 646-649, 2010.
[19] K.K. Gupta, B. Nath, and R. Kotagiri, "Conditional Random Fields for Intrusion Detection," Proc. 21st Int'l Conf. Advanced Information Networking and Applications Workshops (AINAW '07), pp. 203-208, 2007.
[20] Evgeniya Nikolova and Veselina Jecheva, "Anomaly Based Intrusion Detection Using Data Mining and String Metrics," Proc. Int'l Conf. Communications and Mobile Computing, pp. 440-444.
[21] K. Leung and C. Leckie, "Unsupervised Anomaly Detection in Network Intrusion Detection Using Clusters," Proc. 28th Australasian Conf. Computer Science, vol. 38, Newcastle, Australia, pp. 333-342, 2005.
[22] H.H. Feng, O.M. Kolesnikov, P. Fogla, W. Lee, and W. Gong, "Anomaly Detection Using Call Stack Information," Proc. IEEE Symp. Security and Privacy, Berkeley, CA, pp. 62-76, 2003.
[23] R. Sekar, M. Bendre, P. Dhurjati, and D. Bullineni, "A Fast Automaton-Based Method for Detecting Anomalous Program Behaviours," Proc. IEEE Symp. Security and Privacy (S&P 2001), pp. 144-155, 2001.
[24] Kai Hwang, Min Cai, Ying Chen, and Min Qin, "Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes," IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 1, pp. 41-55, Jan.-Mar. 2007.
[25] G.B. White, E.A. Fisch, and U.W. Pooch, "Cooperating Security Managers: A Peer-Based Intrusion Detection System," IEEE Network, pp. 20-23, Jan. 1996.
[26] K.S. Killourhy and R.A. Maxion, "Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits," Proc. Int'l Symp. Recent Advances in Intrusion Detection (RAID '02), pp. 54-73, Sept. 2002.
[27] A. Lazarevic, L. Ertoz, V. Kumar, A. Ozgur, and J. Srivastava, "A Comparative Study of Anomaly Detection Schemes in Network Intrusion Detection," Proc. Third SIAM Conf. Data Mining, 2003, http://www.users.cs.umn.edu/~kumar/papers.
Sandip Ashok Shivarkar received the B.E. degree in Information Technology from the University of Pune, Pune, India, in 2006 and is pursuing the M.Tech. in Computer Science and Engineering at R.G.P.V. Bhopal, India.
Mininath Raosaheb Bendre received the B.E. degree in Information Technology from the University of Pune, Pune, India, in 2007 and is pursuing the M.Tech. in Computer Science and Engineering at R.G.P.V. Bhopal, India.