JOURNAL OF COMPUTING, VOLUME 3, ISSUE 6, JUNE 2011, ISSN 2151-9617 HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/ WWW.JOURNALOFCOMPUTING.ORG
Intrusion Detection Using Time-Inhomogeneous Hidden Bernoulli Model
Sadaf Tabassum, Malik Sikandar Hayat Khiyal and Aihab Khan
Fatima Jinnah Women University, Rawalpindi
Abstract— This paper presents a way to track hackers. We are heavily dependent on networking today; it is widely used in all fields. The security of the network is also becoming increasingly important. The system is always at stake due to hackers' attacks. It is becoming increasingly important for every organization to secure its network system from hackers' attacks. The system needs to be tracked in such a way that attacks on it can be identified. This research focuses on the detection of attacks on the system. This paper focuses on the development of software designed to identify abnormal behavior of the system. This software identifies intrusion by using probability. Whenever there is an intrusion, the software informs the network administrator that there is an intrusion and that a hacker is trying to enter the system. This paper will help open new horizons for future researchers to extend the work. It is concluded that the Time-inhomogeneous Hidden Bernoulli Model (TI-HBM) is faster in the training phase. Probability is computed non-recursively in TI-HBM. Results show that the probability decreases as time increases at the same value of state, and that when both time and state are changed the probability shows different values.
Index Terms— Time-inhomogeneous Hidden Bernoulli Model, Intrusion Detection, Probability, Detection of abnormal behavior
1 INTRODUCTION
As the world moves towards globalization at a much faster pace than ever before, everyone is becoming more dependent on networking. We need networking everywhere. Every field of life, be it education or business, depends on networking. It is a source of information and a source of knowledge as well. It is beyond our imagination how much we depend on the network in our daily life. Today the most important and readily available source of information is the internet, which is itself a collection of numerous networks. Human dependence on networking is increasing every day. The increasing importance of networks has made them vulnerable. Today most thefts are done electronically over the network. The network is the most favored place for hackers and intruders to attack.
Hackers can attack the system in order to steal valuable information or, in some cases, money as well. So it is becoming increasingly important for organizations to secure the network from hackers. This study is part of the attempts being carried out to stop intrusion. The problem domain is network security. This study results in the development of a system which aims to identify intruders and to alert the system administrator that the system is endangered. The study addresses the intrusion problem by using a model named the Time-inhomogeneous Hidden Bernoulli Model (TI-HBM). This model uses statistical techniques such as probability in order to identify intrusion. The model is specific in its implications, and it uses the probability approach to measure the behavior of the system statistically.
TI-HBM is a generalized Bernoulli process; it does not depend on a Markov process. In TI-HBM dynamic programming is eliminated, which makes the technique simpler. The computational complexity of evaluating the probability and estimating the state is lower in TI-HBM. The TI-HBM is simpler and faster, and it can easily be used in applications [4]. This study will contribute to the existing body of knowledge through the uniqueness of its technique, which is based on the statistical technique of probability. This technique is used as the vehicle to reach the destination, i.e., to stop the intrusion. This study will open up new horizons for upcoming researchers to explore new dimensions in this existing model of intrusion detection.

Sadaf Tabassum is with the Fatima Jinnah Women University, the Mall Road, Rawalpindi. Malik Sikandar Hayat Khiyal is with the Department of Software Engineering, Fatima Jinnah Women University, the Mall Road, Rawalpindi. Aihab Khan is with the Software Engineering Department, University of Fatimah Jinnah, the Mall, Rawalpindi.
2. PAPER ORGANIZATION
Section 1 of the paper is the introduction, while section 2 covers work related to the topic. Section 3 presents the proposed framework of the study, and section 4 describes the technique used in the paper. Section 5 gives the experimental results, and the last section concludes the paper.

2 RELATED WORK
Ye and Chang [3] detect abnormality using a chi-square statistical technique. A profile of normal events is built for an information system; events in the recent past are checked for departures from this norm profile, and large departures are reported as anomalies, which are treated as intrusions. The performance of this technique was tested in an information system by differentiating normal events from intrusive events. In terms of a low false alarm rate and a high detection rate, the technique shows promising performance for intrusion detection. Intrusive events are detected at a very early stage. In that paper, the detection rate is calculated by session. Collectively, the results show that the multivariate statistical technique based on the chi-square test achieves a false alarm rate of 0% and a detection rate of 100% by session. If intrusions in an information system cause only small violations of the relationships among variables but large departures from the mean in some of the variables, then the $X^2$ statistic and Hotelling's $T^2$ statistic can be equally effective for intrusion detection. Intrusion detection needs a multivariate anomaly detection technique with a low computation cost. If the computed $X^2$ for an audit event is greater than the upper limit, then there is an anomaly in the audit event.

Wang et al. [2] present the Hidden Markov Model (HMM) as a new method for intrusion detection. For abnormality detection, the probability that a sequence of system calls is produced by the HMM is computed. Instead of sequences at each system call, anomaly decisions are made by the HMM. A sequence is flagged as a mismatch if the given sequence in the traces has a probability less than the threshold. If another threshold is set and the ratio between all the sequences in the trace and the mismatches is greater than that value, then a possible intrusion has happened. In the real world, online detection can be done using the proposed method. The performance of intrusion detection is enhanced by reducing the false alarm rate. An HMM describes a doubly stochastic process. An HMM contains a finite number of unobservable states. A set of probabilities called transition probabilities governs the transitions among the different states. The evaluation problem, the learning problem and the decoding problem are the three issues in HMMs. Before training, the size of the model must be decided.

Cho and Han [1] observe that, despite the good performance of HMMs, there are some problems in applying them in a real intrusion detection system: the false-positive error rate is relatively high, and a large amount of time is required to model normal behavior. The errors of conventional HMM-based IDS are removed using the two sophisticated techniques proposed in their paper. The amount of time required for training the HMM can be reduced by modeling privilege flows. The false-positive error rate can be minimized by combining multiple HMMs. The HMM is the most appropriate tool for modeling sequence information. The model can take the form of a graph that has N nodes (states) and edges. A given symbol is observed using the observation probabilities and the initial state distribution. Once normal behavior is modeled, anomaly recognition matches the current behavior against it and calculates the probability of its generation; for this purpose both the forward-backward procedure and the Viterbi algorithm can be used. The time required for building the normal behavior model can be reduced by privilege flows. Compared to conventional modeling, modeling privilege change data has fewer chances of errors. This technique can open new ways for intensive anomaly detection. Reliability can be improved by using HMM-based intrusion detection systems.

3 PROPOSED FRAMEWORK
The major steps in designing the system are the following:
a) Source Data
b) Training Data
c) Testing Data
d) Apply Time-inhomogeneous hidden Bernoulli model
e) Results: whether the system shows abnormal behavior or not.
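The two-threshold check summarized in the related work for Wang et al. [2] can be written as follows. This is an added example, not code from the paper or from [2]; the HMM parameters, the window length of 4, both thresholds and the traces are constructed, and the ratio is read here as mismatching windows over all windows.

```python
# Added example, not code from the paper: the two-threshold HMM check that the
# related-work summary of Wang et al. [2] describes. The model parameters,
# window length, thresholds and traces below are all constructed.

PI = [0.6, 0.4]                    # initial state distribution
A = [[0.7, 0.3], [0.4, 0.6]]       # state transition probabilities
B = [                              # observation probabilities per hidden state
    {"open": 0.4, "read": 0.4, "write": 0.1, "close": 0.09, "execve": 0.01},
    {"open": 0.1, "read": 0.2, "write": 0.4, "close": 0.29, "execve": 0.01},
]

def sequence_probability(seq):
    """Forward algorithm: P(seq | model), i.e. the HMM evaluation problem."""
    n = len(PI)
    alpha = [PI[i] * B[i].get(seq[0], 0.0) for i in range(n)]
    for call in seq[1:]:
        alpha = [sum(alpha[i] * A[i][j] for i in range(n)) * B[j].get(call, 0.0)
                 for j in range(n)]
    return sum(alpha)

def mismatch_ratio(trace, window=4, prob_threshold=1e-3):
    """First threshold: share of sliding windows scored below prob_threshold."""
    if len(trace) < window:
        raise ValueError("trace is shorter than the window")
    windows = [trace[k:k + window] for k in range(len(trace) - window + 1)]
    mismatches = sum(sequence_probability(w) < prob_threshold for w in windows)
    return mismatches / len(windows)

def is_intrusion(trace, ratio_threshold=0.3):
    """Second threshold: alert only when enough windows are mismatches."""
    return mismatch_ratio(trace) > ratio_threshold

def with_calls_replaced(trace, positions, call="execve"):
    """Build a constructed test trace by overwriting selected positions."""
    return [call if k in positions else c for k, c in enumerate(trace)]

NORMAL = ["open", "read", "read", "write", "close"] * 4   # 20 calls, 17 windows
ONE_OFF = with_calls_replaced(NORMAL, {10})               # a single rare call
SUSPECT = with_calls_replaced(NORMAL, {3, 8, 13})         # repeated rare calls

if __name__ == "__main__":
    for name, trace in [("normal", NORMAL), ("one-off", ONE_OFF), ("suspect", SUSPECT)]:
        print(f"{name:8s} ratio={mismatch_ratio(trace):.3f} alert={is_intrusion(trace)}")
```

The single rare call in `ONE_OFF` produces mismatching windows but stays under the ratio threshold, which is how the second threshold lowers the false alarm rate.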
Block Diagram:

[Figure: boxes, in order: Source data; Training data; Testing data; Apply TI-HBM; System behavior; Normal / Abnormal]

Fig 1. Intrusion Detection System
Fig. 1 shows how the system works and shows the results.

4 Technique
State transitions can be modeled by using TI-HBM, which is a new acoustic model. The parameters $P(i,t)$ are used in TI-HBM. The following must be satisfied for the parameters of TI-HBM:

(1) [4]

The observation sequence X has a maximum length, represented as $L_{max}$. To apply TI-HBM in the real world we need parameters that can be taken from $P(i,t)$:

1. Time distribution probability $P_T(t)$: The probability $P_T(t)$ is computed at time t as:

(2) [4]

2. Probability of survival $P(t+1|t)$: The survival probability at time t+1 is represented as $P(t+1|t)$. It means that the process will survive until time t+1, and at that time the probability will be $P(t+1|t)$. So the survival probability is computed as:

(3) [4]

3. The probability for the selected state $P_{S|T}(i|t)$: To select any state i at a given time t, the selection probability is $P_{S|T}(i|t)$, and it can be calculated as:

(4) [4]

4. Generation of observation sequence: TI-HBM generates the observed sequence $O = \{o_1, o_2, \ldots, o_t\}$. If the time sequence is ¶ = {1, 2, ..., L} and the sequence of the states is represented by S, then the surviving probability will be up to the time L.

(5) [4]

(6) [4]

The sequence with length L is generated from P(¶). The probability P(¶) is a function of the probability $P_T(t)$. P(¶) will be considered a constant value.

5. Experimental Results
The intrusion detection results are shown in Table 1. It can be seen that the TI-HBM improves the intrusion detection accuracy compared to the standard HMM.

TABLE 1
Intrusion Detection accuracy for the test set

| No. | Average Probability | Threshold value | Range | Result |
|-----|---------------------|-----------------|-------|--------|
| 1 | 0.07 | 10% | 0.06-0.08 | Intrusion |
| 2 | 0.0 | 10% | 0 | No intrusion |
| 3 | 0.5 | 10% | 0.45-0.55 | Intrusion |

The TI-HBM was always faster than HMM in the training phase in our experiments. We check the results by taking different values of state and time.

[Figure: chart titled "probability variation"; legend: Series1, Series2, Series3; horizontal axis: states]

Fig 2. Probability variation.

The results show that probability values differ when different values of time and state are taken. Probability increases when the state value increases and time decreases. Next, different values of time are taken with a constant value of state.
[Figure: chart titled "probability variation"; legend: Series1, Series2, Series3; labels: states, time, probability; horizontal axis: states]

Fig 3. Probability variation.

Results show that probability decreases when time increases at the same value of state. So time and probability are inversely proportional.
6 CONCLUSION
Results show that probability decreases when time increases at the same state, and that when both time and state are changed the probability shows different values. For processing, TI-HBM is considered as a theoretical framework. For the sake of making TI-HBM simpler, dynamic programming at the state level is eliminated. The TI-HBM is faster in the training phase. Probability is computed non-recursively in TI-HBM. This work will open new horizons for upcoming researchers. A new research area could be the comparison between the Hidden Markov Model (HMM) and the Time-inhomogeneous Hidden Bernoulli Model (TI-HBM).
REFERENCES
[1] Cho S., S. Han, "Two Sophisticated Techniques to Improve HMM-Based Intrusion Detection Systems", vol. 2, pp. 154-160, May 2002.
[2] Wang W., X. Guan, X. Zhang, 2004, "Modeling Program Behaviors by Hidden Markov Model for Intrusion Detection", paper presented at the Third International Conference on Machine Learning and Cybernetics, 24-26 August 2004, vol. 5, pp. 2830-2835.
[3] Ye N., Q. Chang, 2001, "An Anomaly Detection Technique Based on a Chi-square Statistic for Detecting Intrusions into Information Systems", Quality and Reliability Engineering International, vol. 17, pp. 105-112.
[4] Kabudian J., M. Homayounpour, S. Ahadi, "Time-inhomogeneous Hidden Bernoulli Model: An Alternative to Hidden Markov Model for Automatic Speech Recognition", pp. 4101-4104, March 31 2008-April 4 2008.
[5] N. Ye, Y. Zhang and C. M. Borror, "Robustness of the Markov chain model for cyber attack detection", IEEE Transactions on Reliability, vol. 53, no. 1, pp. 116-121, March 2004.
[6] Z. Cai, X. Guan, P. Shao, Q. Peng, G. Sun, "A Rough Set Theory Based Method for Anomaly Intrusion Detection in Computer Networks", Expert Systems, vol. 18, no. 5, pp. 251-259, Nov 2003.