Abstract

An intrusion is essentially an attack on a security layer in the TCP/IP protocol stack. Such attacks have definite signatures, for instance specific ports or RTT. Hence such attacks can be detected by cross-verifying the current communication signature against known attack signatures. However, attack signatures evolve, so a string matching technique is neither robust nor fast. Several machine learning techniques have therefore been developed, mainly based on classifiers. These classifiers lack generalization capability, which lowers performance and leads to high false positives. Moreover, a specific attack can have a wide range of signatures, and a signature may belong to a wide range of attacks. Conventional classifiers such as a Neural Network therefore need frequent retraining whenever a new signature is discovered. The discovery of such a new signature also requires a regression against the existing signature database. To avoid exploding the number of training nodes of the Neural Network, it is important to set a benchmark for introducing new nodes. In this paper we use an Artificial Immune System to mark the signatures as genes. A packet-level or network-level signature is verified for closeness to the existing model. If significant diversification is detected, the signature is marked as new and is regressed against the existing signature model to automate the grouping of the signature. A signature similar to existing ones is subjected to regression using the PLS method and is then classified by a neural network. This paper evaluates the performance of the technique using the publicly available KDD Cup dataset and compares the results with a conventional Neural Network based classifier, a Support Vector Machine based classifier, a pure regression based technique and a conventional string matching technique. Further, we investigate the real-time applicability of the technique by using PLS Regression to detect anomalies in the CIT college router dataset.
We assume that connections by peer clients should only be accessing the internet. Other activities, such as using BitTorrent, are considered anomalies. First we take the router log and extract the features. We then select a specific data row and classify it using auto regression.
