Model Based Intrusion Detection System
Abstract
Technological advances have led to a more digitized world in which data is handled
by machines rather than on paper. Every day a huge amount of data and information
is generated, and it needs to be stored for further reference and analysis. With this
growth in the production and storage of information, the issue of security vulnerabilities
also rises. An attack on this critical information and data with the intention of misusing
it is called an intrusion. Intrusions pose a great threat to stored data, such as tampering
with the stored information or loss of information, which makes databases and
repositories insecure. Detecting these activities is therefore the need of the hour, as it
is very important to secure data, especially user data, from any unwanted criminal
activity, since misuse of data can lead to serious issues and breaches in the system. The
detection of these unwanted activities is called intrusion detection.
An intrusion detection model is built using data mining techniques and an intrusion
detection dataset. The NSL-KDD dataset, an intrusion detection database, is used for
detection. The dataset is divided into two parts, the training set and the testing set.
The training set is used at the time of model creation and the testing set is used to test the model.
Various classification and clustering techniques are used: the K-means clustering
technique and the C4.5, naive Bayes, random forest, RIPPER and K-nearest neighbours
classification techniques are used for building the model. Two types of
model are built, classification models and hybrid models. A classification
model is built using a classification algorithm, and a hybrid model is built using
both a classification and a clustering algorithm.
The model detects three types of intrusions: misuse-based, anomaly-based
and hybrid intrusions. Misuse-based intrusions are those which the system has already
encountered and which are therefore already present in the database; for these attacks the models generally
give high true positive rates. Anomaly-based attacks are new or unknown
attacks which the system has not seen earlier, so they are not present in the database and
are therefore difficult to detect. The third type is the hybrid attacks, which can lead to both
types of attacks in the system.
A comparison is made between the prediction results of the models built using the
above techniques. The RIPPER algorithm gave the highest accuracy and a good true positive
rate among the classification algorithms. The C4.5 tree algorithm with K-means gave the best
accuracy with a good true positive rate among the hybrid models. The results show that
hybrid models, which are used to detect both types of attacks, outperform the other models,
including the classification models.
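To make the difference between a classification model and a hybrid (clustering plus classification) model concrete, the following added example, which is not code from the thesis, trains both on a constructed, clearly separable set of connection records rather than on NSL-KDD, and reports accuracy, true positive rate and false positive rate on a held-out test set. K-means is implemented in plain Python, and K-nearest neighbours stands in for the tree learner (C4.5) so that the script runs without any third-party library; the feature names, class mix and cluster count are assumptions chosen for illustration.

```python
"""Classification model vs hybrid (K-means + k-NN) intrusion detection model.
Added illustration with constructed data; not the thesis's code or dataset."""
import math
import random
from collections import Counter


def make_dataset(n, seed):
    """Constructed records: [duration_s, kB_per_s, failed_logins, error_rate],
    label 1 = attack, 0 = normal. Two attack families (flood, scan) give the
    clustering step real structure to find. Not taken from NSL-KDD."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        kind = rng.choice(["normal", "flood", "scan"])
        if kind == "normal":
            x, y = [rng.gauss(30, 10), rng.gauss(5, 2), 0.0, rng.gauss(0.05, 0.02)], 0
        elif kind == "flood":
            x, y = [rng.gauss(1, 0.5), rng.gauss(90, 10), 0.0, rng.gauss(0.9, 0.05)], 1
        else:  # scan: many failed logins, little traffic
            x, y = [rng.gauss(2, 1), rng.gauss(3, 1), rng.gauss(6, 1), rng.gauss(0.8, 0.05)], 1
        rows.append((x, y))
    return rows


def dist(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))


def fit_scaler(xs):
    """Min-max ranges taken from the training set only, so test data never leaks in."""
    return [min(c) for c in zip(*xs)], [max(c) for c in zip(*xs)]


def scale(x, scaler):
    lo, hi = scaler
    return [(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(x, lo, hi)]


def kmeans(xs, k, seed, iters=50):
    """Lloyd's algorithm; an empty cluster keeps its previous centroid."""
    rng = random.Random(seed)
    centroids = [list(c) for c in rng.sample(xs, k)]
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for x in xs:
            groups[min(range(k), key=lambda i: dist(x, centroids[i]))].append(x)
        new = [[sum(c) / len(g) for c in zip(*g)] if g else cen
               for g, cen in zip(groups, centroids)]
        if new == centroids:
            break
        centroids = new
    return centroids


def knn_predict(train, x, k):
    nearest = sorted(train, key=lambda r: dist(r[0], x))[:k]
    return Counter(y for _, y in nearest).most_common(1)[0][0]


class ClassificationModel:
    """Plain k-NN over the whole training set (the 'classification model' case)."""
    def __init__(self, k_neighbours=3):
        self.k = k_neighbours

    def fit(self, rows):
        self.scaler = fit_scaler([x for x, _ in rows])
        self.train = [(scale(x, self.scaler), y) for x, y in rows]
        return self

    def predict(self, x):
        return knn_predict(self.train, scale(x, self.scaler), self.k)


class HybridModel:
    """K-means first, then k-NN restricted to the training records of the
    cluster nearest to the query (the 'hybrid model' case)."""
    def __init__(self, k_clusters=3, k_neighbours=3, seed=0):
        self.kc, self.k, self.seed = k_clusters, k_neighbours, seed

    def _cluster(self, x):
        return min(range(self.kc), key=lambda i: dist(x, self.centroids[i]))

    def fit(self, rows):
        self.scaler = fit_scaler([x for x, _ in rows])
        self.train = [(scale(x, self.scaler), y) for x, y in rows]
        self.centroids = kmeans([x for x, _ in self.train], self.kc, self.seed)
        self.members = [[] for _ in range(self.kc)]
        for x, y in self.train:
            self.members[self._cluster(x)].append((x, y))
        return self

    def predict(self, x):
        x = scale(x, self.scaler)
        pool = self.members[self._cluster(x)]
        if len(pool) < self.k:  # degenerate cluster: fall back to the whole training set
            pool = self.train
        return knn_predict(pool, x, self.k)


def evaluate(model, rows):
    """Accuracy, true positive rate (attacks caught) and false positive rate."""
    tp = fp = tn = fn = 0
    for x, y in rows:
        p = model.predict(x)
        if y == 1 and p == 1: tp += 1
        elif y == 1: fn += 1
        elif p == 1: fp += 1
        else: tn += 1
    return {"accuracy": (tp + tn) / (tp + fp + tn + fn),
            "tpr": tp / (tp + fn) if tp + fn else 0.0,
            "fpr": fp / (fp + tn) if fp + tn else 0.0}


def run_experiment(seed=1):
    train, test = make_dataset(150, seed), make_dataset(60, seed + 1)
    return {"classification": evaluate(ClassificationModel().fit(train), test),
            "hybrid": evaluate(HybridModel(seed=seed).fit(train), test)}


if __name__ == "__main__":
    for name, metrics in run_experiment().items():
        print(name, {k: round(v, 3) for k, v in metrics.items()})
```

On the constructed data both models separate normal from attack traffic almost perfectly, which is the point of the toy set: the comparison the thesis reports (hybrid models edging out pure classifiers) only shows up on a dataset such as NSL-KDD, where the attack families overlap with normal traffic and clustering can isolate regions that a single global classifier handles poorly. Scaling is fitted on the training split alone, and the per-cluster classifier falls back to the full training set when a cluster is too small to supply k neighbours, a failure mode that otherwise silently degrades the hybrid model.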
Description
Master of Technology- Computer Science
