A Hybrid approach using Signature and Anomaly Detection to detect network Intrusions

dc.contributor.author: Kaur, Tejvir
dc.contributor.supervisor: Kaur, Sanmeet
dc.date.accessioned: 2013-08-22T08:06:49Z
dc.date.available: 2013-08-22T08:06:49Z
dc.date.issued: 2013-08-22T08:06:49Z
dc.description: MT, SMCA [en]
dc.description.abstract: Network security has become a crucial issue for most organizations in the recent past. Most discussions of security cover the tools and methods that can be deployed to protect and defend networks. The use of network security tools has increased over the years due to the increase in security threats. Many methods have been developed to secure computer networks and communication over the Internet. Intrusion detection is one such method, and it has gained importance over the past few years. An Intrusion Detection System gathers and analyzes information from various areas within a computer or a network to identify possible security breaches. There are different techniques to detect intrusions, and these techniques are discussed in the thesis. At the broader level, there are two techniques for detecting intrusions, viz. signature detection and anomaly detection. Signature detection detects intrusions by matching the network traffic against a database of stored signatures, and anomaly detection detects intrusions by looking for behaviour that deviates from normal or common behaviour. Signature detection can detect well-known attacks with low false positives, whereas anomaly detection can detect new attacks but also has a high false positive rate. The primary objective of the thesis work is to combine both these techniques. A combined approach of anomaly detection and signature detection is compared with signature detection. The DARPA IDS Evaluation dataset is used for this purpose. The pros and cons of using the DARPA IDS Evaluation dataset are also discussed. Experimental evaluation shows that the combined approach of anomaly and signature detection gives better performance. Furthermore, the attack-related information stored by the systems during the experimentation is used to classify the network packets in the DARPA IDS Evaluation dataset. This is done to achieve the next goal of the thesis, which consists of analyzing this data with a machine learning tool. Finally, the data is processed with a classification algorithm to obtain the results. The results show a high percentage of correct classification. [en]
dc.format.extent: 5274408 bytes
dc.format.mimetype: application/pdf
dc.identifier.uri: http://hdl.handle.net/10266/2332
dc.language.iso: en [en]
dc.subject: intrusion detection system [en]
dc.subject: anomaly [en]
dc.title: A Hybrid approach using Signature and Anomaly Detection to detect network Intrusions [en]
dc.type: Thesis [en]

Files

Original bundle

Name: 2332.pdf
Size: 4.85 MB
Format: Adobe Portable Document Format

License bundle

Name: license.txt
Size: 1.79 KB
Format: Item-specific license agreed upon to submission