Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes(HID)

ABSTRACT

This paper reports the design principles and evaluation results of a new experimental hybrid intrusion detection system (HIDS). This hybrid system combines the advantage of the low false-positive rate of a signature-based intrusion detection system (IDS) with the ability of an anomaly detection system (ADS) to detect novel, unknown attacks. By mining anomalous traffic episodes from Internet connections, we build an ADS that detects anomalies beyond the capabilities of the signature-based SNORT or Bro systems. A weighted signature generation scheme is developed to integrate the ADS with SNORT by extracting signatures from the anomalies detected. HIDS extracts signatures from the output of the ADS and adds them to the SNORT signature database for fast and accurate intrusion detection. Testing our HIDS scheme over real-life Internet trace data mixed with 10 days of the Massachusetts Institute of Technology/Lincoln Laboratory (MIT/LL) attack data set, our experimental results show a 60 percent detection rate for the HIDS, compared with 30 percent and 22 percent for the SNORT and Bro systems, respectively. This sharp increase in detection rate is obtained with less than 3 percent false alarms. The signatures generated by the ADS improve SNORT performance by 33 percent. The approach proves the vitality of detecting intrusions and anomalies simultaneously by automated data mining and signature generation over Internet connection episodes.

EXISTING SYSTEM:

Signature-based IDSs like SNORT employ prior knowledge of attack signatures. The signatures are constructed manually by security experts analyzing previous attacks. The collected signatures are matched against incoming traffic to detect intrusions. These conventional systems detect known attacks with low false alarm rates. However, a signature-based IDS cannot detect unknown attacks for which no signature has been collected or for which attack classifiers are lacking. Furthermore, signature matching performs well only for single-connection attacks. As attackers grow more sophisticated, more attacks involve multiple connections, which limits the detection range of signature matching.

PROPOSED SYSTEM:

An anomaly-based system uses a different philosophy: a network anomaly is detected if the incoming traffic pattern deviates significantly from the normal profiles. The proposed system combines the positive features of both intrusion detection models to achieve higher detection accuracy, lower false alarms and, thus, a raised level of cyber trust. Our HIDS is network-based, which should not be confused with the host-based IDS that other authors abbreviate the same way. An adaptive base support threshold is applied on selected axis attributes in mining the Internet episode rules. The episode rules are used to build the HIDS, which detects not only known intrusive attacks but also anomalous connection sequences.
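The following is an added illustrative example, not code from the paper or the project described on this page. It sketches the pipeline the proposed system describes: mining frequent two-connection episodes from a normal trace under an adaptive base support threshold on an axis attribute (here, the service of the first connection), flagging frequent episodes in new traffic that the normal profile never produced, and emitting a weighted SNORT-style rule for each. The episode definition, the exact form of the adaptive threshold, the weighting (confidence times observed count), the local SID numbering and the connection records themselves are all assumptions or constructed data, and the generated rule text is only SNORT-shaped formatting that would need review before deployment.

```python
"""Illustrative HIDS pipeline (added example, not the paper's code): mine
frequent connection episodes from a normal trace under an adaptive
base-support threshold on an axis attribute, flag frequent episodes in new
traffic that the normal profile never produced, and emit a weighted,
SNORT-style signature for each."""
from collections import Counter

# Constructed connection records (t, src, dst, service, flag); not real trace data.
NORMAL = [
    (1, "10.0.0.5", "10.0.0.80", "http", "SF"),
    (2, "10.0.0.5", "10.0.0.53", "dns", "SF"),
    (3, "10.0.0.6", "10.0.0.80", "http", "SF"),
    (4, "10.0.0.6", "10.0.0.53", "dns", "SF"),
    (5, "10.0.0.7", "10.0.0.25", "smtp", "SF"),
    (6, "10.0.0.7", "10.0.0.53", "dns", "SF"),
    (7, "10.0.0.8", "10.0.0.80", "http", "SF"),
    (8, "10.0.0.8", "10.0.0.53", "dns", "SF"),
]

# Constructed attack-like burst: one outside host probing one target in sequence.
TEST = NORMAL + [
    (20, "192.0.2.9", "10.0.0.80", "http", "REJ"),
    (21, "192.0.2.9", "10.0.0.80", "ssh", "REJ"),
    (22, "192.0.2.9", "10.0.0.80", "telnet", "S0"),
    (23, "192.0.2.9", "10.0.0.80", "ssh", "REJ"),
    (24, "192.0.2.9", "10.0.0.80", "telnet", "S0"),
]

# IANA default ports, used only to format the generated rules.
PORTS = {"http": 80, "ssh": 22, "telnet": 23, "dns": 53, "smtp": 25}


def episodes(records, window=5):
    """Serial two-event episodes: consecutive connections from the same source
    within `window` seconds, keyed by (first service, second service)."""
    by_src = {}
    for rec in sorted(records):
        by_src.setdefault(rec[1], []).append(rec)
    counts = Counter()
    for recs in by_src.values():
        for a, b in zip(recs, recs[1:]):
            if b[0] - a[0] <= window:
                counts[(a[3], b[3])] += 1
    return counts


def episode_rules(records, base_support=0.5, window=5, adaptive=True):
    """Frequent episode rules a -> b with confidence = P(b follows a).

    Adaptive mode (assumed form of the 'adaptive base support threshold'):
    the minimum count for an episode whose axis attribute (first service) is
    `a` is base_support * (connections with service a), so a rare service
    still yields rules about its own traffic.  Flat mode uses one threshold
    over all connections and starves rare services."""
    counts = episodes(records, window)
    axis_count = Counter(rec[3] for rec in records)
    rules = {}
    for (a, b), n in counts.items():
        denom = axis_count[a] if adaptive else len(records)
        if n >= base_support * denom:
            rules[(a, b)] = n / axis_count[a]
    return rules


def anomalous_episodes(profile, observed):
    """Frequent episodes in `observed` that never appeared in the normal profile."""
    return {ep: conf for ep, conf in observed.items() if ep not in profile}


def weighted_signatures(anomalies, counts, first_sid=1000001):
    """One SNORT-style rule per anomalous episode, strongest first.

    weight = confidence * observed count is an assumed weighting; the rule
    targets the episode's second connection and carries the weight in msg.
    SIDs are placeholders in the conventional local range (>= 1000000)."""
    ranked = sorted(anomalies.items(), key=lambda kv: -kv[1])
    sigs = []
    for i, ((a, b), conf) in enumerate(ranked):
        weight = conf * counts[(a, b)]
        sigs.append(
            f'alert tcp any any -> $HOME_NET {PORTS[b]} '
            f'(msg:"HIDS episode {a}->{b} weight={weight:.2f}"; '
            f'sid:{first_sid + i}; rev:1;)'
        )
    return sigs


def run(normal, test):
    """Build the normal profile, detect anomalous episodes in `test`, sign them."""
    profile = episode_rules(normal)
    anomalies = anomalous_episodes(profile, episode_rules(test))
    return profile, anomalies, weighted_signatures(anomalies, episodes(test))


if __name__ == "__main__":
    profile, anomalies, sigs = run(NORMAL, TEST)
    print("normal profile:", profile)
    print("anomalous episodes:", anomalies)
    print("\n".join(sigs))
```

On the constructed data the adaptive threshold keeps the rare smtp -> dns episode in the normal profile, which a flat threshold of the same order drops; the ssh -> telnet and telnet -> ssh episodes from the probing host are frequent in the test trace but absent from the profile, so they become the two generated rules, ranked by confidence.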
