
www.semargroups.org, www.ijsetr.com
ISSN 2319-8885, Vol.02, Issue.18, December-2013, Pages:2075-2083
Copyright @ 2013 SEMAR GROUPS TECHNICAL SOCIETY. All rights reserved.

Efficient Way of Detecting an Intrusion using Snort Rule Based Technique

A. SAI CHAND 1, M. KAVITHA SRAVANTHI 2

1 Research Scholar, Dept of ECE, Malla Reddy Institute of Technology and Science, Hyderabad, AP-India, E-mail: [email protected].
2 Asst Prof, Dept of ECE, Malla Reddy Institute of Technology and Science, Hyderabad, AP-India, E-mail: [email protected].

Abstract: For the design of intrusion detection systems, this project proposes a memory-efficient Snort based matching scheme. In order to reduce the number of state transitions, the finite state machine uses the Snort based technique. Long target patterns are divided into sub patterns with a fixed length, and deterministic finite automata are built from the sub patterns. By dividing the patterns, the variety of target pattern lengths can be mitigated, so that memory usage in homogeneous string matchers can be made efficient. In order to identify each original long pattern that has been divided, a two-stage sequential matching scheme is proposed for the successive matches with the sub patterns. Experimental results show that the total memory requirements and the number of LUTs, slices and flip-flops are reduced drastically compared with the existing method.

Keywords: Flip-flops, Intrusion Detection System.

I. INTRODUCTION

Intrusion detection is a very important aspect of protecting the cyber infrastructure from terrorist attacks or from hackers. Intrusion prevention techniques such as firewalls and filtering router policies fail to stop many types of attacks. Therefore, no matter how secure we try to make our systems, intrusions still happen, and so they must be detected. Intrusion detection systems are becoming an important part of our computer systems and their security. An intrusion detection system is used to detect several types of malicious behavior that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, Trojan horses and worms). An intrusion detection system can be composed of several components: sensors, which generate security events; a console, to monitor events and alerts and to control the sensors; and a central engine that records the events logged by the sensors in a database and uses a system of rules to generate alerts from the security events received. There are several ways to categorize an intrusion detection system, depending on the type and location of the sensors and the methodology used by the engine to generate alerts. In many simple IDS implementations all three components are combined in a single device or appliance. Intrusion detection can allow for the prevention of certain attacks, with the severity assessed relative to the different types of attacks and the vulnerability of the components. Under attack, the response may be to kill the connection, install filtering rules or disable a user account.

A. History of virus

Most of the computer viruses written in the early and mid-1980s were limited to self-reproduction and had no specific damage routine built into the code. That changed when more and more programmers became acquainted with virus programming and created viruses that manipulated or even destroyed data on infected computers. There are competing claims for the innovator of the first antivirus product. Possibly the first publicly documented removal of a computer virus in the wild was performed by Bernd Fix in 1987. There were also two antivirus applications for the Atari ST platform developed in 1987. The first one was G Data and the second was UVK 2000. Fred Cohen, who published one of the first academic papers on computer viruses in 1984, began to develop strategies for antivirus software in 1988 that were picked up and continued by later antivirus software developers. In 1987, he published a demonstration that there is no algorithm that can perfectly detect all possible viruses.

B. Identification methods

1. Introduction

One of the few solid theoretical results in the study of computer viruses is Frederick B. Cohen's 1987 demonstration that there is no algorithm that can perfectly detect all possible viruses. There are several methods which antivirus software can use to identify malware:

International Journal of Scientific Engineering and Technology Research, Volume.02, IssueNo.18, December-2013, Pages:2075-2083

Signature based detection is the most common method. To identify viruses and other malware, antivirus software compares the contents of a file to a dictionary of virus signatures. Because viruses can embed themselves in existing files, the entire file is searched, not just as a whole, but also in pieces.

Fig. 1: Malwarebytes Anti-Malware version 1.46

2. Signature-based detection

Traditionally, antivirus software relied heavily upon signatures to identify malware. This can be very effective, but it cannot defend against malware unless samples have already been obtained and signatures created. Because of this, signature-based approaches are not effective against new, unknown viruses. As new viruses are being created each day, the signature-based detection approach requires frequent updates of the virus signature dictionary. To assist the antivirus software companies, the software may allow the user to upload new viruses or variants to the company, allowing the virus to be analyzed and the signature added to the dictionary.

3. Intrusion detection systems

Intrusion detection systems (IDSs) are software or hardware systems that automate the process of monitoring the events occurring in a computer system or network, analyzing them dynamically or statically for signs of a compromise of security. As network security breaches have increased in number and severity in recent times, intrusion detection systems have become a necessary addition to the security infrastructure of most organizations. Intrusions can be defined as “attempts to compromise the confidentiality, integrity, availability, or to bypass the security mechanisms of a computer or network.”

II. IDS USING PARALLEL STRING MATCHING

A. Introduction

Intrusion detection systems (IDSs) are designed to detect various hazardous contents and to alert to their existence in the networks. Most IDSs adopt a rule set that contains information about the target patterns found in hazardous packet payloads and the actions to take against those target patterns. Most of the patterns to be identified are described with strings. Therefore, the string matching engine is still an essential component. The string matcher is a processing unit that detects mapped patterns in packet payloads. A string matching engine can have multiple string matchers for parallel string matching. Because of the slow speed of software-based string matching engines, the hardware-based string matching engine is preferred for high-performance IDSs, owing to its great parallelism. The memory-based string matching engine allows on-the-fly update of the memory contents for high re-configurability. However, there are several well-known challenges: high throughput, regularity, scalability, and low memory requirements, especially in memory-based engines. The deterministic finite automaton (DFA) is frequently adopted because, with deterministic transitions between states according to the input symbols, state transitions can be performed in a fixed number of cycles, so the throughput can be maintained unchanged. In addition, because of the fixed number of output transitions in a state, regularity can be guaranteed in the DFA-based string matching engine. Scalability can be supported by the homogeneity of the multiple string matchers onto which the DFAs are mapped. Because of the deterministic transitions between states, however, the memory requirements are proportional to both the number of states and the number of transitions in a state. The total cost of a string matching engine is directly related to its memory requirements; therefore, the target pattern information should be compressed.

An earlier pattern matching algorithm reduced the total memory requirements by sharing common infixes of the target patterns. For pattern identification, a state should contain its own match vector with a set of bits, where each bit represents a matched pattern in that state. Even though the information about shared common infixes was stored in match vectors, the number of shared common infixes was limited by the size of the match vectors. In addition, the throughput could decrease because of the modified state transition mechanism. The memory requirements for match vectors were also reduced by relabeling states and eliminating the match vectors of non-output states. By sharing common infixes of target patterns, or by relabeling states and eliminating the match vectors of non-output states, the memory usage in the match vectors could be made efficient.

B. Proposed string matching scheme

1. Architecture of FSM Tiles

Multiple string matchers are adopted for parallel string matching. In a string matcher, several homogeneous FSM tiles take n bits as input at every cycle. In each state of an FSM tile, the pattern identification information is stored as a partial match vector (PMV), where the ith bit indicates whether or not the ith pattern is matched in that state. A pattern can be identified with a full match vector (FMV), which is obtained by the logical AND of the PMVs in all FSM tiles. The number in the angle brackets describes the field width. In the FSM tile in Fig. 2a, every state can indicate its PMV. A difference of the FSM tile in Fig. 2a from those in the earlier designs is that the FSM memory for storing next-state pointers can be separated from the PMV table. As shown in Fig. 2b, if there is no need to have PMVs in several states, the memory allocation for those states is not required; only several PMVs are stored in a PMV table. The stored PMVs are defined as nonzero PMVs; the PMVs to be reduced are defined as zero PMVs. When many PMVs can be shared between multiple states, the FSM tile type in Fig. 2c is beneficial, as it adopts a separate small PMV table.

Fig. 2: FSM tile architectures. (a) FSM tile where all states have their own PMVs. (b) FSM tile that stores only nonzero PMVs. (c) FSM tile that adopts a PMI and a separate PMV table.

The pattern match index (PMI) in each state indicates a unique PMV for the state. By adopting a separate PMV table, the memory requirements for storing repeated PMVs can be eliminated. For example, assume that four target patterns {“ab,” “abb,” “abab,” “a”} are mapped on an FSM tile with one input bit, the least significant bit (LSB). The fourth pattern “a” is the prefix of the other patterns. In addition, the pattern “a” can be an infix of the third pattern “abab.” In this case, two output states for the pattern “a” can share the same PMV. In another example, target patterns with the same lengths can share the same PMV. For example, assume that an FSM tile takes the two LSBs as its input symbols. The matches with the patterns “ab” and “cd” indicate an identical PMV in the FSM tile.
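As an added illustration of the FSM-tile scheme above (not code from the paper), the following Python builds one tile per input bit, gives every state a PMV, ANDs the tiles' PMVs into the FMV, and derives the separate PMV table with PMIs for the paper's {“ab,” “abb,” “abab,” “a”} example; the payloads scanned are constructed.

```python
from collections import deque

# Target patterns from the paper's FSM-tile example; payloads used in the
# demo below are constructed for illustration.
PATTERNS = ["ab", "abb", "abab", "a"]


def bit_of(ch, bit):
    """Bit `bit` (0 = LSB) of the character's byte code: the one input bit of a tile."""
    return (ord(ch) >> bit) & 1


def build_tile(patterns, bit):
    """Build one FSM tile: an Aho-Corasick DFA over the binary alphabet that sees
    only bit `bit` of every input byte. Each state carries a PMV whose i-th bit
    means "pattern i may end here, as far as this tile can tell".
    Returns (next-state table, pmv list); state 0 is the initial state."""
    trans = [[None, None]]
    pmv = [0]
    for i, pat in enumerate(patterns):
        s = 0
        for ch in pat:
            b = bit_of(ch, bit)
            if trans[s][b] is None:
                trans.append([None, None])
                pmv.append(0)
                trans[s][b] = len(trans) - 1
            s = trans[s][b]
        pmv[s] |= 1 << i
    # Failure links (BFS) complete the transition table and propagate PMVs, so a
    # state also reports patterns that are suffixes (infixes) of the path to it.
    fail = [0] * len(trans)
    queue = deque()
    for b in (0, 1):
        if trans[0][b] is None:
            trans[0][b] = 0
        else:
            queue.append(trans[0][b])
    while queue:
        s = queue.popleft()
        pmv[s] |= pmv[fail[s]]
        for b in (0, 1):
            t = trans[s][b]
            if t is None:
                trans[s][b] = trans[fail[s]][b]
            else:
                fail[t] = trans[fail[s]][b]
                queue.append(t)
    return trans, pmv


def pmv_table(pmv):
    """Separate PMV table of Fig. 2c: the distinct nonzero PMVs, plus each state's
    PMI (None for a zero PMV, which needs no table entry)."""
    table = sorted({v for v in pmv if v})
    pmi = [table.index(v) if v else None for v in pmv]
    return table, pmi


def match_engine(patterns, payload, n_bits=8):
    """Run one tile per bit position in lockstep and AND their PMVs into the FMV.
    Returns (end offset, pattern) for every exact match in `payload`."""
    tiles = [build_tile(patterns, b) for b in range(n_bits)]
    states = [0] * n_bits
    hits = []
    for pos, ch in enumerate(payload):
        fmv = (1 << len(patterns)) - 1
        for b, (trans, pmv) in enumerate(tiles):
            states[b] = trans[states[b]][bit_of(ch, b)]
            fmv &= pmv[states[b]]
        hits.extend((pos, pat) for i, pat in enumerate(patterns) if fmv >> i & 1)
    return hits


if __name__ == "__main__":
    trans, pmv = build_tile(PATTERNS, 0)          # LSB tile of the paper's example
    table, pmi = pmv_table(pmv)
    print("LSB tile: %d states, %d distinct nonzero PMVs" % (len(trans), len(table)))
    print("PMI per state:", pmi)                   # the two output states of "a" share a PMI
    print(match_engine(PATTERNS, "xabab"))
```

In the LSB tile the state reached after “a” and the one reached after “aba” carry the same PMV, so the PMV table holds four entries for five non-initial states.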

2. Divided Pattern Matching

In order to explain the divided pattern matching with an example, “00,” “|05 00|,” “BN |10 00 02 00|,” “BN |20 00 02 00|,” and “get clients” are assumed to be the set of target patterns, where a sequence of two-digit groups between pipe symbols is a sequence of hexadecimal byte values. The length of the sub patterns for the quotient vector is fixed as 3. All divided patterns are ordered as shown in Fig. 3, where the binary code values are provided in the right column.

Fig. 3: Example of sub patterns for the divided pattern matching

3. Sequential Matching with Divided Patterns

The match with a divided target pattern consists of successive matches with its quotient vector and its remnant pattern. If a target pattern is divided by a fixed length f, the sequential matches with the sub patterns in the quotient vector should be detected at f different points. Because the starting points of the sequential matches can be different, the points at which the target pattern is matched can vary. Fortunately, the sequential matches for the quotient vector can be performed based on the FSM architecture in Fig. 2c with additional registers. State pointers and PMVs are held for f cycles and updated periodically every f cycles. Because of the various lengths of the remnant patterns, the output states in an FSM for the remnant patterns can be reached at any cycle. Therefore, the number of string matchers with identical contents is multiplied by the fixed length f.

4. String Matching Engine Architecture

Based on the sequential matching mentioned above, the architecture of the proposed string matching engine is illustrated in Fig. 4. In this figure, f is the fixed length of the sub patterns in the quotient vector. According to f, the number of remnant pattern matchers can be varied.

Fig. 4: An example of the proposed string matching engine architecture

A character code of one byte from a payload is input to the quotient vector matcher. The quotient vector matcher consists of v string matchers, where the width of an FMV is equal to the number of bits in a PMV of an FSM tile, p. In the quotient vector matcher, only one bit in the total temporary match vectors becomes true, because only one sub pattern can be matched in the quotient vector matcher per cycle. Therefore, the temporary match vectors are encoded using a v·p : ⌈log2(v·p)⌉ binary encoder, whose output is the quotient index.
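The divided pattern matching and the sequential matching just described, as an added Python example that is not the paper's own code: it divides the Fig. 3 target patterns with f = 3, numbers the sub patterns, and performs the two-stage match (quotient vector first, then remnant) on a constructed payload; a dictionary lookup on each f-byte window stands in for the hardware quotient vector matcher.

```python
F = 3  # fixed sub-pattern length f used in the paper's example

# Target patterns of the paper's Fig. 3 example as Python bytes; |05 00| and
# similar groups in the text are hexadecimal byte values.
TARGETS = [b"00", b"\x05\x00", b"BN\x10\x00\x02\x00", b"BN\x20\x00\x02\x00", b"get clients"]


def divide(pattern, f=F):
    """Split a pattern into its quotient vector (sub patterns of length f) and the
    remnant of fewer than f trailing bytes."""
    q = len(pattern) // f
    return [pattern[i * f:(i + 1) * f] for i in range(q)], pattern[q * f:]


def build_engine(targets, f=F):
    """Divide every target and assign a code (the quotient index) to each
    distinct sub pattern, as in the right column of Fig. 3."""
    divided = [divide(t, f) for t in targets]
    codes = {}
    for quotient, _ in divided:
        for sub in quotient:
            codes.setdefault(sub, len(codes))
    qcodes = [[codes[sub] for sub in quotient] for quotient, _ in divided]
    return divided, codes, qcodes


def scan(payload, targets, f=F):
    """Two-stage sequential matching. Stage 1 reports the quotient index of the sub
    pattern ending at each byte. Stage 2 tracks, for each of the f alignments of
    sub-pattern boundaries (the f different points of the text), how far each
    target's quotient vector has been matched; a completed quotient vector then
    schedules a remnant check. Returns (end offset, target) for every match."""
    divided, codes, qcodes = build_engine(targets, f)
    active = [[set() for _ in targets] for _ in range(f)]   # partial matches per (phase, target)
    pending = []                                            # (target, offset where remnant must end)
    hits = []
    for pos in range(len(payload)):
        idx = codes.get(payload[pos - f + 1:pos + 1]) if pos >= f - 1 else None
        phase = pos % f
        for t, (quotient, remnant) in enumerate(divided):
            m = len(remnant)
            if not quotient:
                # Pattern shorter than f: no quotient vector, the remnant matcher alone decides.
                if pos + 1 >= m and payload[pos - m + 1:pos + 1] == remnant:
                    hits.append((pos, targets[t]))
                continue
            qc = qcodes[t]
            nxt = {k + 1 for k in active[phase][t] if qc[k] == idx}
            if idx == qc[0]:
                nxt.add(1)
            if len(qc) in nxt:                   # quotient vector fully matched here
                nxt.discard(len(qc))
                pending.append((t, pos + m))
            active[phase][t] = nxt
        # Remnant stage: check every scheduled remnant that should end at this byte.
        still = []
        for t, end in pending:
            remnant = divided[t][1]
            if end == pos:
                if payload[pos - len(remnant) + 1:pos + 1] == remnant:
                    hits.append((pos, targets[t]))
            elif end > pos:
                still.append((t, end))
        pending = still
    return hits


if __name__ == "__main__":
    for t in TARGETS:
        print(t, "->", divide(t))
    # Constructed payload embedding two of the targets.
    print(scan(b"\x00BN\x10\x00\x02\x00 get clients!", TARGETS))
```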

III. INTRUSION DETECTION USING THE SNORT RULE SET

A. Introduction

Snort is a cross-platform network intrusion detection tool that can be deployed to monitor TCP/IP networks and detect a wide variety of suspicious network traffic as well as outright attacks. The program is free software; the access rights to it fall under the terms of the GNU General Public License.

B. The Snort detection engine

Snort maintains its detection rules in a two-dimensional linked list of what are termed Chain Headers and Chain Options. Chain Headers are lists of rules that have been condensed down to a list of common attributes, and the detection modifier options are contained in the Chain Options. Figure 5 shows the logical structure of the Snort rule set.

Fig. 5: Block diagram of SNORT rule detection

C. Implementation of Snort Rule set on the DRIDS

The DRIDS implements a subset of the Snort rule set on each IDE. Each IDE consists of a Master FSM and 14 auxiliary FSMs called the RoptFSMs (Rule Option FSMs). Each RoptFSM deals with a particular rule option. With the arrival of a new packet, the Master FSM reads in the first rule from the SRAM and passes control to the RoptFSM that deals with the first rule option that occurs. When the RoptFSM completes its rule option, it returns control to the Master FSM, which then proceeds to check the next rule option. The first heuristic used by the pattern matcher is commonly referred to as the bad character heuristic: if a character is seen that does not exist in the keyword being searched for, the keyword can be shifted forward N characters, where N is the length of the given keyword. The second heuristic uses knowledge of repeated substrings in the keyword. Thus, if a mismatch occurs and repeated patterns exist in a given keyword, it is able to shift the keyword to the next occurrence of a substring that matches what has already been successfully matched. Figure 6 depicts the implementation of an Exact Pattern Match using the Boyer-Moore Algorithm. Figure 7 shows the IDE Master FSM. The Master FSM has 5 possible states.

1. Reset/Initial State

As shown in Figure 6, the Master FSM has 5 possible states. Upon reset the FSM enters state S0. In this state it holds the IDE_RDY signal at ‘1’, indicating that the IDE is not currently processing a packet. It also initializes the Read Pointer to the location of the first rule in the SRAM. In this state, the FSM samples the Sram State signal from the controller for this pipe stage, and remains in this state as long as the Sram State is “Invalid”. The FSM transitions to state S1 when the Sram State changes to “Exclusive”. This state checks the rule option read in from the SRAM and passes control to the RoptFSM that handles it. This state also deduces, from the current option being handled by the RoptFSM, the number of bytes by which to increment the Read Pointer. This value cannot be deduced for a content match option, however, and that triggers a transition to state S2. For all other options, the FSM transitions to state S3. State S2 is an intermediate state where the Master FSM determines the size of the content match pattern from the following byte in the SRAM. This is possible because of the format of the rules in the SRAM, as shown in the figure. After incrementing the Read Pointer to point to the next valid rule in the SRAM, the FSM transitions to state S3. S3 is a stalled state where the FSM waits for the return of control from the RoptFSM. The RoptFSM can return with either a “Pass” or a “Fail” message. If a rule option fails, the Master FSM updates the Scoreboard to record that the particular rule has failed and moves on to the next rule in the SRAM. However, in order to find the next rule in the SRAM, the FSM needs to find the rule delimiter for the current rule, and hence it enters state S4, where it increments the Read Pointer until the rule delimiter is found, at which point it returns to state S1. On a passing rule option in state S3, i.e. when the RoptFSM returns control with a “PASS” signal, the Master FSM transitions to state S1, where it proceeds to read the next rule option from the SRAM. Upon finding a rule delimiter, state S1 updates the Scoreboard. Figure 8 illustrates the design approach adopted for the DRIDS IDE.

Fig. 6: IDE Master FSM.
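Added example, not code from the paper or from the DRIDS: the bad character heuristic described above, written as a Boyer-Moore exact match over a constructed payload, with the number of alignments examined returned beside a naive left-to-right scan so the effect of the shift is visible.

```python
def bad_character_table(keyword):
    """Rightmost index of every byte value in the keyword (the bad-character table)."""
    return {b: i for i, b in enumerate(keyword)}


def bm_search(payload, keyword):
    """Boyer-Moore exact pattern match using the bad-character heuristic only.
    Returns (offset of the first match or -1, number of alignments examined)."""
    n, m = len(payload), len(keyword)
    if m == 0 or m > n:
        return -1, 0
    last = bad_character_table(keyword)
    s, tried = 0, 0
    while s <= n - m:
        tried += 1
        j = m - 1
        while j >= 0 and keyword[j] == payload[s + j]:   # compare right to left
            j -= 1
        if j < 0:
            return s, tried
        # Shift so the mismatched payload byte lines up with its rightmost
        # occurrence in the keyword. A byte absent from the keyword gives
        # last = -1, so the keyword jumps entirely past it (the text's "shift by N").
        s += max(1, j - last.get(payload[s + j], -1))
    return -1, tried


def naive_search(payload, keyword):
    """Reference left-to-right search returning the same (offset, alignments) pair."""
    n, m = len(payload), len(keyword)
    for s in range(n - m + 1):
        if payload[s:s + m] == keyword:
            return s, s + 1
    return -1, max(0, n - m + 1)


if __name__ == "__main__":
    # Constructed payload and Snort-style content keyword for the demo.
    payload = b"GET /index.html HTTP/1.1"
    print(bm_search(payload, b"HTTP"), naive_search(payload, b"HTTP"))
```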

D. Serial Front Panel Protocol

Serial FPDP, originally developed by Systran Corporation in its Simplex Link and Fiber Extreme products, is defined in the specification. It is a serial encapsulation of the Front Panel Data Port (FPDP) protocol. Serial Front Panel Data Port (SFPDP) is a high-speed, low-latency, data-streaming, serial communications protocol used for high-speed real-time data transfer applications.

Fig. 7: Top down control in FSM design

Fig. 8: Block diagram of a typical application of the SFPDP protocol

The typical application of the SFPDP protocol in radar systems is shown in figure 8. Processed data from the signal processor is acquired by the interface module and then transferred using this protocol as implemented in the FPGA. This module provides an interface to the Digital Signal Processors (DSPs) for acquiring the processed data.

The interface module receives the processed data from the DSP processors on a parallel link, serializes the data of each channel and sends it over the XAUI following the SFPDP protocol. This can be used to send the data through the SFPDP protocol over a distance extending up to 10 KM for presentation on a display terminal for radar systems. Field data can be recorded and replayed as and when required to further analyze the data in the control room to test the performance of the radar. The SFPDP data is sent through XAUI (extended Attachment Unit Interface), the serial interface. The data in the XAUI is looped back using fiber optic cable. Serial FPDP extends the maximum distance of FPDP connections by serializing the FPDP data stream and transmitting it over an extended distance using fiber optic cable. Serial FPDP is basically a point-to-point, simplex protocol designed to transfer data from a sender to a receiver. The connection between a sender and a receiver is established and remains in effect for relatively lengthy periods of time. The sequence of the format is as given in the following section. Each frame is recognized by a specified 32 bit pattern, as given below in hex:

SOF : BCB51717
FEOF : BC8A9595
SEOF : BC957575
Go/Stop : BC85B5B5
MEOF : BC8AD5D5

Figure 9: Normal Data Fiber Frame

Figure 10: Sync without Data Fiber Frame

Fig. 11: Data flow within the system

The main objective of this work is to transmit the data through the SFPDP protocol. The transmitted data is stored in a buffer and then received at the receiver. The output at the receiver is of the form shown in figure 9, which meets the requirement of the designed model. The above results are excellent and justify the designed SFPDP protocol for high speed data transfer. The received data is the same as the transmitted data, with the same values.

Fig. 12: Serial communication system

IV. APPLICATIONS AND ADVANTAGES

The real benefit of anti-virus protection is directly related to the consequences of not having anti-virus software. The internet is not a secure place by any means, and even the most tech-savvy users have a relatively high likelihood of downloading some form of malware or becoming the victim of an identity-stealing scam just by going online occasionally. Learning just a little bit about the consequences of not having anti-virus protection should be enough to convince everyone they need it. Here are a few important reasons to get top-quality anti-virus protection for your computer:

Protection from Viruses
Protection from Spyware and Identity Theft
Protection from Spam

V. RESULTS

A. Device utilization summary

TABLE I: DEVICE UTILIZATION SUMMARY FOR THE DEVICE XC3S500E-4FG320

B. Synthesis Report

Total latency 13.083ns (7.355ns logic, 5.728ns route)
Total memory usage is 193244 kilobytes

C. Waveforms

Figure 13 shows the input data; the input data is in the form of binary values. Figure 14 shows the output of the serial communication.

Fig. 12: Input data

Fig. 13: Serial communication

Fig. 14: Snort output

Fig. 15: Address of virus file

Figure 15 shows the addresses of the virus files that are present in the given input data. As shown in figure 16, the purpose of the RTL module builder is to build, or acquire from a library of predefined components, each of the required RTL blocks in the user-specified target technology.

D. RTL Schematic

Fig. 16: RTL Schematic

VI. CONCLUSION AND FUTURE SCOPE

Intrusions are activities that violate the security policy of a system. Intrusion detection is the process used to identify intrusions. An intrusion detection system (IDS) inspects all network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. In this work the design for detecting an intrusion is presented. The incoming packets are compared with the virus database and, based on the database, the identification of an intrusion is done. In the present work an IDS evaluates a suspected intrusion once it has taken place and also watches for attacks that originate from within a system, and the results show that the utilization is much lower compared with the previous one. There are several ways to categorize IDSs. Among those, misuse detection is chosen for the presented work. The IDS analyzes the information it gathers and compares it to large databases of attack signatures. Essentially, the IDS looks for a specific attack that has already been documented. The misuse detection software is only as good as the database of attack signatures that it uses to compare packets against. In future, intrusion detection and prevention systems (IDPSs) will be primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. IDPSs have become a necessary addition to the security infrastructure of nearly every organization.
