

ISSN 2319-8885
Copyright @ 2013 SEMAR GROUPS TECHNICAL SOCIETY. All rights reserved.

Efficient Way of Detecting an Intrusion using Snort Rule Based Technique

A. SAI CHAND

1 Research Scholar, Dept of ECE, Malla Reddy Institute of Technology and Science, Hyderabad, AP-India, E-mail: [email protected]
2 Asst Prof, Dept of ECE, Malla Reddy Institute of Technology and Science, Hyderabad, AP-India, E-mail: [email protected]

Abstract: For the design of intrusion detection systems, this project proposes a memory-efficient Snort-based matching scheme. In order to reduce the number of state transitions, the finite state machine uses a Snort-based technique. Long target patterns are divided into sub-patterns with a fixed length, and deterministic finite automata are built from the sub-patterns. By dividing the patterns, the variety of target pattern lengths can be mitigated, so that memory usage in homogeneous string matchers can be made efficient. In order to identify each original long pattern that has been divided, a two-stage sequential matching scheme is proposed for the successive matches of its sub-patterns. Experimental results show that the total memory requirements, the number of LUTs, the number of slices and the number of flip-flops are reduced drastically compared with the existing method.

Keywords: Flip-flops, Intrusion Detection System.


Intrusion detection is a very important aspect of protecting the cyber infrastructure from terrorist attack or from hackers. Intrusion prevention techniques such as firewalls and filtering router policies fail to stop many types of attacks. Therefore, no matter how secure we try to make our systems, intrusions still happen and so they must be detected. Intrusion detection systems are becoming an important part of our computer systems and their security. An intrusion detection system is used to detect several types of malicious behaviour that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, Trojan horses and worms). An intrusion detection system can be composed of several components: sensors, which generate security events; a console, to monitor events and alerts and to control the sensors; and a central engine, which records the events logged by the sensors in a database and uses a system of rules to generate alerts from the security events received. There are several ways to categorize an intrusion detection system, depending on the type and location of the sensors and the methodology used by the engine to generate alerts. In many simple IDS implementations all three components are combined in a single device or appliance. Intrusion detection can allow for the prevention of certain attacks, based on attack severity for different types of attacks and the vulnerability of components. Under attack, the response may be to kill the connection, install filtering rules or disable a user account.
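The sensor, console and engine arrangement described above, as an added example that is not part of the paper: a minimal Python engine that reads a small subset of Snort rule syntax (action, protocol, destination port, and the msg, content and nocase options) and turns sensor events into alerts. The rules and events are constructed for the demonstration; the rule parser is hypothetical and handles only the subset shown, not Snort's full grammar.

```python
"""Added example (not from the paper): sensors emit events, a central engine
applies Snort-style rules and turns matching events into alerts.
Only a small subset of Snort rule syntax is handled (see parse_rule)."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Event:
    """One security event as a sensor would report it (constructed data)."""
    sensor: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    action: str
    proto: str
    dst_port: Optional[int]      # None means "any"
    msg: str
    content: Optional[bytes]     # None means no payload check
    nocase: bool


# action proto src sport -> dst dport (options)
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


def parse_rule(text: str) -> Rule:
    """Parse the subset used here: msg, content (plain text only, no |hex|)
    and nocase. Option values containing ';' are not supported."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError(f"unsupported rule syntax: {text}")
    action, proto, _src, _sport, _dst, dport, opts = m.groups()
    msg, content, nocase = "", None, False
    for opt in opts.split(";"):
        key, _, val = opt.strip().partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "msg":
            msg = val
        elif key == "content":
            content = val.encode()
        elif key == "nocase":
            nocase = True
    return Rule(action, proto, None if dport == "any" else int(dport), msg, content, nocase)


def matches(rule: Rule, ev: Event) -> bool:
    """Protocol, destination port and payload content must all agree."""
    if rule.proto != "any" and rule.proto != ev.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != ev.dport:
        return False
    if rule.content is not None:
        hay, needle = ev.payload, rule.content
        if rule.nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


def run_engine(rules: List[Rule], events: List[Event]) -> List[str]:
    """The engine: every event is checked against every 'alert' rule."""
    alerts = []
    for ev in events:
        for rule in rules:
            if rule.action == "alert" and matches(rule, ev):
                alerts.append(f"[{ev.sensor}] {rule.msg}: "
                              f"{ev.src}:{ev.sport} -> {ev.dst}:{ev.dport}")
    return alerts


# Constructed rules (hypothetical, not taken from any real Snort rule set)
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> any 80 (msg:"Path traversal sequence in HTTP request"; content:"../";)',
    'alert tcp any any -> any 21 (msg:"FTP login as root attempted"; content:"USER root"; nocase;)',
]]

# Constructed events from two sensors; only the first two should alert
EVENTS = [
    Event("dmz-sensor", "tcp", "10.0.0.5", 41234, "192.0.2.10", 80, b"GET /images/../../config HTTP/1.1\r\n"),
    Event("dmz-sensor", "tcp", "10.0.0.7", 51230, "192.0.2.20", 21, b"user ROOT\r\n"),
    Event("lan-sensor", "tcp", "10.0.0.9", 60000, "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for line in run_engine(RULES, EVENTS):
        print(line)
```

The second rule only fires on the lower-case `user ROOT` payload because of `nocase`; dropping that option from the rule shows how a signature that is too literal lets the same event through.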

A. History of virus

Most of the computer viruses written in the early and mid-1980s were limited to self-reproduction and had no specific damage routine built into the code. That changed when more and more programmers became acquainted with virus programming and created viruses that manipulated or even destroyed data on infected computers. There are competing claims for the innovator of the first antivirus product. Possibly the first publicly documented removal of a computer virus in the wild was performed by Bernd Fix in 1987. There were also two antivirus applications for the Atari ST platform developed in 1987; the first was G Data and the second was UVK 2000. Fred Cohen, who published one of the first academic papers on computer viruses in 1984, began to develop strategies for antivirus software in 1988 that were picked up and continued by later antivirus software developers. In 1987, he published a demonstration that there is no algorithm that can perfectly detect all possible viruses.

B. Identification methods

1. Introduction

One of the few solid theoretical results in the study of computer viruses is Frederick B. Cohen's 1987 demonstration that there is no algorithm that can perfectly detect all possible viruses. There are several methods which antivirus software can use to identify malware:


    International Journal of Scientific Engineering and Technology Research

    Volume.02, IssueNo.18, December-2013, Pages:2075-2083

 Signature based detection is the most common method. To identify viruses and other malware, antivirus software compares the contents of a file to a dictionary of virus signatures. Because viruses can embed themselves in existing files, the entire file is searched, not just as a whole, but also in pieces.

Fig 1: Malwarebytes Anti-Malware version 1.46

2. Signature-based detection

Traditionally, antivirus software heavily relied upon signatures to identify malware. This can be very effective, but cannot defend against malware unless samples have already been obtained and signatures created. Because of this, signature-based approaches are not effective against new, unknown viruses. As new viruses are being created each day, the signature-based detection approach requires frequent updates of the virus signature dictionary. To assist the antivirus software companies, the software may allow the user to upload new viruses or variants to the company, allowing the virus to be analyzed and the signature added to the dictionary.
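The dictionary comparison described in the list item above and in this section, as an added example in Python that is not from the paper: a file is scanned against a signature dictionary in pieces, and because a signature can straddle the boundary between two pieces, each chunk carries the tail of the previous one. The signature names and byte patterns are constructed placeholders, not real malware signatures; a naive per-chunk scan is included beside it to show the boundary miss.

```python
"""Added example (not from the paper): scanning a file against a signature
dictionary in pieces, with the overlap needed so a signature crossing a
chunk boundary is still found."""
from typing import Dict, Iterable, List, Tuple

# Constructed placeholder signatures (name -> byte pattern), not real ones.
SIGNATURES: Dict[str, bytes] = {
    "test-marker": b"STANDARD-ANTIVIRUS-TEST",
    "dropper-marker": b"\x90\x90\x90\xe8\x00\x00\x00\x00",
}

Hit = Tuple[str, int]   # (signature name, absolute offset in the file)


def _find_all(window: bytes, pat: bytes) -> Iterable[int]:
    """Every offset of pat inside window (overlapping occurrences included)."""
    idx = window.find(pat)
    while idx != -1:
        yield idx
        idx = window.find(pat, idx + 1)


def scan_chunks(chunks: Iterable[bytes], signatures: Dict[str, bytes]) -> List[Hit]:
    """Scan a stream of chunks. The last (max_len - 1) bytes of each window
    are kept and prepended to the next chunk, so a pattern split across two
    chunks is seen whole. A hit inside the overlap is found twice and is
    deduplicated by its absolute offset."""
    overlap = max(len(p) for p in signatures.values()) - 1
    hits = set()
    carry, base = b"", 0            # base = absolute offset of carry[0]
    for chunk in chunks:
        window = carry + chunk
        for name, pat in signatures.items():
            for idx in _find_all(window, pat):
                hits.add((name, base + idx))
        carry = window[-overlap:] if overlap > 0 else b""
        base += len(window) - len(carry)
    return sorted(hits, key=lambda h: h[1])


def scan_bytes(data: bytes, signatures: Dict[str, bytes], chunk_size: int = 64) -> List[Hit]:
    """Scan an in-memory buffer in fixed-size pieces."""
    return scan_chunks((data[i:i + chunk_size] for i in range(0, len(data), chunk_size)), signatures)


def scan_file(path: str, signatures: Dict[str, bytes], chunk_size: int = 1 << 20) -> List[Hit]:
    """Same scan, reading from disk one chunk at a time."""
    with open(path, "rb") as fh:
        return scan_chunks(iter(lambda: fh.read(chunk_size), b""), signatures)


def naive_chunk_scan(data: bytes, signatures: Dict[str, bytes], chunk_size: int = 64) -> List[Hit]:
    """Scans each chunk on its own: misses a signature that crosses a boundary."""
    hits = set()
    for start in range(0, len(data), chunk_size):
        chunk = data[start:start + chunk_size]
        for name, pat in signatures.items():
            for idx in _find_all(chunk, pat):
                hits.add((name, start + idx))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample: the first marker starts at offset 50 and crosses the
# 64-byte chunk boundary; the second starts at offset 113.
SAMPLE = (b"A" * 50 + SIGNATURES["test-marker"] + b"B" * 40
          + SIGNATURES["dropper-marker"] + b"C" * 10)

if __name__ == "__main__":
    print("overlapping:", scan_bytes(SAMPLE, SIGNATURES))
    print("naive:      ", naive_chunk_scan(SAMPLE, SIGNATURES))
```

The overlap is sized from the longest signature in the dictionary, so every time the dictionary is updated with a longer signature the carried tail grows with it; a scanner that fixes the overlap at build time would silently reintroduce the boundary miss.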

3. Intrusion detection systems

Intrusion detection systems (IDSs) are software or hardware systems that automate the process of monitoring the events occurring in a computer system or network, analyzing them dynamically or statically for signs of compromise to security. As network security breaches have increased in number and severity in recent times, intrusion detection systems have become a necessary addition to the security infrastructure of most organizations. Intrusions can be defined as "attempts to compromise the confidentiality, integrity, availability, or to bypass the security mechanisms of a computer or




A. Introduction

Intrusion detection systems (IDSs) are designed to detect various hazardous contents and to alert to their existence in the network. Most IDSs adopt a rule set that contains information about target patterns from hazardous packet payloads and the actions to take against those target patterns. Most of the patterns to be identified are described as strings; therefore, the string matching engine is still an essential component. The string matcher is a processing unit that detects mapped patterns in packet payloads, and a string matching engine can have multiple string matchers for parallel string matching. Due to the slow speed of the software-based string matching engine, the hardware-based string matching engine is preferred for high-performance IDSs because of its great parallelism. The memory-based string matching engine allows on-the-fly update of the memory contents, giving high re-configurability. However, there are several well-known challenges: high throughput, regularity, scalability, and low memory requirements. In the memory-based string matching engine, a deterministic finite automaton (DFA) is frequently adopted. Because of the deterministic transitions between states according to input symbols, state transitions can be performed in a fixed number of cycles, so that throughput can be maintained unchanged. In addition, due to the fixed number of output transitions in a state, regularity can be guaranteed in the DFA-based string matching engine. Scalability can be supported by the homogeneity of the multiple string matchers onto which DFAs are mapped. Because of the deterministic transitions between states, however, memory requirements are proportional to both the number of states and the number of transitions per state. The total cost of a string matching engine is directly related to its memory requirements; therefore, the target pattern information should be compressed.

The pattern matching algorithm reduced total memory requirements by sharing common infixes of the target patterns. For pattern identification, a state should contain its own match vector with a set of bits, where each bit represents a pattern matched in that state.
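The DFA memory model and per-state match vector described in this section, together with the abstract's pattern-dividing and two-stage sequential matching scheme, as one added Python example that is not the paper's own code. It assumes an Aho-Corasick construction expanded to a full 256-symbol transition table (memory is then states times transitions, as the text states), splits each pattern into fixed-length pieces with the last piece allowed to be shorter (an assumption), and stores every distinct piece once so that shared infixes share states. The patterns and the sample payload are constructed; the homogeneity across several hardware matchers that the paper targets, and the stage-two bookkeeping, are not counted in the memory figure.

```python
"""Added example (not from the paper): a DFA string matcher with per-state
match vectors, and the pattern-dividing idea with a two-stage sequential
matcher on top. Assumes an Aho-Corasick construction expanded to a full
256-symbol transition table; patterns and sample input are constructed."""
from collections import deque
from typing import Dict, List, Tuple

ALPHABET = 256


class DFA:
    """match_vec[s] is a bitmask: bit i is set when pattern i ends at state s."""

    def __init__(self, patterns: List[bytes]):
        self.patterns = patterns
        goto: List[Dict[int, int]] = [{}]
        self.match_vec: List[int] = [0]
        for i, pat in enumerate(patterns):          # build the trie
            s = 0
            for b in pat:
                if b not in goto[s]:
                    goto.append({})
                    self.match_vec.append(0)
                    goto[s][b] = len(goto) - 1
                s = goto[s][b]
            self.match_vec[s] |= 1 << i
        # failure links (breadth first) and the full transition table
        self.delta = [[0] * ALPHABET for _ in goto]
        fail = [0] * len(goto)
        queue = deque()
        for b, t in goto[0].items():                 # depth-1 states fail to root
            self.delta[0][b] = t
            queue.append(t)
        while queue:
            s = queue.popleft()
            for b in range(ALPHABET):
                t = goto[s].get(b)
                if t is None:
                    self.delta[s][b] = self.delta[fail[s]][b]
                else:
                    self.delta[s][b] = t
                    fail[t] = self.delta[fail[s]][b]
                    self.match_vec[t] |= self.match_vec[fail[t]]   # inherit suffix matches
                    queue.append(t)

    def memory_bits(self) -> int:
        """states x (256 next-state pointers + one match bit per pattern)."""
        n = len(self.delta)
        return n * (ALPHABET * max(1, (n - 1).bit_length()) + len(self.patterns))

    def scan(self, data: bytes) -> List[Tuple[int, int]]:
        """(pattern index, end offset) for every match, in scan order."""
        s, out = 0, []
        for pos, b in enumerate(data):
            s = self.delta[s][b]
            vec, i = self.match_vec[s], 0
            while vec:
                if vec & 1:
                    out.append((i, pos))
                vec, i = vec >> 1, i + 1
        return out


class DividedMatcher:
    """Stage 1: one DFA over the distinct fixed-length sub-patterns.
    Stage 2: a long pattern is reported only when its sub-patterns match
    back to back, in order (the last piece may be shorter: an assumption)."""

    def __init__(self, patterns: List[bytes], sub_len: int):
        self.subs: List[bytes] = []
        self.seq: List[List[int]] = []               # pattern -> sub-pattern ids
        index: Dict[bytes, int] = {}
        for pat in patterns:
            ids = []
            for k in range(0, len(pat), sub_len):
                piece = pat[k:k + sub_len]
                if piece not in index:               # shared pieces are stored once
                    index[piece] = len(self.subs)
                    self.subs.append(piece)
                ids.append(index[piece])
            self.seq.append(ids)
        self.dfa = DFA(self.subs)
        self.users: Dict[int, List[Tuple[int, int]]] = {}   # sub id -> [(pattern, k)]
        for p, ids in enumerate(self.seq):
            for k, sid in enumerate(ids):
                self.users.setdefault(sid, []).append((p, k))

    def scan(self, data: bytes) -> List[Tuple[int, int]]:
        progress: Dict[int, Tuple[int, int]] = {}   # pattern -> (last k, end offset)
        out = []
        for sid, pos in self.dfa.scan(data):
            for p, k in self.users[sid]:
                if k == 0:
                    progress[p] = (0, pos)
                elif progress.get(p) != (k - 1, pos - len(self.subs[sid])):
                    continue                          # not contiguous with piece k-1
                else:
                    progress[p] = (k, pos)
                if k == len(self.seq[p]) - 1:
                    out.append((p, pos))
        return out


# Constructed patterns: the first two share the infix pieces "/etc", "/pas", "swd"
PATTERNS = [b"cat /etc/passwd", b"/etc/passwd", b"USER root"]
SAMPLE = b"USER root\r\ncat /etc/passwd\r\n"
FULL = DFA(PATTERNS)
DIVIDED = DividedMatcher(PATTERNS, sub_len=4)


def compare() -> dict:
    """State counts, memory estimate and hits for both matchers on SAMPLE."""
    return {"full_states": len(FULL.delta), "divided_states": len(DIVIDED.dfa.delta),
            "full_bits": FULL.memory_bits(), "divided_bits": DIVIDED.dfa.memory_bits(),
            "full_hits": FULL.scan(SAMPLE), "divided_hits": DIVIDED.scan(SAMPLE)}


if __name__ == "__main__":
    print(compare())
```

Both matchers report the same three hits on the sample, but the divided DFA needs 24 states against 36 for the undivided one, because the pieces shared by the two `/etc/passwd` patterns are built only once; the stage-two check on end offsets is what stops a stray `swd` or `t` elsewhere in the stream from being counted as a full pattern.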