Click here to load reader

Enhanced Solutions for Misuse Network Intrusion Detection ... · PDF file 2.3 Intrusion Detection (ID) 7 2.4 Intrusion Detection System (IDS) 8 2.5 Intrusion Detection Systems Classifications

  • View
    3

  • Download
    0

Embed Size (px)

Text of Enhanced Solutions for Misuse Network Intrusion Detection ... · PDF file 2.3 Intrusion...

  • Enhanced Solutions for Misuse Network

    Intrusion Detection System using SGA and

    SSGA

    �ام ا �ارز��� ��� ���

    ���م آ�� ا ����� ��ل ا� ا � �� ����� ا ����� ا ���� وا �ارز��� ا

    #"ةا�� ا

    By:

    Sabah Abdulazeez Jebur

    Supervisor:

    Dr. Hebah H. O. Nasereddin

    A Thesis Submitted In Partial Fulfillment of the Requirements of the

    Master Degree in Computer Information Systems

    Faculty of Information Technology

    Middle East University

    June, 2015

  • II

    ����ت او � ���� �ق ا�و � ���و�� ���� �� ر�� ا"!ض ����� ا��� ����ا�� %��ح #��ا�

    �&� .ا� , ��ت او ا�&+*�ت او ا�"�اد #)� '

    :ا��!/+.

  • III

  • IV

    Acknowledgments

    All credit and success is due to the Merciful Allah always and forever.

    I would like to extend my deepest gratitude to my supervisor Dr. Hebah

    Nasereddin for all of her helpful comments and guidance's throughout

    this work.

    I am grateful to my parents and family who always provided help and

    support throughout my academic life and career.

    I would like to express my heart-felting gratitude to my wife for her love,

    concern, support, encouragement and inspiration throughout my

    research work and life.

    I am thankful to my brother and true friend Ward Ahmed for his

    illuminating views and support throughout the work of this thesis.

    Last but not least, I would like to express my sincere appreciation to the

    Iraqi Government for giving me the opportunity to complete my Masters

    Degree in Jordan.

  • V

    Dedication

    To my father and mother

    To my beloved Wife

    To my brothers and sisters

    No words can make me express my gratitude and love.

    To the martyrs' souls of Iraq.

  • VI

    Table of Contents

    Authorization Statement II

    Examination Committee Decision III

    Dedication IV

    Acknowledgments V

    Table of Contents VI

    List of Tables IX

    List of Figures XI

    List of Abbreviations XII

    Abstract XIII

    XV ا���%1

    Chapter One: Introduction

    1.1 Preface 1

    1.2 Problem Statement 3

    1.3 Contribution 4

    1.4 Objectives 4

    1.5 Limitations 4

    1.6 Thesis Outline 5

    Chapter Two: Theoretical Background & Literature Review

    2.1 Overview 6

    2.2 Computer Security 6

    2.2.1 Threats & Attacks 7

    2.2.2 Intruders & Viruses 7

    2.3 Intrusion Detection (ID) 7

    2.4 Intrusion Detection System (IDS) 8

    2.5 Intrusion Detection Systems Classifications 8

    2.5.1 Misuse-based Detection Technique 9

    2.5.2 Anomaly-based Detection Technique 9

    2.5.3 Host-based Intrusion Detection System (HIDS) 9

    2.5.4 Network-based Intrusion Detection System (NIDS) 10

    2.6 Network Attacks 11

  • VII

    2.6.1 Denial of Service Attack (DoS) 11

    2.6.2 Probing 11

    2.6.3 Remote to Local Attack (R2L) 12

    2.6.4 User to Root Attack (U2R) 12

    2.7 Genetic algorithm (GA) 12

    2.8 Working mechanism of Genetic Algorithm 13

    2.8.1 Population 13

    2.8.2 Evaluation 13

    2.8.3 Encoding 14

    2.8.4 Selection 14

    2.8.5 Crossover Operator 16

    2.8.6 Mutation Operator 19

    2.8.7 Replacement 19

    2.8.8 Stopping Criteria 20

    2.9 GA Categories 20

    2.9.1 Simple Genetic Algorithm (SGA) 20

    2.9.2 Steady State Genetic Algorithm (SSGA) 21

    2.10 SGA versus SSGA 22

    2.11 Network Intrusion Detection Dataset 23

    2.12 Literature Review 27

    Chapter Three: Methodology & Proposed Model

    3.1 Methodology 32

    3.2 Processing Phase 35

    3.2.1 NSL-KDD dataset 35

    3.2.2 Encoding of Features 35

    3.2.3 Features Selection 36

    3.2.4 Rules Filtering 37

    3.3 Genetic Algorithm Phase 37

    3.3.1 Evaluation 38

    3.3.2 Selection 39

    3.3.3 Crossover Operator 40

    3.3.4 Mutation Operator 40

  • VIII

    3.3.5 Replacement 40

    3.3.6 Stopping Criteria 40

    3.4 Testing Phase 41

    3.5 Proposed Models Evaluation 41

    Chapter Four: Systems Structure & Experimental Results

    4.1 Overview 42

    4.2 Processing Phase 43

    4.2.1 NSL-KDD Dataset 43

    4.2.2 Encoding of Features 45

    4.2.3 Features Selection 48

    4.2.4 Rules Filtering 50

    4.3 Genetic Algorithm Phase 52

    4.3.1 Evaluation 52

    4.3.2 Selection 54

    4.3.3 Crossover 55

    4.3.4 Mutation 56

    4.3.5 Replacement 57

    4.4 Testing Phase and Experimental Results 58

    4.4.1 Experimental Results for SGA based IDS 58

    4.4.2 Experimental Results for SSGA based IDS 60

    4.5 Results Discussion and Analysis 62

    4.6 Comparing the Proposed Research Results against other Studies 66

    Chapter Five: Conclusion & Future Work

    5.1 Conclusion 68

    5.2 Future Work 69

    References 70

  • IX

    List of Tables

    2.1 List of KDD99 Dataset features with their descriptions and data types 25

    3.1 The most suitable features for each attack category 36

    4.1 Details information about training dataset 44

    4.2 Details information about testing dataset 45

    4.3 The encoding of the string features of NSL-KDD dataset 47

    4.4 Results of DR and FPR for each attack using the selected features by

    Mukkamala 48

    4.5 Results of DR and FPR for each attack using the selected features by

    Chou 48

    4.6 Results of DR and FPR for each attack according to Amiri using the

    selected features by FFSA 49

    4.7 Results of DR and FPR for each attack according to Amiri using the

    selected features by MMIFS 49

    4.8 The selected features sets for this research 50

    4.9 Number of rules before and after filtering for Dos attacks category 51

    4.10 Number of rules before and after filtering for Probe attacks category 51

    4.11 Number of rules before and after filtering for U2R attacks category 51

    4.12 Number of rules before and after filtering for R2L attacks category 52

    4.13 Working of Support Confidence Framework 53

    4.14 Rootkit attack rules with reduced features and fitness values (actual data) 54

    4.15 The selected individuals from Rootkit attack using SUS selection (Actual data) 55

    4.16 Results of applying Uniform crossover over Rootkit attack dataset (actual

    data) 56

    4.17 Results of applying TTR over Neptune attack individuals (actual data) 57

    4.18 The parameters used in the experiments 58

    4.19 Experimental results for Dos attack types using SGA based IDS 59

    4.20 Experimental results for Probe attack types using SGA based IDS 59

    4.21 Experimental results for U2R attack types using SGA based IDS 59

    4.22 Experimental results for R2L attack types using SGA based IDS 60

    4.23 Experimental results for Dos attack types using SSGA based IDS 60

  • X

    4.24 Experimental results for Probe attack types using SSGA based IDS 61

    4.25 Experimental results for U2R attack types using SSGA based IDS 61

    4.26 Experimental results for R2L attack types using SSGA based IDS 61

    4.27 Experimental results for Dos, Probe, U2R and R2L categories using SGA

    based IDS 62

    4.28 Experimental results for Dos, Probe, U2R and R2L categories using

    SSGA based IDS 62

    4.29 Comparison results of this research with other results 67

  • XI

    List of Figures

    2.1 The placement of the NIDS and HIDS in the Network 11

    2.2 One-point crossover 16

    2.3 Two-point crossover 17

    2.4 N-point crossover 18

    2.5 Uniform crossover 18

    2.6 Simple Genetic Algorithm structure 21

    2.7 Steady State Genetic Algorithm structure 22

    3.1 The structure of SGA based IDS 33

    3.2 The structure of SSGA based IDS 34

    4.1 Processing phase major compenents 43

    4.2 Analyzing NSL-KDD dataset using Microsoft SQL Server 2008 44

    4.3 The network connection features before encoding 46

    4.4 The network connection features after encoding 46

    4.5 Summary of added rules comparison 64

    4.6 Summary of training time comparison 64

    4.7 Summary of DR comparison 65

    4.8 Summary of FPR comparison 66

  • XII

    List of Abbreviations AF average of fitness value

    BFSS Best Feature Set Selection

    BTR Binary Tournament Replacement

    DARPA Defense Advanced Research