04-08-2012, 10:42 AM
NETWORK INTRUSION DETECTION USING NAÏVE BAYES
INTRODUCTION

With the tremendous growth of network-based services and sensitive information on networks, network security is becoming more important than ever before. Intrusion detection techniques are the last line of defence against computer attacks, behind secure network architecture design, firewalls, and personal screening. Despite the plethora of intrusion prevention techniques available, attacks against computer systems are still successful. Thus, intrusion detection systems (IDSs) play a vital role in network security. Symantec, in a recent report [1], found that the number of phishing attacks aimed at stealing confidential information such as credit card numbers, passwords, and other financial information is on the rise, going from 9 million attacks in June 2004 to over 33 million in less than a year.
INTRUSION DETECTION

An Intrusion Detection System (IDS) inspects the activities in a system for suspicious behaviour or patterns that may indicate system attack or misuse. There are two main categories of intrusion detection techniques: anomaly detection [2] and misuse detection. The former analyses the information gathered and compares it to a defined baseline of what is seen as "normal" service behaviour, so it has the ability to learn how to detect network attacks that are currently unknown. Misuse detection is based on signatures for known attacks, so it is only as good as the database of attack signatures that it uses for comparison. Misuse detection has a low false positive rate but cannot detect novel attacks; anomaly detection, on the other hand, can detect unknown attacks but has a high false positive rate.
RELATED WORK

ADAM (Audit Data Analysis and Mining) [4] is an intrusion detector built to detect intrusions using data mining techniques. It first absorbs training data known to be free of attacks. Next, it uses an algorithm to group attacks, unknown behaviour, and false alarms. ADAM has several useful capabilities, namely:

1. Classifying an item as a known attack,
2. Classifying an item as a normal event,
3. Classifying an item as an unknown attack,
4. Matching audit trail data to the rules it gives rise to.

IDDM (Intrusion Detection using Data Mining Techniques) [5] is a real-time NIDS for misuse and anomaly detection. It applies association rules, meta rules, and characteristic rules. It employs data mining to produce descriptions of network data and uses this information for deviation analysis.
THE PROPOSED METHOD

The Naïve Bayes method is based on the work of Thomas Bayes (1702-1761). In Bayesian classification, we have a hypothesis that the given data belongs to a particular class, and we then calculate the probability that this hypothesis is true. This is among the most practical approaches for certain types of problems. The approach requires only one scan of the whole data. Also, if at some stage additional training data become available, each new training example can incrementally increase or decrease the probability that a hypothesis is correct. Thus, a Bayesian network is used to model a domain containing uncertainty [12, 13].
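The classifier sketched above, as an added example that is not code from the paper: a categorical naïve Bayes model over discretised connection records (constructed KDD-style fields: service, TCP flag, byte and connection-count bins, none taken from a real capture), stored as counts so that each further labelled record updates the class probabilities incrementally, plus the detection-rate and false-positive-rate measurement the conclusion refers to.

```python
from collections import Counter, defaultdict
from math import log
class NaiveBayesIDS:
    """Categorical naive Bayes with add-one smoothing; stores only counts, so it trains incrementally."""
    def __init__(self, features):
        self.features = features
        self.class_counts = Counter()                               # label -> n
        self.counts = {f: defaultdict(Counter) for f in features}   # f -> label -> value -> n
        self.values = {f: set() for f in features}                  # distinct values per feature

    def update(self, record, label):
        """Absorb one labelled record; each call shifts the class and feature counts."""
        self.class_counts[label] += 1
        for f in self.features:
            self.counts[f][label][record[f]] += 1
            self.values[f].add(record[f])

    def classify(self, record):
        """Label with the highest posterior: prior times smoothed per-feature likelihoods."""
        total = sum(self.class_counts.values())
        scores = {}
        for label, n in self.class_counts.items():
            lp = log(n / total)
            for f in self.features:   # features treated as conditionally independent given the label
                lp += log((self.counts[f][label][record[f]] + 1) / (n + len(self.values[f])))
            scores[label] = lp
        return max(scores, key=scores.get)

def evaluate(model, labelled):
    """Return (detection rate over attacks, false positive rate over normals)."""
    flagged, seen = Counter(), Counter()
    for record, label in labelled:
        seen[label] += 1
        flagged[label] += model.classify(record) == "attack"
    return flagged["attack"] / seen["attack"], flagged["normal"] / seen["normal"]
FEATURES = ["service", "flag", "bytes", "count"]
def R(*v): return dict(zip(FEATURES, v))   # constructed KDD-style record, fields discretised
TRAIN = [(R("http", "SF", "mid", "low"), "normal"), (R("http", "SF", "mid", "low"), "normal"),
         (R("smtp", "SF", "high", "low"), "normal"), (R("ftp", "SF", "high", "low"), "normal"),
         (R("http", "SF", "low", "low"), "normal"),
         (R("http", "S0", "zero", "high"), "attack"), (R("private", "S0", "zero", "high"), "attack"),
         (R("private", "REJ", "zero", "high"), "attack"), (R("http", "S0", "zero", "high"), "attack")]
TEST = [(R("http", "S0", "zero", "high"), "attack"), (R("private", "REJ", "zero", "high"), "attack"),
        (R("smtp", "SF", "mid", "low"), "normal"),
        (R("http", "S0", "zero", "low"), "normal")]   # benign half-open connection -> false positive
model = NaiveBayesIDS(FEATURES)
for record, label in TRAIN:
    model.update(record, label)
print(evaluate(model, TEST))   # (1.0, 0.5)
```

The benign half-open record is flagged because its flag and byte values were only ever seen with attacks; feeding a few such records back in as normal with update() is the incremental correction the paragraph describes.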
CONCLUSION AND FUTURE WORK

In this paper, we have proposed a framework for NIDS based on the Naïve Bayes algorithm. The framework builds the patterns of the network services over data sets labelled by the services. With the built patterns, the framework detects attacks in the datasets using the naïve Bayes classifier algorithm. Compared to the neural network based approach, our approach achieves a higher detection rate, is less time consuming and has a lower cost factor. However, it generates somewhat more false positives.