
Intrusion Detection System

The document summarizes a thesis on improving intrusion detection systems using classification algorithms. The objectives are to improve classification accuracy and reduce error rates. The proposed methodology uses a decision tree classifier with a new attribute selection criteria that weights less common but more important attributes higher than more common but less important attributes. The results show increased classification accuracy and decreased error rates compared to other methods. Future work could involve applying the approach to other attack categories and utilizing additional parameters.

Uploaded by

madhukedar

Thesis Summary

“A Classification Based Technique for Accurate Classification & Prediction of the Intrusion”

➢ INTRODUCTION
In recent years, Intrusion Detection Systems have received great attention, for two reasons: the
tremendous growth of the internet and the large networks of organizations. Currently, Intrusion
Detection Systems use data mining techniques to detect intrusions. Data mining analyzes large
amounts of data and finds frequent patterns or rules in that data, and it detects intrusions
effectively in an Intrusion Detection System. The main objective of the thesis is to detect
intrusions in a large dataset with a classification algorithm and to improve the detection rate and
classification accuracy of a network-based intrusion detection system.

There are two types of Intrusion Detection System:

1] Network Based Intrusion Detection System

2] Host Based Intrusion Detection System

These systems can be classified based on which events they monitor, how they collect information,
and how they deduce from that information that an intrusion has occurred. IDSs that scrutinize
data circulating on the network are called Network IDSs (NIDSs), while IDSs that reside on the
host and collect logs of operating-system-related events are called Host IDSs (HIDSs). IDSs may
also vary according to the technique by which they detect intrusions.

Network Based IDS

Because they only scrutinize network traffic, NIDSs do not benefit from running on the host.
They are often run on dedicated machines that observe the network flows, sometimes in
conjunction with a firewall. In this case they are not affected by security vulnerabilities on the
machines they are monitoring. Only a limited amount of information can be inferred from data
gathered on the network link. The widespread adoption of end-to-end encryption further limits
the amount of information that can be gathered at the network interface.
One major shortcoming of NIDSs is that they are oblivious to local root attacks. An authorized
user of the system who attempts to gain additional privileges will not be detected if the attack is
performed locally. An authorized user of the system may also be able to set up an encrypted
channel when accessing the machine remotely.

Host Based IDS

HIDSs have an ideal vantage point. Because an HIDS runs on the machine it monitors, it can
theoretically observe and log any event occurring on the machine. However, the complexity of
current operating systems often makes it difficult, if not impossible, to accurately monitor certain
events. Security tools that rely on system call interposition to monitor a host face many
difficulties.

In addition to problems resulting from an incorrect or incomplete understanding of the operating
system, race conditions in the operating system make the implementation of such tools
delicate. HIDSs are also confronted with difficulties arising from potential tampering by the
attacker. A secure logging mechanism is necessary to prevent logs from being erased if the
attacker compromises the machine. Even if such a secure mechanism is available, an attacker
who obtains superuser privileges on the host can disable the HIDS. If the HIDS is a user process,
the attacker can simply terminate the process. If the HIDS is embedded in the kernel, the attacker
can modify the kernel by loading a kernel module or by writing directly to kernel memory. This
means that an HIDS can only be trusted up to the point where the system was compromised.

➢ Objective

The main objectives of the research are as follows:

• To improve the accuracy of the Intrusion Detection System (IDS) algorithm using the
KDD99 dataset.
• To reduce the error rate of the Intrusion Detection System.

➢ Required Characteristics of an Intrusion Detection System:

The following characteristics are ideally desirable for an intrusion detection system (based on the
list provided by Crosbie and Spafford [2]).

1. IDS must run continually with minimal human supervision.
2. IDS must be fault tolerant:
   a) IDS must be able to recover from system crashes, whether accidental or caused by
   malicious activity.
   b) After a crash, the IDS must be able to recover its previous state and resume its
   operations unaffected.
3. IDS must resist subversion:
   a) It should be significantly difficult for an attacker to disable or modify the IDS.
   b) The IDS must be able to monitor itself and detect if it has been modified by an
   attacker.
4. IDS must impose a minimal overhead on the systems where it runs, to avoid interfering
with their normal operation.
5. IDS must be configurable to accurately implement the security policies of the systems
that are being monitored.
6. IDS must be easy to deploy. This can be achieved through portability to different
architectures and operating systems, through simple installation schemes, and by being
easy for the operator to use and understand.
7. IDS must be adaptable to changes in system and user behavior over time.
8. IDS must be able to detect attacks:
   a) The IDS must not flag any legitimate activity as an attack (false positive).
   b) The IDS must not fail to flag any real attack as such (false negative).
   c) The IDS must report intrusions as soon as possible after they occur.
   d) The IDS must be general enough to detect different types of attacks.
➢ Proposed methodology

In decision tree classifiers, the attribute selection criterion works as follows: first the
information gain of each attribute is computed, then the attribute with the maximum information
gain is chosen. This means that an attribute with the most values is chosen for splitting the tree.
But in most cases an attribute with the most values is not necessarily the best. The ID3 algorithm
also uses information gain to select an attribute. Information gain is based on the concept of
probability. Probability-based methods are suitable for stochastic problems, but they cannot be
the common criterion for attribute selection.

To solve this problem, we propose a more accurate decision tree based classifier. Our
proposed solution uses a new attribute selection criterion. It gives more weight to attributes
with fewer values but more importance, and it reduces the weight of attributes with more
values and less importance.
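
The bias described above can be reproduced on a small constructed sample. The following is an added example, not code from the thesis: it computes ID3's information gain over KDD99-style fields and compares it with C4.5's gain ratio, a standard criterion that penalizes many-valued attributes and is used here only as a stand-in, since this summary does not give the thesis's own criterion. The rows and function names are constructed for illustration.

```python
from collections import Counter, defaultdict
from math import log2

# Constructed records with KDD99-style field names (not rows from the dataset).
# src_bytes is distinct on every row; flag and protocol_type take two values each.
FIELDS = ("protocol_type", "flag", "src_bytes", "label")
ROWS = [dict(zip(FIELDS, r)) for r in [
    ("tcp", "S0", 40, "attack"),
    ("tcp", "S0", 44, "attack"),
    ("tcp", "S0", 48, "attack"),
    ("tcp", "SF", 215, "attack"),
    ("tcp", "SF", 181, "normal"),
    ("udp", "SF", 105, "normal"),
    ("udp", "SF", 146, "normal"),
    ("tcp", "SF", 239, "normal"),
]]

def entropy(values):
    """Shannon entropy in bits of a list of discrete values."""
    total = len(values)
    return -sum(c / total * log2(c / total) for c in Counter(values).values())

def partition(rows, attr):
    """Group the class labels by the value each row has for attr."""
    groups = defaultdict(list)
    for row in rows:
        groups[row[attr]].append(row["label"])
    return groups

def info_gain(rows, attr):
    """ID3 criterion: label entropy minus the weighted entropy after the split."""
    remainder = sum(len(g) / len(rows) * entropy(g)
                    for g in partition(rows, attr).values())
    return entropy([r["label"] for r in rows]) - remainder

def gain_ratio(rows, attr):
    """C4.5 criterion: information gain divided by the entropy of the split itself."""
    split_info = entropy([r[attr] for r in rows])
    return info_gain(rows, attr) / split_info if split_info else 0.0

def best_attribute(rows, criterion):
    """Attribute that the given criterion would place at the root of the tree."""
    return max((f for f in FIELDS if f != "label"), key=lambda a: criterion(rows, a))

if __name__ == "__main__":
    for attr in FIELDS[:-1]:
        print(f"{attr:14} gain={info_gain(ROWS, attr):.3f} "
              f"ratio={gain_ratio(ROWS, attr):.3f}")
    print("information gain picks:", best_attribute(ROWS, info_gain))
    print("gain ratio picks:      ", best_attribute(ROWS, gain_ratio))
```

Information gain selects `src_bytes` because every value isolates a single record, which memorizes the training rows and generalizes poorly to unseen traffic; the normalized criterion selects the two-valued `flag` instead.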

➢ Result
1. Classification accuracy is increased in the Intrusion Detection System.
2. Error rate is decreased in the Intrusion Detection System.
➢ Conclusion

In today’s world, intrusion is very harmful to the data flowing on the internet. Intrusion
compromises the authenticity and confidentiality of a system. To secure a system against
intruders, it is essential that the system is not exposed to the intruder. In this work we have
proposed a modified method to detect intrusions, based on the decision tree classifier. First,
training is performed with the help of the classifier, then attacks are predicted. The proposed
method is more suitable for detecting novel attacks. With the proposed work, the accuracy of the
system has been increased, the error rate has been decreased, and the problem of false positives
and false negatives is also resolved.

➢ Future Work

Some problems and concepts that remain unaddressed can be taken up in future work on our
proposed scheme, so that the method becomes more effective and gives better results. We can
further apply this approach to identify the user-to-root category of attack. As future scope, this
scheme can be implemented and used to detect other attacks. To make fuller use of the proposed
method, we can also extend the approach by using more parameters. It can also be applied to the
different attacks present in intrusion detection, such as the user-to-root attack. It can provide
security to military networks, where ever more network security is needed to protect data.
