Collaborative Intrusion Detection System with Snort Machine Learning Plugin

Dimas Priambodo - National Cyber and Crypto Polytechnic, Bogor, 16120, Indonesia
Achmad Husein Faizi - National Cyber and Crypto Polytechnic, Bogor, 16120, Indonesia
Fika Rahmawati - National Cyber and Crypto Polytechnic, Bogor, 16120, Indonesia
Septia Sunaringtyas - National Cyber and Crypto Polytechnic, Bogor, 16120, Indonesia
Jeckson Sidabutar - National Cyber and Crypto Polytechnic, Bogor, 16120, Indonesia
Tiyas Yulita - National Cyber and Crypto Polytechnic, Bogor, 16120, Indonesia


DOI: http://dx.doi.org/10.62527/joiv.8.3.2018

Abstract


The increasing prevalence of cybercrime and cyber-attacks underscores the need for organizations to implement robust network security measures. Current Intrusion Detection Systems (IDS), however, often rely on a single sensor, or on multiple sensors of the same type (either Host-Based IDS (HIDS) or Network-Based IDS (NIDS)), which limits what they can detect. To address this limitation, this research combines NIDS and HIDS components into a collaborative IDS, widening the scope of intrusion detection and improving the effectiveness of the attack mitigation system built on it. Integrating NIDS and HIDS, however, introduces its own challenges, notably elevated rates of False Positive and False Negative alerts. To address these, this research applies machine learning in the form of Snort plugins, together with comparison methods, to raise the precision of attack detection. The results show the approach is effective. In static analysis of the NSL-KDD dataset, a Support Vector Machine attains a 99% detection rate for Denial of Service (DoS) attacks and a 98% detection rate for Probe attacks. In dynamic real-time attack simulations, the machine learning plugins detect various types of DoS attacks and identify SYN Flooding DoS attacks more comprehensively than the Snort community rule set. These findings represent an advance in intrusion detection and a step toward more robust and accurate network security systems in an era of escalating cyber threats.
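The SVM described in the abstract is trained on NSL-KDD connection records, whose time-based traffic features (count, srv_count, serror_rate, same_srv_rate) are derived for each connection from the connections seen in the preceding two seconds; a Snort plugin that feeds live traffic to such a model has to compute the same features on the fly. The following is an added example, not the paper's plugin or the authors' code: a Python implementation of four of those KDD'99-style features over constructed connection records. The sample traffic, host addresses and the threshold values in syn_flood_suspect are assumptions made for illustration, not values from the paper; the point is to show how a SYN flood separates from normal web traffic on these features before any classifier is involved.

```python
"""KDD'99/NSL-KDD style time-based traffic features over a two-second window.

Added example, not the paper's code: the features below (count, srv_count,
serror_rate, same_srv_rate) follow the KDD'99 definitions, computed for each
connection from the connections that preceded it within WINDOW seconds.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Conn:
    ts: float       # connection start time in seconds
    dst_host: str   # destination host
    service: str    # destination service, e.g. "http"
    flag: str       # KDD connection status flag: "SF" = normal, "S0" = SYN seen, no reply


# Flags the KDD'99 feature extraction counts as SYN errors (half-open / unanswered).
SYN_ERROR_FLAGS = {"S0", "S1", "S2", "S3"}
WINDOW = 2.0  # seconds; the KDD'99 time-based features use a two-second window


def kdd_time_features(conns: List[Conn], idx: int) -> Dict[str, float]:
    """Time-based features for conns[idx] (conns must be sorted by ts).

    The window is the WINDOW seconds ending at the current connection and
    includes the current connection itself, so count is always >= 1.
    """
    cur = conns[idx]
    window = [c for c in conns[: idx + 1] if cur.ts - WINDOW <= c.ts <= cur.ts]
    same_host = [c for c in window if c.dst_host == cur.dst_host]
    same_srv = [c for c in window if c.service == cur.service]

    count = len(same_host)                      # connections to the same host
    syn_errors = sum(c.flag in SYN_ERROR_FLAGS for c in same_host)
    same_srv_in_host = sum(c.service == cur.service for c in same_host)
    return {
        "count": count,
        "srv_count": len(same_srv),             # connections to the same service
        "serror_rate": syn_errors / count,      # share of same-host conns with SYN errors
        "same_srv_rate": same_srv_in_host / count,
    }


def syn_flood_suspect(f: Dict[str, float], min_count: int = 100,
                      min_serror_rate: float = 0.8) -> bool:
    """Illustrative threshold rule on the two features a SYN flood drives up.

    The thresholds are assumed values for this example; they are not the
    decision boundary the paper's SVM learned from NSL-KDD.
    """
    return f["count"] >= min_count and f["serror_rate"] >= min_serror_rate


def build_sample() -> List[Conn]:
    """Constructed traffic (not captured data): five completed web connections,
    one unrelated SSH session, then 150 half-open SYNs to the web server in 0.75 s."""
    normal = [Conn(float(t), "10.0.0.5", "http", "SF") for t in range(5)]   # t = 0..4 s
    other = [Conn(2.5, "10.0.0.7", "ssh", "SF")]
    flood = [Conn(10.0 + i * 0.005, "10.0.0.5", "http", "S0") for i in range(150)]
    return sorted(normal + other + flood, key=lambda c: c.ts)


def analyse(conns: List[Conn]) -> Tuple[Dict[str, float], Dict[str, float]]:
    """Features for the last completed web connection and for the last flood SYN."""
    last_normal = max(i for i, c in enumerate(conns)
                      if c.dst_host == "10.0.0.5" and c.flag == "SF")
    return kdd_time_features(conns, last_normal), kdd_time_features(conns, len(conns) - 1)


if __name__ == "__main__":
    normal_f, flood_f = analyse(build_sample())
    for label, f in (("normal", normal_f), ("flood", flood_f)):
        print(label, f, "-> SYN flood?", syn_flood_suspect(f))
```

For the constructed sample, the last normal web connection sees three same-host connections in its window with no SYN errors, while the last flood SYN sees 150 with a serror_rate of 1.0; a per-connection feature vector like this, rather than the raw packet, is what an NSL-KDD-trained model expects, which is why a live plugin must track the two-second window per destination host.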

Keywords


Artificial intelligence; Machine learning; NIDS; HIDS; Snort Plugin

