parameter based anomaly detection system with h-parameter estimation

Parameter Based Anomaly Detection System with H-Parameter Estimation Guided By: Dr. Shekhar Verma Associate Professor Department of Information Technology IIIT-Allahabad By Sheel Sindhu Manohar IWC2013011 IIIT-Allahabad

Upload: sheel-sindhu-manohar

Post on 16-Aug-2015


DESCRIPTION

Final Defense Presentation

TRANSCRIPT

Slide 1: Title
Parameter Based Anomaly Detection System with H-Parameter Estimation
Guided By: Dr. Shekhar Verma, Associate Professor, Department of Information Technology, IIIT-Allahabad
By Sheel Sindhu Manohar, IWC2013011, IIIT-Allahabad
July 21, 2015

Slide 2: Abstract
Networks are very prone to many attacks, including intrusion injection, eavesdropping, etc. Computer systems can be affected by intruders, and an affected node can degrade the performance of the network: the performance in terms of bandwidth slows down. The cause can be malicious code on some nodes in the network. We need to identify these anomalous nodes to maintain the reliability of the network.
No system is present for the prediction of attacks so that precautions can be taken. We are trying to provide a more accurate solution to predict anomalous situations in the network. Deep packet inspection methods have been implemented for efficient classification of packets. Hurst parameter values are estimated for self-similarity in the traffic of a specific network. The experimental results of the Hurst parameter show that the proposed approach can be used for correlation in network traffic distribution.

Slide 3: Index
Introduction, Motivation, Problem Definition, Background, Literature Survey, Traffic Analysis, Deep Packet Inspection, Proposed Approach, Results, Conclusion

Slide 4: Introduction
According to network requirements, we need a facility to predict new types of security threats.
Deep Packet Inspection (DPI) is a technology that enables the network analyst to analyze internet traffic passing through the network and differentiate it according to its payload.
DPI allows network operators to scan the payload of IP packets as well as the header.
A regular expression or pattern helps in the payload based inspection.
Analysis on classified data for anomaly.

Slide 5: Motivation
Network service providers face the introduction of increasingly complex and sophisticated threats.
Current network security solutions are not designed to address unknown threats.
Logs captured by existing network security solutions are not informative enough.
Network traffic analysis tools are not designed to analyze traffic in depth.

Slide 6: Problem Definition
Network security solutions are inclined to handle a set of pre-defined attacks.
They are not equipped by design to proactively foresee network usage trends and predict future threats.
The consequence is degradation of services due to frequent attacks.
Analyzing network traffic and fetching network usage trends improves network security solutions.
By simple logging we can't predict attacks, because a log of several kinds of unwanted traffic is difficult to analyze for the pattern.

Slide 7: Objectives
Developing a new approach, "Parameter Based Anomaly Detection System".
To design and develop a reactive model to get usage trends.
To capture streams and maintain logs for predictions of threats.
To develop performance or statistics based representations.

Slide 8: Background
Deep packet inspection; Intrusion Detection System; Passive and Reactive model of IDS; Types of attack; Pattern Matching in IDS; Issues with IDS

Slide 9: Deep Packet Inspection
Deep packet inspection is a payload based inspection.
Not only a technique but also a surveillance method over the network.
Deep packet inspection also helps in an Intrusion Detection System.
At the ground level, matching is done with the signatures for the match with the required application for the required purpose.
Various approaches to apply deep packet inspection: 1. Automata based, 2. heuristics based and 3. filtering based approach.

Slide 10: Intrusion Detection System
An intrusion detection system (IDS) is an application that scans a network's or computer system's activities for destructive activities or any kind of policy violations.
There are a variety of Intrusion Detection Systems on the basis of the method of inspection: based on packet inspection; based on traffic analysis.

Slide 11: Passive Model and Reactive Model of IDS
The passive model does not exactly behave like a firewall; it gives an alert message in case of any attack or any kind of suspicious activity.
The reactive model behaves like an auto-responder to the problem and replies according to the attack and blocks the unwanted traffic.

Slide 12: Types of Attacks
SYN, IP.
Line-speed packet filtering based on patterns is always an issue.

Slide 14: Issues with Intrusion Detection System
The IDS always reacts to those attacks or attackers which are inbuilt in it.
Issues come into the network when there is a new type of attack inside the network.
Research is going on in this area and not much success has been achieved in this area till now.
Our system is suggesting a paradigm towards such a type of system which can detect and predict attacks before the critical and undesirable situation is reached.

Slide 15: Literature Survey
S. No. | Tool | Remark
1 | OpenDPI | Open Source Deep Packet Inspection Engine
2 | nDPI | nDPI is an ntop-maintained superset of the popular OpenDPI
3 | IPP2P | identify peer-to-peer (P2P) data in IP traffic
4 | HiPPIE | Hi-Performance Protocol Identification Engine
5 | Libprotoident | library designed to perform application protocol identification with DPI
6 | L7-filter | classifier for Linux's Netfilter that identifies packets based on application layer data

Slide 16: Literature Survey: Methods of Payload Based Inspection
Approaches | Key Point | Success Rate | Issues
Port Based Approaches | Read Port From Header | 30-70% | Transient Ports
Statistical Approaches | Machine Learning Methods, Heuristics Based | Moderate | Training, Not Much Dynamic
Pattern Matching | Automaton Based, String patterns, Regular Expression | Good | No prediction

Slide 17: Literature Survey: Types of Signature

Slide 18: Network Analysis Methods
Classification Of Data
Port Based Classification: matching with the port from the header and classify data.
Statistical Classification: does not depend on header data; it depends on payload statistics.
String Matching Based Classification: Approximate String Matching, Exact String Matching.

Slide 19: Different Classification Methods

Slide 20: Proposed Method
The approach is to prepare an IDS such that it can predict the situation of attack. The packet inspection system is good at detecting known attacks, but it cannot easily detect a new type of attack. The premise is that an attack will create abnormal network usage conditions, which will have an impact on the network traffic level (e.g. on traffic characteristics), through which the system can analyze to detect a new type of attack.
Targeting a small college network as per the present situation, we will capture packets and classify them on the basis of different categories.

Slide 21: Phases of Proposed Approach
First step is to sniff and capture packets using Wireshark in normal condition and in attacked condition.
Second step is creation of a ground truth file by extracting details from the .pcap file.
Third step is to extract details after processing and draw a Pareto analysis chart; also extract the time series of pcap data over the time line for the H parameter.
Fourth step is plotting of self-similar data and estimation of H parameters.
Fifth step is combined inference from the H-parameter for the abnormality condition.

Slide 22: Packet Capturing
We used a sniffer for packet capturing. Wireshark is a tool provided for sniffing and capturing.
We prepared 11 data sets for analysis, where 5 data sets are of normal traffic captured in normal condition and 6 data sets are infected with attack conditions.
Attack simulated using SYN packets and ICMP packets using Linux shell scripting.

Slide 23: HTTP classification pattern (regular expression, as used by L7-filter)
http/(0\.9|1\.0|1\.1)[1-5][0-9][0-9][\x09-\x0d -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* http/[01]\.[019]

Slide 24: Extraction of Ground Truth
The ground truth file refers to the classified form of all the sender and receiver data, session wise.

Slide 31: 1A-S Method

Slide 32: Results
Hurst Estimation using Periodogram Variance Method

Slide 33: Results
Hurst Estimation using Aggregate Variance Method (Attacked)

Slide 34: Results
Hurst Estimation using R/S Method (for attack condition)

Slide 35: Results
Hurst Estimation using Periodogram Method
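The two Hurst estimators named in the results slides, R/S (rescaled range) and aggregated variance, as an added Python example that is not code from the presentation: it runs both on constructed per-second packet-count series (iid noise around a baseline versus a persistent running sum, stand-ins for the normal and attacked captures) and returns H, so the self-similarity contrast the slides rely on can be checked without a pcap. The periodogram method is not included; function names and the sample series are my own.

```python
import math
import random
import statistics
from itertools import accumulate

def _slope(xs, ys):
    """Least-squares slope of ys against xs (used for the log-log fits)."""
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)

def rescaled_range(block):
    """R/S of one block: range of the mean-adjusted cumulative sum over its std dev."""
    mean = sum(block) / len(block)
    cum = list(accumulate(x - mean for x in block))
    s = statistics.pstdev(block)
    return (max(cum) - min(cum)) / s if s > 0 else 0.0

def hurst_rs(series, min_block=16):
    """Hurst exponent by the R/S method: slope of log E[R/S] against log n."""
    n, block, logs_n, logs_rs = len(series), min_block, [], []
    while block <= n // 2:
        rs = [rescaled_range(series[i:i + block]) for i in range(0, n - block + 1, block)]
        rs = [r for r in rs if r > 0]
        if rs:
            logs_n.append(math.log(block))
            logs_rs.append(math.log(sum(rs) / len(rs)))
        block *= 2
    return _slope(logs_n, logs_rs)

def hurst_aggregate_variance(series, min_block=2):
    """Aggregated-variance method: the variance of block means scales as m^(2H-2)."""
    n, m, logs_m, logs_var = len(series), min_block, [], []
    while n // m >= 8:
        means = [sum(series[i:i + m]) / m for i in range(0, n - m + 1, m)]
        logs_m.append(math.log(m))
        logs_var.append(math.log(statistics.pvariance(means)))
        m *= 2
    return 1.0 + _slope(logs_m, logs_var) / 2.0

def packet_counts(n=4096, seed=7, persistent=False):
    """Constructed per-second packet counts (not captured traffic): iid noise
    around a baseline, or a persistent series formed as its running sum."""
    rng = random.Random(seed)
    noise = [rng.gauss(0.0, 1.0) for _ in range(n)]
    if persistent:
        return [100.0 + a for a in accumulate(noise)]
    return [100.0 + 10.0 * x for x in noise]
```

For the iid series both estimators return H near 0.5, while the persistent series gives a clearly higher H; a real capture would replace packet_counts with the per-second counts extracted from the pcap.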