Network Intrusion Detection System Using SNORT
VerifiedAdded on 2023/06/11
|51
|9826
|455
AI Summary
This capstone project report discusses the implementation of a Network Intrusion Detection System (NIDS) using SNORT. It covers the literature review, objectives, detailed design, implementation, testing, and results of the project. The report also includes a glossary and abbreviations section. The project was completed by students from the School of IT and Engineering in a trimester. The report is relevant for students studying MN692 Capstone Project.
Contribute Materials
Your contribution can guide someone’s learning journey. Share your
documents today.
MN692 Capstone Project
Network intrusion detection system
Final Report
Student Names
Student IDs
School of IT and Engineering
Trimester x 201x
Network intrusion detection system
Final Report
Student Names
Student IDs
School of IT and Engineering
Trimester x 201x
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
MN692 Capstone Project Report Page 2 of 51
Table of Contents
Acknowledgment.......................................................................................................................3
1 Abstract..............................................................................................................................4
2 Glossary and Abbreviations...............................................................................................6
1. Introduction........................................................................................................................7
2. Project Detailed Design......................................................................................................8
2.1 Literature Review......................................................................................................12
2.2 Objectives of the Project...........................................................................................12
2.3 Detailed Design.........................................................................................................13
2.3.1 Design and implementation.....................................................................................13
2.3.2 Table of weekly Activities for MN692...................................................................14
2.3.3 Roles& Responsibilities of each team member......................................................15
2.3.4 Gantt Chart..............................................................................................................18
2.3.5 Project methodology...............................................................................................26
Figure 14: Block diagram of NIDS..................................................................................27
3 Project Implementation and Evaluation...........................................................................27
3.1 Implementation..........................................................................................................27
3.1.1 Software Requirements......................................................................................28
3.1.2 Hardware Requirements.....................................................................................29
3.1.3 Research graphs of malware attacks..................................................................29
3.1.4 Installing Snort...................................................................................................30
3.2 Testing and troubleshooting......................................................................................32
3.3 Results.......................................................................................................................38
Ping scan results that are stored in snort log............................................................................41
Verification of snort intrusion..................................................................................................42
3.4 Discussion and analysis.............................................................................................42
3 Conclusion........................................................................................................................51
References................................................................................................................................52
Network Intrusion Detection System Using SNORT
Table of Contents
Acknowledgment.......................................................................................................................3
1 Abstract..............................................................................................................................4
2 Glossary and Abbreviations...............................................................................................6
1. Introduction........................................................................................................................7
2. Project Detailed Design......................................................................................................8
2.1 Literature Review......................................................................................................12
2.2 Objectives of the Project...........................................................................................12
2.3 Detailed Design.........................................................................................................13
2.3.1 Design and implementation.....................................................................................13
2.3.2 Table of weekly Activities for MN692...................................................................14
2.3.3 Roles& Responsibilities of each team member......................................................15
2.3.4 Gantt Chart..............................................................................................................18
2.3.5 Project methodology...............................................................................................26
Figure 14: Block diagram of NIDS..................................................................................27
3 Project Implementation and Evaluation...........................................................................27
3.1 Implementation..........................................................................................................27
3.1.1 Software Requirements......................................................................................28
3.1.2 Hardware Requirements.....................................................................................29
3.1.3 Research graphs of malware attacks..................................................................29
3.1.4 Installing Snort...................................................................................................30
3.2 Testing and troubleshooting......................................................................................32
3.3 Results.......................................................................................................................38
Ping scan results that are stored in snort log............................................................................41
Verification of snort intrusion..................................................................................................42
3.4 Discussion and analysis.............................................................................................42
3 Conclusion........................................................................................................................51
References................................................................................................................................52
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 3 of 51
Acknowledgment
We like to express our gratitude to our respected A/Prof Savitri Bevinakoppa and our
supervisor, lecturer Dr. Ammar Alazab. Most significantly to our industry client Dr. Robert
Layton who provided the best guidance throughout our project on Network Intrusion
Detection System, Which aided to execute the project successfully without any hurdles, by
neutralizing and detecting the attacks on the system with different techniques.
We are thankful to our mentors.
Signatures of students:
Network Intrusion Detection System Using SNORT
Acknowledgment
We like to express our gratitude to our respected A/Prof Savitri Bevinakoppa and our
supervisor, lecturer Dr. Ammar Alazab. Most significantly to our industry client Dr. Robert
Layton who provided the best guidance throughout our project on Network Intrusion
Detection System, Which aided to execute the project successfully without any hurdles, by
neutralizing and detecting the attacks on the system with different techniques.
We are thankful to our mentors.
Signatures of students:
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 4 of 51
1 Abstract
The Internet and computer networks are increasingly exposed to security threats.
When there are new types of attacks that occur constantly, the development of flexible and
adaptive security-oriented approaches is a serious problem. In this context, a network based
on anomaly intrusion detection methods are a valuable technology for protecting target
systems and networks against malicious activities. Intrusion detection systems (IDS) are
based on the belief that the behaviour of an attacker will be markedly different from that of a
legitimate user and that many unauthorized actions can be detected [1]. Typically, IDS uses
statistical anomalies and abuse patterns based on rules to detect intrusions. A number of IDS
prototypes were developed in several institutions and some of them were also deployed on an
experimental basis. However, despite the variety of such methods security tools that include
the detection of anomalies functionality is just beginning to emerge, and a number of
important problems remain unsolved. In this process, the system tries to neutralize the attacks
that are being happened. IDS are being installed in the network rather than being installed in
individual hosts to provide security to the system. Using signature and anomaly-based
detection the attacks are being detected and stopped. Snort is the major IDS tool which
detects the attack successfully by installing and configuring it in a network. The system
provides a continuous response to the intrusions that happen [2].
The intention of the project is to implement a NIDS successfully in detecting the
malware and inform the system about the incoming malicious traffic using different tools.
Network Intrusion Detection System Using SNORT
1 Abstract
The Internet and computer networks are increasingly exposed to security threats.
When there are new types of attacks that occur constantly, the development of flexible and
adaptive security-oriented approaches is a serious problem. In this context, a network based
on anomaly intrusion detection methods are a valuable technology for protecting target
systems and networks against malicious activities. Intrusion detection systems (IDS) are
based on the belief that the behaviour of an attacker will be markedly different from that of a
legitimate user and that many unauthorized actions can be detected [1]. Typically, IDS uses
statistical anomalies and abuse patterns based on rules to detect intrusions. A number of IDS
prototypes were developed in several institutions and some of them were also deployed on an
experimental basis. However, despite the variety of such methods security tools that include
the detection of anomalies functionality is just beginning to emerge, and a number of
important problems remain unsolved. In this process, the system tries to neutralize the attacks
that are being happened. IDS are being installed in the network rather than being installed in
individual hosts to provide security to the system. Using signature and anomaly-based
detection the attacks are being detected and stopped. Snort is the major IDS tool which
detects the attack successfully by installing and configuring it in a network. The system
provides a continuous response to the intrusions that happen [2].
The intention of the project is to implement a NIDS successfully in detecting the
malware and inform the system about the incoming malicious traffic using different tools.
Network Intrusion Detection System Using SNORT
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
MN692 Capstone Project Report Page 5 of 51
2 Glossary and Abbreviations
NIDS: Network Intrusion Detection System
IDS: Intrusion Detection System
DDoS: Distributed Denial of Service
SVM: Support Vector Machine
STP: Spanning Tree Protocol
WEKA: Waikato environment for knowledge and analysis
QP: Quadratic programming
SMO: Sequential minimal optimization
NIDS: Network intrusion detection system
Network Intrusion Detection System Using SNORT
2 Glossary and Abbreviations
NIDS: Network Intrusion Detection System
IDS: Intrusion Detection System
DDoS: Distributed Denial of Service
SVM: Support Vector Machine
STP: Spanning Tree Protocol
WEKA: Waikato environment for knowledge and analysis
QP: Quadratic programming
SMO: Sequential minimal optimization
NIDS: Network intrusion detection system
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 6 of 51
1. Introduction
Intrusion Detection Systems are security tools that, like other measures such as
antivirus software, firewalls, and access control schemes, are intended to strengthen the
security of information and communication systems. Over the years, several IDS approaches
have been proposed in literature since the creation of this technology, two highly relevant
works in this direction reddening [3].
An intrusion detection system (IDS) can be considered an application which is
associated with monitoring a network or systems for detecting various kinds of malicious
activity or policy violations. Various malicious activities or violations are typically reported
either to the administrator or are generally collected centrally by making use of a security
information and event management (SIEM) system. The SIEM system is associated with
combining the outputs from multiple sources, which is followed by the usage of the alarm
filtering techniques in order to distinguish the various type of malicious activity from the
alarms that are false.
There exist several types of IDS, and this scopes from a single computer to a
widespread network. The most common Type of IDS includes the “network intrusion
detection systems” (NIDS) and “host-based intrusion detection systems” (HIDS). The system
which is associated with monitoring the important operating system files can be considered as
an example of a HIDS, whereas a system which is associated with the analysing the network
traffic which is incoming can be considered as an example of a NIDS. The IDS can be
classified according to the detection approach that is used amongst which the most well-
known variants include the signature-based detection or recognizing the bad patterns, such as
malware and anomaly-based detection or the detecting deviations from a model of "good"
traffic, which often relies on machine learning. Some IDS have the ability to respond to
Network Intrusion Detection System Using SNORT
1. Introduction
Intrusion Detection Systems are security tools that, like other measures such as
antivirus software, firewalls, and access control schemes, are intended to strengthen the
security of information and communication systems. Over the years, several IDS approaches
have been proposed in literature since the creation of this technology, two highly relevant
works in this direction reddening [3].
An intrusion detection system (IDS) can be considered an application which is
associated with monitoring a network or systems for detecting various kinds of malicious
activity or policy violations. Various malicious activities or violations are typically reported
either to the administrator or are generally collected centrally by making use of a security
information and event management (SIEM) system. The SIEM system is associated with
combining the outputs from multiple sources, which is followed by the usage of the alarm
filtering techniques in order to distinguish the various type of malicious activity from the
alarms that are false.
There exist several types of IDS, and this scopes from a single computer to a
widespread network. The most common Type of IDS includes the “network intrusion
detection systems” (NIDS) and “host-based intrusion detection systems” (HIDS). The system
which is associated with monitoring the important operating system files can be considered as
an example of a HIDS, whereas a system which is associated with the analysing the network
traffic which is incoming can be considered as an example of a NIDS. The IDS can be
classified according to the detection approach that is used amongst which the most well-
known variants include the signature-based detection or recognizing the bad patterns, such as
malware and anomaly-based detection or the detecting deviations from a model of "good"
traffic, which often relies on machine learning. Some IDS have the ability to respond to
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 7 of 51
detected intrusions. Systems with response capabilities are typically referred to as an
intrusion prevention system.
Network intrusion detection systems (NIDS) has been placed at a strategic point or
points inside a network for the purpose of monitoring the traffic that is generally towards or
from all devices connected with the network. This is generally associated with performing an
analysis of the traffic that is passing on the entire subnet, which is followed by matching of
the traffic which is generally passed on the subnets to the library of known attacks. After the
identification of the attack or abnormal behaviour is done, then an alert is sent to the
administrator. (An example of a NIDS would be installing it on the subnet where firewalls are
located in order to see if someone is trying to break into the firewall. Ideally one would scan
all inbound and outbound traffic, however doing so might create a bottleneck that would
impair the overall speed of the network.).Some of the common tools used for simulating
network intrusion detection systems mainly includes the OPNET and Net Sim. This type of
Systems is also capable of comparing signatures for similar packets in order to link and drop
the harmful detected packets that are consisting of a signature matching with the records in
the NIDS. When the classification of the design of NIDS is done according to the system
interactivity property, then it can be concluded that there are two types and this mainly
includes the 5fon-line and off-line NIDS, which are often referred to as inline and tap mode,
respectively. On-line NIDS is associated with dealing with the network on a real-time basis.
This is also associated with analysing the Ethernet packets along with the application of some
rules in order to decide if it is an attack or not. Off-line NIDS are associated with dealing
with the stored data, which is initially associated with the passing of it through some
processes in order to decide if it is an attack or not.
Network Intrusion Detection System Using SNORT
detected intrusions. Systems with response capabilities are typically referred to as an
intrusion prevention system.
Network intrusion detection systems (NIDS) has been placed at a strategic point or
points inside a network for the purpose of monitoring the traffic that is generally towards or
from all devices connected with the network. This is generally associated with performing an
analysis of the traffic that is passing on the entire subnet, which is followed by matching of
the traffic which is generally passed on the subnets to the library of known attacks. After the
identification of the attack or abnormal behaviour is done, then an alert is sent to the
administrator. (An example of a NIDS would be installing it on the subnet where firewalls are
located in order to see if someone is trying to break into the firewall. Ideally one would scan
all inbound and outbound traffic, however doing so might create a bottleneck that would
impair the overall speed of the network.).Some of the common tools used for simulating
network intrusion detection systems mainly includes the OPNET and Net Sim. This type of
Systems is also capable of comparing signatures for similar packets in order to link and drop
the harmful detected packets that are consisting of a signature matching with the records in
the NIDS. When the classification of the design of NIDS is done according to the system
interactivity property, then it can be concluded that there are two types and this mainly
includes the 5fon-line and off-line NIDS, which are often referred to as inline and tap mode,
respectively. On-line NIDS is associated with dealing with the network on a real-time basis.
This is also associated with analysing the Ethernet packets along with the application of some
rules in order to decide if it is an attack or not. Off-line NIDS are associated with dealing
with the stored data, which is initially associated with the passing of it through some
processes in order to decide if it is an attack or not.
Network Intrusion Detection System Using SNORT
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
MN692 Capstone Project Report Page 8 of 51
2. Project Detailed Design
NIDS monitors the traffic that is headed towards the main system using applications.
It can be used either software or hardware based. It creates alert to the admin when the
attacker tries to enter the system. NIDS detects different kinds of attacks that try to enter into
the main system. There are several applications used in order to detect network intrusions,
snort is one of the major tools which is used to detect the intrusions and alert it regularly. As
these tools are open source and easy to install on any network which is cost-efficient. Snort is
mainly based on the rules which are stored in a file name called local. Rules which can be
customized according to the user requirements. It reads the customized rules and applies it to
the captured data.
There exists various kind of techniques in the literature for detecting the behaviours
related to intrusion. In recent times, intrusion detection has been associated with receiving a
lot of interest amongst the researchers and this has mainly happened due to the wide
application of this for preserving the security within a network. Here, we present some of the
techniques used for intrusion detection.
S. F. Owens and R. R. Levaryhas been associated with stating the fact that the
intruder detection systems have been commonly created by making use of the expert system
technology. However, the Intrusion Detection System (IDS) researchers have been associated
with biasing which is generally related to the construction of the systems which are generally
difficult to handle, along with lacking in insightful user interfaces, besides this, they are also
very inconvenient for usage with real-life circumstances. The adaptive expert system
proposed by them has been associated with the utilizing of fuzzy sets in order to detect the
attacks. Besides this, the implementation of the expert system can be considered as
comparatively easy while using it with computer system networks which have the capability
of getting adjusted to nature or to the degree of the threat. Experiments with Clips have been
Network Intrusion Detection System Using SNORT
2. Project Detailed Design
NIDS monitors the traffic that is headed towards the main system using applications.
It can be used either software or hardware based. It creates alert to the admin when the
attacker tries to enter the system. NIDS detects different kinds of attacks that try to enter into
the main system. There are several applications used in order to detect network intrusions,
snort is one of the major tools which is used to detect the intrusions and alert it regularly. As
these tools are open source and easy to install on any network which is cost-efficient. Snort is
mainly based on the rules which are stored in a file name called local. Rules which can be
customized according to the user requirements. It reads the customized rules and applies it to
the captured data.
There exists various kind of techniques in the literature for detecting the behaviours
related to intrusion. In recent times, intrusion detection has been associated with receiving a
lot of interest amongst the researchers and this has mainly happened due to the wide
application of this for preserving the security within a network. Here, we present some of the
techniques used for intrusion detection.
S. F. Owens and R. R. Levaryhas been associated with stating the fact that the
intruder detection systems have been commonly created by making use of the expert system
technology. However, the Intrusion Detection System (IDS) researchers have been associated
with biasing which is generally related to the construction of the systems which are generally
difficult to handle, along with lacking in insightful user interfaces, besides this, they are also
very inconvenient for usage with real-life circumstances. The adaptive expert system
proposed by them has been associated with the utilizing of fuzzy sets in order to detect the
attacks. Besides this, the implementation of the expert system can be considered as
comparatively easy while using it with computer system networks which have the capability
of getting adjusted to nature or to the degree of the threat. Experiments with Clips have been
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 9 of 51
used have been used for the purpose of proving the adjustment capability of the system. A
researcher Alok Sharma did the usage of text processing on system call sequences technique
for only intrusion detection. To have a host-based intrusion detection kernel based
comparison measurement is used. K-nearest neighbour is used for processing to check if it’s
normal or abnormal classification [11] in 1998-DARPA has assessed the proposed method
and compared with present methods for operation.
B. Shanmugam and NorbikBashah Idris have been related to proposing a progressive
fuzzy and data mining approaches which were built upon the hybrid model in which both the
misuse and along with anomaly malware attack. The goals of this researchers mainly
included the decreasing of the quantity of data that is generally kept for the purpose of
processing and also for the purpose of improving the detection rate of the existing IDS by
making use of the attribute assortment process and data mining method. An improved Kuok
fuzzy data mining algorithm or a modified version of APRIORI algorithm is generally used
for the purpose of utilizing and also for the purpose of implementing fuzzy rules which have
been associated with enabling the generation of if-then rules that are associated with showing
the best possible way to process the attack.
To test and benchmark the efficiency of any model use DARPS 1999 dataset which
include the live results of the working networking environment.)
O. A. Adebayo has presented a method that uses Fuzzy-Bayesian to detect real-time
network anomaly attack for discovering malicious activity against a computer network. They
have established the effectiveness of the method by describing the framework. The overall
performance of the intrusion detection system (IDS) based on Bayes has been improved by a
combination of fuzzy with the Bayesian classifier. In addition, by the experiment carried out
on KDD 1999 IDS data set, the practicability of the method has been verified. Abadeh, M.S.,
and Habibi, J. has proposed a method to develop fuzzy classification rules for intrusion
Network Intrusion Detection System Using SNORT
used have been used for the purpose of proving the adjustment capability of the system. A
researcher Alok Sharma did the usage of text processing on system call sequences technique
for only intrusion detection. To have a host-based intrusion detection kernel based
comparison measurement is used. K-nearest neighbour is used for processing to check if it’s
normal or abnormal classification [11] in 1998-DARPA has assessed the proposed method
and compared with present methods for operation.
B. Shanmugam and NorbikBashah Idris have been related to proposing a progressive
fuzzy and data mining approaches which were built upon the hybrid model in which both the
misuse and along with anomaly malware attack. The goals of this researchers mainly
included the decreasing of the quantity of data that is generally kept for the purpose of
processing and also for the purpose of improving the detection rate of the existing IDS by
making use of the attribute assortment process and data mining method. An improved Kuok
fuzzy data mining algorithm or a modified version of APRIORI algorithm is generally used
for the purpose of utilizing and also for the purpose of implementing fuzzy rules which have
been associated with enabling the generation of if-then rules that are associated with showing
the best possible way to process the attack.
To test and benchmark the efficiency of any model use DARPS 1999 dataset which
include the live results of the working networking environment.)
O. A. Adebayo has presented a method that uses Fuzzy-Bayesian to detect real-time
network anomaly attack for discovering malicious activity against a computer network. They
have established the effectiveness of the method by describing the framework. The overall
performance of the intrusion detection system (IDS) based on Bayes has been improved by a
combination of fuzzy with the Bayesian classifier. In addition, by the experiment carried out
on KDD 1999 IDS data set, the practicability of the method has been verified. Abadeh, M.S.,
and Habibi, J. has proposed a method to develop fuzzy classification rules for intrusion
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 10 of 51
detection use in computer networks. The method of fuzzy rule base system design has been
based on the iterative rule learning approach (IRL). Using the evolutionary algorithm to
optimize one fuzzy classifier rule at a time, the fuzzy rule base has been created in an
incremental fashion. Intrusion detection problem has been used as a high-dimensional
classification problem to analyse the functioning of the final fuzzy classification system.
Results have demonstrated that the fuzzy rules generated by the proposed algorithm can be
utilized to build a reliable intrusion detection system [13].
Network Intrusion Detection Systems (NIDS) generally consists of a network
appliance (or sensor) along with a Network Interface Card (NIC) which is generally
responsible for operating in the promiscuous mode along with working in a separate
management interface. Placing of the IDS is done in association with the network segment or
boundary along with the monitoring of all traffic present in that segment. Network intrusion
detection system (NIDS) can be considered as an independent platform which is associated
with identifying the various intrusions by examining the traffic in the network along with
monitoring of multiple hosts. Network intrusion detection systems are associated with
gaining access to the network traffic by creating a connection with the network hub.
Additionally, the network switches are also configured for mirroring the ports, or for the
network tap. Along with this in a NIDS, the sensors are generally present at the choke points
of the network which are to be monitored, often in the demilitarized zone (DMZ) or at
network borders. The Sensors are associated with capturing all the network traffic along with
analysing the content of individual packets for the traffics which are malicious in nature.
Network Intrusion Detection System Using SNORT
detection use in computer networks. The method of fuzzy rule base system design has been
based on the iterative rule learning approach (IRL). Using the evolutionary algorithm to
optimize one fuzzy classifier rule at a time, the fuzzy rule base has been created in an
incremental fashion. Intrusion detection problem has been used as a high-dimensional
classification problem to analyse the functioning of the final fuzzy classification system.
Results have demonstrated that the fuzzy rules generated by the proposed algorithm can be
utilized to build a reliable intrusion detection system [13].
Network Intrusion Detection Systems (NIDS) generally consists of a network
appliance (or sensor) along with a Network Interface Card (NIC) which is generally
responsible for operating in the promiscuous mode along with working in a separate
management interface. Placing of the IDS is done in association with the network segment or
boundary along with the monitoring of all traffic present in that segment. Network intrusion
detection system (NIDS) can be considered as an independent platform which is associated
with identifying the various intrusions by examining the traffic in the network along with
monitoring of multiple hosts. Network intrusion detection systems are associated with
gaining access to the network traffic by creating a connection with the network hub.
Additionally, the network switches are also configured for mirroring the ports, or for the
network tap. Along with this in a NIDS, the sensors are generally present at the choke points
of the network which are to be monitored, often in the demilitarized zone (DMZ) or at
network borders. The Sensors are associated with capturing all the network traffic along with
analysing the content of individual packets for the traffics which are malicious in nature.
Network Intrusion Detection System Using SNORT
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
MN692 Capstone Project Report Page 11 of 51
Figure 1: Elementary diagram
Above figure illustrates elementary diagram of the project, it explains the project
methodology of how a NIDS is placed to capture the traffic and detect the intrusions and
avoid the malicious traffic. NIDS is placed between firewall and host.
2.1 Literature Review
The key approaches to detect an attack is by using signature and anomaly-based
detection. The anomaly is based on the behaviour of the traffic and whereas signature based
is on the previous attacks. Anomaly evaluates asymmetric patterns of the activity. Misuse
which is signature based detects the known attacks through the signatures that are stored in
the database. Anomaly detection technique builds profiles according to the behaviour of
network traffic, users, and hosts.
Snort is all about network security. The user has developed snort IDS for network
analysis attack and also relate to the current work and then analysed with wire shark. Attacks
are classified on the basis of profile and then the comparison is made with the scoring
accuracy which is improved than current attacks. It produces alarm only one time instead of
making again and again. There are rule categories of SNORT and it gives the greatest
performance in updating all rules [18]. It also gives an evaluation of all rules and also
confirms that his verified snort IDS can identify the high percentage of network attacks. Also
Network Intrusion Detection System Using SNORT
Figure 1: Elementary diagram
Above figure illustrates elementary diagram of the project, it explains the project
methodology of how a NIDS is placed to capture the traffic and detect the intrusions and
avoid the malicious traffic. NIDS is placed between firewall and host.
2.1 Literature Review
The key approaches to detect an attack is by using signature and anomaly-based
detection. The anomaly is based on the behaviour of the traffic and whereas signature based
is on the previous attacks. Anomaly evaluates asymmetric patterns of the activity. Misuse
which is signature based detects the known attacks through the signatures that are stored in
the database. Anomaly detection technique builds profiles according to the behaviour of
network traffic, users, and hosts.
Snort is all about network security. The user has developed snort IDS for network
analysis attack and also relate to the current work and then analysed with wire shark. Attacks
are classified on the basis of profile and then the comparison is made with the scoring
accuracy which is improved than current attacks. It produces alarm only one time instead of
making again and again. There are rule categories of SNORT and it gives the greatest
performance in updating all rules [18]. It also gives an evaluation of all rules and also
confirms that his verified snort IDS can identify the high percentage of network attacks. Also
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 12 of 51
clear that users must update their snort rules frequently. As a future work, we can say that if
we identify other types of network attacks like teardrop attack, DoS, DDoS and data
alteration with existing method than there could be further room for the research
2.2 Objectives of the Project
The project's goal is to find a way to escape the most vicious intruders. This can be
done by implementing NIDS, which needs to be updated according to the present situation.
These can be done by analysing the packets that are captured by using techniques such as
identification, vulnerability and risk calculation. Our project, therefore, aims to preserve the
concept and its function of the system for detecting and preventing network intrusion and
network security by analysing incoming and outgoing traffic. Predefining set of rules in our
operating firewall this helps the firewall to build in identifying different types of attacks. The
main objective is to identify the threat and protect the sensitive data from the intruder. NIDS
is programmed to differentiate between valuable data with help of identification strings.
Capture, analyse and deliver report using signature and anomaly-based detection
system.
To implement NIDS that can detect any irregular network traffic in the network by
analysing the header file, port no and address.
Storing all the details of the attacks that are being happened before for the usage of
signature-based detection technique.
Create a system which helps to detect security threats in a network.
Launch a new system in a network to decrease the attacks.
A network-based IDS scanner secures the whole network by detecting the missing
packets, open ports and security breach.
Network Intrusion Detection System Using SNORT
clear that users must update their snort rules frequently. As a future work, we can say that if
we identify other types of network attacks like teardrop attack, DoS, DDoS and data
alteration with existing method than there could be further room for the research
2.2 Objectives of the Project
The project's goal is to find a way to escape the most vicious intruders. This can be
done by implementing NIDS, which needs to be updated according to the present situation.
These can be done by analysing the packets that are captured by using techniques such as
identification, vulnerability and risk calculation. Our project, therefore, aims to preserve the
concept and its function of the system for detecting and preventing network intrusion and
network security by analysing incoming and outgoing traffic. Predefining set of rules in our
operating firewall this helps the firewall to build in identifying different types of attacks. The
main objective is to identify the threat and protect the sensitive data from the intruder. NIDS
is programmed to differentiate between valuable data with help of identification strings.
Capture, analyse and deliver report using signature and anomaly-based detection
system.
To implement NIDS that can detect any irregular network traffic in the network by
analysing the header file, port no and address.
Storing all the details of the attacks that are being happened before for the usage of
signature-based detection technique.
Create a system which helps to detect security threats in a network.
Launch a new system in a network to decrease the attacks.
A network-based IDS scanner secures the whole network by detecting the missing
packets, open ports and security breach.
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 13 of 51
2.3 Detailed Design
2.3.1 Design and implementation
Network Intrusion Detection System (NIDS) is advanced protection which examines
network activity to detect attacks or intrusions. NIDS systems can be hardware and software-
based devices used to examine an attack. NIDS products are being used to observe
connection to detect whether attacks have been launched [20]. NIDS systems just monitor
and generate the alert of an attack, whereas others try to block the attack.
The network intrusion detection systems can detect several types of the attacks that
use the network. NIDS are excellent for detecting access without authority or some kinds of
access in excess of authority. A NIDS does not require much modification for production
hosts or servers. It benefits because these servers regularly have the closed operating system
for CPU and installing additional software updates may exceed the capacities of the system.
Most NIDSs are quite easy to deploy on a network and can observe traffic from multiple
machines at once [21].
We are using Snort for the network intrusion detection system. Snort is primarily a
rule-based IDS. It can perform real-time traffic monitoring, analysis and packet tracing on
Internet Protocol (IP) networks. Snort reads the predefined or customize rules at the start-up
time which can be predefined or customized and builds internal data structures or chains to
apply these rules to captured data. Snort is available with multiple sets of pre-defined rules to
detect intrusion activity and you can also free to add your own rules as per the requirement.
Below is the block diagram for the snort architecture.
2.3.2 Table of weekly Activities for MN692
Week Activity
Week -1 Will be authenticating all the details and activity to be performed at this stage
Network Intrusion Detection System Using SNORT
2.3 Detailed Design
2.3.1 Design and implementation
Network Intrusion Detection System (NIDS) is advanced protection which examines
network activity to detect attacks or intrusions. NIDS systems can be hardware and software-
based devices used to examine an attack. NIDS products are being used to observe
connection to detect whether attacks have been launched [20]. NIDS systems just monitor
and generate the alert of an attack, whereas others try to block the attack.
The network intrusion detection systems can detect several types of the attacks that
use the network. NIDS are excellent for detecting access without authority or some kinds of
access in excess of authority. A NIDS does not require much modification for production
hosts or servers. It benefits because these servers regularly have the closed operating system
for CPU and installing additional software updates may exceed the capacities of the system.
Most NIDSs are quite easy to deploy on a network and can observe traffic from multiple
machines at once [21].
We are using Snort for the network intrusion detection system. Snort is primarily a
rule-based IDS. It can perform real-time traffic monitoring, analysis and packet tracing on
Internet Protocol (IP) networks. Snort reads the predefined or customize rules at the start-up
time which can be predefined or customized and builds internal data structures or chains to
apply these rules to captured data. Snort is available with multiple sets of pre-defined rules to
detect intrusion activity and you can also free to add your own rules as per the requirement.
Below is the block diagram for the snort architecture.
2.3.2 Table of weekly Activities for MN692
Week Activity
Week -1 Will be authenticating all the details and activity to be performed at this stage
Network Intrusion Detection System Using SNORT
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
MN692 Capstone Project Report Page 14 of 51
of the project from the research done in the previous stage to complete the
project effectively. Doing research on some data collection method with the
help of some basic tools on network traffic, IP source and destination and
packet capture from the network for network intrusion detection system.
Week-2 To reduce the obscurity and uncontaminated network data for the research
method to be used to get the final outcome, the pre-processing research method
will be used to relate to the data.
Week-3 The concept research method is in use are data mining technique, which will
be used to explore and understand the application of the decision-tree
algorithm.
Week-4 Considerate and illustrative doubts on One-class support vector machine (1-
class SVM).
Week-5 The software required for packet sniffing is snort, which is required to be
installed and configure the rules of snort.
Week-6 Authentication the rules of snort appropriately and cross-checking the software
required for snort and works perfectly to initiate the project.
Week-7 To build the research method which is the hybrid detection method?
Week-8 To improve the intrusion detection method and also to assess and random test
the system.
Week-9 To do a complete verification of the project in accordance with our project
requirement and accomplishing all the task assigned to compete and to
organize for a demonstration of the project.
Week-10 Report Writing for the final document.
Week-11 Ongoing report writing and oral presentation document.
Week-12 Finishing the final report and assembly the limitation of the project if any or
Network Intrusion Detection System Using SNORT
of the project from the research done in the previous stage to complete the
project effectively. Doing research on some data collection method with the
help of some basic tools on network traffic, IP source and destination and
packet capture from the network for network intrusion detection system.
Week-2 To reduce the obscurity and uncontaminated network data for the research
method to be used to get the final outcome, the pre-processing research method
will be used to relate to the data.
Week-3 The concept research method is in use are data mining technique, which will
be used to explore and understand the application of the decision-tree
algorithm.
Week-4 Considerate and illustrative doubts on One-class support vector machine (1-
class SVM).
Week-5 The software required for packet sniffing is snort, which is required to be
installed and configure the rules of snort.
Week-6 Authentication the rules of snort appropriately and cross-checking the software
required for snort and works perfectly to initiate the project.
Week-7 To build the research method which is the hybrid detection method?
Week-8 To improve the intrusion detection method and also to assess and random test
the system.
Week-9 To do a complete verification of the project in accordance with our project
requirement and accomplishing all the task assigned to compete and to
organize for a demonstration of the project.
Week-10 Report Writing for the final document.
Week-11 Ongoing report writing and oral presentation document.
Week-12 Finishing the final report and assembly the limitation of the project if any or
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 15 of 51
submit the final report and prepare for a demonstration
2.3.3 Roles& Responsibilities of each team member
Week Vinod Allam Solomonwaskar Rakeshnunna Abdul Rasheed
Week -1 To comprehend
and validating the
details of the
project and
implementing.
Exploration of
Network data
abstraction.
Extraction of the
rules required for
snort.
To get acquaintance
with ‘Honey D’ and
other network
configuration for the
computer.
Week-2 Complete
understanding of
pre-processing
methods.
Scrutiny on the pre-
processing systems
such as
Normalization,
Discretization, and
Feature range.
Congregation and
substantiating
Configure the
snort as per the
rules required for
the project.
Reading from IEEE
journals on SVM
(support vector
machine) model to
create a
decomposed subnet.
Week-3 To get
acquaintance with
decision tree
algorithm
To better understand
the gain based
decision tree
algorithm and
research on the gain
calculation for the
implementation.
To build a normal
algorithm for the
requirement of the
project.
To contribute the
known from the
SVM and explain
the team member to
construct hybrid
detection system
Week-4 To understand all
the
documentation
and research are
To see all the
documentation and
research done and
illustrative the quires
Joining all the
exploration is
done till now and
illustrative the
Consolidating all
the examination did
till now and
illustrative the
Network Intrusion Detection System Using SNORT
submit the final report and prepare for a demonstration
2.3.3 Roles& Responsibilities of each team member
Week Vinod Allam Solomonwaskar Rakeshnunna Abdul Rasheed
Week -1 To comprehend
and validating the
details of the
project and
implementing.
Exploration of
Network data
abstraction.
Extraction of the
rules required for
snort.
To get acquaintance
with ‘Honey D’ and
other network
configuration for the
computer.
Week-2 Complete
understanding of
pre-processing
methods.
Scrutiny on the pre-
processing systems
such as
Normalization,
Discretization, and
Feature range.
Congregation and
substantiating
Configure the
snort as per the
rules required for
the project.
Reading from IEEE
journals on SVM
(support vector
machine) model to
create a
decomposed subnet.
Week-3 To get
acquaintance with
decision tree
algorithm
To better understand
the gain based
decision tree
algorithm and
research on the gain
calculation for the
implementation.
To build a normal
algorithm for the
requirement of the
project.
To contribute the
known from the
SVM and explain
the team member to
construct hybrid
detection system
Week-4 To understand all
the
documentation
and research are
To see all the
documentation and
research done and
illustrative the quires
Joining all the
exploration is
done till now and
illustrative the
Consolidating all
the examination did
till now and
illustrative the
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 16 of 51
done and
illustrative the
quires with
supervisor and
team member to
start the project.
with supervisor and
team member as
begin the project
implementation.
questions with all
team member and
supervisor to
begin building of
the project.
questions with all
the team member
and supervisor to
begin building and
introducing the
project.
Week Vinod Allam Solomon Walker Rakesh nunna Abdul Rasheed
Week-5 Install virtual box
and wire-shark.
Installation of snort
subscription software
and win-cap.
To understand and
configure the rules
for snort.
To test if the
configured snort is
running correctly as
per requirement.
Week-6 Enduring the
configuration
steps of software.
Continuing the
configuration steps of
Snort.
To check for more
better
configuration of
snort
To check if the snort
is capturing data as
per requirement.
Week-7 Structure of the
decision-tree
algorithm.
Script test situation to
the logic of decision-
tree algorithm.
Scripting test
circumstances to
one-class SVM.
Construction of the
one-class SVM
detection algorithm.
Week-8 Continuation
building the
decision-tree
algorithm.
Extension testing the
logic of decision-tree
algorithm.
Additional testing
of the logic of
one-class SVM.
Building the one-
class SVM detection
algorithm.
Week-9 Assess and start
acceptance test.
Evaluate and start
acceptance test.
Appraise and start
acceptance test.
Gage and start
acceptance test.
Network Intrusion Detection System Using SNORT
done and
illustrative the
quires with
supervisor and
team member to
start the project.
with supervisor and
team member as
begin the project
implementation.
questions with all
team member and
supervisor to
begin building of
the project.
questions with all
the team member
and supervisor to
begin building and
introducing the
project.
Week Vinod Allam Solomon Walker Rakesh nunna Abdul Rasheed
Week-5 Install virtual box
and wire-shark.
Installation of snort
subscription software
and win-cap.
To understand and
configure the rules
for snort.
To test if the
configured snort is
running correctly as
per requirement.
Week-6 Enduring the
configuration
steps of software.
Continuing the
configuration steps of
Snort.
To check for more
better
configuration of
snort
To check if the snort
is capturing data as
per requirement.
Week-7 Structure of the
decision-tree
algorithm.
Script test situation to
the logic of decision-
tree algorithm.
Scripting test
circumstances to
one-class SVM.
Construction of the
one-class SVM
detection algorithm.
Week-8 Continuation
building the
decision-tree
algorithm.
Extension testing the
logic of decision-tree
algorithm.
Additional testing
of the logic of
one-class SVM.
Building the one-
class SVM detection
algorithm.
Week-9 Assess and start
acceptance test.
Evaluate and start
acceptance test.
Appraise and start
acceptance test.
Gage and start
acceptance test.
Network Intrusion Detection System Using SNORT
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
MN692 Capstone Project Report Page 17 of 51
Week-
10
For the final
report divide the
task equally and
to complete
report.
Writing on the fix
and evaluation part of
the report and also fix
issues in the project.
To complete the
writing on weekly
report and
problem fixing of
the project.
Scrutiny of the
project and its
limitation if any.
Week-
11
Structuring the
final report and
dividing the oral
presentation to
each team
member.
Preparing for
presentation on
evaluation step by
step procedure.
Oral presentation
on decision tree
and one class svm.
Will be writing
troubleshooting
steps.
Week-
12
To collect all the
data and ready for
the demonstration
on the project
Fixing any
troubleshooting in the
project and
demonstration.
Finding any
project limitation
and fixing it.
Compiling all the
document and oral
presentation and
giving it for final
proofreading.
2.3.4 Gantt Chart
Network Intrusion Detection System Using SNORT
Week-
10
For the final
report divide the
task equally and
to complete
report.
Writing on the fix
and evaluation part of
the report and also fix
issues in the project.
To complete the
writing on weekly
report and
problem fixing of
the project.
Scrutiny of the
project and its
limitation if any.
Week-
11
Structuring the
final report and
dividing the oral
presentation to
each team
member.
Preparing for
presentation on
evaluation step by
step procedure.
Oral presentation
on decision tree
and one class svm.
Will be writing
troubleshooting
steps.
Week-
12
To collect all the
data and ready for
the demonstration
on the project
Fixing any
troubleshooting in the
project and
demonstration.
Finding any
project limitation
and fixing it.
Compiling all the
document and oral
presentation and
giving it for final
proofreading.
2.3.4 Gantt Chart
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 18 of 51
Network Intrusion Detection System Using SNORT
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 19 of 51
Network Intrusion Detection System Using SNORT
Network Intrusion Detection System Using SNORT
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
MN692 Capstone Project Report Page 20 of 51
Network Intrusion Detection System Using SNORT
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 21 of 51
Figure 2: Gantt Chart
(Source: Created by author)
2.3.5 Project methodology
The network intrusion detection system (IDE) is a system that supports in identifying
numerous attacks within the network system. IDS can be located on any network that helps in
gathering data and information for providing good security to the networks. Rules are
mandatory to perform recognition of attacks in a network system. The Next Generation
Intrusion Detection Expert System (NIDES) has helped in keeping the security of the
network system by using the analytical and statistical model. The use of IDS has assisted in
maintaining the security of the data and information on the network server of the company
[22].
Network Intrusion Detection System Using SNORT
Figure 2: Gantt Chart
(Source: Created by author)
2.3.5 Project methodology
The network intrusion detection system (IDE) is a system that supports in identifying
numerous attacks within the network system. IDS can be located on any network that helps in
gathering data and information for providing good security to the networks. Rules are
mandatory to perform recognition of attacks in a network system. The Next Generation
Intrusion Detection Expert System (NIDES) has helped in keeping the security of the
network system by using the analytical and statistical model. The use of IDS has assisted in
maintaining the security of the data and information on the network server of the company
[22].
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 22 of 51
Figure 3: Flow Chart for research method NIDS
Packets are being captured and evaluated through snort, snort performs
defragmentation of IP packets and logs all the packets that are captured. It does packets
sniffing, logger and full functional NIDS. Snort detects and reports the attacks regularly using
signature and anomaly-based detection techniques. If any malicious data is detected; it
detects the malicious packets and stores it in log file [23]. On the bases of the fresh attack, its
profile is updated by a new rule and using these approach new attacks can be discovered.
Network Intrusion Detection System Using SNORT
Figure 3: Flow Chart for research method NIDS
Packets are being captured and evaluated through snort, snort performs
defragmentation of IP packets and logs all the packets that are captured. It does packets
sniffing, logger and full functional NIDS. Snort detects and reports the attacks regularly using
signature and anomaly-based detection techniques. If any malicious data is detected; it
detects the malicious packets and stores it in log file [23]. On the bases of the fresh attack, its
profile is updated by a new rule and using these approach new attacks can be discovered.
Network Intrusion Detection System Using SNORT
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
MN692 Capstone Project Report Page 23 of 51
Figure 4: Block diagram of NIDS
In this Method, the set of data is separated into a testing and training. The method
includes the detection technique with the help of known and unknown attacks. Hybrid based
NIDS includes both anomaly and signature-based to detect the attacks. All the attacks that are
being detected by anomaly are saved as signature-based in the database so that it can be
detected in the future. When the packets enter the system it is being analysed with signature-
based technique and then forwarded to the anomaly, anomaly analyses the behaviour of the
traffic and detects the attacks.
3 Project Implementation and Evaluation
3.1 Implementation
Windows should be used to implement Snort. The process is made painless and easy
by Windows – easier than to install Snort as well as to configure Linux server. Snort sensors
must be seen as apparatuses (such as UPS or a router) and hence, do not require to coordinate
with the server infrastructure. Actually, one presumably has other system apparatuses running
Network Intrusion Detection System Using SNORT
Figure 4: Block diagram of NIDS
In this Method, the set of data is separated into a testing and training. The method
includes the detection technique with the help of known and unknown attacks. Hybrid based
NIDS includes both anomaly and signature-based to detect the attacks. All the attacks that are
being detected by anomaly are saved as signature-based in the database so that it can be
detected in the future. When the packets enter the system it is being analysed with signature-
based technique and then forwarded to the anomaly, anomaly analyses the behaviour of the
traffic and detects the attacks.
3 Project Implementation and Evaluation
3.1 Implementation
Windows should be used to implement Snort. The process is made painless and easy
by Windows – easier than to install Snort as well as to configure Linux server. Snort sensors
must be seen as apparatuses (such as UPS or a router) and hence, do not require to coordinate
with the server infrastructure. Actually, one presumably has other system apparatuses running
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 24 of 51
on some versions of Linux. One final thought is if ones' intrusion detecting framework is on a
similar platform like the rest of the frameworks, it might progress toward becoming
compromised alongside different systems in case of an effective intrusion.
For minor fittings, a single PC can house the organization applications (ACID and
Snort Center and) screen the network. In bigger organizations, one will presumably need to
isolate these capacities. One PC can play out the administration roles while different PCs acts
like sensors. Windows is intended to give a safe, lightweight condition and, in this way, runs
just a negligible arrangement of ordinary Windows services [24].
Network intrusion detection system, virtual box is installed in the computer in order to
simulate the process. Windows is used as the main platform in order to perform. Windows 10
OS is installed in virtual Box, after installing windows snort is being installed and configured
according to requirements in order to monitor incoming traffic. Honey D is being deployed in
the system in order to capture the attacker's details. All these applications are being installed
to neutralize the attacks using algorithms.
Snort is being deployed to monitor the malicious traffic using signature and anomaly-
based detections, it displays required information regarding the incoming and outgoing traffic
that is being captured by the wire shark and analyses the traffic by using algorithms. All these
applications are being deployed inside the OS and incoming traffic is being monitored
regularly. Nmap is being used to scan all the open ports and start the attack.
3.1.1 Software Requirements
Applications that are being installed
Software Version
Snort 2.9
Nmap 7
Virtual Box 5.2
Windows 10
Network Intrusion Detection System Using SNORT
on some versions of Linux. One final thought is if ones' intrusion detecting framework is on a
similar platform like the rest of the frameworks, it might progress toward becoming
compromised alongside different systems in case of an effective intrusion.
For minor fittings, a single PC can house the organization applications (ACID and
Snort Center and) screen the network. In bigger organizations, one will presumably need to
isolate these capacities. One PC can play out the administration roles while different PCs acts
like sensors. Windows is intended to give a safe, lightweight condition and, in this way, runs
just a negligible arrangement of ordinary Windows services [24].
Network intrusion detection system, virtual box is installed in the computer in order to
simulate the process. Windows is used as the main platform in order to perform. Windows 10
OS is installed in virtual Box, after installing windows snort is being installed and configured
according to requirements in order to monitor incoming traffic. Honey D is being deployed in
the system in order to capture the attacker's details. All these applications are being installed
to neutralize the attacks using algorithms.
Snort is being deployed to monitor the malicious traffic using signature and anomaly-
based detections, it displays required information regarding the incoming and outgoing traffic
that is being captured by the wire shark and analyses the traffic by using algorithms. All these
applications are being deployed inside the OS and incoming traffic is being monitored
regularly. Nmap is being used to scan all the open ports and start the attack.
3.1.1 Software Requirements
Applications that are being installed
Software Version
Snort 2.9
Nmap 7
Virtual Box 5.2
Windows 10
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 25 of 51
Weka 3.8
3.1.2 Hardware Requirements
2 personal computers
Specifications
8 GB ram
I5 processor
2 GB graphic card
500 GB hard disk
3.1.3 Research graphs of malware attacks
Figure 5: Research Gaps
As per above fig, This pie diagram illustrates around 31 percent of malware detection
in comparison to 21 percent of trojan activity in the network there are a percentage of
successful attack 6 percent and 3 percent unsuccessful attacks on the network using NIDS
Network Intrusion Detection System Using SNORT
Weka 3.8
3.1.2 Hardware Requirements
2 personal computers
Specifications
8 GB ram
I5 processor
2 GB graphic card
500 GB hard disk
3.1.3 Research graphs of malware attacks
Figure 5: Research Gaps
As per above fig, This pie diagram illustrates around 31 percent of malware detection
in comparison to 21 percent of trojan activity in the network there are a percentage of
successful attack 6 percent and 3 percent unsuccessful attacks on the network using NIDS
Network Intrusion Detection System Using SNORT
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
MN692 Capstone Project Report Page 26 of 51
Figure 6: Top network attacks
In this above bar diagram the type of attacks that have been happened until now
through various interfaces or applications. Browser attacks are one of an easy way to attack a
system and the least type of attacks is back door, scam, and DNS attacks.
3.1.4 Installing Snort
Figure 7: Snort Installation
Network Intrusion Detection System Using SNORT
Figure 6: Top network attacks
In this above bar diagram the type of attacks that have been happened until now
through various interfaces or applications. Browser attacks are one of an easy way to attack a
system and the least type of attacks is back door, scam, and DNS attacks.
3.1.4 Installing Snort
Figure 7: Snort Installation
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 27 of 51
Figure 8: Snort installation
Figure 9:
Snort
installation
Network Intrusion Detection System Using SNORT
Figure 8: Snort installation
Figure 9:
Snort
installation
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 28 of 51
Starting snort using the command
C:\snort\bin>Snort -W
Figure 10: Starting snort
3.2 Testing and troubleshooting
One must examine the basic principles governing snort application in remote
sensor network:
Snort security matters
Data packets’ confidentiality
Access control in the network
Outgoing and incoming transmission of the data packets.
Accessibility of services.
Snort’s functionality.
Check for available services.
Check hacker's action from public networks that are entering into private networks.
Network Intrusion Detection System Using SNORT
Starting snort using the command
C:\snort\bin>Snort -W
Figure 10: Starting snort
3.2 Testing and troubleshooting
One must examine the basic principles governing snort application in remote
sensor network:
Snort security matters
Data packets’ confidentiality
Access control in the network
Outgoing and incoming transmission of the data packets.
Accessibility of services.
Snort’s functionality.
Check for available services.
Check hacker's action from public networks that are entering into private networks.
Network Intrusion Detection System Using SNORT
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
MN692 Capstone Project Report Page 29 of 51
Network intrusion detection system plays a major part in the field of network security,
they provide a high layer of security to the main system from suspicious activities or patterns
and alarms network administrators when a suspicious traffic is being detected. Snort was
mainly implemented or designed to neutralize this issues.
Snort is being configured as a NIDS (Network Intrusion Detection System). In order
to detect the known and unknown attacks by saving the attackers signature. To provide
security against port scanning from the attackers and restricting the traffic from different
networks, used two different windows systems one for the attacker and other as a victim or
the main server [25].
Identifying ping scan
As the attacker starts to identify the host status by sending the ICMP, TCP, and UDP
packets using the command ping scan by assigning destination IP address so in order to
neutralize the attack a rule needs to be assigned in the snort.
Snort is the most effective application or a tool in order to detect the malicious traffic by
assigning rules. Traffic is being analysed through snort and can be implemented in a network.
Alerting icmp packets
Alert icmp any any -> any any (msg: “Testing ICMP alert! “; sid:1000001; )
Alert TCP any any -> any any (msg: “Testing TCP alert! “; sid:1000002; )
Alert UDP any any -> any any (msg: “Testing UDP alert! “; sid:1000003; )
The above rule needs to be implemented in the local. rules file in order to intimate the attack.
C:\users\server>cd \snort
C:\snort> cd rules
C:\snort\rules> local.rules
Network Intrusion Detection System Using SNORT
Network intrusion detection system plays a major part in the field of network security,
they provide a high layer of security to the main system from suspicious activities or patterns
and alarms network administrators when a suspicious traffic is being detected. Snort was
mainly implemented or designed to neutralize this issues.
Snort is being configured as a NIDS (Network Intrusion Detection System). In order
to detect the known and unknown attacks by saving the attackers signature. To provide
security against port scanning from the attackers and restricting the traffic from different
networks, used two different windows systems one for the attacker and other as a victim or
the main server [25].
Identifying ping scan
As the attacker starts to identify the host status by sending the ICMP, TCP, and UDP
packets using the command ping scan by assigning destination IP address so in order to
neutralize the attack a rule needs to be assigned in the snort.
Snort is the most effective application or a tool in order to detect the malicious traffic by
assigning rules. Traffic is being analysed through snort and can be implemented in a network.
Alerting icmp packets
Alert icmp any any -> any any (msg: “Testing ICMP alert! “; sid:1000001; )
Alert TCP any any -> any any (msg: “Testing TCP alert! “; sid:1000002; )
Alert UDP any any -> any any (msg: “Testing UDP alert! “; sid:1000003; )
The above rule needs to be implemented in the local. rules file in order to intimate the attack.
C:\users\server>cd \snort
C:\snort> cd rules
C:\snort\rules> local.rules
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 30 of 51
Figure 11
After assigning the rules to use the following command in order to test the
configuration that is being added. Use ping command by assigning the destination IP address
from the attacker's system by executing the following command in the main server all the
ping scan that is being performed on the main system is stored in log file.
C:\Snort\bin>snort -i 2 –c C:\snort\etc\snort.conf –A console > c:\snort\log\pingscan.txt
Testing from attackers windows system by using destination ip address
Figure 12: Identifying port scan performed by the attacker using snort
Port scanning is used to probe host for the ports that are open and perform the attack
by knowing the ports which are active to receive the traffic. This port scanning process is
Network Intrusion Detection System Using SNORT
Figure 11
After assigning the rules to use the following command in order to test the
configuration that is being added. Use ping command by assigning the destination IP address
from the attacker's system by executing the following command in the main server all the
ping scan that is being performed on the main system is stored in log file.
C:\Snort\bin>snort -i 2 –c C:\snort\etc\snort.conf –A console > c:\snort\log\pingscan.txt
Testing from attackers windows system by using destination ip address
Figure 12: Identifying port scan performed by the attacker using snort
Port scanning is used to probe host for the ports that are open and perform the attack
by knowing the ports which are active to receive the traffic. This port scanning process is
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 31 of 51
done by NMAP which is an application, designed in order to perform the port scanning on
the destination host, often used by network administrators to secure the network by restricting
the traffic.
Nmap for windows
After installing NMAP, use following Commands for nmap port scanning
C: \> cd “Program Files <86>”
C: \ Program Files <86>> cd Nmap
C: \ Program Files <86>\Nmap> Nmap –T4 –A –v 192.168.0.9
Nmap port scanning using destination IP address
Figure 13
Network Intrusion Detection System Using SNORT
done by NMAP which is an application, designed in order to perform the port scanning on
the destination host, often used by network administrators to secure the network by restricting
the traffic.
Nmap for windows
After installing NMAP, use following Commands for nmap port scanning
C: \> cd “Program Files <86>”
C: \ Program Files <86>> cd Nmap
C: \ Program Files <86>\Nmap> Nmap –T4 –A –v 192.168.0.9
Nmap port scanning using destination IP address
Figure 13
Network Intrusion Detection System Using SNORT
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
MN692 Capstone Project Report Page 32 of 51
Figure 14: NMAP test scanning of open ports from the attacker.
Figure 15: Command to store the port scan log file
Snort rules In order to store the port scanning details and stop the attack
Network Intrusion Detection System Using SNORT
Figure 14: NMAP test scanning of open ports from the attacker.
Figure 15: Command to store the port scan log file
Snort rules In order to store the port scanning details and stop the attack
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 33 of 51
Figure 16
Figure 17
HTTP Snort rules
Network Intrusion Detection System Using SNORT
Figure 16
Figure 17
HTTP Snort rules
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 34 of 51
Figure 18: Snort suspicious activity rules
3.3 Results
As the system is being tested with various types of attacks such as port scan nmap, ping
test all the packets are being captured by a snort and being shown in the output.
All the details are being stored in a log file in snort including date time and type of packets
that are being entered into the system.
Network Intrusion Detection System Using SNORT
Figure 18: Snort suspicious activity rules
3.3 Results
As the system is being tested with various types of attacks such as port scan nmap, ping
test all the packets are being captured by a snort and being shown in the output.
All the details are being stored in a log file in snort including date time and type of packets
that are being entered into the system.
Network Intrusion Detection System Using SNORT
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
MN692 Capstone Project Report Page 35 of 51
Figure 19: Result 1
Ports that are open when the attacker tries to port scan
Network Intrusion Detection System Using SNORT
Figure 19: Result 1
Ports that are open when the attacker tries to port scan
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 36 of 51
Figure 20: Result 2
Figure 21: Result 3
Snort output for port scan all the details are stored in log file.
Figure 22: Result 4
Port scan results
Network Intrusion Detection System Using SNORT
Figure 20: Result 2
Figure 21: Result 3
Snort output for port scan all the details are stored in log file.
Figure 22: Result 4
Port scan results
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 37 of 51
Figure 23: Result 5
Ping scan results that are stored in snort log
Network Intrusion Detection System Using SNORT
Figure 23: Result 5
Ping scan results that are stored in snort log
Network Intrusion Detection System Using SNORT
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
MN692 Capstone Project Report Page 38 of 51
Figure 24: Result 6
HTTP Snort results
Figure 25: Snort testing suspicious activity results, Result 7
Verification of snort intrusion
This is intended to recognize any intrusion into the network with an aim of
deciding and giving affirmation that there is no any point of intrusion into the system from an
external system. This additionally assists to identify the attempted attack. Along these lines,
the snort ought to have the capacity to distinguish the attempted hacking.
3.4 Discussion and analysis
The concentration in this structure is to look at the activity of snort in a remote
sensor system to recognize arrange attack by use of WIDS. Adequate outcomes will be
Network Intrusion Detection System Using SNORT
Figure 24: Result 6
HTTP Snort results
Figure 25: Snort testing suspicious activity results, Result 7
Verification of snort intrusion
This is intended to recognize any intrusion into the network with an aim of
deciding and giving affirmation that there is no any point of intrusion into the system from an
external system. This additionally assists to identify the attempted attack. Along these lines,
the snort ought to have the capacity to distinguish the attempted hacking.
3.4 Discussion and analysis
The concentration in this structure is to look at the activity of snort in a remote
sensor system to recognize arrange attack by use of WIDS. Adequate outcomes will be
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 39 of 51
received from the way snort is composed, installed, and designed in the Remote Network that
protects the system from any intrusion or attack. The snort structures execution, dataset
employed as well as the testing ought to encourage adequate outcomes to be acknowledged in
WIDS found on the server that have different standards and guidelines.
Figure 26: Analysis
The report demonstrates that several forms of intrusions are noted after the installing
snort, firewall, as well as other safety devices that assist in detecting the attacks.
From the alarm. Ids file demonstrates Rremote Procedure Call (RPC) a threat based
on the buffer overflow exploitation which is categorized as miscellaneous activity and ranks
it as lower level insecurity as per the WIDS snort standards-based ranking. The enemy
executing attacks to a host with an Internet Protocol Address of 192.168.120.100 aiming host
with an Internet Protocol Address of 192.168.0.128 that in this circumstance is the mail
server. Port 52 is the one that is being used, where snort cannot detect. Port 53 is then open,
where backdoor attacks use to survey network services categorized as attempted proprietor
privileges gain the Priority. This indicates that the enemy has administrative rights, therefore
can fully access the network services [26]. TCP is the protocol used in this situation. When an
administrator receives the report, it is easy to screen all traffic through TCP port-52
implementing the principle on Snort.
Network Intrusion Detection System Using SNORT
received from the way snort is composed, installed, and designed in the Remote Network that
protects the system from any intrusion or attack. The snort structures execution, dataset
employed as well as the testing ought to encourage adequate outcomes to be acknowledged in
WIDS found on the server that have different standards and guidelines.
Figure 26: Analysis
The report demonstrates that several forms of intrusions are noted after the installing
snort, firewall, as well as other safety devices that assist in detecting the attacks.
From the alarm. Ids file demonstrates Rremote Procedure Call (RPC) a threat based
on the buffer overflow exploitation which is categorized as miscellaneous activity and ranks
it as lower level insecurity as per the WIDS snort standards-based ranking. The enemy
executing attacks to a host with an Internet Protocol Address of 192.168.120.100 aiming host
with an Internet Protocol Address of 192.168.0.128 that in this circumstance is the mail
server. Port 52 is the one that is being used, where snort cannot detect. Port 53 is then open,
where backdoor attacks use to survey network services categorized as attempted proprietor
privileges gain the Priority. This indicates that the enemy has administrative rights, therefore
can fully access the network services [26]. TCP is the protocol used in this situation. When an
administrator receives the report, it is easy to screen all traffic through TCP port-52
implementing the principle on Snort.
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 40 of 51
Figure 27: Analysis 2
To examine whether snort applies configured policies and rules towards outgoing
and incoming traffic. The death of the ping attack is tested through DOS attack
The point of applying death of ping attacks is to test whether snort has the capacity
to recognize the traffic from public and internal network. The apparatus went to the installed
server by sending limitless data parcels. Central servers that are targeted should respond to
every ping packet directed to an internal system. Designed snort must stop the death ping
after it shows up [27]. The command applied ping < IP target host> - t - 1 65500, will transfer
packets at a speed of 125 lbs. Target hosts test is the mail server, IP address of 192.168.0.128
like demonstrated below:-
The report indicates that traffic timestamp, time, date, packets NETBIOS Unicode
data have accesses categorized by the name generic protocol command on decode
precedence, DOS, and SMB. Report evaluation demonstrates that alarm activities contained
heavy traffic, from external and internal towards port 53 address 192.168.150.10, applied for
NETBIOS. Services of NETBIOS are used to let communication in internal LAN. The report
offers details concerning the position of the host within the private network. Through port 53,
traffic is noticed [28]. The other attacks include the Finger protocol, HTTP, and the Trojan
horse.
Snort results that are being detected
Protocol Total Packets Traffic
TCP 6908 80%
UDP 1829 10%
ICMP 721 6%
Network Intrusion Detection System Using SNORT
Figure 27: Analysis 2
To examine whether snort applies configured policies and rules towards outgoing
and incoming traffic. The death of the ping attack is tested through DOS attack
The point of applying death of ping attacks is to test whether snort has the capacity
to recognize the traffic from public and internal network. The apparatus went to the installed
server by sending limitless data parcels. Central servers that are targeted should respond to
every ping packet directed to an internal system. Designed snort must stop the death ping
after it shows up [27]. The command applied ping < IP target host> - t - 1 65500, will transfer
packets at a speed of 125 lbs. Target hosts test is the mail server, IP address of 192.168.0.128
like demonstrated below:-
The report indicates that traffic timestamp, time, date, packets NETBIOS Unicode
data have accesses categorized by the name generic protocol command on decode
precedence, DOS, and SMB. Report evaluation demonstrates that alarm activities contained
heavy traffic, from external and internal towards port 53 address 192.168.150.10, applied for
NETBIOS. Services of NETBIOS are used to let communication in internal LAN. The report
offers details concerning the position of the host within the private network. Through port 53,
traffic is noticed [28]. The other attacks include the Finger protocol, HTTP, and the Trojan
horse.
Snort results that are being detected
Protocol Total Packets Traffic
TCP 6908 80%
UDP 1829 10%
ICMP 721 6%
Network Intrusion Detection System Using SNORT
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
MN692 Capstone Project Report Page 41 of 51
ARP 328 4%
PROS and CONS of IDS
IDS have both manual and automatic intervention capacity to counter attacks.
IDS have the capacity to detect the new malicious attack patterns and watches logs
and user actions.
It blocks the attacks and drops the packets and modifies the firewall.
Real-time live monitoring tool.
Can discover innovative attacks.
Unidentified by the attacker and cost-efficient to install.
Open source tools.
CONS of IDS
It drops and ends sessions in case the packet is malicious.
Cannot distinguish the difference between legitimate and malicious packet.
Performance is minimum because of the huge traffic.
Alerts after the attack are made by the intruder.
Regular update required for signature-based technique.
WEKA
Figure 28: WEKA
Network Intrusion Detection System Using SNORT
ARP 328 4%
PROS and CONS of IDS
IDS have both manual and automatic intervention capacity to counter attacks.
IDS have the capacity to detect the new malicious attack patterns and watches logs
and user actions.
It blocks the attacks and drops the packets and modifies the firewall.
Real-time live monitoring tool.
Can discover innovative attacks.
Unidentified by the attacker and cost-efficient to install.
Open source tools.
CONS of IDS
It drops and ends sessions in case the packet is malicious.
Cannot distinguish the difference between legitimate and malicious packet.
Performance is minimum because of the huge traffic.
Alerts after the attack are made by the intruder.
Regular update required for signature-based technique.
WEKA
Figure 28: WEKA
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 42 of 51
WEKA is a cluster of algorithms consist of a number of machine learning and data
mining [29]. This has a GUI interface to cooperate with the data files, as this software is
written in java language. It comprises15 attribute evaluators, 76 classification algorithms, ten
search algorithms and 49 data pre-processing tools for feature range [30]. This software
contributes with three algorithms to discover association rules. It has three GUI: "The
Explorer", "The Experimenter" and "The Knowledge Flow." The supporting file format for
WEKA is ARFF stands for Attribute-Relation File Format. WEKA also contains tools for
conception, as for the dataset the algorithm can be applied directly.
Why is WEKA data mining software used for? The WEKA tool integrates these steps
as follows:-[31, 32]
To evaluate the precision of any data exploration and pre-processing is a necessity in
weka database.
Characteristic of a class is to divide the classes accordingly to its occurrences.
Abstraction of any features for the using of classifying.
To use the subset of the classes should be used for the decision learning process.
It's always better to check for any out of place dataset and how it can be re-corrected.
When a subset is selected for the classes that are put in the records for the learning
process.
Any testing method will give an approximate performance from the algorithm
selected.
Network Intrusion Detection System Using SNORT
WEKA is a cluster of algorithms consist of a number of machine learning and data
mining [29]. This has a GUI interface to cooperate with the data files, as this software is
written in java language. It comprises15 attribute evaluators, 76 classification algorithms, ten
search algorithms and 49 data pre-processing tools for feature range [30]. This software
contributes with three algorithms to discover association rules. It has three GUI: "The
Explorer", "The Experimenter" and "The Knowledge Flow." The supporting file format for
WEKA is ARFF stands for Attribute-Relation File Format. WEKA also contains tools for
conception, as for the dataset the algorithm can be applied directly.
Why is WEKA data mining software used for? The WEKA tool integrates these steps
as follows:-[31, 32]
To evaluate the precision of any data exploration and pre-processing is a necessity in
weka database.
Characteristic of a class is to divide the classes accordingly to its occurrences.
Abstraction of any features for the using of classifying.
To use the subset of the classes should be used for the decision learning process.
It's always better to check for any out of place dataset and how it can be re-corrected.
When a subset is selected for the classes that are put in the records for the learning
process.
Any testing method will give an approximate performance from the algorithm
selected.
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 43 of 51
Figure 29
Dataset KDD
Figure 30: WEKA
In weka, the classification of the data is an algorithm in data mining which is used for
intrusion detection system to differentiate any attack or intrusion from the regular effects that
happen in the system of weka. The classify algorithm are administered knowledge approach,
as weka doesn't involve class names for any of the prediction goal. There are two types of
Network Intrusion Detection System Using SNORT
Figure 29
Dataset KDD
Figure 30: WEKA
In weka, the classification of the data is an algorithm in data mining which is used for
intrusion detection system to differentiate any attack or intrusion from the regular effects that
happen in the system of weka. The classify algorithm are administered knowledge approach,
as weka doesn't involve class names for any of the prediction goal. There are two types of
Network Intrusion Detection System Using SNORT
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
MN692 Capstone Project Report Page 44 of 51
classification algorithms which are the main in class which are one binary classification and
another one is multiclass classification [33]. The binary classify method is a classification of
the element in two groups on the foundation of whether they have some distinctive or not.
Whereas the multiclass classify technique of classification occurrence into more than two
classes. The natural binary algorithms whereas all other which permits the application of
more than two classes. Here is some of the following classification:-
Figure 31: Naïve Bayes results
The naïve Bayes is the latest upgraded version of the Bayes theorem as it’s considered
to be a strong deliverance among attributes. Bayesian classifier encrypts probabilistic
associations amongst variables of interest. The meaning of this is the probability of one
attribute which won't affect any other probability of any other attribute. Network intrusion
detection system based on naïve Bayes algorithm the proposed a framework Mrutyunjaya
Panda and Manas Ranjan Patra [34]. The method naive Bayes is a set of supervised learning
algorithms based on applying "Bayes" theorem with any if the "naïve" supposition of
individuality among every pair of structures
Technique Result (Accuracy) Correctly Classified Instances Incorrectly Classified Instances
80.731 % and 19.269 %
Network Intrusion Detection System Using SNORT
classification algorithms which are the main in class which are one binary classification and
another one is multiclass classification [33]. The binary classify method is a classification of
the element in two groups on the foundation of whether they have some distinctive or not.
Whereas the multiclass classify technique of classification occurrence into more than two
classes. The natural binary algorithms whereas all other which permits the application of
more than two classes. Here is some of the following classification:-
Figure 31: Naïve Bayes results
The naïve Bayes is the latest upgraded version of the Bayes theorem as it’s considered
to be a strong deliverance among attributes. Bayesian classifier encrypts probabilistic
associations amongst variables of interest. The meaning of this is the probability of one
attribute which won't affect any other probability of any other attribute. Network intrusion
detection system based on naïve Bayes algorithm the proposed a framework Mrutyunjaya
Panda and Manas Ranjan Patra [34]. The method naive Bayes is a set of supervised learning
algorithms based on applying "Bayes" theorem with any if the "naïve" supposition of
individuality among every pair of structures
Technique Result (Accuracy) Correctly Classified Instances Incorrectly Classified Instances
80.731 % and 19.269 %
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 45 of 51
A confusion matrix that summarizes the number of instances predicted correctly or
incorrectly by a classification model
Confusion Matrix
A b <-- classified as
9225 486 | a = normal
388 8975 | b = anomaly
Figure 32: Decision tree results
The most known machine learning techniques are by Quinlan which was proposed a
decision tree classifier [35]. The decision tree is a collection of three elements,
1) To test or condition on a data item a decision node is represented.
2) To correspond to one possible test outcome attribute to the possible attribute value
which is an edge or a branch.
3) The object belongs to the class only when the leaf is controlled [36].
The Decision tree is a classifier algorithm
The decision tree is used to build the training. The tree of each node of the attribute of
data we choose one node and then we split the sample set into subsets to other
improved in one class or the other.
Network Intrusion Detection System Using SNORT
A confusion matrix that summarizes the number of instances predicted correctly or
incorrectly by a classification model
Confusion Matrix
A b <-- classified as
9225 486 | a = normal
388 8975 | b = anomaly
Figure 32: Decision tree results
The most known machine learning techniques are by Quinlan which was proposed a
decision tree classifier [35]. The decision tree is a collection of three elements,
1) To test or condition on a data item a decision node is represented.
2) To correspond to one possible test outcome attribute to the possible attribute value
which is an edge or a branch.
3) The object belongs to the class only when the leaf is controlled [36].
The Decision tree is a classifier algorithm
The decision tree is used to build the training. The tree of each node of the attribute of
data we choose one node and then we split the sample set into subsets to other
improved in one class or the other.
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 46 of 51
The normalization is a condition that any decision tree is based on by selecting the
attribute from splitting data and getting the results. To make a decision any attribute
with the highest normalized information gain is preferred.
For every attribute, the gain is considered and the maximum gain attribute is used in
the decision node. There are six of the decision tree algorithms to examine an in weka
which are J48, J48 Graft, Simple chart, Rep tree, Random forest and Random tree and
also different gain results [37].
Technique Result (Accuracy) Correctly Classified Instances Incorrectly Classified
Instances 98.5983 % and 1.4017 %
A confusion matrix that summarizes the number of instances predicted correctly or
incorrectly by a classification model
=== Confusion Matrix ===
a b <-- classified as
9574 137 | a = normal
179 12654 | b = anomaly
Figure 33: Confusion Matrix
A promising pattern classification technique is support vector machine (SVM) [38]. In
the last decade for the misuse detection, SVMs have supervised learning models which are
Network Intrusion Detection System Using SNORT
The normalization is a condition that any decision tree is based on by selecting the
attribute from splitting data and getting the results. To make a decision any attribute
with the highest normalized information gain is preferred.
For every attribute, the gain is considered and the maximum gain attribute is used in
the decision node. There are six of the decision tree algorithms to examine an in weka
which are J48, J48 Graft, Simple chart, Rep tree, Random forest and Random tree and
also different gain results [37].
Technique Result (Accuracy) Correctly Classified Instances Incorrectly Classified
Instances 98.5983 % and 1.4017 %
A confusion matrix that summarizes the number of instances predicted correctly or
incorrectly by a classification model
=== Confusion Matrix ===
a b <-- classified as
9574 137 | a = normal
179 12654 | b = anomaly
Figure 33: Confusion Matrix
A promising pattern classification technique is support vector machine (SVM) [38]. In
the last decade for the misuse detection, SVMs have supervised learning models which are
Network Intrusion Detection System Using SNORT
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
MN692 Capstone Project Report Page 47 of 51
related to the knowledge that has been functional increasingly. The latest SVM learning
algorithms are called as SMO (Sequential Minimal Optimization). The support vector
machine learning algorithms were using numerical (QP) quadratic programming for the inner
loop, whereas SMO uses an analytic QP step.
Technique Result (Accuracy) Correctly Classified Instances Incorrectly Classified
Instances 94.6017 % and 5.3983 %.
A confusion matrix that summarizes the number of instances predicted correctly or
incorrectly by a classification model
=== Confusion Matrix ===
a b <-- classified as
8999 712 | a = normal
505 12328 | b = anomaly
3 Conclusion
The aim of this report was to decide the viability and execution of the intruders
detecting system: Comparing it with the outstanding IDS, Snort, is a quick system. Snort was
evaluated on different steps on super PCs with different conventions and packet sizes as well
as protocols. A huge amount of packets reduces while using virtualization resulting from
changing aspects of virtualization where the assigned physical memory RAM to the host PC
is a distributed disc space as well as virtual RAM. It will respectfully impact the function and
creates packet drops. As the number of packets received by the network card gets higher than
the amount received by virtual machines, this thought is conceptualized due to the bottleneck
resulting from the exchange of low circle data [22].
In this project, the design and development of network intrusion tool help to detect the
attacks regularly and intimate the network admin and keeps the system secure without any
issue. Data mining techniques are being implemented dynamically in IDS and capable of
generating real-time results.
Network Intrusion Detection System Using SNORT
related to the knowledge that has been functional increasingly. The latest SVM learning
algorithms are called as SMO (Sequential Minimal Optimization). The support vector
machine learning algorithms were using numerical (QP) quadratic programming for the inner
loop, whereas SMO uses an analytic QP step.
Technique Result (Accuracy) Correctly Classified Instances Incorrectly Classified
Instances 94.6017 % and 5.3983 %.
A confusion matrix that summarizes the number of instances predicted correctly or
incorrectly by a classification model
=== Confusion Matrix ===
a b <-- classified as
8999 712 | a = normal
505 12328 | b = anomaly
3 Conclusion
The aim of this report was to decide the viability and execution of the intruders
detecting system: Comparing it with the outstanding IDS, Snort, is a quick system. Snort was
evaluated on different steps on super PCs with different conventions and packet sizes as well
as protocols. A huge amount of packets reduces while using virtualization resulting from
changing aspects of virtualization where the assigned physical memory RAM to the host PC
is a distributed disc space as well as virtual RAM. It will respectfully impact the function and
creates packet drops. As the number of packets received by the network card gets higher than
the amount received by virtual machines, this thought is conceptualized due to the bottleneck
resulting from the exchange of low circle data [22].
In this project, the design and development of network intrusion tool help to detect the
attacks regularly and intimate the network admin and keeps the system secure without any
issue. Data mining techniques are being implemented dynamically in IDS and capable of
generating real-time results.
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 48 of 51
References
[1]Raghunath, B. and Nitin Mahadeo, R. (2018). Network Intrusion Detection System
(NIDS). In: Network Intrusion Detection System (NIDS). [online] Nagpur: IEEE, pp.1-4.
Available at: https://ieeexplore.ieee.org/document/4580100/ [Accessed 29 May 2018].
[2] B. Klaus and P. Horn, Robot Vision. Cambridge, MA: MIT Press, 1986.
[3]R. von Solms and J. van Niekerk, "From information security ton cybersecurity",
Computers & Security, vol. 38, pp. 97-1.2, 2013.
[4]h. Liao, C. Richard Lin, Y. Lin and K. Tung, “Intrusion detection system: A
comprehensive review”, Journal of Network and Computer Applications, vol. 36, no. 1, pp.
16-24, 2013.
[5]U. Modi and A. Jain, "An Improved Method to Detect Intrusion Using Machine Learning
Algorithms", Informatics Engineering, an International Journal, vol. 4, no. 2, pp. 17-29, 2016.
[6] N. Thanh Van, T. Ngoc Thinh and L. Sach, "An anomaly-based Network Intrusion
Detection System using Deep learning", 2017, pp. 1-2.
[7] M. H. Bhuyan, D. Bhattacharyya, and J. Kalita, Network Anomaly Detection: Methods,
Systems and Tools. 2014, pp. 30-34.
[8]P. Casas, J. Mazel and P. Owezarski, “Unsupervised Network Intrusion Detection
Systems: Detecting the Unknown without Knowledge”, Computer Communications, vol. 35,
no. 7, pp. 772-783, 2012.
[9] M. H. Bhuyan, D. Bhattacharyya, and J. Kalita, Network Anomaly Detection: Methods,
Systems and Tools. 2014, pp. 30-34.
[10] M. H. Bhuyan, D. Bhattacharyya, and J. Kalita, Network Anomaly Detection: Methods,
Systems and Tools. 2014, pp. 30-34.
Network Intrusion Detection System Using SNORT
References
[1]Raghunath, B. and Nitin Mahadeo, R. (2018). Network Intrusion Detection System
(NIDS). In: Network Intrusion Detection System (NIDS). [online] Nagpur: IEEE, pp.1-4.
Available at: https://ieeexplore.ieee.org/document/4580100/ [Accessed 29 May 2018].
[2] B. Klaus and P. Horn, Robot Vision. Cambridge, MA: MIT Press, 1986.
[3]R. von Solms and J. van Niekerk, "From information security ton cybersecurity",
Computers & Security, vol. 38, pp. 97-1.2, 2013.
[4]h. Liao, C. Richard Lin, Y. Lin and K. Tung, “Intrusion detection system: A
comprehensive review”, Journal of Network and Computer Applications, vol. 36, no. 1, pp.
16-24, 2013.
[5]U. Modi and A. Jain, "An Improved Method to Detect Intrusion Using Machine Learning
Algorithms", Informatics Engineering, an International Journal, vol. 4, no. 2, pp. 17-29, 2016.
[6] N. Thanh Van, T. Ngoc Thinh and L. Sach, "An anomaly-based Network Intrusion
Detection System using Deep learning", 2017, pp. 1-2.
[7] M. H. Bhuyan, D. Bhattacharyya, and J. Kalita, Network Anomaly Detection: Methods,
Systems and Tools. 2014, pp. 30-34.
[8]P. Casas, J. Mazel and P. Owezarski, “Unsupervised Network Intrusion Detection
Systems: Detecting the Unknown without Knowledge”, Computer Communications, vol. 35,
no. 7, pp. 772-783, 2012.
[9] M. H. Bhuyan, D. Bhattacharyya, and J. Kalita, Network Anomaly Detection: Methods,
Systems and Tools. 2014, pp. 30-34.
[10] M. H. Bhuyan, D. Bhattacharyya, and J. Kalita, Network Anomaly Detection: Methods,
Systems and Tools. 2014, pp. 30-34.
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 49 of 51
[11] Hock, F. and Kortis, P. (2015). Commercial and open-source based Intrusion Detection
System and Intrusion Prevention System (IDS/IPS) design for an IP networks. 2015 13th
International Conference on Emerging eLearning Technologies and Applications (ICETA).
[12] M Sun and T. Chen, Network intrusion detection system (2010) US Patent No.
US20100251370A1 United States, IFI CLAIMS Patent Services
Ravi L. Sahita (2016) State-transition based network intrusion detection US9270643B2.
[13]Snort.org. (2018). Snort - Network Intrusion Detection & Prevention System. [online]
Available at: https://www.snort.org/ [Accessed 24 May 2018].
[14]M.Sazzadul Hoque, "An Implementation of Intrusion Detection System Using Genetic
Algorithm", International Journal of Network Security & Its Applications, vol. 4, no. 2, pp.
109-120, 2012.
[15]R. von Solms and J. van Niekerk, "From information security ton cybersecurity",
Computers & Security, vol. 38, pp. 97-1.2, 2013.
[16]h. Liao, C. Richard Lin, Y. Lin and K. Tung, “Intrusion detection system: A
comprehensive review”, Journal of Network and Computer Applications, vol. 36, no. 1, pp.
16-24, 2013.
[17] N. Thanh Van, T. Ngoc Thinh and L. Sach, "An anomaly-based Network Intrusion
Detection System using Deep learning", 2017, pp. 1-2.
[18]K. G.D and D. S.D, "Network Intrusion Detection using
SNORT", Pdfs.semanticscholar.org, 2012. [Online]. Available:
https://pdfs.semanticscholar.org/0137/50ff3bfa504ef096d07b4aaf0ec87c36b554.pdf.
[Accessed: 29- May- 2018].
[19]U. Modi and A. Jain, "An Improved Method to Detect Intrusion Using Machine Learning
Algorithms", Informatics Engineering, an International Journal, vol. 4, no. 2, pp. 17-29, 2016.
Network Intrusion Detection System Using SNORT
[11] Hock, F. and Kortis, P. (2015). Commercial and open-source based Intrusion Detection
System and Intrusion Prevention System (IDS/IPS) design for an IP networks. 2015 13th
International Conference on Emerging eLearning Technologies and Applications (ICETA).
[12] M Sun and T. Chen, Network intrusion detection system (2010) US Patent No.
US20100251370A1 United States, IFI CLAIMS Patent Services
Ravi L. Sahita (2016) State-transition based network intrusion detection US9270643B2.
[13]Snort.org. (2018). Snort - Network Intrusion Detection & Prevention System. [online]
Available at: https://www.snort.org/ [Accessed 24 May 2018].
[14]M.Sazzadul Hoque, "An Implementation of Intrusion Detection System Using Genetic
Algorithm", International Journal of Network Security & Its Applications, vol. 4, no. 2, pp.
109-120, 2012.
[15]R. von Solms and J. van Niekerk, "From information security ton cybersecurity",
Computers & Security, vol. 38, pp. 97-1.2, 2013.
[16]h. Liao, C. Richard Lin, Y. Lin and K. Tung, “Intrusion detection system: A
comprehensive review”, Journal of Network and Computer Applications, vol. 36, no. 1, pp.
16-24, 2013.
[17] N. Thanh Van, T. Ngoc Thinh and L. Sach, "An anomaly-based Network Intrusion
Detection System using Deep learning", 2017, pp. 1-2.
[18]K. G.D and D. S.D, "Network Intrusion Detection using
SNORT", Pdfs.semanticscholar.org, 2012. [Online]. Available:
https://pdfs.semanticscholar.org/0137/50ff3bfa504ef096d07b4aaf0ec87c36b554.pdf.
[Accessed: 29- May- 2018].
[19]U. Modi and A. Jain, "An Improved Method to Detect Intrusion Using Machine Learning
Algorithms", Informatics Engineering, an International Journal, vol. 4, no. 2, pp. 17-29, 2016.
Network Intrusion Detection System Using SNORT
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
MN692 Capstone Project Report Page 50 of 51
[20] M. H. Bhuyan, D. Bhattacharyya, and J. Kalita, Network Anomaly Detection: Methods,
Systems and Tools. 2014, pp. 30-34.
[21]P. Casas, J. Mazel and P. Owezarski, “Unsupervised Network Intrusion Detection
Systems: Detecting the Unknown without Knowledge”, Computer Communications, vol. 35,
no. 7, pp. 772-783, 2012.
[22] Kim, Gisung, Seungmin Lee, and Sehun Kim. "A novel hybrid intrusion detection
method integrating anomaly detection with misuse detection." Expert Systems with
Applications 41, no. 4 (2014): 1690-1700.
[23] Network Intrusion Detection and Prevention. Springer US, 2010, pp. 34-35.
[24]M.Sazzadul Hoque, "An Implementation of Intrusion Detection System Using Genetic
Algorithm", International Journal of Network Security & Its Applications, vol. 4, no. 2, pp.
109-120, 2012.
[25]U.Aickelin and J. Twycross, "Rule Generalisation using Snort", Arxiv.org, 2016.
[Online]. Available: https://arxiv.org/pdf/0803.2973. [Accessed: 29- May- 2018].
[26] M. K, R. A and V. K, "DoS and DDoS Attacks: Defense, Detection and Traceback
Mechanisms -A Survey", Global Journals Inc, vol. 14, no. 7, pp. 1-19, 2014.
[27] A. Kumar, "DDoS Attacks—A Cyberthreat and Possible Solutions", pp. 1-4.
[28] S. Arunmozhi and Y. Venkataramani, "DDoS Attack and Defense Scheme in Wireless
Ad hoc Networks", International Journal of Network Security & Its Applications, vol. 3, no.
3, pp. 182-187, 2011.
[29] R. Dash, Selection of the Best Classifier from Different Datasets Using WEKA, HERT,
Vo1.2 Issue 3, March 2013.
[30] H. Nguyen and D. Choi, Application of Data Mining to Network Intrusion Detection:
Classifier Selection Model, @Springer Verlag Berlin Heidelberg, 2008.
Network Intrusion Detection System Using SNORT
[20] M. H. Bhuyan, D. Bhattacharyya, and J. Kalita, Network Anomaly Detection: Methods,
Systems and Tools. 2014, pp. 30-34.
[21]P. Casas, J. Mazel and P. Owezarski, “Unsupervised Network Intrusion Detection
Systems: Detecting the Unknown without Knowledge”, Computer Communications, vol. 35,
no. 7, pp. 772-783, 2012.
[22] Kim, Gisung, Seungmin Lee, and Sehun Kim. "A novel hybrid intrusion detection
method integrating anomaly detection with misuse detection." Expert Systems with
Applications 41, no. 4 (2014): 1690-1700.
[23] Network Intrusion Detection and Prevention. Springer US, 2010, pp. 34-35.
[24]M.Sazzadul Hoque, "An Implementation of Intrusion Detection System Using Genetic
Algorithm", International Journal of Network Security & Its Applications, vol. 4, no. 2, pp.
109-120, 2012.
[25]U.Aickelin and J. Twycross, "Rule Generalisation using Snort", Arxiv.org, 2016.
[Online]. Available: https://arxiv.org/pdf/0803.2973. [Accessed: 29- May- 2018].
[26] M. K, R. A and V. K, "DoS and DDoS Attacks: Defense, Detection and Traceback
Mechanisms -A Survey", Global Journals Inc, vol. 14, no. 7, pp. 1-19, 2014.
[27] A. Kumar, "DDoS Attacks—A Cyberthreat and Possible Solutions", pp. 1-4.
[28] S. Arunmozhi and Y. Venkataramani, "DDoS Attack and Defense Scheme in Wireless
Ad hoc Networks", International Journal of Network Security & Its Applications, vol. 3, no.
3, pp. 182-187, 2011.
[29] R. Dash, Selection of the Best Classifier from Different Datasets Using WEKA, HERT,
Vo1.2 Issue 3, March 2013.
[30] H. Nguyen and D. Choi, Application of Data Mining to Network Intrusion Detection:
Classifier Selection Model, @Springer Verlag Berlin Heidelberg, 2008.
Network Intrusion Detection System Using SNORT
MN692 Capstone Project Report Page 51 of 51
[31]B.X.Wang, D.H.Zhang, J.Wang, et al, “Application of Neural Network to Prediction of
Plate Finish Cooling Temperature”, Journal ofCentral South University of Technology,
2008,15(1):13.140.
[32]IanH.Witten and Elbe Frank, "Datamining Practical Machine Learning Tools and
Techniques", Second Edition, Morgan Kaufmann, San Fransisco, 2005.
[33] http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.ht ml Anazida Zainal;
MohdAizainiMaarof; Siti MariyamShamsuddin,(2009): Ensemble Classifiers for Network
Intrusion Detection System, Journal of Information, Universiti Teknologi Malaysia.
[34] Mrutyunjaya Panda, Manas Ranjan Patra, “Network Intrusion Detection Using Naïve
Bayes,”International Journal of Computer Science and Network Security,vol.7 no.12, 2007,
pp.258-262.
[35] Quinlan, C4.5: Programs for Machine Learning, 1993, Morgan Kaufmann Publishers,
San Mateo,CA.
[36] Ben Amor, Benferhat, Elouedi, “Naive Bayes vs. Decision Trees in Intrusion Detection
Systems,”Proc. of the 2004 ACM symposium on applied computing, 2004, pp. 420–424.
[37] J.R.Quinlan, Induction of decision trees, Machine Learning, vol. 1, no. 1, pp. 81–
106,1986.
[38] Cortes, Vapnik, Support-vector networks, Machine Learning, vol.20, 1995, pp.273–297.
Network Intrusion Detection System Using SNORT
[31]B.X.Wang, D.H.Zhang, J.Wang, et al, “Application of Neural Network to Prediction of
Plate Finish Cooling Temperature”, Journal ofCentral South University of Technology,
2008,15(1):13.140.
[32]IanH.Witten and Elbe Frank, "Datamining Practical Machine Learning Tools and
Techniques", Second Edition, Morgan Kaufmann, San Fransisco, 2005.
[33] http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.ht ml Anazida Zainal;
MohdAizainiMaarof; Siti MariyamShamsuddin,(2009): Ensemble Classifiers for Network
Intrusion Detection System, Journal of Information, Universiti Teknologi Malaysia.
[34] Mrutyunjaya Panda, Manas Ranjan Patra, “Network Intrusion Detection Using Naïve
Bayes,”International Journal of Computer Science and Network Security,vol.7 no.12, 2007,
pp.258-262.
[35] Quinlan, C4.5: Programs for Machine Learning, 1993, Morgan Kaufmann Publishers,
San Mateo,CA.
[36] Ben Amor, Benferhat, Elouedi, “Naive Bayes vs. Decision Trees in Intrusion Detection
Systems,”Proc. of the 2004 ACM symposium on applied computing, 2004, pp. 420–424.
[37] J.R.Quinlan, Induction of decision trees, Machine Learning, vol. 1, no. 1, pp. 81–
106,1986.
[38] Cortes, Vapnik, Support-vector networks, Machine Learning, vol.20, 1995, pp.273–297.
Network Intrusion Detection System Using SNORT
1 out of 51
Related Documents
Your All-in-One AI-Powered Toolkit for Academic Success.
+13062052269
info@desklib.com
Available 24*7 on WhatsApp / Email
Unlock your academic potential
© 2024 | Zucol Services PVT LTD | All rights reserved.