Data mining approach in host and network-based intrusion prevention system


Abstract

Intrusion Prevention Systems (IPS) as a security solution have their own characteristics in analysing, detecting and preventing intruders' acts. An IPS provides a good level of network security that goes beyond the functionality of Intrusion Detection Systems (IDS), firewalls, antivirus and other security applications, because it actively responds to attacks and affords great flexibility when dealing with security threats. Host-based IPS mostly depend on a static signature mechanism to identify intruders, which in turn needs to be updated from time to time to ensure the most accurate detection. An improved Network Intrusion Prevention System (NIPS) based on two mechanisms is used to detect patterns of known intrusions (misuse detection) and to distinguish anomalous network activity from normal network traffic (anomaly detection) effectively. Data Mining methods are used in this chapter to enhance NIPS based on anomaly detection. In this chapter we try to enhance intruder detection by replacing the static database with a dynamic one, and further by adding intelligence to the detection mechanism through Data Mining. Feedback from the whole process is used to make future inspections more realistic. The use of Data Mining methods will result in the development of a NIPS as an internal security gateway for defending against attacks and threats from within and outside the computer network. In addition, it will help to detect anomalous activity, including suspicious probing inside the network, before it launches any network attack with damaging effects. The study aims to enhance the Snort tool, which consists of a NIPS based on both misuse- and anomaly-detection mechanisms, by using two sub-phases of Data Mining approaches: an improved K-mean clustering algorithm and a PF-growth algorithm.
The integration of these two sub-phases helps to discover new rules, especially those related to internal network scans; in addition, the unsupervised learning process in the K-mean algorithm is used to discover new clusters which may represent a new type of attack, depending on the decisions of analysts. The host-based IPS will contribute enhancements in the following areas: evolving the techniques for investigating activities through the use of Data Mining; integrating, or possibly eliminating, antivirus programs installed on Personal Computers (PCs); and maximizing the security level of the whole network by securing each single host. All of this work helps to enhance and develop the NIPS tool by involving Data Mining approaches in investigating anomalies. It also achieves the objective of a complete system that meets requirements such as: detecting a probe attack inside the source network and preventing it before it launches a network attack against the target machine, with high performance; reducing false alarms; being easy to build at low cost; and being compatible with any operating system. Furthermore, it maximizes the effectiveness of identifying attacks, thereby helping users to construct more secure information systems. © 2014 Springer International Publishing Switzerland.
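The abstract describes using unsupervised K-mean clustering over network activity to surface a cluster that may represent a new kind of attack (an internal scan in particular), leaving the final decision to an analyst, and then feeding the result back as a new rule. The following is an added illustration of that idea, not code from the chapter or from Snort: it summarises constructed flow records per source host, runs a small pure-Python k-means (farthest-first initialisation, chosen here for determinism), treats the smallest cluster as the candidate anomaly for analyst review, and derives a threshold rule from the hosts the analyst confirms. The flow records, host addresses, feature choice and the rule format are all assumptions made for the example; the chapter's "improved" K-mean variant and its PF-growth phase are not reproduced.

```python
"""Added example (not from the chapter): k-means over per-host traffic
summaries to surface a probable internal port scan for analyst review."""
import math
from collections import defaultdict

# Constructed flow records: (src, dst, dst_port, completed)
# completed=False marks a connection attempt that never completed.
SAMPLE_FLOWS = [
    *[("10.0.0.5", "10.0.0.20", 443, True) for _ in range(40)],
    *[("10.0.0.5", "10.0.0.21", 53, True) for _ in range(20)],
    *[("10.0.0.6", "10.0.0.20", 443, True) for _ in range(35)],
    *[("10.0.0.6", "10.0.0.22", 80, True) for _ in range(10)],
    *[("10.0.0.7", "10.0.0.21", 53, True) for _ in range(50)],
    *[("10.0.0.8", "10.0.0.20", 443, True) for _ in range(30)],
    # one host probing 20 ports on 8 internal machines, none answering
    *[("10.0.0.99", f"10.0.0.{h}", p, False)
      for h in range(20, 28) for p in range(20, 40)],
]


def host_features(flows):
    """Per source host: (distinct dst hosts, distinct dst ports,
    total flows, failure ratio). This feature set is an assumption."""
    per_src = defaultdict(list)
    for src, dst, port, ok in flows:
        per_src[src].append((dst, port, ok))
    feats = {}
    for src, recs in per_src.items():
        hosts = len({d for d, _, _ in recs})
        ports = len({p for _, p, _ in recs})
        total = len(recs)
        fail = sum(1 for _, _, ok in recs if not ok) / total
        feats[src] = (hosts, ports, total, fail)
    return feats


def scale(vectors):
    """Min-max scale each feature so raw flow counts do not dominate."""
    dims = len(vectors[0])
    lo = [min(v[i] for v in vectors) for i in range(dims)]
    hi = [max(v[i] for v in vectors) for i in range(dims)]
    return [tuple((v[i] - lo[i]) / (hi[i] - lo[i]) if hi[i] > lo[i] else 0.0
                  for i in range(dims)) for v in vectors]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k, iters=50):
    """Plain Lloyd's k-means with deterministic farthest-first seeding."""
    centroids = [points[0]]
    while len(centroids) < k:
        far = max(points, key=lambda p: min(dist(p, c) for c in centroids))
        centroids.append(far)
    assign = None
    for _ in range(iters):
        new_assign = [min(range(k), key=lambda j: dist(p, centroids[j]))
                      for p in points]
        if new_assign == assign:
            break  # converged
        assign = new_assign
        for j in range(k):
            members = [p for p, a in zip(points, assign) if a == j]
            if members:
                centroids[j] = tuple(sum(m[i] for m in members) / len(members)
                                     for i in range(len(points[0])))
    return assign, centroids


def flag_anomalous_hosts(flows, k=2):
    """Cluster hosts; the smallest cluster is the candidate anomaly that
    an analyst must confirm or dismiss (the 'decision of analysts')."""
    feats = host_features(flows)
    hosts = sorted(feats)
    assign, _ = kmeans(scale([feats[h] for h in hosts]), k)
    sizes = [assign.count(j) for j in range(k)]
    odd = min(range(k), key=lambda j: sizes[j])
    return sorted(h for h, a in zip(hosts, assign) if a == odd), feats


def propose_scan_rule(feats, confirmed):
    """Feedback step: turn analyst-confirmed outliers into a candidate
    threshold rule (rule format is an assumption of this example)."""
    return {
        "min_distinct_ports": min(feats[h][1] for h in confirmed),
        "min_failure_ratio": round(min(feats[h][3] for h in confirmed), 2),
    }


if __name__ == "__main__":
    flagged, feats = flag_anomalous_hosts(SAMPLE_FLOWS)
    print("candidate anomalies for review:", flagged)
    print("proposed rule:", propose_scan_rule(feats, flagged))
```

On the constructed data the four ordinary hosts land in one cluster and the probing host alone in the other, so it is handed to the analyst; the rule derived from it ("20 or more distinct ports and a failure ratio of 1.0") is deliberately tight, since it is built from a single confirmed case and would be loosened only as more scans are confirmed. Choosing the smallest cluster as the anomaly is a heuristic that breaks down when a scan is wider than the normal population, which is why the analyst decision stays in the loop.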

Citation (APA)

Al-Hamami, A. H., & Al-Saadoon, G. M. W. (2014). Data mining approach in host and network-based intrusion prevention system. Studies in Computational Intelligence, 542, 213–231. https://doi.org/10.1007/978-3-319-04702-7_13
