Online Intrusion using Alert Aggregation with Generative Data Stream Modeling for Mobile Ad-hoc Networks
By: Ankit Malik (1RV08IS007), Arindam Biswas (1RV08IS010), Srinivas (1RV08IS051)
Under the guidance of: Swetha S.

Problem Statement:
Most intrusion detection systems focus on either routing protocols or their efficiency, but fail to address the security issues. The ultimate goal of the security solutions for wireless networks is to provide security services, such as authentication, confidentiality, integrity, anonymity, and availability, to mobile users. One drawback is the large number of alerts produced. Alerts can be given only in system logs. Existing IDSs do not have a general framework that can be customized by adding domain-specific knowledge as per the specific requirements of the users or network administrators.

Objectives:
It is a generative modeling approach using probabilistic methods. Assuming that attack instances can be regarded as random processes "producing" alerts, we aim at modeling these processes using approximate maximum likelihood parameter estimation techniques. Thus, the beginning as well as the completion of attack instances can be detected.
Intrusion alerts are sent to the mobile, which makes the process easier and more comfortable.
The Intrusion Detection System does not degrade system performance, as individual layers are independent and are trained with only a small number of features, resulting in an efficient system.
Our framework has the advantage that the type of attack can be inferred directly from the layer at which it is detected. As a result, specific intrusion response mechanisms can be activated for different attacks.
The system admin or user can get the alerts in their mobile.
Whenever an alert message is received in the message log of the server, the mobile receives the alert message too.

System Architecture (figure; labels: Database, IDS, Log Files, User/Admin, Sending Alerts to Mobile User, Intrusion Detected, Registration, Server, User Registration, File Sent if user is authorized)

Data Flow Diagrams: DFD Level 0, DFD Level 1, DFD Level 2 (figures)

Methodology:
There are 4 modules: Server, Client, DARPA Data Set, Mobile.
Following are the steps implemented in the modules given above:

The Server module acts as the Intrusion Detection System. It consists of four layers, viz. sensor layer, detection layer, alert processing layer and reaction layer. In addition, there is also a Message Log, where all the alerts and messages are stored for reference. This Message Log can also be saved as a log file for future reference in any network environment.

Client: In this module the client can enter only with a valid user name and password. If an intruder tries to enter by guessing passwords, an alert is given to the Server and the intruder is also blocked. In this module the client is able to send data. Whenever data is sent, the Intrusion Detection System checks the file. If the size of the file is large then it is restricted, or else the data is sent.

DARPA Dataset: This module is integrated in the Server module. This is an offline way of testing for intrusions. In this module, the DARPA Data Set is used to check the technique of the Online Intrusion Alert Aggregation with Generative Data Stream Modeling. The DARPA data set is downloaded and separated according to each layer.

Mobile: This module is developed using J2ME. The traditional system uses the message log for storing the alerts. In this system, the system admin or user can get the alerts in their mobile.
Whenever an alert message is received in the message log of the server, the mobile receives the alert message too.

Expected Outcome:
The system is divided into independent layers, which will help efficiency and performance. The number of alerts will be reduced and the system will work in offline and online modes. The number of missing attack instances is extremely low or even zero in some of our experiments. If there is no intrusion, the user will be logged in. Intrusions will be detected at user level, packet level and process level. When a certain input is given, the IDS will recognize the type of attack and pass it to all the subsequent layers.

Conclusion:
This project proposes a novel technique for online alert aggregation and generation of meta alerts. The reduced number of alerts will largely improve system performance. The reduction rate with respect to the number of alerts is up to 99.96 percent. The delay for the detection of attack instances is within the range of some seconds only.

Bibliography:
Alexander Hofmann and Bernhard Sick, "Online Intrusion Alert Aggregation with Generative Data Stream Modelling", IEEE Transactions on Dependable and Secure Computing, March-April 2011.
C.M. Bishop, Pattern Recognition and Machine Learning. Springer, 2006.
F. Valeur, G. Vigna, C. Krugel, and R.A. Kemmerer, "A Comprehensive Approach to Intrusion Detection Alert Correlation", IEEE Trans. Dependable and Secure Computing, July-Sept. 2004.
Stefano Basagni, Marco Conti, Silvia Giordano and Ivan Stojmenović, "Mobile Ad Hoc Networking".
Radhika Ranjan Roy, "Handbook of Mobility Models and Mobile Ad Hoc Networks".
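
The Objectives and Conclusion describe treating each attack instance as a process that "produces" alerts, detecting its beginning and completion, and replacing many alerts with a few meta alerts. The sketch below is an added example, not the project's code and not the algorithm from the cited paper: it is a simplified stand-in that uses only categorical attributes with smoothed maximum-likelihood estimates and a hard assignment threshold. The alert fields, the `min_ll` and `idle` thresholds, the smoothing constants and the sample alerts are all assumptions constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample alerts: (timestamp_s, source_ip, dest_ip, signature).
ALERTS = (
    [(t, "10.0.0.5", "10.0.0.9", "portscan") for t in range(0, 40)]
    + [(45 + t, "10.0.0.7", "10.0.0.9", "bruteforce") for t in range(0, 20)]
    + [(300 + t, "10.0.0.5", "10.0.0.9", "portscan") for t in range(0, 10)]
)

class Component:
    """One hypothesised attack instance: per-attribute value counts."""
    def __init__(self, alert):
        self.first = self.last = alert[0]
        self.counts = [Counter() for _ in alert[1:]]
        self.n = 0
        self.add(alert)

    def add(self, alert):
        self.last = alert[0]
        self.n += 1
        for counter, value in zip(self.counts, alert[1:]):
            counter[value] += 1

    def log_likelihood(self, alert, alpha=0.1, k=10):
        # Smoothed ML estimate per attribute; k is an assumed value-space size.
        return sum(math.log((c[v] + alpha) / (self.n + alpha * k))
                   for c, v in zip(self.counts, alert[1:]))

def aggregate(alerts, min_ll=-3.0, idle=60):
    """Return meta alerts as (first_ts, last_ts, alert_count, top_values)."""
    open_, closed = [], []
    for alert in sorted(alerts):
        # Completion: a component silent for more than `idle` seconds is closed.
        closed += [c for c in open_ if alert[0] - c.last > idle]
        open_ = [c for c in open_ if alert[0] - c.last <= idle]
        best = max(open_, key=lambda c: c.log_likelihood(alert), default=None)
        if best is not None and best.log_likelihood(alert) >= min_ll:
            best.add(alert)
        else:
            open_.append(Component(alert))  # beginning of a new attack instance
    return [(c.first, c.last, c.n, tuple(k.most_common(1)[0][0] for k in c.counts))
            for c in closed + open_]

def reduction_rate(alerts, metas):
    """Fraction of alerts the analyst no longer has to read individually."""
    return 1 - len(metas) / len(alerts)
```

On the constructed input, the repeated port scan after a long silence is reported as a separate attack instance rather than merged with the first, which is the "completion" behaviour the Objectives refer to.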