
International Journal of Computer Information Systems, Vol. 3, No. 4, 2011

Intruder Detection System Using Decision Tree Algorithm


Murugan S
Department Of Computer Science Engineering, Hindustan University, Chennai, India, mailrugan@yahoo.com

Arunkumar R
Department Of Computer Science Engineering, Hindustan University, Chennai, India, arueng@gmail.com

SakthiPriya P
Department Of Computer Science Engineering, Hindustan University, Chennai, India, smartsakthis@gmail.com

Chrystal Amutha D
Assistant Professor, Department Of Computer Science Engineering, Hindustan University, Chennai, India, chrystalamutha@gmail.com

Abstract - Data mining methods have been used to build intruder detection systems based on anomaly detection. Data mining algorithms discover useful, previously unknown knowledge by analyzing large databases. The aim is to characterize the normal system activities with a profile by applying mining algorithms to audit data, so that intruders can be detected by creating log entries and comparing valid-user activity with the intruder data in those entries. Apply Data Mining to Intruder Detection is a system developed to impart security to the files accessed by the users logging into a secured network. The goal of this project is to provide a general framework for an adaptive intruder detection module that utilizes the decision tree algorithm. The client requests a file. The server authenticates the client and displays the appropriate file. By providing access rights to the files, authentication and secrecy can be enforced.

Keywords: anomaly detection, decision tree algorithm, authentication and secrecy.

I. INTRODUCTION

Intrusion Detection Systems (IDS) allow detecting inappropriate, incorrect, or anomalous activity in computer networks. ID systems that operate on a host to detect malicious activity on that host are called host-based ID systems, and ID systems that operate on network data flows are called network-based ID systems. A host-based IDS is typically a piece of software loaded on the system to be monitored. The IDS software uses log files and/or the system's auditing agents as sources of data. Host-based IDS involves not only looking at the communications traffic in and out of a single computer, but also checking the integrity of the system files and watching for suspicious processes. To get complete coverage at the monitored site with host-based IDS, the host-based IDS needs to be loaded on every computer. There are two primary classes of host-based intrusion detection software: host wrappers/personal firewalls and agent-based software. Both approaches are much more effective in detecting trusted-insider attacks (so-called anomalous activity) than network-based IDS is, and both are relatively effective for detecting attacks from the outside. Host wrappers or personal firewalls can be configured to look at all network packets, connection attempts, or login attempts to the monitored machine. This function can also include dial-in attempts or other non-network communication ports.

A network-based IDS monitors the traffic on its network segment as a data source. This is generally accomplished by placing the network interface card in promiscuous mode to capture all network traffic that crosses its network segment. Network traffic on other segments cannot be monitored. Network-based IDS involves looking at the packets on the network as they pass by some sensor. The sensor can only see the packets that happen to be carried on the network segment it is attached to. Packets are considered to be of interest if they match a signature. The three primary types of signatures are:
1. String signatures: look for a text string that indicates a possible attack.
2. Port signatures: look for connection attempts to well-known, frequently attacked ports.
3. Header signatures: monitor for dangerous or illogical combinations in packet headers.
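The three signature types above, as an added example that is not part of the paper: a minimal matcher that runs one string, one port and one header signature over constructed packet records. The signature format and the packet dict shape (decoded source address, destination port, TCP flags, raw payload) are assumptions made for the example.

```python
import re

# Constructed signature set in an assumed format (not from the paper), one of
# each type the paper names: a string, a port and a header signature.
SIGNATURES = [
    {"type": "string", "name": "shell-path-in-payload", "pattern": rb"/bin/sh"},
    {"type": "port", "name": "telnet-connect-attempt", "ports": {23}, "flags": {"SYN"}},
    {"type": "header", "name": "syn-fin-illogical-flags", "flags": {"SYN", "FIN"}},
]

def match(sig, pkt):
    """True when a packet (dict of decoded header fields plus raw payload) matches sig."""
    if sig["type"] == "string":    # string signature: text that indicates a possible attack
        return re.search(sig["pattern"], pkt["payload"]) is not None
    if sig["type"] == "port":      # port signature: connection attempt (SYN) to a watched port
        return pkt["dport"] in sig["ports"] and sig["flags"] <= pkt["flags"]
    if sig["type"] == "header":    # header signature: flag combination that should not occur
        return sig["flags"] <= pkt["flags"]
    raise ValueError("unknown signature type: " + sig["type"])

def scan(packets, signatures=SIGNATURES):
    """Alerts as (signature name, source ip) for every packet that matches a signature."""
    return [(s["name"], p["src"]) for p in packets for s in signatures if match(s, p)]

# Constructed packets, as a sensor on one segment would see them (decoded fields only).
PACKETS = [
    {"src": "192.0.2.10", "dport": 80, "flags": {"ACK", "PSH"}, "payload": b"GET / HTTP/1.1"},
    {"src": "192.0.2.11", "dport": 23, "flags": {"SYN"}, "payload": b""},
    {"src": "192.0.2.12", "dport": 443, "flags": {"SYN", "FIN"}, "payload": b""},
    {"src": "192.0.2.13", "dport": 8080, "flags": {"ACK", "PSH"}, "payload": b"cmd=/bin/sh"},
]
```

Only the first packet, ordinary web traffic, produces no alert; the other three each trip exactly one signature type.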

October Issue

Page 153 of 179

ISSN 2229 5208

Both network-based and host-based IDS have pros and cons. Very often, a combination of both technologies is used in the network for complete protection. Figuring out where to use each type and how to integrate the data is a real and growing concern.

II. LITERATURE SURVEY

System study is the first stage of the system development life cycle. It gives a clear picture of what the physical system actually is. In practice, the system study is done in two phases. In the first phase, a preliminary survey of the system is done, which helps in identifying the scope of the system. The second phase of the system study is a more detailed and in-depth study in which the users' requirements and the limitations and problems of the present system are identified. To describe the system study phase more analytically, we would say that it passes through the following steps:
1. problem identification and project initiation
2. background analysis
3. inference or findings

III. ACTIVITIES

In information security, intrusion detection is the act of detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource. Intrusion detection does not, in general, include prevention of intrusions. Intrusion detection can be performed manually or automatically. Manual intrusion detection might take place by examining log files or other evidence for signs of intrusions, including network traffic. A system that performs automated intrusion detection is called an Intrusion Detection System (IDS). An IDS can be either host-based, if it monitors system calls or logs, or network-based, if it monitors the flow of network packets.

Once an intrusion has been detected, the IDS issues alerts notifying administrators of this fact. The next step is undertaken either by the administrators or by the IDS itself, by taking advantage of additional countermeasures (specific block functions to terminate sessions, backup systems, routing connections to a system trap, legal infrastructure etc.) following the organization's security policy. An IDS is an element of the security policy.

IV. EXISTING SYSTEM

Though there are many levels of access protection for computing and network resources, intruders are still finding ways to enter many sites and systems and are causing major damage. So the task of providing and maintaining proper security in a network system becomes a challenging issue. In the existing system, the users are authenticated using their login and password codes. Any user can view the files stored in the server if the login and password codes are known; additional security checks and an intruder list are not provided in the existing system. The existing system does not have categorized users, and data mining concepts are not used. A separate module for the administrator is not present in the existing system, and hence user categorization and news publishing are not included in it. This requirement led to the development of the proposed system, where user categorization and intruder detection using data mining concepts were given more importance.

LIMITATIONS OF EXISTING SYSTEM:
a. Users are authenticated using their login and password.
b. Any user can view the file if they know the login & password.
c. Additional security checks & an intruder list are not provided.
d. Data mining concepts are not used.

V. PROPOSED SYSTEM

In the proposed system, the data mining technique is applied for determining the number of intruders. The users are validated using their login, password and secret codes. If the user login is valid, they are given access to view files according to their category classification. If the user is an intruder, an alert message is displayed. The administrator uses the data mining techniques to determine the intruder list from the user database. The administrator has the facility to add new users, modify the user details and delete users. The users in this system are categorized, and hence the administrator has the facility to add a new category, modify its details or delete it. The same can be done for news publishing, an additional feature wherein notifications for different users are published.

Figure 1. Intruder Detection System Activities


VI. SYSTEM ARCHITECTURE

[Figure: system architecture flowchart with the nodes User, Password, Wrong Attempt (<2 / >2), Correct, Enter into System, Decision Tree Algorithm (DTA), Action and Root Node as Hacker: a correct password lets the user enter the system, while wrong attempts exceeding 2 pass the user to the DTA, whose action marks the root node as hacker.]

VII. MODULES
a. Server Module
b. User Module
c. User Management
d. Category Management
e. News Management
f. Users Log Module

A. SERVER MODULE
1. The Server Module has sub-modules, namely User Management, Category Management, News Management and Report.
2. The administrator is authorized to add, modify or delete user details, category and news details via the sub-modules.
3. The administrator uses the data mining techniques to determine the intruder list from the user database.
4. The administrator checks the report for intruder detection.

B. USER MODULE
1. This module is used to create new users in our application, which are stored in a table with user details such as first name, last name, user name, password, category name, category code, secret code and mail id.
2. In this module the category should be loaded from the category table, in which the category code and secret code are already inserted.
3. In User Management we can add, edit and delete users, which are updated in a separate table.

C. USER MANAGEMENT MODULE
1. User Management is used to allot the user id and password.
2. It is used to allow the users into the next level by authenticating the secret code and pass code.
3. Users can view the news.
4. Users can access the files based on their category.

D. CATEGORY MANAGEMENT MODULE
1. In this module, the categorization of users is done. The category type should be assigned by the administrator.
2. Category codes and secret codes should be assigned by the admin.
3. This category code and secret code should be loaded while assigning the users in the users module.
4. In Category Management we can add, edit and delete categories, which are updated in a separate table.

E. NEWS MANAGEMENT MODULE
1. In this module we can create news, which is assigned to the users of a particular category.
2. The news is viewed by the users who log into their particular category; one cannot view the news of other categories.
3. In News Management we can add, edit and delete news.

F. USERS LOG MODULE
1. The Users Log module is used to generate the reports, which are based on the decision tree algorithm.
2. Decision tree algorithm based reports are used to find the list of intruders by IP address, entry time, username, mail id and age.

VIII. DECISION TREE ALGORITHM

Decision trees are powerful and popular tools for classification and prediction. The attractiveness of decision trees is due to the fact that, in contrast to neural networks, decision trees represent rules. Rules can readily be expressed so that humans can understand them, or even directly used in a database access language so that records falling into a particular category may be retrieved. A decision tree is a classifier in the form of a tree structure (see Figure 1), where each node is either: (i) a leaf node, which indicates the value of the target attribute (class) of examples, or (ii) a decision node, which specifies some test to be carried out on a single attribute value, with one branch and sub-tree for each possible outcome of the test.



Figure 3. Decision Tree

A decision tree can be used to classify an example by starting at the root of the tree and moving through it until a leaf node is reached, which provides the classification of the instance. The key requirements for doing mining with decision trees are:
a. Attribute-value description: the object or case must be expressible in terms of a fixed collection of properties or attributes. This means that we need to discretize continuous attributes, or this must have been provided for in the algorithm.
b. Predefined classes (target attribute values): the categories to which examples are to be assigned must have been established beforehand (supervised data).
c. Discrete classes: a case does or does not belong to a particular class, and there must be more cases than classes.
d. Sufficient data: usually hundreds or even thousands of training cases.
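The users-log report of Section VII-F and the decision tree of Section VIII, as an added example that is not part of the paper: an ID3-style tree (information gain, leaf = class, decision node = attribute test with one branch per outcome) built from constructed login records with already-discretized attributes, then applied to constructed log entries to produce the intruder list by username and IP address. The attribute names, the training records, the log entries and the fail-closed default for an outcome never seen in training are all assumptions made for the example.

```python
from collections import Counter
from math import log2

# Constructed training records (not from the paper): attributes the users-log
# module reports on, plus the label the administrator assigned to each login.
ATTRS = ["wrong_attempts", "secret_code_ok", "entry_time"]
RECORDS = [  # (wrong_attempts, secret_code_ok, entry_time, label)
    ("0", "yes", "office", "valid"), ("1", "yes", "office", "valid"),
    ("0", "yes", "night", "valid"), ("1", "no", "office", "valid"),
    (">2", "no", "night", "intruder"), (">2", "yes", "night", "intruder"),
    (">2", "no", "office", "intruder"), ("2", "no", "night", "intruder"),
    ("2", "yes", "office", "valid"), ("0", "no", "night", "valid"),
]

def entropy(rows):  # Shannon entropy of the class labels (last field)
    n = len(rows)
    return -sum(c / n * log2(c / n) for c in Counter(r[-1] for r in rows).values())

def info_gain(rows, i):  # entropy reduction from splitting on attribute index i
    gain = entropy(rows)
    for v in {r[i] for r in rows}:
        part = [r for r in rows if r[i] == v]
        gain -= len(part) / len(rows) * entropy(part)
    return gain

def build_tree(rows, attrs):  # ID3: leaf when pure or out of attributes, else best split
    labels = [r[-1] for r in rows]
    if len(set(labels)) == 1 or not attrs:
        return Counter(labels).most_common(1)[0][0]   # leaf node = class value
    best = max(attrs, key=lambda a: info_gain(rows, ATTRS.index(a)))
    i, rest = ATTRS.index(best), [a for a in attrs if a != best]
    return (best, {v: build_tree([r for r in rows if r[i] == v], rest)  # decision node
                   for v in {r[i] for r in rows}})

def classify(tree, record, default="intruder"):  # root to leaf; unseen outcome fails closed
    while isinstance(tree, tuple):
        attr, branches = tree
        tree = branches.get(record[ATTRS.index(attr)], default)
    return tree

SAMPLE_LOG = [  # constructed users-log entries (the fields the report lists)
    {"user": "alice", "ip": "10.0.0.5", "wrong_attempts": "0", "secret_code_ok": "yes", "entry_time": "office"},
    {"user": "bob", "ip": "10.0.0.7", "wrong_attempts": ">2", "secret_code_ok": "no", "entry_time": "night"},
    {"user": "carol", "ip": "10.0.0.9", "wrong_attempts": "2", "secret_code_ok": "yes", "entry_time": "night"},
]

def intruder_report(tree, entries):  # (username, ip) of every entry classified as intruder
    return [(e["user"], e["ip"]) for e in entries
            if classify(tree, tuple(e[a] for a in ATTRS)) == "intruder"]
```

On these records the root test is wrong_attempts, mirroring the flowchart's "more than 2 wrong attempts" rule, and the report lists only bob.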

IX. CONCLUSION

This paper focused on the detection of intruders in a system based on the binary tree algorithm. This shows how security is provided to the system as well as to the user details. Apply Data Mining to Intruder Detection is a system developed to impart security to the files accessed by the users logging into a secured network.

AUTHORS PROFILE

Murugan S, Chennai, 09.09.1988, M.E computer science and engineering, School of computing sciences and engineering, Hindustan University, Chennai, Tamil Nadu, India.

Arunkumar R, Chennai, 20.06.1987, M.E computer science and engineering, School of computing sciences and engineering, Hindustan University, Chennai, Tamil Nadu, India.

Sakthipriya P, Chennai, 06.08.1989, M.E computer science and engineering, School of computing sciences and engineering, Hindustan University, Chennai, Tamil Nadu, India.

Chrystal Amutha D, Assistant Professor, Department Of Computer Science Engineering, Hindustan University, Chennai, India, chrystalamutha@gmail.com

