What is the best way to store rule sets generated from a Genetic Algorithm for an Intrusion Detection System (IDS)? And how can these rules be used for testing new network traffic?
Can you write Snort rules that are generated from your algorithms? Snort rules are the most popular IDS rules. You could subsequently add these rules to your Snort installation and run them on live network traffic. But I am really curious to know what your genetic algorithms are and how those rules look.
Actually I am trying to generate rules from the training data set provided by the DARPA datasets, using a Genetic Algorithm, that can be used on real-world network traffic. Also, using a Genetic Algorithm, we can derive new rules and classes.
Your work is nice. You generate rules to detect intrusions using a GA. But if your task is to use the rules on a real-world network, then it will not work, because most of the attacks present in the KDD dataset are obsolete. The attacks do not work on current OSs; for example, SATAN is meant for Win95/98, but it will not work from Win XP onward.
Do one thing: prepare a testbed and launch attacks using another computer. Store the attack patterns and apply your logic. To implement it for solving a real-world problem, you should convert the rules into Snort/Suricata format. These are popular open IDSs in the research community.
If you have any doubt, you can share your problem with me.
How can I launch different attacks using another computer? Can you give some examples? E.g. if the attack packet has certain values of Src IP, Dst IP, Dst port etc., then it is of this attack. Using such individual examples as chromosomes in terms of a Genetic Algorithm, I can find the best possible rules. Please help me with such examples.
I don't think you are approaching the problem correctly. If the SRC/DEST IP, PORT etc. are known, we don't need genetic algorithms. We could use those values directly to write Snort rules to stop the attacks.
I would recommend you read some papers on using genetic algorithms for IDS.
For example, here is the exact paper that you were attempting to do:
http://bit.csc.lsu.edu/~jianhua/krish-1.pdf Quoting from their paper:
"The final goal of applying GA is to generate rules that match only the anomalous connections. These rules are tested on historical connections and are used to filter new connections to find suspicious network traffic." But this makes no real sense in practice.
Also, it is very difficult to get such "labelled" data, unless the attacks are very specific. Setting up a network, launching attacks and collecting data would be too much effort unless you have the relevant expertise, bandwidth, resources etc.
I would recommend searching this website http://www.secrepo.com/ for lots of freely available data (sometimes labelled too).
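To make the idea in the quoted paper and the earlier posts concrete (chromosomes built from header fields such as source network, destination port and protocol; a fitness that rewards matching only anomalous connections; and export of the winning rule in Snort/Suricata format), here is a small, self-contained genetic algorithm. This is an added example and not code from anyone in this thread or from the cited paper. The labelled connection records, the three-field feature set, the gene alphabets, the fitness objective (detection rate minus a doubled false-positive rate) and the Snort `sid` value are all constructed assumptions for illustration; a real experiment would use DARPA/KDD-style features or a testbed capture.

```python
"""Toy genetic algorithm that evolves header rules from labelled connection
records and exports the winner as a Snort/Suricata rule.

Added example, not code from the thread's authors or the cited paper. The
dataset, the feature set (src_net, dst_port, proto), the gene alphabets and
the fitness objective are constructed for illustration only."""
import ipaddress
import random

# Constructed labelled connections: (src_ip, dst_port, proto, label).
# The attack traffic is TCP telnet from 10.0.0.0/24. The normal rows are
# chosen so that every rule with a wildcard in any field produces at least
# one false positive, i.e. only one chromosome scores perfectly.
DATASET = [
    ("10.0.0.5", 23, "tcp", "attack"),
    ("10.0.0.7", 23, "tcp", "attack"),
    ("10.0.0.9", 23, "tcp", "attack"),
    ("10.0.0.5", 80, "tcp", "normal"),     # same subnet, web traffic
    ("10.0.0.7", 443, "tcp", "normal"),
    ("10.0.0.6", 23, "udp", "normal"),     # same subnet and port, other proto
    ("192.168.1.4", 23, "tcp", "normal"),  # telnet from an admin LAN
    ("192.168.1.9", 22, "tcp", "normal"),
    ("172.16.3.2", 80, "tcp", "normal"),
    ("172.16.3.3", 53, "udp", "normal"),
    ("192.168.1.2", 53, "udp", "normal"),
]

# Gene alphabets; None is a wildcard ("any" in Snort terms).
SRC_NETS = [None, "10.0.0.0/24", "192.168.1.0/24", "172.16.0.0/16"]
DST_PORTS = [None, 22, 23, 53, 80, 443]
PROTOS = [None, "tcp", "udp"]
ALPHABET = (SRC_NETS, DST_PORTS, PROTOS)


def matches(rule, conn):
    """A chromosome is (src_net, dst_port, proto); None matches anything."""
    src_net, dst_port, proto = rule
    src_ip, port, prot, _label = conn
    if src_net is not None and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(src_net):
        return False
    if dst_port is not None and port != dst_port:
        return False
    if proto is not None and prot != proto:
        return False
    return True


def evaluate(rule, dataset):
    """Return (true_positives, false_positives) of a rule over the dataset."""
    tp = sum(1 for c in dataset if c[3] == "attack" and matches(rule, c))
    fp = sum(1 for c in dataset if c[3] == "normal" and matches(rule, c))
    return tp, fp


def fitness(rule, dataset):
    """Detection rate minus a doubled false-positive rate (our own choice of
    objective): a rule that matches only anomalous connections scores 1.0."""
    tp, fp = evaluate(rule, dataset)
    n_attack = sum(1 for c in dataset if c[3] == "attack")
    n_normal = len(dataset) - n_attack
    return tp / n_attack - 2.0 * fp / n_normal


def evolve(dataset, generations=40, pop_size=20, mutation_rate=0.2, seed=7):
    """Tournament selection, uniform crossover, per-gene mutation, elitism.
    The seed is fixed so the run is reproducible."""
    rng = random.Random(seed)
    population = [tuple(rng.choice(a) for a in ALPHABET) for _ in range(pop_size)]

    def tournament():
        a, b = rng.sample(population, 2)
        return max(a, b, key=lambda r: fitness(r, dataset))

    for _ in range(generations):
        best = max(population, key=lambda r: fitness(r, dataset))
        children = [best]  # elitism: the best rule survives unchanged
        while len(children) < pop_size:
            p1, p2 = tournament(), tournament()
            child = tuple(rng.choice(pair) for pair in zip(p1, p2))  # uniform crossover
            child = tuple(rng.choice(a) if rng.random() < mutation_rate else g
                          for g, a in zip(child, ALPHABET))          # mutation
            children.append(child)
        population = children
    return max(population, key=lambda r: fitness(r, dataset))


def to_snort(rule, sid, msg="GA-evolved rule"):
    """Render a chromosome as a Snort/Suricata rule; wildcards become 'any'
    (or 'ip' for the protocol). The sid is the caller's choice."""
    src_net, dst_port, proto = rule
    return (f"alert {proto or 'ip'} {src_net or 'any'} any -> any "
            f"{dst_port if dst_port is not None else 'any'} "
            f'(msg:"{msg}"; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    best = evolve(DATASET)
    print("best rule:", best, "tp/fp:", evaluate(best, DATASET))
    print(to_snort(best, sid=1000001))  # sid in the local-rules range, assumed
```

The point the previous reply makes still holds: on a dataset this small the winning rule can be read off by eye, so the GA only pays for itself when the feature space is too large to enumerate. The `to_snort` output is what you would append to a local rules file and test with `snort -T` (or the Suricata equivalent) before running it on live traffic; note that a header-only rule like this carries no payload content match, so it says nothing about what the connection actually did.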
I am trying to generate rules from various traffic patterns using a GA. I needed datasets for various traffic patterns. For this, I will surely use secrepo and other new datasets. The model I developed will self-learn new types of attacks as well after it is trained using the GA. Thanks for the suggestion.