Detecting Multi-stage Attacks using Sequence-to-Sequence Model

ABSTRACT:

This paper describes a novel approach using Hidden Markov Models (HMM) to detect complex Internet attacks. These attacks consist of several steps that may occur over an extended period of time. Within each step, specific actions may be interchangeable. A perpetrator may deliberately use a choice of actions within a step to mask the intrusion. In other cases, alternate action sequences may be random (due to noise) or because of lack of experience on the part of the perpetrator. For an intrusion detection system to be effective against complex Internet attacks, it must be capable of dealing with the ambiguities described above. We describe research results concerning the use of HMMs as a defense against complex Internet attacks. We describe why HMMs are particularly useful when there is an order to the actions constituting the attack (that is, for the case where one action must precede or follow another action in order to be effective). Because of this property, we show that HMMs are well suited to address the multi-step attack problem. In a direct comparison with two other classic machine learning techniques, decision trees and neural nets, we show that HMMs perform generally better than decision trees and substantially better than neural networks in detecting these complex intrusions.
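The ordering property described in the abstract, as an added illustration (not code from the paper or from this project): a three-stage left-to-right HMM scored with the forward algorithm. The stage names, action names, probabilities and threshold are all assumed values constructed for the example.

```python
import math

# Assumed three-stage attack model; every name and number here is constructed.
STAGES = ["recon", "exploit", "exfil"]
STAGE_ACTIONS = {  # interchangeable actions within each step
    "recon": ["ping_sweep", "port_scan"],
    "exploit": ["sql_injection", "buffer_overflow"],
    "exfil": ["ftp_upload", "dns_tunnel"],
}
START = [1.0, 0.0, 0.0]            # an attack begins in the first stage
TRANS = [[0.6, 0.4, 0.0],          # left-to-right: stay, or advance one stage
         [0.0, 0.6, 0.4],
         [0.0, 0.0, 1.0]]
UNSEEN = 1e-6                      # floor for actions outside the vocabulary

def build_emissions(own=0.45, other=0.025):
    """Each stage emits its own actions with high probability, others as noise."""
    vocab = [a for acts in STAGE_ACTIONS.values() for a in acts]
    return [{a: (own if a in STAGE_ACTIONS[s] else other) for a in vocab}
            for s in STAGES]

EMIT = build_emissions()

def log_likelihood(seq):
    """Scaled forward algorithm: log P(seq | model)."""
    if not seq:
        raise ValueError("empty observation sequence")
    n = len(STAGES)
    alpha = [START[i] * EMIT[i].get(seq[0], UNSEEN) for i in range(n)]
    total = 0.0
    for obs in seq[1:]:
        scale = sum(alpha)         # rescale each step to avoid underflow
        total += math.log(scale)
        alpha = [a / scale for a in alpha]
        alpha = [sum(alpha[i] * TRANS[i][j] for i in range(n))
                 * EMIT[j].get(obs, UNSEEN) for j in range(n)]
    return total + math.log(sum(alpha))

def matches_attack(seq, threshold=-2.0):
    """Flag a sequence whose mean per-event log-likelihood clears the threshold."""
    return log_likelihood(seq) / len(seq) >= threshold

if __name__ == "__main__":
    ordered_a = ["ping_sweep", "sql_injection", "ftp_upload"]
    ordered_b = ["port_scan", "buffer_overflow", "dns_tunnel"]
    reversed_order = ["ftp_upload", "sql_injection", "ping_sweep"]
    for s in (ordered_a, ordered_b, reversed_order):
        print(s, round(log_likelihood(s), 3), matches_attack(s))
```

Swapping one action for another within a stage leaves the score unchanged, while the same actions in reverse order score far lower because the transition matrix has no path backwards.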

EXISTING SYSTEM :

Other researchers have also studied multi-stage Internet attacks. For example, work at Stanford Research Institute (SRI) [2] has included a probabilistic approach to intrusion detection. The SRI approach calculates the similarity between alerts of various types, emanating from multiple sensors. If the alerts are sufficiently similar, they are fused into a meta-alert that summarizes the information contained in the individual alerts. In the SRI approach, the probability of transitioning from one attack phase to another (attack states in our formulation) is specified by the incident class similarity matrix. This matrix is comparable to the state transition matrix in the HMM representation. Therefore, a significant difference between our approach and the SRI approach is that we compute the state transition matrix automatically, using ML techniques, whereas the SRI approach derives the incident class similarity matrix manually, using human judgment. However, an HMM could be used as a source for the correlated attack reports, discussed in Ref. [2], using the meta-alerts as input.

EXISTING SYSTEM DISADVANTAGES:

1. LESS ACCURACY

2. LOW EFFICIENCY

PROPOSED SYSTEM :

Considering the precision, recall, and F-measure calculations, these values are very good, except for those categories where there are insufficient training and test examples. In addition, for categories 2 and 7, the classifier attained a high value for precision, but a low value for recall. This means that for those categories the classifier had few false positives but had a high proportion of false negatives. This could mean that the training population, with only a few examples, had almost no positive examples, causing the classifier to learn that almost all examples should be labelled as negative. Figure 5 shows the ROC curves [21] obtained from the testing activity. Note that the ROC curves presented in Figure 6 were obtained from the category 1 testing data. ROC curves for the other categories are similar. The point that should be made regarding this figure is that the ROC curves gain most of their performance in the region from 0 to 40 percent false alarm rate, and the ROC curves improve as the training level is increased.

PROPOSED SYSTEM ADVANTAGES:

1. HIGH ACCURACY

2. HIGH EFFICIENCY

SYSTEM REQUIREMENTS
SOFTWARE REQUIREMENTS:
• Programming Language : Python
• Front End Technologies : TKInter/Web(HTML,CSS,JS)
• IDE : Jupyter/Spyder/VS Code
• Operating System : Windows 08/10

HARDWARE REQUIREMENTS:

• Processor : Core I3
• RAM Capacity : 2 GB
• Hard Disk : 250 GB
• Monitor : 15″ Color
• Mouse : 2 or 3 Button Mouse
• Keyboard : Windows 08/10
