
Integrating Artificial Intelligence into Snort IDS

Abhijat Tripathi
Department of Computer Science and Engineering, Gautam Buddha Technical University, Lucknow, India
abhijat@jssaten.org.in

Abstract: Snort is an Intrusion Detection System that uses a signature-based approach to form rules for detecting anomalies and various kinds of network attacks. This paper presents a method to integrate an artificial neural network (ANN) into Snort as a preprocessor module to detect any kind of portscan attempt on the network. An ANN has the property of generalization, adapts itself to the network and can classify malicious packets. AI enables Snort to learn about the network, differentiate between normal and malicious traffic and detect genuine portscan attempts, which reduces the number of false alarms generated.

Keywords: Snort, Artificial neural network, portscan, IDS, Snort pre-processor.

I. INTRODUCTION

As networks develop, new types of attacks evolve, and anomaly-based IDS are not able to categorize each type of attack. To detect new types of attack, Artificial Intelligence techniques such as neural networks need to be used. Using this technique simplifies the developer's work, as an artificial neural network has the capability to adapt to the network; it is only necessary to have adequate simulation tools, and they will create the code for you. Artificial Intelligence techniques can be used to learn the network behaviour and then filter the alarms reported by the IDS, to reduce false alarms. Snort is a popular open source Network Intrusion Detection System [4]. Figure 1 shows the Snort component dataflow.

Snort can be divided into five major components, each critical to intrusion detection. The first is the packet capturing mechanism: Snort relies on an external packet capturing library (libpcap) to sniff packets. After packets have been captured in raw form, they are passed to the packet decoder, which is the first step in Snort's own architecture. The packet decoder translates specific protocol elements into an internal data structure. After the initial packet capture and decode is completed, traffic is handled by the preprocessors. Any number of pluggable preprocessors either examine or manipulate packets before handing them to the next component, the detection engine. The detection engine performs simple tests on a single aspect of each packet to detect intrusions. The last component is the output plugins, which generate alerts to present suspicious activity to the user.

Figure 1: Snort component dataflow

II. INTEGRATING ARTIFICIAL NEURAL NETWORK IN SNORT

Snort can be extended in a number of ways: adding an output mechanism for a specific use, adding a complex protocol decoder, or adding detection plug-ins for a new method of detection. Figure 2 shows the external workflow of the Snort preprocessor. The integrated ANN preprocessor gets new data streams from the Flow preprocessor, then detects and analyzes the data; if an abnormality is found, it produces the alert file and records it in the log file, otherwise the process produces an analysis file of the data stream so that the administrator can check the information of the network through a website. The preprocessor prototype is based on another preprocessor that comes by default with Snort, called Flow. Flow, as its name implies, is responsible for managing the flows identified in the captured packets. In this case, Flow is responsible for calling a method on the prototype preprocessor each time it gets a packet that belongs to a new flow, handing the preprocessor the first packet of this new flow. In other words, the prototype receives only the packets attempting to make a new connection.

Figure 2: External workflow of ANN Preprocessor

Figure 3 shows the internal structure of the ANN preprocessor. The modules are as follows:

Hash table processing: This module writes the important packet parameters obtained from the Flow preprocessor into hash tables. According to the features of the different attacks, it picks up and extracts the different feature variations, and these variations can identify the attack.

Data adaptation for ANN: This module specifies the feature parameters, sets the relations between the features and generates the ANN input data. Because ANN input data must be numeric rather than strings, the input data must be encoded.

ANN processing: This is the execution process of the ANN, which generates the result for the input data.

Filter module: The output value of the ANN depends on the inputs, weights, transfer function and other NN algorithms. The output is a float value between 0 and 1, so a threshold value must be set for the output. If the threshold is too low, there will be many false positives but few false negatives; if it is too high, there will be few false positives but many false negatives. So the threshold value must be chosen carefully; after many experiments the threshold is set so that both false negatives and false positives are low.
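The filter module's trade-off, worked through on constructed data as an added example (not code from the paper): the ANN's "abnormal" output unit is assumed to produce a value in [0, 1], and the threshold with the fewest total errors is picked the way the paper's repeated experiments do.

```python
# Constructed ANN outputs for flows whose true class is known. Each pair is
# (abnormal_output, is_portscan); abnormal_output is the value of the
# "0 1" (abnormal) output unit, assumed to lie in [0, 1].
SCORED_FLOWS = [
    (0.05, False), (0.12, False), (0.35, False), (0.48, False), (0.61, False),
    (0.42, True), (0.52, True), (0.57, True), (0.83, True), (0.91, True), (0.97, True),
]

def filter_module(abnormal_output, threshold):
    """Filter module: alert only when the ANN's abnormal output exceeds the threshold."""
    return abnormal_output > threshold

def error_counts(scored, threshold):
    """Return (false_positives, false_negatives) produced by the filter at this threshold."""
    fp = sum(1 for out, scan in scored if filter_module(out, threshold) and not scan)
    fn = sum(1 for out, scan in scored if not filter_module(out, threshold) and scan)
    return fp, fn

def choose_threshold(scored, candidates):
    """Pick the candidate threshold with the fewest total errors (FP + FN):
    a low threshold inflates FP, a high one inflates FN, as the paper notes."""
    return min(candidates, key=lambda t: sum(error_counts(scored, t)))

if __name__ == "__main__":
    for t in (0.3, 0.5, 0.7):
        print(f"threshold {t}: (FP, FN) = {error_counts(SCORED_FLOWS, t)}")
    print("chosen threshold:", choose_threshold(SCORED_FLOWS, (0.3, 0.5, 0.7)))
```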

Figure 3: Internal Workflow of ANN Preprocessor

III. IMPLEMENTATION OF THE INTEGRATED ANN PORTSCAN PREPROCESSOR

This paper studies a portscan preprocessor based on a neural network. First, the features of a port scan attack are analyzed to extract from packets the variations used as ANN input data; the variations of a port scan should be related to connection counts and times, such as the number of connections of the source/destination IP address, average connection times and so on. Second, SNNS (Stuttgart Neural Network Simulator) is used to train an Elman neural network to identify the attack behaviours. The Elman neural network is a partial feedback network; the feedback can detect and identify time-varying patterns, and a port scan attack causes different connection timing between IP addresses, so this advantage of the Elman network lets it identify the problem. The Elman neural network model is shown in Figure 4: there are 7 input neurons and 2 output neurons, and in the middle layer there are 4 hidden neurons and 4 feedback neurons that record the previous-step outputs of the 4 hidden neurons.

Figure 4: Trained Elman NN

TABLE I: INPUTS OF ELMAN NEURAL NETWORK

Input          Detail
hits_as_dst    The number of connection requests received by this IP. If the value is high, it could mean this IP is being attacked.
hits_as_src    The number of connection requests sent by this IP. If the value is high, it means this IP is a port scanner.
Av_rcv_time    The average time between connection requests received by this IP address, i.e. how frequently connection requests are received. If the value is low, it could mean this IP is being attacked.
Av_snd_time    The average time between connection requests sent by this IP address, i.e. how frequently connection requests are sent. If the value is low, it could mean this IP is a port scanner.
Ack_rst_resp   The number of negative responses. If this value is high, it means the IP may be attacked.
Rh/has         The number of connection requests received by the source IP.
Rh/had         The number of connection requests received by the destination IP.

The Elman NN needs two input datasets: one group is the normal traffic dataset, the other is the portscan dataset. This article collected 2092 data records. The first input group is generated from normal traffic, with an output pattern (such as 1 0) meaning normal traffic; the second input group is generated from a controlled portscan sniffer, with an output pattern (such as 0 1) meaning abnormal traffic. SNNS then uses the two datasets to train the ANN, letting the weights of the ANN be amended and learned during processing until the ANN training succeeds. Finally the trained ANN is translated to C language and integrated into the Snort IDS preprocessor.

TABLE II: EACH NEURON BIAS OF THE TRAINED NETWORK

Layer            Unit        Bias
Input Layer      Input 1     -1.0
                 Input 2     -0.99803
                 Input 3     -0.91674
                 Input 4     0.64670
                 Input 5     0.27079
                 Input 6     0.81734
                 Input 7     -0.81540
Hidden Layer     Hidden 1    3.01484
                 Hidden 2    3.30964
                 Hidden 3    1.22628
                 Hidden 4    -3.69274
Output Layer     Output 1    0.76573
                 Output 2    0.501820
Feedback Layer   Feedback 1  0.0000
                 Feedback 2  0.0000
                 Feedback 3  0.0000
                 Feedback 4  0.0000

TABLE III: THE WEIGHTS OF THE NEURONS

               Input weights
Neuron units   Hidden 1    Hidden 2    Hidden 3    Hidden 4    Output 1    Output 2
Input 1        0.67315     0.00347     0.01646     1.75284     -1.82081    2.0822
Input 2        -0.07402    2.46868     1.49848     0.88362     5.88475     -5.88059
Input 3        8.00245     -0.43011    -3.64108    1.04675     -5.69745    5.68272
Input 4        10.82333    0.87862     -2.23034    -0.64424    5.85101     -5.8412
Input 5        2.16461     1.85528     0.26491     -1.5041
Input 6        1.07162     2.28586     5.6819      1.34372
Input 7        1.53913     -1.63398    -0.37378    -0.22217
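The hash table processing and data adaptation steps for the first five Table I inputs, as an added example (not the paper's preprocessor code). It assumes Flow delivers the first packet of each new flow as a (timestamp, src, dst, dst_port, rst_response) record and that a RST answer from the destination counts as the "negative response" of Ack_rst_resp; the flow records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of what Flow hands the preprocessor: the first packet of each
# new flow as (timestamp_s, src_ip, dst_ip, dst_port, rst_response). rst_response is
# True when the destination answered with a RST, i.e. a negative response (assumption).
NEW_FLOWS = [
    (0.00, "10.0.0.5", "10.0.0.9", 21, True),    # one host sweeping ports on 10.0.0.9
    (0.01, "10.0.0.5", "10.0.0.9", 22, False),
    (0.02, "10.0.0.5", "10.0.0.9", 23, True),
    (0.03, "10.0.0.5", "10.0.0.9", 25, True),
    (0.04, "10.0.0.5", "10.0.0.9", 80, True),
    (0.50, "10.0.0.7", "10.0.0.9", 80, False),   # ordinary clients
    (2.50, "10.0.0.8", "10.0.0.9", 22, False),
]

@dataclass
class IpEntry:
    """One hash-table entry per IP address holding the raw counters behind Table I."""
    hits_as_dst: int = 0                           # connection requests received
    hits_as_src: int = 0                           # connection requests sent
    rcv_times: list = field(default_factory=list)  # timestamps of requests received
    snd_times: list = field(default_factory=list)  # timestamps of requests sent
    ack_rst_resp: int = 0                          # negative (RST) responses sent

def avg_gap(times):
    """Average time between consecutive requests (timestamps arrive in order);
    0.0 when fewer than two requests have been seen."""
    if len(times) < 2:
        return 0.0
    return (times[-1] - times[0]) / (len(times) - 1)

def extract_features(flows):
    """Hash table processing plus data adaptation: a numeric vector per IP of
    (hits_as_dst, hits_as_src, Av_rcv_time, Av_snd_time, Ack_rst_resp)."""
    table = defaultdict(IpEntry)
    for ts, src, dst, _port, rst in flows:
        table[src].hits_as_src += 1
        table[src].snd_times.append(ts)
        table[dst].hits_as_dst += 1
        table[dst].rcv_times.append(ts)
        if rst:
            table[dst].ack_rst_resp += 1      # the scanned host is the one sending RSTs
    return {ip: (e.hits_as_dst, e.hits_as_src, avg_gap(e.rcv_times),
                 avg_gap(e.snd_times), e.ack_rst_resp) for ip, e in table.items()}

if __name__ == "__main__":
    for ip, vec in extract_features(NEW_FLOWS).items():
        print(ip, vec)
```

On this sample the sweeping host shows a high hits_as_src with a very low Av_snd_time, and the swept host a high hits_as_dst and Ack_rst_resp, which are exactly the Table I indications of a scanner and a target.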

Figure 5: Graph between Hits as Destination vs. No. of flows

Figure 6: Graph between Difference receive time vs. Time

Figure 7: Graph between Difference send time vs. Time

IV. CONCLUSIONS AND FUTURE WORKS

This article investigates the technology of integrating AI into a Snort preprocessor plug-in, which makes Snort IDS more intelligent in detecting new or variant network attacks. The intended future work is as follows. As for the detection engine of Snort IDS, a genetic algorithm can be used to reduce the number of rules applied to captured packets. New types of attack with little modification, like DoS, can be successfully detected by training the neural network.

ACKNOWLEDGMENT

This paper work was done under the supervision of Mrs. Gunjan Pahuja, Lecturer, J.S.S Academy of Technical Education, Noida, India.

REFERENCES

[1] J. Balthrop, S.F., and M.R. Glickman, Revisiting LISYS: parameters and normal behavior. Proceedings of the 2002 Congress on Evolutionary Computation, 2002, pp. 1045-1050.
[2] Sourcefire. What is Snort? 2010. Available from: http://www.snort.org
[3] Lane, T.a.B., C. E. Data Reduction Techniques for Instance-Based Learning from Human/Computer Interface Data. In Proceedings of the Seventeenth International Conference on Machine Learning, 2000.
[4] Neri, F. Comparing Local Search with respect to Genetic Evolution to Detect Intrusion in Computer Networks. In Proceedings of the 2000 Congress on Evolutionary Computation (CEC'2000), 2000.
[5] Hofmeyr, S.A., An Immunological Model of Distributed Detection and its Application to Network Security. PhD thesis, University of New Mexico, 1999.
