SNORT BASED HYBRID INTRUSION DETECTION SYSTEM WITH AUTOMATIC SIGNATURE GENERATION

Abstract

With the tremendous growth of network-based services and information on Internet, the number of the network hosts has sharply increased. But the network-based computers are often vulnerable; due to this reason we need systems to detect these vulnerabilities. Intrusion detection is the process of identifying suspicious activities on a target system or network. Intrusion Detection System (IDS) used today suffer from several shortcomings in the presence of complex and unknown attacks. Hence in this dissertation Snort based hybrid Intrusion Detection System with automatic signature generation is investigated. The problem of unknown attacks with IDS is solved using anomaly detection. Entropy is one of the well known detection technique used in intrusion detection. In this work, a system is designed with the help of Entropy based technique and integrated with real time system Snort (Signature based technique) so that it can have advantages of both techniques. A feature extraction system is designed which can be used for calculating the important features for which entropy can be calculated for anomaly detection. Another issue of IDS, hectic amount of alert data, has also been addressed by developing alert unification system which comprises of alert ranking and reduction system. Alert reduction system is used to efficiently unify alerts generated by hybrid IDS whereas alert ranking system is used to give ranks to those alerts according to their importance. Also signature database of IDS is very limited and it is very hectic to manually update it. For automating this task various signature generation systems were proposed. In this thesis, an automatic signature system based on honeypot is proposed with Real Time Rule Accession (RTRA) capability. Honeypot is used to collect attack data on the network which is used by association rule generation algorithm- for generating rules. These rules are added in Snort. An open source signature generation system. Honeycomb is compared with our system. The experiment results show the dominance of our system over honeycomb in respect to quantity, completeness and non-redundancy of rules.