
JOURNAL OF COMPUTING, VOLUME 3, ISSUE 6, JUNE 2011, ISSN 2151-9617 HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/ WWW.JOURNALOFCOMPUTING.ORG

Intrusion Detection Using Time-Inhomogeneous Hidden Bernoulli Model


Sadaf Tabassum, Malik Sikandar Hayat Khiyal and Aihab Khan
Fatima Jinnah Women University, Rawalpindi

Abstract: This paper presents a way to track hackers. We depend heavily on networking today, and it is widely used in all fields, so network security is becoming increasingly important. Systems are always at stake because of hackers' attacks, and it is increasingly important for every organization to secure its network against them. A system needs to be monitored in such a way that attacks on it can be identified. This research focuses on detecting attacks on the system and on the development of software designed to identify abnormal behavior of the system. The software identifies intrusion by using probability. Whenever there is an intrusion, the software informs the network administrator that there is an intrusion and that a hacker is trying to enter the system. This paper will also help open new horizons for coming researchers to extend the work in future. It is concluded that the Time-inhomogeneous Hidden Bernoulli Model (TIHBM) becomes faster in the training phase, and that probability is computed non-recursively in TIHBM. Results show that probability decreases when time increases at the same value of state, and that when both time and state are changed the probability shows different values.

Index Terms: Time-inhomogeneous Hidden Bernoulli Model, Intrusion Detection, Probability, Detection of abnormal behavior

1 INTRODUCTION
As the world is moving towards globalization at a much faster pace than ever before, everyone is getting more dependent on networking. We need to have networking everywhere. Each and every field of life, be it education or business, depends upon networking. It is a source of information and a source of knowledge as well. It is beyond our imagination how much we depend on the network in our daily life. Today the most important and readily available source of information is the internet, which is itself a collection of numerous networks. The dependence of human beings on networking is increasing every day. The increasing importance of networks has made them vulnerable. Today most thefts are done electronically over the network. The network is the most liked place for hackers and intruders to attack.

Hackers can attack a system in order to steal valuable information or, in some cases, money as well. So it is becoming increasingly important for organizations to make the network secure from hackers. This study is a part of the attempts being carried out to stop intrusion. The problem domain is network security. This study will result in the development of a system which aims to identify intruders and also to alert the system administrator that the system is endangered. The study addresses the intrusion problem by using a model named the Time-inhomogeneous Hidden Bernoulli Model (TIHBM). This model uses statistical techniques such as probability in order to identify the intrusion. The model is specific in its implications, and it uses the probability approach in order to measure the behavior of the system statistically.

TIHBM is a generalized Bernoulli process; it is not dependent upon a Markov process. In TIHBM dynamic programming is eliminated, and that makes the technique simpler. The computational complexity for the evaluation of the probability and the estimation of state is lower in TIHBM. The TIHBM is simpler and faster, and it can easily be used for the application [4]. This study will contribute to the existing body of knowledge through the uniqueness of its technique, which is based on the statistical technique of probability. This technique is used as the vehicle to reach the destination, i.e., to stop the intrusion. This study will open up new horizons for upcoming researchers to explore new dimensions in this existing model of intrusion detection.

Sadaf Tabussam is with the Fatima Jinnah Women University, the Mall Road, Rawalpindi.
Malik Sikander Hayat Khiyal is with the Department of Software Engineering, Fatima Jinnah Women University, the Mall Road, Rawalpindi.
Aihab Khan is with the Software Engineering Department, University of Fatimah Jinnah, the Mall, Rawalpindi.

2. PAPER ORGANIZATION
Section 1 of the paper is the introduction, while section 2 covers the work related to the topic. Section 3 presents the proposed framework of the study, and section 4 describes the technique used in the paper. Section 5 presents the experimental results, and the last section concludes the paper.

2 RELATED WORK

Ye and Chang [3] present a technique in which abnormality is detected using the chi-square statistic. A profile of normal events in an information system is built; events in the recent past are compared with this norm profile, and large departures from it are treated as anomalies, which are reported as intrusions. The performance of this technique was tested in an information system by differentiating normal events from intrusive events. In terms of a low false alarm rate and a high detection rate, the technique shows promising performance for intrusion detection, and intrusive events are detected at a very early stage. In that paper, the detection rate is calculated by session. Collectively, the results show that the multivariate statistical technique based on the chi-square test statistic achieves a false alarm rate of 0% and a detection rate of 100% by session. If intrusions in an information system cause small violations of the relationships between variables but large departures from the mean in some of the multiple variables, then the X² statistic and Hotelling's T² statistic can be equally effective for intrusion detection. Intrusion detection needs a multivariate anomaly detection technique with a low computation cost. If the upper limit is less than the computed X² for an audit event, then there is an anomaly in that audit event.

Wang et al. [2] study the Hidden Markov Model (HMM) as a new method for intrusion detection. For abnormality detection, the probability that a sequence of system calls is produced by the HMM is computed. Instead of sequences at each system call, anomaly decisions are made by HMMs. A sequence is flagged as a mismatch if the given sequence in the traces has a probability less than the threshold. If another threshold is set and the ratio between all the sequences in the trace and the mismatches is greater than that value, then a possible intrusion has happened. In the real world, online detection can be made by using the proposed method. The performance of intrusion detection is enhanced by reducing the false alarm rate. An HMM describes a doubly stochastic process. An HMM contains a finite set of unobservable states. A set of probabilities, called transition probabilities, governs the transitions among the different states. The evaluation problem, the learning problem and the decoding problem are the three issues in HMMs. Before training, the size of the model must be decided.

Cho and Han [1] present that, despite the good performance of HMMs, there are some problems in applying HMMs in a real intrusion detection system: a relatively high false-positive error rate, and the large amount of time required to model normal behavior. The two sophisticated techniques proposed in that paper remove these errors of conventional HMM-based IDS. The amount of time required for training the HMM can be reduced by modeling privilege flows, and the false-positive error rate can be minimized by combining multiple HMMs. The HMM is the most appropriate tool for modeling sequence information. The model can take the form of a graph with N nodes (states) and edges. A given symbol is observed according to the observation probabilities and the initial state distribution. Anomaly recognition matches the current behavior against the model of normal behavior and calculates the probability with which the model generates it; both the forward-backward procedure and the Viterbi algorithm can be used for this purpose. The time required for building the normal behavior model can be reduced by privilege flow. Compared to conventional modeling, modeling privilege change data has fewer chances of errors. This technique can open new ways for intensive anomaly detection. The reliability can be improved by using HMM-based intrusion detection systems.

3 PROPOSED FRAMEWORK
The major steps in designing the system are the following:
a) Source Data
b) Training Data
c) Testing Data
d) Apply Time-inhomogeneous hidden Bernoulli model
e) Results: whether the system shows abnormal behavior or not.


Block Diagram:

[Figure 1: block diagram with the boxes Source data, Training data, Testing data, Apply TI-HBM, System behavior, Normal, Abnormal]

Fig 1. Intrusion Detection System

Fig 1 shows how the system will work and show the results.

4 Technique
State transition can be modeled by using TIHBM, which is a new acoustic model. The parameters P(i,t) are used in TIHBM. The following parameters must be satisfied for TIHBM:

(1) [4]

The observation sequence X has a maximum length that is represented as L_max. For applying TIHBM in the real world we need parameters that can be taken from P(i,t):

1. Time distribution probability P_T(t):
The probability P_T(t) is computed at time t as:

(2) [4]

2. Probability of survival P(t+1|t):
The survival probability at time t+1 is represented as P(t+1|t). It means that the process will survive till time t+1, and at that time the probability will be P(t+1|t). So the survival probability is computed as:

(3) [4]

3. The probability for selected state P_{S|T}(i|t):
To select any state i at a given time t, the selection probability will be P_{S|T}(i|t), and it can be calculated as:

(4) [4]

4. Generation of observation sequence:
TIHBM generates the observed sequence O = {o1, o2, ..., ot}. If the time sequence is = {1, 2, ..., L} and the sequence of the states is represented with S, then the surviving probability will be up to the time L.

(5) [4]

(6) [4]

The sequence with the length L is generated from P(). The probability P() is a function of the probability P_T(t). P() will be considered as a constant value.

5. Experimental Results

The intrusion detection results are shown in Table 1. It can be seen that the TI-HBM improves the intrusion detection accuracy compared to the standard HMM.

TABLE 1
Intrusion Detection accuracy for the test set

NO.   Average Probability   Threshold value   Range       Result
1     0.07                  10%               0.06-0.08   Intrusion
2     0.0                   10%               0           No intrusion
3     0.5                   10%               0.45-0.55   Intrusion

The TI-HBM was always faster than HMM in the training phase in our experiments. Taking different values of state and time, we check the results.

[Figure 2: chart titled "probability variation"; axis label: states; legend: Series1, Series2, Series3]

Fig 2. Probability variation.

The results show that the probability values are different when taking different values of time and state. Probability increases when the state value increases and time decreases. Next, different values of time are taken with a constant value of state.

[Figure 3: chart titled "probability variation"; axis labels: states, time, probability; legend: Series1, Series2, Series3]

Fig 3. Probability variation.

Results show that probability decreases when time increases at the same value of state. So time and probability are inversely proportional.

CONCLUSION

Results show that probability decreases when time increases at the same state, and that when both time and state are changed the probability shows different values. For processing, TIHBM is considered as a theoretical framework. For the sake of making TIHBM simpler, dynamic programming is eliminated at the state level. When training is performed, the TIHBM becomes faster in this phase. Probability is computed non-recursively in TIHBM. This work will open new horizons in future for upcoming researchers. A new research area could be the comparison between the Hidden Markov Model (HMM) and the Time-inhomogeneous Hidden Bernoulli Model (TI-HBM).

REFERENCES
[1] Cho S., S. Han, Two Sophisticated Techniques to Improve HMM-Based Intrusion Detection Systems, vol. 2, pp. 154-160, May 2002.
[2] Wang W., X. Guan, X. Zhang, Modeling Program Behaviors by Hidden Markov Model for Intrusion Detection, Third International Conference on Machine Learning and Cybernetics, 24-26 August 2004, vol. 5, pp. 2830-2835.
[3] Ye N., Q. Chang, An Anomaly Detection Technique Based on a Chi-square Statistic for Detecting Intrusions into Information Systems, Quality and Reliability Engineering International, vol. 17, pp. 105-112, 2001.
[4] Kabudian J., Homayounpour M., Ahadi S., Time-inhomogeneous Hidden Bernoulli Model: an Alternative to Hidden Markov Model for Automatic Speech Recognition, pp. 4101-4104, March 31 2008-April 4 2008.
[5] N. Ye, Y. Zhang and C. M. Borror, Robustness of the Markov chain model for cyber attack detection, IEEE Transactions on Reliability, vol. 53, no. 1, pp. 116-121, March 2004.
[6] Z. Cai, X. Guan, P. Shao, Q. Peng, G. Sun, A Rough Set Theory Based Method for Anomaly Intrusion Detection in Computer Networks, Expert Systems, vol. 18, no. 5, pp. 251-259, Nov 2003.
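The time distribution and state-selection probabilities named in steps 1 and 3 of Section 4, with a non-recursive sequence score, as an added example that is not code from the paper. Because equations (1) to (6) did not survive on this page, the marginal and conditional definitions used here are assumptions based on the usual meaning of those names; the tables `P` and `B`, the system-call symbols, the helper names and the baseline rule are hypothetical, constructed for illustration, and the survival term of step 2 is left out.

```python
import math

# Constructed joint table P[t][i] = P(i, t): 3 time steps, 2 states, sums to 1.
P = [[0.30, 0.05],
     [0.20, 0.10],
     [0.05, 0.30]]
# Constructed emission probabilities B[i][symbol] for state i (hypothetical).
B = [{"open": 0.7, "read": 0.2, "exec": 0.1},
     {"open": 0.1, "read": 0.2, "exec": 0.7}]


def time_distribution(P):
    """P_T(t): P(i, t) summed over the states (assumed definition)."""
    return [sum(row) for row in P]


def state_given_time(P, t):
    """P_S|T(i|t) = P(i, t) / P_T(t) (assumed definition)."""
    p_t = sum(P[t])
    return [p / p_t for p in P[t]]


def average_probability(obs):
    """Geometric-mean per-symbol probability of obs. Each term depends only
    on t, so there is no forward recursion over the previous step."""
    if not 1 <= len(obs) <= len(P):
        raise ValueError("sequence length must be between 1 and L_max")
    log_sum = 0.0
    for t, symbol in enumerate(obs):
        weights = state_given_time(P, t)
        term = sum(w * B[i].get(symbol, 0.0) for i, w in enumerate(weights))
        if term == 0.0:
            return 0.0  # symbol never emitted by any state
        log_sum += math.log(term)
    return math.exp(log_sum / len(obs))


def is_abnormal(obs, baseline, tolerance=0.10):
    """Example rule: flag obs scoring more than `tolerance` below baseline."""
    return average_probability(obs) < baseline * (1.0 - tolerance)


# Constructed normal traces; the baseline is their lowest score.
TRAINING = [["open", "read", "exec"], ["open", "open", "exec"]]
BASELINE = min(average_probability(s) for s in TRAINING)

if __name__ == "__main__":
    for trace in (["open", "open", "exec"], ["exec", "exec", "open"]):
        print(trace, round(average_probability(trace), 4),
              "abnormal" if is_abnormal(trace, BASELINE) else "normal")
```

The 10% tolerance reuses the threshold value listed in Table 1; how the paper turns that value into an intrusion decision is not recoverable from the page, so the comparison against the lowest training score is this example's own rule.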
