GENERAL INTRODUCTION 1.0 INTRODUCTION Research works and experiments have convinced security experts that Network Intrusion Detection Systems (NIDS)alone are not capable of securing the computer networks from internal and external threats completely. (Renuka et al., 2011). An intrusion detection system (IDS) is a device or software application that monitors systems for malicious activities and policy violations and produces reports to a management station. Intrusion detection systems are primarily focused on identifying possible incidents, logging information about them and reporting attempts. Organizations use these systems for identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. The goals of intrusion detection systems are to use all available information in order to detect both attacks by external hackers and misuse by insiders. IDSs are based on the belief that an attacker’s behaviour will be noticeably different from that of a legitimate user. (tzeyoung, 2009). Intrusions can occur due to vulnerabilities in operating systems. Many common operating systems are simply not designed to operate securely. Thus, malware often is written to exploit discovered vulnerabilities in popular operating systems. Depending on the nature of the attack, many times if an operating system is compromised, it can be difficult for an IDS to recognise that the operating system is no longer legitimate. Operating Systems must be designed to better support security policies pertaining to authentication, access control and encryption. Intrusion detection uses vulnerability assessment (sometimes referred to as scanning), which is a technology developed to access the security of a computer system or network. Hackers can use malware to record keyboard strokes, then send that account and password information by hacking sites which store those details through the use of tools such as scanning tools; which they use to survey and analyse system characteristics and remote management tools; used by system’s administrators to manage a network by managing and controlling systems devices from a remote location. According to the Information Assurance Technology Analysis Center (IATAC), 2009; IDSs are generally made up of sensors, analysers, user interfaces and honeypot. Sensors are deployed in a network or on a device to collect data, they take input from various sources, including network packets, log files and system call traces. Analysers in an IDS collect data forwarded by sensors and then determine if an intrusion has actually occurred. The user interface of the IDS gives the end user a view and way to interact with the system. Through the interface, a user can control and configure the system. Honeypot is a fully deployed IDS which administrators deploy as a bait or decoy for intruders, it can be used as early warning systems of an attack, decoys from critical systems and data collection sources for attack analysis. Provos and Holz (2007), defined honeypot as ‘A closely monitored computing resource that we want to be probed, attacked or compromised.’ The value of a honeypot is weighed by the information that can be obtained from it. To detect malicious behaviour, a network intrusion detection system (NIDS) requires signatures of known attacks and often fail to detect compromises that were unknown at the time it was deployed. Also NIDSs produces erroneous results called false positives and false negatives, which occur when the NIDS erroneously detects a problem with benign traffic and when unwanted traffic is undetected by the NIDS respectively. On the other hand, honeypots can detect vulnerabilities that are not yet understood. For instance, a compromise can be detected by observing network traffic leaving the honeypot, even if the means of the exploit has never been seen before. Honeypots consists of unreal services such as mail, telnet, HTTP etc, database for logging, packet dispatcher and protocols such as ICMP, TCP and UDP. This work is aimed at developing a network intrusion detection system by utilizing the effect of a decoy system precisely a honeypot which addresses false positives and false negatives as they are not easily evaded or defeated by new exploits. In fact, one of their primary benefits is that they can most likely detect when a new compromise occurs via a new or unknown attack by virtue of system activity, not signatures. Administrators also do not have to worry about updating a signature database or patching anomaly detection engines. Honeypots happily capture any attacks thrown their way. Honeypots reduce false positives by capturing small datasets of high value. The data in the honeypot will be analysed using Adaptive neuro-fuzzy inference system (ANFIS) 1.1 MOTIVATION OF STUDY This work is motivated by the need to secure networks and system resources. Intrusion detection systems has been developed at 1980 to protect the computer from threats by monitoring and surveillance. It has been observed that network intrusion detection systems alone cannot handle both internal and external threats to computers because the number of false alarms generated by Network Intrusion Detection Systems have firewalls which also play a vital role in network security but also cannot prevent attacks from happening and computer security system still fails to secure the computer networks in case of new attacks. The problems posed by the existing system are as follows: Network breaches occur as invalid data and TCP/IP stack attacks may cause an NIDS to crash. Local packets that escaped can create a significantly high false-alarm rate in the NIDS. NIDS requires signatures of known attacks and often fail to detect compromises that were unknown at the time it was deployed. Encrypted packets are not processed by the intrusion detection system, therefore the encrypted packet can allow an intrusion to the network that is undiscovered until more significant network intrusions have occurred. Therefore, in order to have a better secured networking system, the honeypot system should be incorporated into networks to allow administrators monitor the behaviour of attackers closely. 1.2 AIM AND OBJECTIVES. The aim of this work is to develop a honeypot based intrusion detection system that will enhance network security by using Adaptive Neurofuzzy Inference System. The specific objectives are as follows: To design a virtual honeypot network consisting of a honeywall, honeyd and high interaction honeypot analysing tool in a virtualized domain. To capture, collect and analyse network data. Using the result obtained to access system and file integrity and network security. Design of a Mamdani type ANFIS for intelligent analysis of activities. To provide necessary network security measures. Implementation of the system using MATLAB tool. 1.3 METHODOLOGY The steps necessary to achieve the objectives in section 1.2 are as follows; Review of relevant literature in network intrusion detection systems (NIDS), honeypots and adaptive neuro-fuzzy inference system. Honeypot system design and network setup in virtualized environment using VMware workstation. Intrusion into the honeypot network; using an advanced penetrating tool such as backtrack5 or kali-linux. Data control, capture and collection using liblibrary (libevent, libdnet, libpcap). Design of a Mamdani type ANFIS for intelligent analysis of activities. Implementation of the system using MATLAB tool. Result and inferences. 1.4 SCOPE OF THE STUDY This work considers the use of honeypot as a network intrusion detection system in tracking attacker’s traffic and traffic analysis using ANFIS. It does not cover other advanced features of honeypot such as load balancing. The design is basically for academic and research purposes. 1.5 ORGANIZATION OF STUDY This work is presented in five chapters. Chapter one represents a general overview of the study and states the problems that motivates this study, the aim and objectives of the study and the methodologies employed to realise the objectives of the study. Chapter two is summarily concerned with the review of relevant literature in network intrusion detection system, honeypot, fuzzy inference system and analysis of the existing system. The model of the system structure and its components are presented in chapter four. Chapter five sums up the work by presenting the summary, offering recommendations to the system and conclusion of the work. 1.6 DEFINITION OF TERMS Intrusion Detection System (IDS): This is a device or software application that monitors network or system activities for malicious activities. Honeypot: This is a system that is expressly setup to ‘attract’ and ‘trap’ people who attempt to penetrate other people’s computer systems. Fuzzy Logic: This is a form of many valued logic which deals with reasoning that is approximate rather than fixed and exact. False Positive: This is an event signalling an IDS to produce an alarm when no attack has taken place. Noise: This refers to data or interference that can trigger a false positive. Ethernet: A physical network protocol for transmitting information across copper wires. Ethernet network segments are restricted to distances normally less than415 meters and utilize a packet oriented message transfer protocol. Ethernet is the most popular physical network topology in use today. Event: A notification from an analyzer to the security administrator a signature has triggered. An event typically contains information about the activity that triggered the signature, as well as the specifics of the occurrence. File assessment: A technology in which message digest hashing algorithms are used to render files and directories tamper evident. Firewall A computer or router (or combination thereof) configured to permit or deny specific kinds of traffic through it. Usually used to protect a network from potentially hostile outside networks; intranetwork firewalls, however are becoming more popular. Available in a variety of strengths and reliability
Table Of Contents
Chapter ONE
INTRODUCTION
- 1.1Introduction
- 1.2Background of Study
- 1.3Problem Statement
- 1.4Objective of Study
- 1.5Limitation of Study
- 1.6Scope of Study
- 1.7Significance of Study
- 1.8Structure of the Research
- 1.9Definition of Terms
Chapter TWO
LITERATURE REVIEW
- 2.1Overview of Network Intrusion Detection Systems (NIDS)
- 2.2Understanding Honeypots
- 2.3Fuzzy Logic in Intrusion Detection Systems
- 2.4Challenges in Network Security
- 2.5Importance of Adaptive Neuro-Fuzzy Inference System (ANFIS)
- 2.6False Positives and False Negatives in Intrusion Detection
- 2.7Signatures and Anomaly Detection in IDS
- 2.8Evolution of Honeypots in Network Security
- 2.9Data Analysis Techniques in Network Security
- 2.10The Role of Firewalls in Network Security
Chapter THREE
SYSTEM DESIGN AND IMPLEMENTATION
- 3.1Literature Review of Network Intrusion Detection Systems
- 3.2Examining Different Types of Honeypots
- 3.3Understanding Adaptive Neuro-Fuzzy Inference System (ANFIS)
- 3.4Setting Up a Virtualized Environment for Honeypots
- 3.5Intrusion Testing and Data Collection Methods
- 3.6Designing an Intelligent Analysis System
- 3.7Implementation of ANFIS using MATLAB
- 3.8Result Analysis and Inferences
Chapter FOUR
SYSTEM TESTING AND EVALUATION
- 4.1Theoretical Framework of Honeypot-Based IDS
- 4.2Components of a Honeypot System
- 4.3Virtual Honeypot Network Design
- 4.4Honeywall and Honeyd Configuration
- 4.5High Interaction Honeypot Analysis
- 4.6Data Capture and Analysis Techniques
- 4.7Intelligent Analysis using ANFIS
- 4.8Network Security Measures and Implementation
Chapter FIVE
SUMMARY, CONCLUSION AND RECOMMENDATIONS
- 5.1Summary of Findings
- 5.2Recommendations for Network Security Improvement
- 5.3Conclusion and Implications of the Study
- 5.4Future Research Directions
- 5.5Contributions to Network Security Field
Project Abstract
Research works and experiments have convinced security experts that Network Intrusion Detection Systems (NIDS) alone are not capable of securing computer networks from internal and external threats completely. An intrusion detection system (IDS) is a device or software application that monitors systems for malicious activities and policy violations and produces reports to a management station. Intrusion detection systems focus on identifying possible incidents, logging information about them, and reporting attempts. Organizations use IDSs to identify security policy problems, document existing threats, and deter individuals from violating security policies. The goals of intrusion detection systems are to detect attacks by external hackers and misuse by insiders using all available information. IDSs are based on the belief that an attacker’s behavior will be noticeably different from that of a legitimate user. Intrusions can occur due to vulnerabilities in operating systems, and many common operating systems are not designed to operate securely. Malware is often written to exploit vulnerabilities in popular operating systems. Intrusion detection uses vulnerability assessment to access the security of a computer system or network. Hackers can use malware to record keystrokes and send account and password information to hacking sites. Network Intrusion Detection Systems face challenges such as false positives, false negatives, and difficulties in detecting compromises unknown at deployment. Honeypots have been identified as a valuable tool in addressing these challenges. Honeypots are closely monitored computing resources deployed as bait for attackers, providing early warning systems of attacks and data collection sources for attack analysis. Honeypots can help detect new compromises by observing network traffic and capture any attacks thrown their way, reducing false positives by capturing small datasets of high value. This research aims to develop a honeypot-based intrusion detection system that enhances network security using the Adaptive Neurofuzzy Inference System (ANFIS). The objectives include designing a virtual honeypot network, capturing and analyzing network data, designing an ANFIS for intelligent analysis, and implementing the system using MATLAB. The study will focus on the use of honeypots in tracking attacker traffic and traffic analysis using ANFIS. The scope is limited to honeypots as network intrusion detection systems for academic and research purposes, excluding advanced features like load balancing.
Project Overview
<p>
</p><div><b><p><b>INTRODUCTION</b></p><p><b>1.1 BACKGROUND OF STUDY.</b></p><p>Information technology is an essential tool to guest tracking. The faster and more effectively it works, the safer our business management is.</p><p>Information system (IS) refers to a system that comprises of persons, data records and activities that process data and information in an organization, and it includes the organization‟s manual and automated processes. In a narrow sense, the term information system refers to the specific application software that is used to store data records in a computer system and automates some of the information-processing activities of the organization.</p><p></p><p>The term information technology has ballooned to encompass many aspects of computing and technology, and the term has become very recognizable. The information technology umbrella can be quite large, covering many fields. IT professionals perform a variety of duties that range from installing applications to designing complex computer networks and information database.</p><p>Since the first wave of computerization in the 1970‟s, the implementation of information technology within policing has been questioned and often met with resistance. The development of an information technology strategy must be viewed in the context of increasing expectations and pressure for reform within organizations. 2</p><p>The business environment in which banks operate is changing; increased demands for efficiency has led to information technology being recognized as a valuable and innovative addition to guest tracking system.</p><p>Over the last decade, computer and telecommunication technologies have developed at an extraordinary rate. Increased computer power, advances in data transmission, attractive and user-friendly graphic interfaces present bank with unprecedented capacity to collect, store, analyze and share data with stakeholders inside and outside of bank.</p><p>Historically, the innovation of information systems has served as the catalyst for dramatic changes in the organization work and has presented both opportunities and challenges to operators.</p><p>Some banks have made tremendous efforts in creating databases for guest information system for security purposes.</p><p></p></b></div><b><div><p><b>1.2 STATEMENT OF PROBLEM</b></p><p>Keeping record of visitors in a bank has been a big task for the management. Often the identity of the guest is forgotten as soon as he/she leaves the bank. This is a big security risk as there is need to maintain an automated record of daily visitors to the bank in case security issues arise. 3</p><p><b>1.3 PURPOSE OF STUDY</b></p><p>The purpose of this study is to design software that will serve as an electronic register to keep record of daily guest to the bank. The software will maintain a centralized database system for the purpose of information sharing.</p><p><b>1.4 SIGNIFICANCE OF THE STUDY</b></p><p>The software developed will be beneficial to the bank management in so many ways:</p><p>1. Maintain a centralized database for Guest records</p><p></p><p>2. Retrieve previous information on guest from the system easily using serial query language</p><p>3. Have a good surveillance on the guest information for security purposes</p><p>4. Know the number of guest they receive on daily basis</p><p>5. Track the frequency of a guest visitation to the bank</p><p><b>1.5 OBJECTIVE OF STUDY</b></p><p>The purpose of this research work is to develop a system that should be able to achieve the following:</p><p>1. To provide an electronic register to keep record of guest visit to the bank</p><p>2. To produce a system where information and output report will be produced much faster, more accurately and more detailed.</p><p>4</p><p>3. Keeping record of total number of guest coming to the bank on daily basis.</p><p>4. Keep track of old guest in case of any security breach.</p><p>5. Provide password to prevent unauthorized users from accessing and manipulating information.</p><p><b>1.6 SCOPE OF THE STUDY</b></p><p>This research project covers only records on the banks managers guest and some other management staff, as it will be difficult to maintain guest record on every staff of the bank.</p><p><b>1.7 CONSTRAINS AND LIMITATION</b></p><p>Due to time constraint and limited resources, the use of biometric could not be incorporated into the work for authentic identification of guest.</p><p><b>1.8 DEFINTION OF TERMS</b></p><p>ARRIVAL FILE: This is master file consisting of the guest name, companies name and address, state, country, nationality, profession etc. which also include the mode of payment to be used by the guest.</p><p>DATABASE: This is the collection of related data/information</p><p>GUEST: This guest are used in the contest of the work refers to individual, companies or corporate bodies that visited the bank 5</p><p>SOFTWARE: This is the logically written instruction that control the</p></div></b>
<br><p></p>