Heavy reliance on the Internet and worldwide connectivity has greatly increased the damage that can be inflicted by attacks launched over the Internet against systems. It is very difficult to prevent such attacks by security policies, firewalls or other mechanisms alone, because system and application software always contains unknown weaknesses and many bugs. In addition, complex and often unforeseen interactions between software components and network protocols are continually exploited by attackers. Successful attacks inevitably occur despite the best security precautions. Therefore intrusion detection systems (IDS) have become an essential part of the system, because they can detect attacks before they inflict widespread damage. Some approaches detect attacks in real time and can stop an attack in progress. Others provide after-the-fact information about attacks and can help repair damage, understand the attack mechanism, and reduce the possibility of future attacks of the same type. More advanced IDSs detect never-before-seen, new attacks, while the more typical systems detect previously seen, known attacks [1].


The Internet is growing very fast, with no end in sight. With this growth the threat of attacks is also increasing, because theft over the Internet can originate from anywhere in the world. So we require a system that can detect an attack or theft before there is a loss of information or damage to the reputation of an organization or individual. Many solutions have been provided by researchers and by companies, such as firewalls, IDS and IPS, to stop attacks. But it is still very hard to detect attacks like DoS and worm propagation before they spread widely, because thousands of new attacks are developed regularly, and for a signature-based IDS it is very hard to detect these kinds of new attacks with perfect accuracy. Most IDSs generate many false alarms, and these false alarms can affect other processing in the network.

If an attacker somehow learns that there is an IDS in the network, the attacker will want to disable it; his or her first target will be the IDS, before attacking the network. So there should be proper security policies for deploying the IDS in order to take full advantage of it.


Security is the main concern for any network. Every day thousands of attacks are created, so alarms and logs should be generated properly to reduce their effect. IDS and IPS are the devices most commonly used to provide these kinds of solutions, but there are many issues, such as performance and accuracy. So the main objective of the project is to develop a signature-based IDS for DoS attacks with better scalability and performance, i.e. an IDS with minimum false alarms and better throughput. In this study the TCP SYN flood attack will be taken as the example for implementing and evaluating the performance and scalability of the developed IDS.

The second objective of this study is to discuss the policies for implementing the IDS securely. These policies shall also be evaluated.


Intrusion detection systems (IDS) are software or hardware systems that automate the process of monitoring the events occurring in a computer system or network and analyzing them for signs of security problems. As network attacks have increased in number and severity over the past few years, IDSs have become a necessary addition to the security infrastructure of most organizations [2, 48]. There are many different types of IDS, and they can be characterized by their monitoring and analysis approaches. Each approach has different advantages and disadvantages. All approaches can be described in terms of a generic process model for IDSs. Many IDSs can be described in terms of three fundamental functional components: information source, analysis, and response [2].


Chapter 1 gives a brief introduction to the whole project: the motivation for selecting this project, its main objectives, and the main problem that will be considered in it.

Chapter 2 is the literature review. In this chapter many different aspects of IDS will be discussed: why we require an IDS, the different types of IDS, the need for IDS, the different types of attacks, and many other facts about IDS that can help to improve knowledge about IDS.

Chapter 3 will focus on the analysis and design of the IDS: how a computer system can be designed, what system engineering is, and the different types of models that will be discussed.



The Internet is carrying more traffic than ever before and is still growing in size without any end. Along with this explosive growth comes an increased threat from Internet-related attacks. The Internet allows theft to occur from anywhere in the world [14].

Many threats impact the operation of your computer network. Natural threats such as flood, fire and tornadoes cause unexpected disruptions. Most companies have well-defined procedures to handle these natural events. Security procedures are designed to combat hacker attacks; an unsecured network will definitely be attacked. The only question is when the attack will occur [14].


IDSs have been adopted by many organizations because the organizations know that IDSs are a necessary component of their security architectures. But IDS is still not very popular, and most organizations lack experienced IDS operators. An IDS is most effective when operated by a human. But before developing a signature-based IDS, knowledge of the attacks is a must. A signature is a set of rules that a sensor uses to detect typical intrusive activities. These rules are based on various criteria, i.e. IP protocol parameters, transport protocol parameters and packet data [12].


An attack can be divided into three phases. The first phase is defining the goal of the attack. The second phase is the reconnaissance attack, also known as information gathering. After collecting the information, the attacker proceeds to the third phase, the attacking phase [12].


Before attacking a network or system, an attacker sets her goals or objectives. When attacking a network, the attacker can have various goals:

  • Data manipulation
  • System access
  • Elevated privileges
  • Denying availability of the network resources


  • Revenge
  • Political activism
  • Financial gain

Attackers attempt to disrupt the network in order to discredit the particular organization's image [12].


Collecting information is the attacker's second step in launching an attack against the network. Successful reconnaissance is also important for a successful attack. Attackers use two main mechanisms to collect information about the network:

  • Public data sources
  • Scanning and probing

An attacker sometimes starts his knowledge search by examining the public information available about the company. By using this kind of information the attacker can determine where the business is located, who its business partners are, the value of the company's assets and much more.

Through scanning, attackers use remote reconnaissance to find specific resources on the network.

The goal of information gathering is to pinpoint weak points on the network where an attack is likely to succeed. By pinpointing specific weaknesses, the attacker can later launch an attack that generates minimal traffic or noise on the network, which greatly reduces the likelihood of detection during the actual attack [12]. Examples of such reconnaissance are ping sweeps, vertical scans, horizontal scans, DNS queries, block scans and many more.


After an attacker maps the network, he researches known vulnerabilities for the systems he has detected. The attacker's goal at this stage is to gain access to the resources of the network, i.e. unauthorized data manipulation, system access, or privilege escalation.


Regardless of motivation or personal preference, an attacker has several attack methodologies to choose from [12]:

  • Ad hoc (random)
  • Methodological
  • Surgical strike (lightning quick)
  • Patient (slow)

AD HOC (Random)

An ad hoc attack methodology is unstructured. An attacker using this methodology is usually disorganized, and these types of attacks frequently fail, because it is difficult to comprehensively locate targets on the network this way.


The methodological approach provides a well-defined sequence of steps for attacking a network. First, the attacker uses reconnaissance to locate the targets. Next, the attacker locates exploits for known vulnerabilities on the target. Finally, when he is satisfied with his toolkit, he starts attacking systems on the target network.

SURGICAL STRIKE (Lightning Quick)

Many times the attacker uses an automated script against a network, and the entire attack is completed in a few seconds, before the system administrator or security analysts have time to react and make any decision.


The patient methodology refers to the pace at which the attacker executes his attacks. Usually one uses a patient (slow) methodology to avoid detection, because many intrusion detection systems have difficulty detecting attacks that occur over a long period of time.


Viruses and worms provide a vehicle for an attacker to wreak havoc on your network and potentially the Internet. However, the spread of viruses and worms is much harder to determine in advance.

A Trojan horse program enables an attacker to establish a back door on a system. However, a Trojan horse requires some type of transport vehicle [12].


The purpose of DoS attacks is to deny legitimate access to network resources. These attacks include everything from simple one-line commands to sophisticated programs written by knowledgeable hackers. There are different types of DoS attacks; some of them are:

  • Network resource overload
  • Host resource starvation
  • Out-of-band attacks
  • Distributed attacks


One common way to deny network access is by overloading a common resource necessary for network components to operate. The most common resource attacked is network bandwidth, which can be overloaded in several ways: generating lots of traffic, distributing the attack across numerous hosts, and using protocol flaws that amplify the attack by soliciting help from many different hosts against the target [12].

Examples: Smurf and Fraggle attacks.


The resources available at the hosts are also known as attack points. One such resource is the buffer that a host uses to track TCP connections.


The first out-of-band attack category uses over-sized packets; such a packet overflows the allocated buffer and causes the system to crash. An example of an over-sized packet attack is the ping of death.


The latest trend in DoS attacks is for an attacker to compromise numerous hosts and then use all of these compromised hosts to launch a massive attack against a specific target. These types of attacks are known as distributed denial of service (DDoS) attacks.


To disrupt the victim's communication very badly, the attacker must compromise an agent machine that has more network resources than the victim. Locating and breaking into such a machine may prove difficult if the target of the attack is a well-provisioned site [16].

Distribution brings a number of benefits to the attackers:

  • By using distribution techniques, the attacker can multiply the resources on the attacking end, allowing him to deny service to more powerful machines at the target end [16].
  • To stop a simple DoS attack from a single agent, a defender needs to identify that agent and take some action that prevents it from sending such a large volume of traffic. In many cases, the attack from a machine can be stopped only if the machine's human administrator, or network operator, takes action. If there are thousands of agents participating in the attack, however, stopping any single one of them may provide little benefit to the victim. Only by stopping most or all of them can the DoS effect be palliated [16].
  • If the attacker chooses agents that are spread widely throughout the Internet, attempts to stop the attack are more difficult, since the only point at which all of the attack traffic merges is close to the victim. This point is called the aggregation point. Other nodes in the network might experience no telltale signs of the attack and might have difficulty distinguishing the attack traffic from legitimate traffic [16].
  • In a DoS attack executed from a single agent, the victim might be able to recover by obtaining more resources. For example, an overwhelmed Web server might be able to recruit other local servers to help handle the extra load. Regardless of how powerful a single agent might be, the defender can add more capacity until he outstrips the attacker's ability to generate load. This approach is less effective in defending against DDoS attacks. If the defender doubles his resources to handle twice as many requests, the attacker merely needs to double the number of agents, often an easy task [16].


The SYN flooding attack is a distributed denial-of-service method affecting hosts that run TCP server processes. The attack takes advantage of the state retention TCP performs for some time after receiving a SYN segment to a port that has been put into the LISTEN state. The basic idea is to exploit this behavior by causing a host to retain enough state for bogus half-connections that there are no resources left to establish new genuine connections [51, 52].

A TCP implementation may allow the LISTEN state to be entered with either all, some, or none of the pair of IP addresses and port numbers specified by the application. In many common applications like web servers, none of the remote host's information is known or preconfigured in advance, so that a connection can be established with any client whose details are unknown to the server ahead of time. This type of "unbound" LISTEN is the target of SYN flooding attacks due to the way it is typically implemented by operating systems [51, 52].

For success, the SYN flooding attack relies on the behavior of the victim host's TCP implementation [51, 52]. In particular, it assumes that the victim allocates state for every TCP SYN segment when it is received, and that there is a limit on the amount of such state that can be kept at any time.

The SYN flooding attack does not attempt to overload the network's resources or the end host's memory, but merely attempts to exhaust the backlog of half-open connections associated with the port number [51, 52]. The goal is to send a quick barrage of SYN segments from IP addresses (often spoofed) that will not generate replies to the SYN-ACKs that are produced. By keeping the backlog full of bogus half-open connections, legitimate requests will be rejected. Three important attack parameters for success are the size of the barrage, the frequency with which barrages are generated, and the means of selecting IP addresses to spoof.

Usually, systems implement a parameter to the typical listen() system call that allows the application to suggest a value for this limit, called the backlog [51, 52].

To be effective, the size of the barrage must be large enough to reach the backlog. Ideally, the barrage size is no larger than the backlog, minimizing the volume of traffic the attacker must source. Typical default backlog values vary from half a dozen to several dozen, so the attack might be tailored to the particular value determined by the victim host and application. On machines intended to be servers, especially for a high volume of traffic, the backlog is often administratively configured to a higher value.
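The detection side of this attack, as an added example that is not part of the thesis: a sensor models the victim's listen() backlog, tracks half-open connections per (server IP, port), and raises one alarm per episode when pending unanswered SYNs approach the limit. The backlog value, the thresholds and the packet trace are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal view of a TCP segment as a sensor would decode it."""
    ts: float     # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "R" = RST


@dataclass
class ListenerState:
    half_open: Dict[Tuple[str, int], float] = field(default_factory=dict)  # client -> SYN time
    established: int = 0
    alerted: bool = False


class SynFloodDetector:
    """Signature: too many half-open connections pending on one listener."""

    def __init__(self, backlog: int = 16, timeout: float = 3.0, alarm_ratio: float = 0.75):
        self.backlog = backlog          # assumed listen() backlog of the protected server
        self.timeout = timeout          # seconds after which an unanswered SYN is forgotten
        self.threshold = max(1, int(backlog * alarm_ratio))   # alarm when pending >= this
        self.listeners: Dict[Tuple[str, int], ListenerState] = defaultdict(ListenerState)
        self.alerts: List[dict] = []

    def _expire(self, state: ListenerState, now: float) -> None:
        # Forget half-open entries the server itself would have timed out by now.
        for key in [k for k, t in state.half_open.items() if now - t > self.timeout]:
            del state.half_open[key]

    def observe(self, pkt: Packet) -> List[dict]:
        """Feed one packet; returns the alerts (if any) raised by this packet."""
        listener, client = (pkt.dst, pkt.dport), (pkt.src, pkt.sport)
        if pkt.flags == "S":
            state = self.listeners[listener]       # start tracking a listener on its first SYN
        else:
            state = self.listeners.get(listener)   # SYN-ACKs and server-side ACKs are ignored
            if state is None:
                return []
        self._expire(state, pkt.ts)
        if pkt.flags == "S":
            state.half_open.setdefault(client, pkt.ts)   # a retransmitted SYN is not counted twice
        elif pkt.flags in ("A", "R") and client in state.half_open:
            del state.half_open[client]                   # handshake completed or aborted
            if pkt.flags == "A":
                state.established += 1
        return self._check(listener, state, pkt.ts)

    def _check(self, listener: Tuple[str, int], state: ListenerState, now: float) -> List[dict]:
        pending = len(state.half_open)
        if pending < self.threshold:
            state.alerted = False                  # re-arm once the backlog drains
            return []
        if state.alerted:
            return []                              # one alarm per episode, not one per packet
        state.alerted = True
        alert = {"ts": now, "listener": listener, "half_open": pending, "backlog": self.backlog,
                 "distinct_sources": len({ip for ip, _ in state.half_open})}
        self.alerts.append(alert)
        return [alert]

    def half_open_count(self, listener: Tuple[str, int], now: Optional[float] = None) -> int:
        state = self.listeners.get(listener)
        if state is None:
            return 0
        if now is not None:
            self._expire(state, now)
        return len(state.half_open)


SERVER = ("192.0.2.10", 80)   # constructed protected web server


def constructed_trace() -> List[Packet]:
    """Constructed capture: one genuine handshake, then a barrage of 14 SYNs from
    spoofed TEST-NET-3 addresses whose SYN-ACKs are never answered."""
    pk = [Packet(0.00, "10.0.0.5", 40001, *SERVER, "S"),
          Packet(0.01, *SERVER, "10.0.0.5", 40001, "SA"),
          Packet(0.02, "10.0.0.5", 40001, *SERVER, "A")]
    for i in range(14):
        src, sport = f"203.0.113.{i + 1}", 50000 + i
        pk.append(Packet(1.00 + i * 0.05, src, sport, *SERVER, "S"))
        pk.append(Packet(1.01 + i * 0.05, *SERVER, src, sport, "SA"))
    return pk


def run(trace: Optional[List[Packet]] = None, **kw) -> SynFloodDetector:
    det = SynFloodDetector(**kw)
    for p in (trace if trace is not None else constructed_trace()):
        det.observe(p)
    return det
```

With the default backlog of 16 and alarm ratio 0.75 the single alarm fires on the twelfth unanswered SYN, while the genuine handshake and any retransmitted SYN leave the count unchanged.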

Another aspect makes both DoS and DDoS attacks hard to handle: defenses that work well against many other kinds of attacks are not necessarily effective against denial of service. For years, system administrators have been advised to install a firewall and keep its configuration up to date, to close unnecessary ports on all machines, to stay current with patches for operating systems and other important software, and to run an intrusion detection system to discover any attacks that have managed to penetrate the outer bastions of defense [16].

Unfortunately, these security measures often will not help against denial of service. The attack can consist of traffic that the firewall finds acceptable. Intrusion detection systems are of limited value in dealing with DoS since, unlike break-ins and thefts, DoS attacks rarely hide themselves [16].


Intrusion detection systems gather information from a computer or network of computers and attempt to detect intruders or system abuse. Generally, an intrusion detection system will notify a human analyst of a possible intrusion and take no further action, but some newer systems take active steps to stop an intruder at the time of detection [4].

The goal of intrusion detection is seemingly simple: to detect intrusions. However, the task is difficult, and in fact intrusion detection systems do not detect intrusions at all; they only identify evidence of intrusions, either while they are in progress or after the fact. Such evidence is sometimes referred to as an attack's "manifestation." If there is no manifestation, if the manifestation lacks sufficient information, or if the information it contains is untrustworthy, then the system cannot detect the intrusion [5].

Intrusion detection systems are classified into two general types known as signature based and heuristic based. Pfleeger and Pfleeger describe signature-based systems as “pattern-matching” systems that detect threats based on the signature of the attack matching a known pattern. Heuristic based systems, which are synonymous with anomaly-based systems, detect attacks through deviations from a model of normal behavior [6].

IDSs that operate on a single workstation are known as host intrusion detection systems (HIDS), while those that operate as stand-alone devices on a network are known as network intrusion detection systems (NIDS). A HIDS monitors traffic on its host machine, utilizing the resources of its host to detect attacks. A NIDS operates as a stand-alone device that monitors traffic on the network to detect attacks. NIDS come in two general forms: signature-based NIDS and heuristic-based NIDS [7].


IDSs can be described in terms of three fundamental functional components [2, 48]:

  • Information sources: the different sources of event information used to determine whether an intrusion has taken place. These sources can be drawn from different levels of the system, with network, host, and application monitoring most common.
  • Analysis: the part of the intrusion detection system that actually organizes and makes sense of the events derived from the information sources, deciding when those events indicate that intrusions are occurring or have already taken place. The most common analysis approaches are misuse detection (signature based) and anomaly detection.
  • Response: the set of actions the system takes once it detects intrusions. These are typically grouped into active and passive measures, with active measures involving some automated intervention on the part of the system, and passive measures involving reporting IDS findings to humans, who are then expected to take action based on those reports.


The most common way to classify IDSs is to group them by information source. Some IDSs analyze network packets, captured from network backbones or LAN segments, to find attackers [2]. This classification can be described by dividing IDSs into three different types.


NIDS are intrusion detection systems that capture data packets traveling on the network media (cables, wireless) and match them against a database of signatures. Depending on whether a packet matches an intruder signature, an alert is generated or the packet is logged to a file or database [8, 48].

Network-based IDSs often consist of a set of single-purpose sensors or hosts placed at various points in a network. These units monitor network traffic, performing local analysis of that traffic and reporting attacks to a central management console. As the sensors are limited to running the IDS, they can be more easily secured against attack. Many of these sensors are designed to run in "stealth" mode, in order to make it more difficult for an attacker to determine their presence and location [2, 48].


Host-based intrusion detection systems (HIDS) are installed as agents on a host. These intrusion detection systems can look into system and application log files to detect any intruder activity. Some of these systems are reactive, meaning that they inform you only after something has happened. Some HIDS are proactive: they can sniff the network traffic coming to the particular host on which the HIDS is installed and alert you in real time [8, 48].

These types of IDS run on hosts to reveal inappropriate activities on those hosts. HIDSs are used for detecting attacks from both inside and outside the network. They take a snapshot of the existing system files and compare it with the previous one. If important system files have been modified or deleted, a warning is sent to the administrator for inspection. HIDS are particularly useful on machines with significant tasks, since these machines do not expect changes to their configuration [9, 48].


Application-based IDSs are a special subset of host-based IDSs that analyze the events transpiring within a software application. The most common information sources used by application-based IDSs are the application's transaction log files. The ability to interface with the application directly, with significant domain- or application-specific knowledge included in the analysis engine, allows application-based IDSs to detect suspicious behavior due to authorized users exceeding their authorization, because such problems are more likely to appear in the interaction between the user, the data, and the application [2, 48].


There are two primary approaches to analyzing events to detect attacks: misuse detection and anomaly detection. Misuse detection, in which the analysis targets something known to be "bad", is the technique used by most commercial systems. Anomaly detection, in which the analysis looks for abnormal patterns of activity, has been, and continues to be, the subject of a great deal of research. Anomaly detection is used in limited form by a number of IDSs. There are strengths and weaknesses associated with each approach, and it appears that the most effective IDSs use mostly misuse detection methods with a smattering of anomaly detection components [2, 48].


Anomaly detection uses models of the intended behavior of users and applications, interpreting deviations from this “normal” behavior as a problem.

A basic assumption of anomaly detection is that attacks differ from normal behavior. For example, we can model certain users' daily activity (type and amount) quite precisely. Suppose a particular user typically logs in around 10 AM, reads mail, performs database transactions, takes a break between noon and 1 PM, has very few file access errors, and so on. If the system notices that this same user logs in at 3 AM, starts using compilers and debugging tools, and has numerous file access errors, it will flag this activity as suspicious.

The main advantage of anomaly detection systems is that they can detect previously unknown attacks. By defining what’s normal, they can identify any violation, whether it is part of the threat model or not. In actual systems, however, the advantage of detecting previously unknown attacks is paid for in terms of high false-positive rates. Anomaly detection systems are also difficult to train in highly dynamic environments [5].
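The user-profile model sketched above, as an added example that is not the thesis's code: a baseline of login hours, tools and file-error counts is learned from constructed attack-free sessions, and a new session is flagged only when several features deviate at once, which is the knob that trades missed detections against the false positives the text mentions. The tolerance values are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

HOUR_TOLERANCE = 1    # assumed: a login within one hour of a usual hour is still normal
ERROR_SLACK = 3       # assumed: this many file errors above the baseline maximum is still normal
MIN_DEVIATIONS = 2    # assumed: flag a session only when at least this many features deviate


@dataclass(frozen=True)
class Session:
    user: str
    login_hour: int              # hour of login, 0-23
    tools: FrozenSet[str]        # programs run during the session
    file_errors: int             # file access errors during the session


@dataclass
class Profile:
    hours: Set[int]              # login hours seen in training
    tools: Set[str]              # programs seen in training
    max_errors: int              # worst file-error count seen in training


def build_profiles(history: List[Session]) -> Dict[str, Profile]:
    """Learn each user's 'normal' from sessions assumed to be attack free."""
    profiles: Dict[str, Profile] = {}
    for s in history:
        p = profiles.setdefault(s.user, Profile(set(), set(), 0))
        p.hours.add(s.login_hour)
        p.tools.update(s.tools)
        p.max_errors = max(p.max_errors, s.file_errors)
    return profiles


def hour_is_usual(profile: Profile, hour: int) -> bool:
    # Circular distance so that 23:00 and 00:00 count as one hour apart.
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= HOUR_TOLERANCE for h in profile.hours)


def deviations(profile: Optional[Profile], s: Session) -> List[str]:
    """List every feature of the session that falls outside the profile."""
    if profile is None:
        return ["no baseline profile for user"]
    reasons = []
    if not hour_is_usual(profile, s.login_hour):
        reasons.append(f"login at {s.login_hour:02d}:00, usual hours {sorted(profile.hours)}")
    unknown = sorted(s.tools - profile.tools)
    if unknown:
        reasons.append("unfamiliar tools: " + ", ".join(unknown))
    if s.file_errors > profile.max_errors + ERROR_SLACK:
        reasons.append(f"{s.file_errors} file errors, baseline maximum {profile.max_errors}")
    return reasons


def is_anomalous(profiles: Dict[str, Profile], s: Session) -> bool:
    """A user without any baseline is always suspicious; otherwise apply the deviation count."""
    if s.user not in profiles:
        return True
    return len(deviations(profiles[s.user], s)) >= MIN_DEVIATIONS


# Constructed training data: alice's ordinary working days.
HISTORY = [
    Session("alice", 10, frozenset({"mail", "dbclient"}), 0),
    Session("alice", 9, frozenset({"mail"}), 1),
    Session("alice", 11, frozenset({"dbclient", "browser"}), 2),
    Session("alice", 10, frozenset({"mail", "dbclient"}), 0),
]
# Constructed sessions to score: a normal morning and the 3 AM compiler session from the text.
NORMAL = Session("alice", 10, frozenset({"mail"}), 1)
SUSPICIOUS = Session("alice", 3, frozenset({"cc", "gdb"}), 25)
```

A session with only one unusual feature, such as a burst of file errors during an otherwise typical morning, stays below MIN_DEVIATIONS and is not flagged; raising the knob lowers false positives at the cost of missing subtler attacks.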


Misuse detection systems essentially define what’s wrong. They contain attack descriptions (or “signatures”) and match them against the audit data stream, looking for evidence of known attacks. One such attack, for example, would occur if someone created a symbolic link to a UNIX system’s password file and executed a privileged application that accesses the symbolic link. In this example, the attack exploits the lack of file access checks [5, 10].

The main advantage of misuse-based systems is that they usually produce very few false positives: attack description languages usually allow for modeling of attacks at such a fine level of detail that only a few legitimate activities match an entry in the knowledge base.

However, this approach has drawbacks as well. First of all, populating the knowledge base is a difficult, resource-intensive task. Furthermore, misuse-based systems cannot detect previously unknown attacks, or, at most, they can detect only new variations of previously modeled attacks. Therefore, it is essential to keep the knowledge base up to date when new vulnerabilities and attack techniques are discovered. Figure 2 shows how a misuse detection based IDS works [11].


Once IDSs have obtained event information and analyzed it to find symptoms of attacks, they generate responses. Some of these responses involve reporting results and findings to a pre-specified location. Others involve more active automated responses. Though researchers are tempted to underrate the importance of good response functions in IDSs, they are actually very important. Commercial IDSs support a wide range of response options, often categorized as active responses, passive responses, or some mixture of the two [2].


Usually we place a burglar alarm on the doors and windows of our home; in effect, we are installing an intrusion detection system for our house. The IDSs used to protect our computer network operate in a similar fashion. An IDS is software, and possibly hardware, that detects attacks against our network. It detects intrusive activities that enter our network. We can locate intrusive activity by examining network traffic, host logs, system calls, and other areas that signal an attack against our network [14].

There are different benefits that an IDS provides. Besides detecting attacks, most IDSs also provide some type of response to the attacks, such as resetting TCP connections [14].


There are different characteristics of an ideal intrusion detection system, which are listed below [many references]:

  1. An ideal IDS must run with minimum human supervision.
  2. An ideal IDS must be easy to deploy.
  3. An ideal IDS must be able to detect attacks:
    • The IDS must not produce false negative alarms.
    • The IDS must not produce false positive alarms.
    • The IDS must report an intrusion as soon as possible after the attack occurs.
    • The IDS must be general enough to detect different types of attacks.
  4. An ideal IDS must be fault tolerant; it must be able to recover from crashes, whether accidental or caused by malicious activities, and must restore its previous state.
  5. An ideal IDS must impose minimal overhead on the system.
  6. An ideal IDS must be configurable to implement the security policies of the system.


The perimeter model is an architecture commonly used by today's organizations to protect critical infrastructures. This security model divides network architectures into two distinct groups: trusted and untrusted. The trusted group is often the finite internal infrastructure, whilst the untrusted group consists of infinite external networks. In this model two types of devices are used: a firewall to control the traffic entering and leaving the trusted domain, and an IDS to detect misbehavior within the trusted area boundary [18].


Depending upon the network topology, the IDS can be positioned in one or more places. It also depends on what type of intrusion activities should be detected: internal, external or both. For example, if external intrusion activities should be detected and only one router is connected to the Internet, the best place for an intrusion detection system may be just inside the router or firewall. If there are many different paths to the Internet, then an IDS should be placed at every entry point. However, if internal attacks should be detected, then an IDS should be placed in every network segment (note 1). Placement of the IDS really depends upon the security policies (note 2) [8].

  1. Note that more intrusion detection systems mean more work and more maintenance costs.
  2. The security policies define what should be protected from hackers [8].


The goal of a DoS attack is to disrupt some legitimate activity, such as browsing web pages, listening to an online radio and many more. Denial of service is achieved by sending messages to the target that interfere with its operation and make it hang, crash, reboot or do useless work [16].

A denial-of-service attack is different in goal, form, and effect from most of the attacks that are launched at networks and computers. Most attackers involved in cyber crime seek to break into a system, extract its secrets, or fool it into providing a service that they should not be allowed to use. Attackers commonly try to steal credit card numbers or proprietary information, gain control of machines to install their software or save their data, deface Web pages, or alter important content on victims' machines. Frequently, compromised machines are valued by attackers as resources that can be turned to whatever purpose they currently deem important [16].


The effectiveness of DoS attacks has been much reported in recent years, even though organizations continue to employ perimeter model security devices [18], as in cases such as the Cloud Nine incident [53].

DoS attacks prevent a legitimate network user from performing his/her functions [54]. They overwhelm the victim host to the point of unresponsiveness to the legitimate users of that host [55]. As demonstrated by the CSI/FBI survey [56], these attacks are prevalent 'in the wild'. With today's reliance on networks and computing technologies, these attacks can have a serious effect on the victim.


To conclude the literature review, three main research areas have been identified within the literature that pertain to this study. By the nature of the research, the field of study of the whole project lies between performance and scalability issues, with much greater concentration on what techniques and algorithms can be used to develop an IDS with these characteristics.

In addition, the literature review has shown what security policies should be implemented to secure an IDS itself from attackers, and where the actual problems lie, especially in the area of alarm generation, i.e. scalability issues.

As a result, the literature review has placed greater focus on three different research areas:

  1. Scalability issues of the INTRUSION DETECTION SYSTEM, i.e. how false alarms can be reduced against denial-of-service attacks.
  2. Throughput of the intrusion detection system, i.e. how better performance can be obtained for a better response against attacks.
  3. The INTRUSION DETECTION SYSTEM is itself a target for attackers, so what security policies should be adopted for reducing the risk attackers pose to the INTRUSION DETECTION SYSTEM.

The main focus of this study is to develop an intrusion detection system by considering these three aspects.


Although intelligent intrusion detection strategies are used to detect intrusions within the critical segments of network infrastructures, reducing false positives is still a major challenge. Up to this moment, these strategies focus on either detection or response features, but often lack both features together. Without considering these features together, intrusion detection systems will not be able to achieve high detection rates with low false alarm rates [30].

This chapter describes the analysis part of the project, which includes the mechanisms, algorithms and software development life cycle for developing an intrusion detection system with better performance and scalability. In this research an INTRUSION DETECTION SYSTEM will be developed with better performance and scalability by using systems engineering.


In 1998, under the DARPA intrusion detection evaluation program, an environment was set up to acquire raw TCP/IP dump data for a network simulating a typical US Air Force LAN. The LAN was operated like a real environment, but was blasted with multiple attacks [31, 30]. For each TCP/IP connection, 41 quantitative and qualitative features (see Appendix A) were extracted [32, 30]. Of this database, a subset of 494021 records was used, which comprised normal patterns. Attack types were divided into the following 4 main categories [30]:

  • PROBING It is a class of attacks where an attacker scans a network to gather information in order to find known vulnerabilities. An attacker with a map of the machines and services that are available on a network can use the information to look for exploits. There are different types of probes: some of them abuse a computer's legitimate features, and some of them use social engineering techniques. This class of attacks is the most common because it requires very little technical expertise.
  • DENIAL OF SERVICE Denial of service is a class of attacks where an attacker makes some computing or memory resource too busy or too full to handle legitimate requests, denying legitimate users access to a machine.
  • USER TO ROOT In this attack, an attacker starts with access to a normal user account on the system and then exploits a vulnerability to gain root access.
  • REMOTE TO USER This attack happens when an attacker sends packets to a machine over a network that exploit a vulnerability of the machine to gain local access as a user illegally.


System engineering is concerned with all aspects of the development and evolution of complex systems where software plays a major role. System engineering is therefore concerned with hardware development, policy and process design and system deployment, as well as software engineering. System engineers are also involved in specifying the system, defining its overall architecture and then integrating the different parts to create the finished system. They are less concerned with the engineering of the system components (hardware, software etc.) [41].

A system is a purposeful collection of interrelated components that work together to achieve some objective.

Systems that include software fall into two categories [41]:

  • TECHNICAL COMPUTER-BASED SYSTEMS are systems that include hardware and software components but not procedures and processes. Examples of technical systems include televisions, mobile phones and most personal computer software.
  • SOCIO-TECHNICAL SYSTEMS include one or more technical systems but, crucially, also include knowledge of how the system should be used to achieve some broader objective.

Essential characteristics of socio-technical systems are as follows [41].

  1. They have emergent properties, that is, properties of the system as a whole rather than properties associated with individual parts of the system. Emergent properties depend on both the system components and the relationships between them. As this is so complex, the emergent properties can only be evaluated once the system has been assembled.
  2. They are often non-deterministic. This means that, when presented with a specific input, they may not always produce the same output. The system's behaviour depends upon the human operators, and people do not always react in the same way. Furthermore, use of the system may create new relationships between the system components and hence change its emergent behaviour.
  3. The extent to which the system supports organizational objectives does not just depend on the system itself. It also depends on the stability of these objectives, the relationships and conflicts between organizational objectives and how people in the organization interpret these objectives. New management may reinterpret the organizational objective that a system is designed to support, and a successful system may become a failure.

A characteristic of all systems is that the properties and the behavior of the system components are inextricably intermingled. The successful functioning of each system component depends on the functioning of some other components. Thus, the software can only operate if the processor is operational. The processor can only carry out computations if the software system defining these computations has been successfully installed [41].

Systems are usually hierarchical and so include other systems. These other systems are called sub-systems. A characteristic of sub-systems is that they can operate as independent systems in their own right. Therefore, the same geographical information system may be used in different systems [41].


The complex relationships between the components in a system mean that the system is more than simply the sum of its parts. It has properties that are properties of the system as a whole. These emergent properties cannot be attributed to any specific part of the system. Rather, they emerge only once the system components have been integrated. Some of these properties can be derived directly from the comparable properties of the sub-systems. However, more often, they result from complex sub-system interrelationships that cannot, in practice, be derived from the properties of the individual system components [41].

There are two different types of emergent properties [41]:

FUNCTIONAL EMERGENT PROPERTIES appear when all the parts of the system work together to achieve some objective.

NON-FUNCTIONAL EMERGENT PROPERTIES relate to the behaviour of the system in its operational environment. Examples of non-functional properties are reliability, performance, safety and security. These are often critical for computer-based systems, as failure to achieve some minimal defined level in these properties may make the system unusable. Some users may not need some system functions, so the system may be acceptable without them. However, a system that is unreliable or too slow is likely to be rejected by all its users.

SYSTEM RELIABILITY Reliability is a complex concept that must always be considered at the system level rather than the individual component level. The components in a system are interdependent, so a failure in one component can be propagated through the system and affect the operation of the other components [41].

Like reliability, other emergent properties such as performance or usability are hard to assess but can be measured after the system is operational. Properties such as safety and security, however, pose different problems. A secure system is one that does not allow unauthorized access to its data, but it is clearly impossible to predict all possible modes of access and explicitly forbid them. Therefore, it may only be possible to assess these properties by default. That is, you only know that a system is insecure when someone breaks into it [41].


System engineering is the activity of specifying, designing, implementing, validating, deploying, and maintaining socio-technical systems. The phases of the system engineering process are shown in Figure 1. This process was an important influence on the waterfall model of the software process.


System requirements definitions specify what the system should do (its function) and its essential and desirable properties. As with software requirements analysis, creating system requirements definitions involves consultation with system customers and end-users. This requirements phase usually concentrates on deriving three types of requirement [41]:

An important part of the requirements definition phase is to establish a set of overall objectives that the system should meet. These should not necessarily be expressed in terms of the system's functionality but should define why the system is being procured for a particular environment [41].

To illustrate what this means, suppose we are specifying a system for a company's network to provide protection against attacks, worms and viruses. A statement of objectives based on system functionality might be:

To provide an intrusion detection system for the network that will provide internal and external warning of unauthorized intrusion.

This objective states explicitly that there needs to be a detection system that provides warnings of undesired events. By contrast, a broader statement of objectives might be:

To ensure that the normal functioning of the work carried out over the network is not seriously disrupted by events such as virus, worm or unauthorized intrusion.

If we set out the objective like this, we both broaden and limit the design choices: this objective allows for intrusion detection using sophisticated signature patterns, but it may also exclude signatures which can affect the working of the overall network [41].

WICKED PROBLEM A wicked problem is one that is so complex, and where there are so many related entities, that there is no definitive problem specification. The nature of the problem emerges only as a solution is developed. For example, no one can create signatures which can detect all the expected attacks [41]; we can only create signatures based on previous attacks.


Current countermeasures to DoS rely on the perimeter model of network security. However, this model, which relies on firewalls and intrusion detection systems, does not provide the defence required against DoS attacks as long as these devices are an internal part of the victim system. This is because they only respond to an attack, rather than prevent it from being successful. Consequently, when the attacks are detected the services are shut down [18].


In February 2000, a series of massive denial-of-service (DoS) attacks disabled several high-visibility Internet e-commerce sites, including Yahoo, eBay and many more. Then, in January 2001, Microsoft's name server infrastructure was incapacitated by similar attacks. The root DNS servers were beleaguered in 2002. Over the last six years, denial-of-service attacks against highly visible sites or services have become commonplace. However, the vast majority of attacks are not publicized and include a wide range of global victims, from small commercial sites to educational institutions, public chat servers and government organizations [17].

Using backscatter analysis, we have established the presence of roughly 2,000 to 3,000 active denial-of-service attacks per week. Over a three-year period we have collected 22 distinct traces, revealing 68,700 attacks on over 34,700 distinct Internet hosts belonging to more than 5,300 distinct organizations. We are also able to estimate a lower bound on the intensity of such attacks, some of which are in excess of 100,000 packets per second (pps), and characterize the nature of the sites victimized [17].


Denial of service targets the heart of today's information economy, connectivity, by preventing legitimate users from accessing services. This may be achieved in a number of ways. However, 94 percent of attacks utilize TCP to achieve their aim [20, 22].

A number of approaches have been proposed to counter the denial of service problem. These mechanisms include payment for network resources [20, 23], strong authentication [20, 24], Pushback [20, 25], traffic identification [20, 26], D-WARD [16, 26, 28], and NETBOUNCER [16, 27]. However, issues such as their inability to scale, to differentiate malicious from benign traffic with little overhead, or to deal with high-volume flows, and their requirement for stateful information, have ensured that these approaches have not achieved widespread deployment. Therefore a new approach is required [20].


The role of the INTRUSION DETECTION SYSTEM starts when an organization deploys it: the organization must monitor the system and respond to the alerts that it reports. Deployment issues to address include placement of sensors to maximize protection for the most critical assets, configuring the INTRUSION DETECTION SYSTEM to reflect the security policy, installing appropriate signatures and other initial conditions, establishing forensic procedures to preserve evidence for possible prosecutions, and determining when (if ever) and what automatic responses are allowed. Users must develop procedures for handling INTRUSION DETECTION SYSTEM alerts and consider how to correlate alerts with other information such as system or application logs [3].

INTRUSION DETECTION SYSTEMs themselves are logical targets for attack. Smart intruders who realize that an INTRUSION DETECTION SYSTEM has been deployed on a network they are attacking will likely attack the INTRUSION DETECTION SYSTEM first, disabling it or forcing it to provide false information [3].

Although a signature-based INTRUSION DETECTION SYSTEM provides various benefits, it has some drawbacks as well. Some of them are listed below:

  • Updating signature database
  • False negative
  • False positive
  • Inability to detect unknown attacks
  • Maintaining the state information (Event horizon⁴)

⁴ To detect an attack, a signature-based INTRUSION DETECTION SYSTEM examines the data presented to it; sometimes many pieces of data are necessary to match an attack signature. The maximum amount of time over which an attack signature can be successfully detected is known as the event horizon.

The biggest drawback of a signature-based INTRUSION DETECTION SYSTEM is its inability to detect previously unpublished attacks. A signature-based INTRUSION DETECTION SYSTEM detects attacks on the basis of previous attack signatures, so it is very hard to detect a new attack by using the old signatures.


An INTRUSION DETECTION SYSTEM generates alarms to signal when attacks are occurring on the network. When an alarm is generated because of normal behaviour, the alarm is known as a false positive.


When an INTRUSION DETECTION SYSTEM fails to generate an alarm for known intrusive activity, it is called a false negative. False negatives represent actual attacks that the INTRUSION DETECTION SYSTEM missed even though it was programmed to detect them.


Packet classification is an important function in network security appliances such as firewalls and intrusion detection systems. A signature-based INTRUSION DETECTION SYSTEM uses deep packet inspection, in which different multi-pattern matching algorithms are used. These pattern matching algorithms check whether the packet payload or flow content contains a specified signature from the signature set [36].

The rapid expansion of network traffic has increased the significance of NIDS performance. Most INTRUSION DETECTION SYSTEMs rely on exact string matching of network packet payloads against thousands of intrusion signatures. The performance of a signature-based INTRUSION DETECTION SYSTEM has been shown to be dominated by the speed of the string matching algorithms used to match packets against signatures. A NIDS must utilize an efficient string matching algorithm because an underperforming passive system drops many packets and may miss many attacks, while an underperforming inline system creates a bottleneck for network performance [57].

The quality of an INTRUSION DETECTION SYSTEM is described by the percentage of true attacks detected combined with the number of false alerts. However, even a high-quality pattern matching algorithm is not effective if its processing cost is too high, since the resulting loss of packets increases the probability that an attack is not detected [58].

Usually, the performance of an intrusion detection system is characterized by the probability that an attack is detected in combination with the number of false alerts. However, equally important is the system's capacity to process traffic at the maximum rate offered by the network with minimal packet loss. Significant packet loss can leave a number of attacks undetected and reduce the overall efficiency of the system. A higher-performance sensor is not only able to process packets at a higher rate, but can also apply more complicated detection techniques to reduce the number of false alerts [58].

Multi-pattern matching is known to require exhaustive memory access and is often a performance bottleneck [59].
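To make the string matching step concrete, the following Python class is an added example (not code from the thesis or from any IDS) of the Aho-Corasick multi-pattern algorithm that detection engines rely on: all signatures are compiled into one automaton and each payload is scanned once, whatever the number of rules. The signatures and payloads in the demo are constructed for illustration.

```python
from collections import deque
from typing import Dict, List, Tuple


class MultiPatternMatcher:
    """Aho-Corasick automaton: every signature in the set is matched against a
    payload in one pass, so the cost grows with payload length rather than
    with the number of signatures (unlike one search per rule)."""

    def __init__(self, signatures: List[bytes]) -> None:
        self.signatures = list(signatures)
        self.goto: List[Dict[int, int]] = [{}]   # state -> {byte: next state}
        self.fail: List[int] = [0]               # longest proper-suffix state
        self.output: List[List[int]] = [[]]      # signature ids ending here
        for sig_id, pattern in enumerate(self.signatures):
            self._add(pattern, sig_id)
        self._build_failure_links()

    def _add(self, pattern: bytes, sig_id: int) -> None:
        # Insert one signature into the trie, creating states as needed.
        state = 0
        for byte in pattern:
            nxt = self.goto[state].get(byte)
            if nxt is None:
                nxt = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.output.append([])
                self.goto[state][byte] = nxt
            state = nxt
        self.output[state].append(sig_id)

    def _build_failure_links(self) -> None:
        # Breadth-first over the trie: a state's failure link is found by
        # following its parent's failure chain until a transition on the
        # same byte exists, or the root is reached.
        pending = deque(self.goto[0].values())
        while pending:
            parent = pending.popleft()
            for byte, state in self.goto[parent].items():
                pending.append(state)
                f = self.fail[parent]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[state] = self.goto[f].get(byte, 0)
                # Inherit the suffix state's outputs so a signature that is a
                # suffix of another signature is still reported.
                self.output[state] = self.output[state] + self.output[self.fail[state]]

    def scan(self, payload: bytes) -> List[Tuple[int, int]]:
        """Return (offset, signature_id) for every signature occurrence."""
        matches = []
        state = 0
        for pos, byte in enumerate(payload):
            while state and byte not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(byte, 0)
            for sig_id in self.output[state]:
                matches.append((pos + 1 - len(self.signatures[sig_id]), sig_id))
        return matches


if __name__ == "__main__":
    # Constructed rule set and payload, not real signatures or traffic.
    rules = [b"GET /cgi-bin/", b"/etc/passwd", b"passwd"]
    matcher = MultiPatternMatcher(rules)
    for offset, sig_id in matcher.scan(b"GET /cgi-bin/x?f=/etc/passwd HTTP/1.0"):
        print(f"offset {offset}: rule {sig_id} {rules[sig_id]!r}")
```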


Even though an intrusion detection system is deployed in a network to improve its security, making sure that the intrusion detection system itself is as secure as possible will make its data more trustworthy. If someone breaks into the intrusion detection system, there is no reason to trust the alerts that it sends, thereby making the system completely useless [41].

This is because an intrusion detection system requires an operating system. With that said, an intrusion detection system installation is subject to attacks, both on the intrusion detection system itself and on the underlying operating system. Why? We will probably want to get in remotely (SSH), we will probably want to store the alerts in a database like MySQL, and we will probably want to view the alerts with a dapper interface that might require a web server. Any listening service is a possible surface for attacks, and some driver attacks can even target a listening interface that is not advertising any services at all. This makes our intrusion detection system just like any other application [41].

Frequently an operating system creates a single process with at least one thread in which an application runs. A number of operating systems permit and support the capability for a single process to be composed of multiple threads. This is significant because sometimes a single process needs to do numerous things at the same time (in parallel) [41].

Threads can be thought of as individual processes with special attributes that make them more efficient for today's more complex applications. The attributes threads share are the process address space, global variables and other process-level information. In addition to sharing these resources, threads also preserve their own separate data: for instance, individual threads have their own registers, stack and state [41].

The main point is that threads are becoming commonplace and the majority of software applications today are being deliberately written to a threaded model. In addition, multiprocessor systems are becoming commonplace throughout the home, the corporate world and data centres by way of inexpensive and powerful new technologies and architectures, such as dual-core processors, that offer a substantial increase in performance and a good return on investment [41].

So, the way in which the operating system interacts with the CPUs may be an area where performance gains can be realized. Even though some applications cannot take clear advantage of multiple processors, there are ways in which we can "help" these applications to exploit them, provided we are prepared to be creative [41]!


As with any other system that is planned to attach to a network, it is crucial to consider the security of the network's intrusion detection system. Can it be hacked? Will it need to be patched? What known attacks are available and are being used against an intrusion detection system? What type of threat could it pose to the network if an attacker managed to compromise the system? These are important questions for any system, but they are doubly important when one of the most important security devices is considered [60].

When designing the security policies for any network, it is always wise to take a defence in depth approach. Of course, all the network systems should be protected to the best of the network administrator's ability. However, it is also wise to plan so that not even a single point of failure exists. Every system on the network should be assumed susceptible to attack. A robust plan of defence will consider the security of each individual system, including the network's intrusion detection system, and it should ensure that no one machine would be a single point of failure [60].

There are two classes of attacks against intrusion detection systems. The first is designed to make an intrusion detection system ineffective. Programs like stick and snot can be used to attempt to overwhelm the INTRUSION DETECTION SYSTEM with noisy garbage alerts, perhaps distracting an analyst from the real attack hidden somewhere in all that junk. Denial-of-service attacks against the INTRUSION DETECTION SYSTEM, such as the ICMP header size DoS attack [61] against Snort⁵, have also taken place. The second category of attacks is designed to use the intrusion detection system as an exploitable network service, aiming to execute code or gain privileges on the intrusion detection system itself [60].

⁵ Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and over 250,000 registered users, Snort has become the de facto standard for IPS.

The main purpose of the project is the development of an intrusion detection system with better performance and scalability against denial-of-service attacks. For achieving that purpose different mechanisms and algorithms can be used, and we can also divide the signature into different parts for reducing the false positives and false negatives.


System design (Figure 2) is concerned with how the system functionality is to be provided by the components of the system. The activities involved in the process are [41]:

  • PARTITIONING REQUIREMENTS We analyze the requirements and organize them into related groups. There are usually several possible partitioning options and we may suggest a number of alternatives at this stage of the process.

    An intrusion detection system for DoS attacks requires partitioning because there are several functions that it has to perform.

    First of all, the network packets should be captured from the wire; for that a sniffer is required, which can sniff the network packets and forward them for further processing.

    At present there are several data link layer standards in use on networks, such as FDDI, Token Ring, Ethernet and many more. It is mandatory that the intrusion detection system should detect attacks on any kind of interface, so a sub-system is required which can convert every kind of data into a particular standard form.

    After getting the data in a particular standard form, the traffic should be controlled by using congestion control algorithms, so another sub-system is required that can control the traffic and forward it for further processing.

    Next, a sub-system is required which can detect attacks within the controlled traffic and generate alarms.

    After that, these generated alarms should be saved somewhere where they can be utilized for further processing.

  • IDENTIFY SUB-SYSTEMS Identify sub-systems that can individually or collectively meet the requirements. Groups of requirements are usually related to sub-systems, so this activity and requirements partitioning may be merged.

    Concluding the requirements partitioning, there are five sub-systems required for developing the intrusion detection system.

    1. Libpcap
    2. Decoder
    3. Traffic control system
    4. Detection engine
    5. Output generating system

  • ASSIGN REQUIREMENTS TO THE SUB-SYSTEMS In practice, there is never a clean match between requirements partitions and identified sub-systems.
  • SPECIFY THE SUB-SYSTEM FUNCTIONALITY The specific functions provided by each sub-system should be made clear. This may be seen as part of the system design phase or, if the sub-system is a software system, part of the requirements specification activity for that system.
  • DEFINE SUB-SYSTEM INTERFACES We should define the interfaces that are provided and required by each sub-system. Once these interfaces have been agreed upon it becomes possible to develop these sub-systems in parallel.

    Libpcap will capture the traffic from the wire and forward it to the decoder; the decoder will convert that data into a particular standard form and forward it to the traffic control system. The traffic control system will use a congestion control algorithm for controlling the traffic, dividing it into two cases: if there is no congestion the traffic control system will forward the traffic normally, otherwise it will drop some of the traffic. In both cases the remaining traffic is forwarded to the detection engine. After getting the data from the traffic control system, the detection engine will match this data against the pre-defined rules by using multi-pattern matching algorithms. If there is any match it will generate alarms and forward them to the output plug-ins, which will save the data for the data analyst or network administrator.


During the system requirements and design activities, the system may be modeled as a set of components and the relationships between these components. These are normally illustrated graphically in a system architecture model that gives the reader an overview of the system organization [41].

For example, Figure 3 shows the decomposition of a reliable intrusion detection system for DoS attacks into its principal components.

Figure 3 IDS for DoS attacks data flow

  • LIBPCAP Libpcap can be used to read, record, inject and in general deal with network packets at a higher level than raw sockets. Essentially, Libpcap can be used to easily collect or manipulate packets. Libpcap functions also abstract away many of the differences between operating systems' network APIs, making programs that leverage Libpcap generally more portable, or perhaps saving the programmer the headache of writing their own network API layer [42].
  • DECODER The packet decoder takes packets from different types of network interfaces and prepares the packets to pass through the congestion control part or to be sent to the detection engine. The interface may be Ethernet, SLIP or PPP [38].
  • TRAFFIC CONTROL SYSTEM This system will be used for controlling the congestion of the network by using different congestion control algorithms such as RED and drop-tail.
  • DETECTION ENGINE Its responsibility is to detect whether any intrusive activity exists in a packet. The detection engine matches the packet with already saved signatures and employs the rules for this purpose [38].
  • OUTPUT PLUG-IN The purpose of an output plug-in is to dump alerting data to another resource or file. Multiple output plug-ins may be used [43].

At this level of detail, the system is decomposed into a set of interacting sub-systems. Each sub-system should be represented in a similar way until the system is decomposed into functional components. Functional components are the components that, when viewed from the perspective of the sub-system, provide a single function. By contrast, a sub-system usually is multi-functional. Of course, when viewed from another perspective, a functional component may itself be a system in its own right [41].

SUB-SYSTEM DEVELOPMENT During sub-system development, the sub-systems identified during system design are implemented. This may involve starting another system engineering process for individual sub-systems or, if the sub-system is software, a software process involving requirements, design, implementation and testing.


Some preliminary work is required to send the packets into the congestion control system and the detection engine. For this we can use Libpcap for packet capture: it is a platform-independent facility that can be run on every popular combination of hardware and OS. We can utilize the Libpcap library to grab the packets off the wire [43].

The responsibility for grabbing packets directly from the network interface card belongs to Libpcap. It makes the capture facility for raw packets provided by the underlying operating system available to other programs. Figure 4 shows the different elements of the packet capture process [47].

  • RAW PACKET A raw packet is a packet that is left in its original, unmodified form as it travelled across the network from client to server. A raw packet has all its protocol header information left intact and unaltered by the operating system. Network applications typically do not process raw packets; they depend on the OS to read the protocol information and properly forward the payload data to them.


Once Libpcap has captured a packet, it passes it into the packet decoder. Exactly where the packet enters the decoder depends on the link layer from which it is being read [45]. As soon as the packets have been gathered, the INTRUSION DETECTION SYSTEM must decode the specific protocol elements of each packet. The packet decoder is actually a series of decoders, each of which decodes a specific protocol element. It works up the network stack, starting with the lower-level data link protocols and decoding each protocol as it moves up. A packet follows this flow as it moves through the packet decoder (see Figure 4).

Figure 4 Decoder data flow

As packets move through the various protocol decoders, a data structure is filled with the decoded packet data. As soon as the packet data is stored in the data structure it is ready to be analyzed by the detection engine [43].

Regardless of which link layer is being used, all of the decoders work in the same general fashion. For the particular layer being decoded, pointers in the packet structure are set to point to various parts of the packet. Based on the decoded information, the decoder calls into the appropriate higher-layer decoders until no more decoders are available [45].

The result of the decoding process is a fully populated packet structure. This structure contains pointers into various parts of the packet and allows quick access into the packet from other areas of the intrusion detection system. Because most of the work consists of simply setting pointers into the structure, a packet can be decoded very quickly. This packet structure represents the core of the intrusion detection system's capability to share information about a packet among its different components. The packet structure is passed into the traffic control system, into the detection engine, and into the output plug-ins. Being able to read this structure is essential to being able to add capabilities to the intrusion detection system [41].
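The following Python sketch is an added example, not code from the thesis or from Snort, of the decoder chain described above: each decoder records offsets into the raw buffer (the "pointers" of the packet structure) and hands off to the next decoder chosen by ethertype or IP protocol, stopping when a header is truncated or no decoder exists for that protocol. The frame it decodes is constructed inline for the demonstration.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


@dataclass
class Packet:
    """Decoded view of one raw frame. Fields hold offsets into `raw` rather
    than copies, so later stages index into the same buffer."""
    raw: bytes
    eth_offset: Optional[int] = None
    ethertype: Optional[int] = None
    ip_offset: Optional[int] = None
    ip_proto: Optional[int] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    l4_offset: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    payload_offset: Optional[int] = None
    layers: List[str] = field(default_factory=list)   # decoders that ran

    @property
    def payload(self) -> bytes:
        return b"" if self.payload_offset is None else self.raw[self.payload_offset:]


def decode_ethernet(pkt: Packet) -> None:
    """Link-layer entry point: Ethernet II header is 14 bytes."""
    if len(pkt.raw) < 14:
        return                                  # truncated: stop decoding
    pkt.eth_offset = 0
    pkt.ethertype = struct.unpack_from("!H", pkt.raw, 12)[0]
    pkt.layers.append("eth")
    if pkt.ethertype == ETHERTYPE_IPV4:
        decode_ipv4(pkt, 14)
    # Any other ethertype: no decoder available, the chain ends here.


def decode_ipv4(pkt: Packet, off: int) -> None:
    if len(pkt.raw) < off + 20:
        return
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack_from(
        "!BBHHHBBH4s4s", pkt.raw, off)
    ihl = (ver_ihl & 0x0F) * 4                  # header length incl. options
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt.raw) < off + ihl:
        return                                  # malformed or truncated header
    pkt.ip_offset, pkt.ip_proto = off, proto
    pkt.src_ip = ".".join(str(b) for b in src)
    pkt.dst_ip = ".".join(str(b) for b in dst)
    pkt.layers.append("ipv4")
    if proto == IPPROTO_TCP:
        decode_tcp(pkt, off + ihl)
    elif proto == IPPROTO_UDP:
        decode_udp(pkt, off + ihl)


def decode_tcp(pkt: Packet, off: int) -> None:
    if len(pkt.raw) < off + 20:
        return
    sport, dport, _seq, _ack, doff_flags = struct.unpack_from("!HHIIH", pkt.raw, off)
    data_off = (doff_flags >> 12) * 4           # data offset in 32-bit words
    if data_off < 20 or len(pkt.raw) < off + data_off:
        return
    pkt.l4_offset, pkt.src_port, pkt.dst_port = off, sport, dport
    pkt.payload_offset = off + data_off
    pkt.layers.append("tcp")


def decode_udp(pkt: Packet, off: int) -> None:
    if len(pkt.raw) < off + 8:
        return
    pkt.l4_offset = off
    pkt.src_port, pkt.dst_port = struct.unpack_from("!HH", pkt.raw, off)
    pkt.payload_offset = off + 8
    pkt.layers.append("udp")


def decode(raw: bytes) -> Packet:
    pkt = Packet(raw)
    decode_ethernet(pkt)                        # chains upward automatically
    return pkt


def build_sample_frame(payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for the demo (not captured traffic)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000, 64,
                     IPPROTO_TCP, 0, bytes([10, 0, 0, 5]), bytes([192, 168, 1, 10]))
    return eth + ip + tcp + payload


if __name__ == "__main__":
    pkt = decode(build_sample_frame(b"GET / HTTP/1.0\r\n"))
    print(pkt.layers, pkt.src_ip, pkt.dst_ip, pkt.dst_port, pkt.payload)
```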


    The traffic control system is the system which controls the network traffic by using congestion control algorithms. Congestion control algorithms are used to control the entry of traffic into a telecommunication network, so as to avoid oversubscription of any of the processing or link capabilities of the network resources. As figure 5 shows, the traffic control system takes the traffic from Libpcap and controls it by using the congestion control algorithms, i.e. some packets may be dropped if the traffic congestion increases dramatically.

    Figure 5 shows the different components of the traffic control system.

    Within the traffic control system the congestion control algorithm is adapted for use in the stateful signatures for detecting denial-of-service attacks. During this type of attack a large volume of traffic is observed. To demonstrate the way in which this is achieved in the traffic control system, a first in first out (FIFO) queue is used. The available space within the traffic control system's FIFO queue is divided into two sub-queues to allow comparison of packets whilst they are in the queue. An incoming packet to the INTRUSION DETECTION SYSTEM is placed in the queue if, due to bandwidth limitation, the packet cannot be immediately forwarded to the next device. These packets are placed in either the first or the second sub-queue at the IDS on a first-come first-served basis [20, 21].

    Packets placed in the queue, and its sub-queues, are dequeued and forwarded to their destination. If the threshold of the total queue limit is exceeded, the INTRUSION DETECTION SYSTEM begins to drop packets to ensure that packets already in the queue are forwarded and that new incoming packets can be placed in the queue. In this way, no stateful information is held about the queue apart from whether the queue limit has been exceeded, thereby reducing the computational overhead placed on the INTRUSION DETECTION SYSTEM [20, 21]. During periods of congestion, packets are dropped. Before a packet is dropped, its IP header is accessed and the destination address obtained. This IP address is compared to the previous packet's IP destination address. If they are the same, the IP destination address is stored for comparison with the next packet and the packet is passed to the stateless signature analysis. If the destination addresses are not the same, the destination IP address is still stored for comparison with the next packet, but the packet is dropped [20, 21].


    The detection engine is the primary component of the INTRUSION DETECTION SYSTEM. It has two major functions, rule parsing and signature detection. The detection engine builds attack signatures by parsing the INTRUSION DETECTION SYSTEM rules. The DoS INTRUSION DETECTION SYSTEM rules are read line by line and loaded into an internal data structure. The rules are loaded only when the INTRUSION DETECTION SYSTEM service is started, meaning that to modify, add, or delete a rule you must restart the INTRUSION DETECTION SYSTEM daemon [45, 42, 43].

    In this research we will use the detection engine as used by Snort. Snort maintains its detection rules in a two-dimensional linked list of what are termed chain headers and chain options. These are lists of rules that have been condensed down to a list of common attributes in the chain headers, with the detection modifier options contained in the chain options. For example, if forty-five CGI-BIN probe detection rules are specified in a given Snort detection library file, they generally all share common source and destination IP addresses and ports. To speed up detection processing, these commonalities are condensed into a single chain header and the individual detection signatures are kept in chain option structures [45, 46].

    Figure 6 Rule chain logical structure of detection engine

    These rule chains are searched recursively for each packet in both directions. The detection engine checks only those chain options which have been set by the rules parser at run-time. The first rule that matches a decoded packet in the detection engine triggers the action specified in the rule definition and returns [45].

    A major overhaul of the detection engine is in the planning and development stage. The next version of the engine will include the capability for users to write and distribute plug-in modules and bind them to keywords for the detection engine rules language. This will allow anyone with an appropriate plug-in module to add significant detection functionality to snort and customize the program for specific jobs [45, 46].

    The detection engine processes the rule header and the rule options differently. The detection engine builds a linked-list decision tree. The nodes of the tree hold rules for TCP. The packet is then tested to see whether it matches a source address in a rule; if so, it passes down the corresponding rule chain. This process continues until the packet either matches an attack signature or tests clean and is dropped. The important thing to remember is that Snort ceases testing a packet after it has found a signature that matches the packet. Even if the packet could possibly match another signature, the detection engine moves on to the next packet. This is why it is most valuable to organize the rules so that the most malicious signatures are loaded first [43].

    A detection engine that uses signature detection matches the network traffic it sees against a list of signatures. These signatures are typically the important bits and pieces of an attack that the INTRUSION DETECTION SYSTEM should look for in incoming network packets and flag as “bad” traffic. These signatures are matched using multi-pattern matching algorithms to increase the performance of the matching device.

    Rule and signature matching for network traffic is a time-critical part of the INTRUSION DETECTION SYSTEM. Depending upon how powerful the machine is and how many rules have been defined, it may take different amounts of time to respond to different packets. If the network traffic is too high, it is possible that the INTRUSION DETECTION SYSTEM drops some packets and does not give a true real-time response [38].


    The purpose of the output plug-in is to dump alerting data to another resource or file [43]. Output modules or plug-ins can do different operations depending on how you want to save the output generated by the logging system of the INTRUSION DETECTION SYSTEM. Basically these modules control the type of output generated by the logging and alerting system. Depending on the configuration, output modules can do things like the following [8]:

    • Simply writing the logs to a given location.
    • Sending SNMP traps.
    • Sending messages to the syslog facility.
    • Logging to database servers.
    • Generating XML output, and many more.

    Other tools can also be used to send alerts in other formats such as email messages or viewing alerts using a web interface [8].


    To document the system specification, a technique known as system modeling is used. System models are graphical representations that describe the problem to be solved and the system that is to be developed. Different types of models are based upon different approaches to abstraction. For example, a data-flow model concentrates on the flow of data and the functional transformations on that data; it leaves out details of the data structures. By contrast, a model of data entities and their relationships documents the system's data structures rather than its functionality [41].


    Architectural models describe the environment of a system. However, they do not show the relationships between the other systems in the environment and the system that is being specified. Figure 7 is an architectural model that illustrates the structure of the intrusion detection system.

    Figure 7 shows an architectural model of the INTRUSION DETECTION SYSTEM for DoS attacks.

    Simple architectural models are normally supplemented by other models, such as process models, that show the process activities supported by the system. Data-flow models may also be used to show the data that is transferred between the system and the other systems in its environment [41]. Figure 8 illustrates a process model of the processes or functions provided by the different parts of the INTRUSION DETECTION SYSTEM. This involves specifying the algorithms required, i.e. the congestion control algorithm and the pattern matching algorithms. In figure 8 the dotted lines enclose the activities that are within the system boundary. The other activities lie outside the boundary of the system. The arrows show the data flow between the different parts of the system [41].

    Figure 8 shows the process model of the intrusion detection system.

    We have already discussed many of these parts above; the functioning and processes of the remaining parts are described below.


    Pattern matching is a crucial component of a network intrusion detection system; it is the act of inspecting network packets for occurrences of the constituents of a given pattern or rule. Pattern matching is used to test whether things have the desired structure and to find the relevant structure.

    Pattern matching can be divided into two problems:

    • Given an input string P and a pattern string T, decide whether T appears in P.

    • Given an input string P and a set of pattern strings T1, T2 ... Tm, decide whether any Ti appears in P.

    With the increasing types and number of malicious attacks on the Internet [33-36], network security appliances such as firewalls and INTRUSION DETECTION SYSTEMs [36, 37] need an effective tool to detect such attacks. Developing an efficient multi-pattern matching algorithm is still a difficult research issue [36]; three different kinds of algorithms are usually used to tackle this problem: (1) the Bloom filter algorithm; (2) the Aho-Corasick (AC) algorithm and its extensions; and (3) the Boyer-Moore (BM) algorithm and its extensions [36].

    There is a natural problem when aggregating rules into pattern groups for multi-pattern matching that is not seen with single-pattern Boyer-Moore strategies [40]. Generally, signature matching in an INTRUSION DETECTION SYSTEM involves packet classification, which examines the values of the packet headers, and deep packet inspection, in which the packet payload is matched against a set of predefined patterns [39].

    When the intrusion detection engine receives a packet, it identifies the group to which it belongs. Then the payload of the packet is matched using the pattern matching algorithm. The Aho-Corasick algorithm identifies all the rules whose content option is matched. For each of these rules, an interpreter checks whether the other payload and non-payload options are satisfied by the packet. If all the options of a rule are satisfied, a match is announced for that rule [39].


    In many information retrieval and text-editing applications it is necessary to be able to quickly locate some or all occurrences of user-specified patterns of words and phrases in a text. The Aho-Corasick algorithm is an efficient algorithm for locating all occurrences of any of a finite number of keywords and phrases in an arbitrary text string [62, 63].

    An Aho-Corasick algorithm can be divided into three different parts:


    Let A be a finite alphabet. A trie is a rooted tree with the following properties:

    i. Each edge of the tree is marked with a letter from A (a so-called label).

    ii. For each node k of the tree and for each letter c of A, there is at most one edge which starts in k and is marked with c.

    Given a node k of the trie, path(k) denotes the string built from the labels on the way from the root to k.

    Let P be a set of strings; then trie(P) is the smallest (with respect to the number of nodes) trie with the following property:

    For every string p in P there exists a node k such that p = path(k).

    For example P = {ab, ba, babb, bb}


    Let g: Q × A -> Q + {fail} be the transition function of a deterministic finite automaton (A, Q, init, g, T), where A is the input alphabet, Q is a finite set of states, init is the initial state and T is the set of terminal states [62, 63].

    The value g(q, a) is the state reached from state q by the transition labeled with the input symbol a. Likewise, for a word w, g(q, w) denotes, if it exists, the state reached after reading the word w in the automaton starting from state q [62, 63].


    For reasons of economy we allow g to be a partial function.


    Let Q be the set of states of an Aho/Corasick automaton.

    Let h: Q -> Q + {fail} denote the failure function.

    Let q, q’ be states of Q.

    The failure function of the Aho-Corasick automaton is defined as follows:

    h(q) = q’ if, among the states of Q, q’ is the state for which path(q’) is the longest proper suffix of path(q) [62, 63]

    3. The Aho/Corasick String Matching Automaton

    An Aho/Corasick String Matching Automaton for a given finite set P of patterns is a (deterministic) finite automaton G accepting the set of all words containing a word of P as a suffix [62, 63].

    G consists of the following components:

    1. finite set Q of states
    2. finite alphabet A
    3. transition function g: Q × A -> Q + {fail}
    4. failure function h: Q -> Q + {fail}
    5. initial state q0 in Q
    6. a set F of final states

    Example: P = {ab, ba, babb, bb}

    Aho/Corasick String Matching Automaton.


    To achieve early detection, both stateful and stateless signatures should be utilized. Stateful signatures store the state of the packets, so they can generate an alert for unusual traffic loads towards a target host or network, whereas stateless signatures verify that an attack is indeed taking place. By using stateless signatures we can also reduce the number of false positives. In traditional INTRUSION DETECTION SYSTEMs the two types of signature are not combined; systems are of one type or the other, i.e. misuse-based or anomaly-based INTRUSION DETECTION SYSTEMs [20, 21].


    When an attack such as a SYN flood takes place, it generates congestion within the network. To control the congestion, network devices such as routers use congestion control algorithms, such as RED [49] or CHOKE [50], to ensure that they will work properly when faced with high levels of traffic [20, 21].


    Many congestion control algorithms can be used within this stateful signature module. Several recently proposed algorithms try to provide an efficient solution to the problem. One of these is active queue management (AQM) with explicit congestion notification (ECN); in other algorithms, packets are dropped to avoid and control congestion at the gateways. Thus, different senders of data can be required to reduce their traffic [64].

    We have already discussed the First-In-First-Out (FIFO) algorithm. In this study we will compare this algorithm against the Drop-Tail algorithm.


    Drop tail (DT) is the simplest and most commonly used algorithm in existing Internet gateways; it drops packets from the tail of the full queue buffer. Its main advantages are simplicity, appropriateness to heterogeneity and its decentralized nature [64].

    However, this approach has some grave disadvantages, such as lack of fairness and no protection against mischievous or non-responsive flows [64].

    Generally DT is used as a baseline case for assessing the performance of all the newly proposed gateway algorithms [64].

    If the input queue is full when a datagram arrives, discard the datagram [65].

    The name tail-drop arises from the effect of the policy on an arriving sequence of datagrams. Once the queue fills, the router begins discarding all additional datagrams. That is, the device discards the ‘tail’ of the sequence [65].

    Tail drop has an interesting effect on TCP. In the simple case where the datagrams traveling through a device carry segments from a single TCP connection, the loss causes TCP to enter slow start, which reduces throughput until TCP begins receiving ACKs and increases the congestion window. A more severe problem can occur, however, when the datagrams traveling through the device carry segments from many TCP connections, because tail-drop can cause global synchronization. To see why, observe that datagrams are typically multiplexed, with successive datagrams each coming from a different source. Thus, a tail-drop policy makes it likely that the router will discard one segment from each of N connections rather than N segments from one connection. The simultaneous loss causes all N instances of TCP to enter slow start at the same time [65].


    A software system usually consists of a number of separate programs; configuration files, which are used to set up these programs; system documentation, which describes the structure of the system; user documentation, which explains how to use the system; and websites from which users can download recent information [41].

    A software process is a set of activities that leads to the production of a software product [41].



    This proposed signature-based INTRUSION DETECTION SYSTEM can be implemented in three different ways:

    1. By developing a software system.
    2. By doing some small modifications in existing intrusion detection systems like Snort and Bro.
    3. By using some open source network simulators like network simulator-3 or Metasploit.


    The implementation stage of software development is the process of converting a system specification into an executable system. It always involves the processes of software design and programming but, if an evolutionary approach to development is used, may also involve refinement of the software specification [41].

    A software design is a description of the structure of the software to be implemented, the data which is the part of the system, the interfaces between system components and, sometimes, algorithm used [41].

    As discussed above in the design part, the signature-based INTRUSION DETECTION SYSTEM for DoS attacks can be divided into different sub-systems:

    1. LIBPCAP
    2. DECODER

    Different services, data structures and algorithms are used in these components. The traffic control system will provide congestion control of the incoming traffic. Different congestion control algorithms can be used by this sub-system, and the controlled packets will be stored in a specific data structure.

    The detection engine will use a multi-pattern matching algorithm to match the incoming traffic against a predefined set of rules and signatures.


    Pseudo code is a compact, informal high-level description of a computer programming algorithm that uses the structural conventions of a programming language but is intended for human reading rather than machine reading. Pseudo code typically omits details that are not necessary for human understanding of the algorithm, such as variable declarations, system-specific code and subroutines. The programming language is augmented with natural-language descriptions of details where suitable, or with compact mathematical notation. The purpose of using pseudo-code is that it is easier for humans to understand than conventional programming language code, and that it is a compact and environment-independent description of the key principles of an algorithm.

    1. Select the device for sniffing

        device = pcap_lookupdev(errbuf);
        if (device == NULL) {
            print "no device";
        }

    2. Define the properties of the device.

        if (pcap_lookupnet(device, &net, &mask, errbuf) == -1) {
            print error;
        }

    3. Open the session.

        handle = pcap_open_live(device, BUFSIZ, 1, 1000, errbuf);
        if (handle == NULL) {
            print error;
        }

    4. Grab the packet.

        packet = pcap_next(handle, &header);
        print its length;

    5. Send the packet to the traffic control system.

    6. Store the destination address of the packet.

        if (average queue <= maximum) {
            6.a Admit the new packet.
            6.b Enqueue.
            6.c Dequeue.
            6.d End
        } else {
            6.e Draw the packet
            6.f if (packet destination address == previous destination address) {
                6.f.1 Send to the stateless detection engine.
                6.f.2 End
            } else {
                6.f.3 Drop the packet
                6.f.4 End
            }
        }
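The queue logic of step 6, and of the traffic control system design earlier in the chapter, as an added Python example (not the thesis's code): packets are reduced to (destination, is_attack) tuples, the queue limit and the two sub-queues are this example's own choices, and the outgoing link is stalled during the constructed burst so that the inspect-before-drop path is exercised.

```python
from collections import deque
from typing import Deque, List, Optional, Tuple

# A packet is reduced to (destination IP, is_attack). is_attack is ground truth kept
# only so the simulation can be scored; the queue itself never looks at it.
Packet = Tuple[str, bool]


class TrafficControl:
    """FIFO queue split into two sub-queues; a packet that would be tail-dropped is
    first compared with the destination of the previous packet that reached this point."""

    def __init__(self, queue_limit: int) -> None:
        self.limit = queue_limit
        self.sub_queues: List[Deque[Tuple[int, Packet]]] = [deque(), deque()]
        self.seq = 0                          # arrival order, so dequeue stays FIFO
        self.prev_dst: Optional[str] = None   # the only state the module keeps
        self.to_stateless: List[Packet] = []  # handed on for stateless signature analysis
        self.dropped: List[Packet] = []

    def __len__(self) -> int:
        return sum(len(q) for q in self.sub_queues)

    def enqueue(self, pkt: Packet) -> str:
        """Steps 6.a-6.b while there is room, 6.e-6.f once the limit is reached."""
        if len(self) < self.limit:
            self.seq += 1
            self.sub_queues[self.seq % 2].append((self.seq, pkt))  # first-come first-served
            return "queued"
        return self._inspect_before_drop(pkt)

    def _inspect_before_drop(self, pkt: Packet) -> str:
        dst = pkt[0]
        same_as_previous = dst == self.prev_dst
        self.prev_dst = dst                   # stored either way, for the next comparison
        if same_as_previous:
            self.to_stateless.append(pkt)     # 6.f.1: repeated destination under congestion
            return "stateless"
        self.dropped.append(pkt)              # 6.f.3
        return "dropped"

    def dequeue(self) -> Optional[Packet]:
        """Step 6.c: forward the oldest packet across both sub-queues."""
        heads = [q for q in self.sub_queues if q]
        if not heads:
            return None
        oldest = min(heads, key=lambda q: q[0][0])
        return oldest.popleft()[1]


def simulate(arrivals: List[Packet], queue_limit: int) -> dict:
    """Feed a burst with no dequeues (link stalled), count how each arrival was
    classified and how many of the packets sent on for inspection were attack packets."""
    tc = TrafficControl(queue_limit)
    counts = {"queued": 0, "dropped": 0, "stateless": 0}
    for pkt in arrivals:
        counts[tc.enqueue(pkt)] += 1
    counts["attack_inspected"] = sum(1 for _, is_attack in tc.to_stateless if is_attack)
    return counts


if __name__ == "__main__":
    # constructed burst: four legitimate packets, then a flood toward one victim with
    # a single legitimate packet in the middle
    victim = "192.168.1.10"
    burst: List[Packet] = [("10.0.0.2", False), ("10.0.0.3", False),
                           ("10.0.0.4", False), ("10.0.0.5", False)]
    burst += [(victim, True)] * 5 + [("10.0.0.9", False)] + [(victim, True)] * 2
    print(simulate(burst, queue_limit=4))
```

Note that the first flood packet seen under congestion and the first packet after the legitimate interruption are both dropped, because the comparison only has the previous destination to go on.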



    In the detection engine, the incoming traffic is first matched against the stored database of rules and signatures using the Aho-Corasick multi-pattern matching algorithm. The Aho-Corasick algorithm needs a trie-like DFA and a failure function. Searching through a database using the Aho-Corasick algorithm is done by traversing the DFA and using the failure function whenever a transition fails.

    7.a. Create a trie-like DFA by using the algorithm written below

        DFA dfaConstruction(Dictionary d) {
            DFA dfa = new DFA();
            String w;
            State state, nextState;
            state = dfa.newState();                 // the first state created is the start state
            while ((w = d.remove()) != null) {      // one keyword at a time
                state = dfa.getStartState();
                for (int i = 0; i < w.length(); i++) {
                    nextState = dfa.getTransition(state, w.charAt(i));
                    if (!nextState.isValid()) {     // no edge for this character yet: extend the trie
                        nextState = dfa.newState();
                        dfa.addTransition(state, w.charAt(i), nextState);
                    }
                    state = nextState;
                }
                state.setAcceptState(true);         // the state where keyword w ends is accepting
            }
            return dfa;
        }


    7.b. Create a failure function by using the following algorithm

        FailureFunction failureConstruction(DFA dfa) {
            FailureFunction f = new FailureFunction();
            Queue q = new Queue();
            State state, nextState, s;
            char ch;
            f.setFailure(dfa.getStartState(), null);
            q.add(dfa.getStartState());             // breadth-first, starting from the start state
            while (!q.isEmpty()) {
                state = q.remove();
                for (int i = 0; i < dfa.getAlphabetLength(); i++) {
                    ch = dfa.getAlphabetSymbol(i);
                    nextState = dfa.getTransition(state, ch);
                    if (nextState.isValid()) {
                        q.add(nextState);           // children are handled after all shallower states
                        s = f.getFailure(state);
                        // follow failure links until a state that can read ch is found
                        while ((s != null) && !dfa.getTransition(s, ch).isValid()) {
                            s = f.getFailure(s);
                        }
                        if (s != null) {
                            f.setFailure(nextState, dfa.getTransition(s, ch));
                        } else {
                            f.setFailure(nextState, dfa.getStartState());
                        }
                        if (f.getFailure(nextState).isAcceptState()) {
                            nextState.setAcceptState(true);   // a keyword ends as a suffix of path(nextState)
                        }
                    }
                }
            }
            return f;
        }

    7.c. Search through the database using the searching algorithm.

        Results ahoCorasickSearch(Dictionary dict, Database ruleset) {
            DFA dfa = dfaConstruction(dict);
            FailureFunction f = failureConstruction(dfa);
            State state, nextState;
            char ch;
            Results r = new Results();
            state = dfa.getStartState();
            while (!ruleset.eof()) {
                ch = ruleset.getChar();
                nextState = dfa.getTransition(state, ch);
                if (!nextState.isValid()) {         // transition fails: fall back along the failure links
                    nextState = f.getFailure(state);
                    while ((nextState != null) && !dfa.getTransition(nextState, ch).isValid()) {
                        nextState = f.getFailure(nextState);
                    }
                    if (nextState != null) {
                        nextState = dfa.getTransition(nextState, ch);
                    } else {
                        nextState = dfa.getStartState();
                    }
                }
                if (nextState.isAcceptState()) {
                    r.add(nextState, ruleset.position());   // record the match and where it ended
                }
                state = nextState;
            }
            return r;
        }
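Steps 7.a to 7.c, together with the trie and failure-function definitions earlier in the chapter, worked in Python as an added example (not the thesis's pseudocode): states are integers, the goto function is a dictionary per state, failure links are built breadth-first, and each state's output list is merged with that of its failure state so that every pattern ending at a position is reported. The pattern set P is the chapter's example; the content rules and the payload are constructed for this example.

```python
from collections import deque
from typing import Dict, List, Tuple


class AhoCorasick:
    """Trie-like DFA (goto), failure function (fail) and per-state output lists (out)."""

    def __init__(self, patterns: List[bytes]) -> None:
        self.goto: List[Dict[int, int]] = [{}]   # state -> {byte value: next state}
        self.fail: List[int] = [0]
        self.out: List[List[bytes]] = [[]]       # patterns that end in this state
        for p in patterns:
            self._insert(p)
        self._build_failure()

    def _new_state(self) -> int:
        self.goto.append({})
        self.fail.append(0)
        self.out.append([])
        return len(self.goto) - 1

    def _insert(self, pattern: bytes) -> None:
        """Step 7.a: extend the trie with one keyword; its last state accepts it."""
        s = 0
        for b in pattern:
            if b not in self.goto[s]:
                self.goto[s][b] = self._new_state()
            s = self.goto[s][b]
        self.out[s].append(pattern)

    def _build_failure(self) -> None:
        """Step 7.b: h(s) is the trie state whose path is the longest proper suffix of path(s)."""
        q = deque()
        for s in self.goto[0].values():          # depth-1 states fail to the root
            self.fail[s] = 0
            q.append(s)
        while q:
            r = q.popleft()
            for b, s in self.goto[r].items():
                q.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:   # walk failure links until b is readable
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # a keyword ending in the failure state also ends here (accept propagation)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, text: bytes) -> List[Tuple[int, bytes]]:
        """Step 7.c: one pass over the text, reporting (end index, pattern) for every occurrence."""
        s, hits = 0, []
        for i, b in enumerate(text):
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            for p in self.out[s]:
                hits.append((i, p))
        return hits


def match_payload(rules: List[bytes], payload: bytes) -> List[bytes]:
    """Which content rules fire on a payload, in order of first occurrence."""
    fired: List[bytes] = []
    for _, p in AhoCorasick(rules).search(payload):
        if p not in fired:
            fired.append(p)
    return fired


if __name__ == "__main__":
    ac = AhoCorasick([b"ab", b"ba", b"babb", b"bb"])   # the chapter's example set P
    print(ac.search(b"babb"))
    # constructed content rules run over a constructed payload
    print(match_payload([b"/cgi-bin/", b"passwd"], b"GET /cgi-bin/test.cgi?file=passwd"))
```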


    8. Now we have to write the signature set for the SYN flood attack which will be used by the Aho-Corasick algorithm.

    8.a.    if (SYN received time > limit) {
                Drop the packet, and confirm that it is an attack.
            }
            if (connection == half open or long) {
                Drop the packet and confirm attack.
            } else {
                Match the incoming pattern against the rule database.
                if (pattern == rules) {
                    Drop the packet, and confirm that it is an attack
                } else {
                    Confirm that it is not an attack and forward the traffic
                }
            }


    9. Output plug-ins will save the data in text format, meaning that the alarms generated by the detection engine will be saved in text format for further evaluation by the network administrator.

    This pseudo code can be converted into a program using a programming language such as C, C++ or Java.

    The same purpose can also be achieved by using Snort and network simulators. Snort is an open source intrusion detection system. It is most famous for being a full-fledged open source intrusion detection system, but Snort is also a feature-rich packet sniffer and a useful packet logger. Snort is like a vacuum that sucks up all items of a particular kind, i.e. all the network packets, and allows different things to be done with them once captured [60].

    There are several reasons behind the popularity of Snort. Apart from this, Snort has many features that are very useful in a live network: it provides fast packet processing, it is a platform-independent system, and its new preprocessors have been designed to handle protocol hiccups and tomfoolery in a variety of common implementations. But this study is not about the features of Snort; the main concern is how we can use Snort to implement the intrusion detection system for DoS attacks.

    Snort is an open source network intrusion detection system. The latest version of Snort provides dynamic Snort preprocessors and a dynamic Snort detection engine. These dynamic facilities within both sub-systems of Snort allow it to load shared-object rules, definitions, preprocessors and detection capability written in C [60, 46]. New functionality can be added to the system by simply compiling the standalone dynamic preprocessor, placing it in the correct directory, and restarting Snort [46, 60].

    So we can write the traffic control system in C, which can then be used by the Snort preprocessor. Apart from this, the Snort preprocessor already has four different parts.

    According to [21], frag3 starts to implement the concept of a “target based” intrusion detection system, that is, analyzing the traffic as the “target” would. Apart from this, the flow processor is a part of frag3. Flow, contained in spp_flow.c, was written by Chris Green in 2003 to start unifying the state-keeping mechanisms of Snort in a single place. The point of flow is to establish who is talking to whom, and on what port and IP they are talking. Who is the client? Who is the server? These are the questions that flow answers for us [46, 60]. So by making small changes in this preprocessor the purpose can be achieved.

    ns-3 is a discrete-event network simulator for Internet systems, targeted primarily for research and educational use. ns-3 is free software, licensed under the GNU GPLv2 license, and is publicly available for research, development, and use [67].

    ns-3 is intended as an eventual replacement for the popular ns-2 simulator. The project acronym “nsnam” derives historically from the concatenation of ns (network simulator) and nam (network animator) [67].


    Some basic measures which can make the intrusion detection system itself more secure are listed below:

    • Turn off all the services that are not needed. Services like Telnet, FTP, NFS and NIS should not be running on the system. In addition, other unneeded services such as echo, discard and chargen should not run [41].
    • Maintain system integrity. Tripwire is a freeware application that checks for backdoors and Trojans that cannot easily be suspected. There are many other freeware applications like Tripwire, such as AIDE and Samhain [41].
    • Firewall or TCP-wrap services. Services like SSH and MySQL should be TCP-wrapped or firewalled because they have security holes of their own, and access should be restricted to the smallest possible set of necessary users. For services that you can’t TCP-wrap, such as Apache, make sure these are also configured as securely as possible. iptables is the latest version of the Linux firewall, and there are plenty of references on how to implement it [41].
    • Encrypt and use public key authentication. Public key authentication should be enabled for OpenSSH. Another thing to consider for Apache, when using it to view logs, is to use Apache-SSL, with digital certificates used for client-side authentication [41].
    • No matter how secure the OS is, it is critical that the security updates and patches for the operating system are monitored continuously. Because we are talking about an intrusion detection system, it seems appropriate to mention the security aspect of the operating system of choice. A commitment to security is a must on both the Linux distro’s and the user’s end [41].


    In this section we evaluate how the proposed system can be better than other systems that can be used against DoS attacks. In this study we developed a signature-based intrusion detection system for denial of service attacks with better scalability and better performance by using different multi-pattern matching and congestion control algorithms; to achieve better scalability the signatures have been divided into two different parts, stateful and stateless signatures.

    Congestion control algorithms have been adopted within the stateful signature module for detecting denial of service attacks. The stateful signature module is a part of the traffic control system. According to [19, 20, 21], when this type of attack targets a victim, a large volume of traffic is observed. As described in figures 10 and 11, the control traffic fits the normal probability plot well, while the rise in traffic caused by a TCP SYN flood is apparent.

    To demonstrate the way in which this will be achieved in the proposed IDS, a first-in-first-out queue is used and its throughput will be measured against the drop-tail and RED algorithms (see footnote 7).

    Rather than purely dropping packets when the IDS threshold is met, packets that are to be dropped from the queue are inspected by the traffic control system. This enables the inference of stateful information about the traffic flow and whether these abnormal flows are attributable to a particular destination. It is this random examination that allows the state inference. If two or more dropped packets have the same destination, they are passed for stateless signature inspection, as this indicates the possibility of a large flow of traffic in one direction.

    According to [19, 20 and 21], about 19,500 attack packets were forwarded to the victim node by two attacking nodes. This represents an attack of roughly 1,000 packets per second. Once the congestion algorithm was invoked by the router, 798 attack and legitimate packets were to be dropped. Of this number, 742 packets were actual attack packets, whilst the remainder were legitimate traffic. Therefore, out of a total of 19,500 attack packets, only 4 percent was inspected. By using stateless and stateful signature analysis with the FIFO algorithm shown in figure 10, 697 packets were detected out of the 742 inspected, giving a 94 percent detection rate. Therefore the use of this algorithm is extremely efficient [19, 20, 21 and 68].
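    The two-stage inspection described above, as an added toy simulation (not code from the thesis or from DiDDeM): a bounded FIFO queue tail-drops packets when full, the stateful step groups the dropped packets by destination, and destinations shared by two or more dropped packets are handed to a constructed stateless SYN signature. The queue sizes, addresses, flag strings and the signature itself are assumptions.

```python
from collections import Counter, deque
from typing import NamedTuple

class Packet(NamedTuple):
    tick: int       # arrival time slot
    src: str
    dst: str
    flags: str      # TCP flags, e.g. "S" = bare SYN, "PA" = PSH+ACK data segment
    attack: bool    # ground truth, used only to score the result

def fifo_queue_drops(packets, capacity, drain_per_tick):
    """Simulate a bounded FIFO queue that forwards `drain_per_tick` packets per
    tick. Returns the packets that would be tail-dropped because the queue was
    full: these are the ones the IDS inspects instead of discarding silently."""
    queue, dropped = deque(), []
    for tick in range(max(p.tick for p in packets) + 1):
        for _ in range(min(drain_per_tick, len(queue))):
            queue.popleft()
        for p in (p for p in packets if p.tick == tick):
            (dropped if len(queue) >= capacity else queue).append(p)
    return dropped

def stateful_select(dropped):
    """Stateful step: destinations shared by two or more dropped packets,
    i.e. a possible large flow in one direction."""
    return {dst for dst, n in Counter(p.dst for p in dropped).items() if n >= 2}

def stateless_syn_signature(p):
    """Stateless signature (constructed): a SYN with no ACK, as in a SYN flood."""
    return "S" in p.flags and "A" not in p.flags

def run(packets, capacity=8, drain_per_tick=4):
    dropped = fifo_queue_drops(packets, capacity, drain_per_tick)
    hot = stateful_select(dropped)
    inspected = [p for p in dropped if p.dst in hot]
    detected = [p for p in inspected if stateless_syn_signature(p)]
    return {"total": len(packets), "dropped": len(dropped),
            "inspected": len(inspected), "detected": len(detected),
            "true_positives": sum(p.attack for p in detected)}

# Constructed sample: two attackers send 4 SYNs per tick to "victim" for 3 ticks,
# while legitimate hosts send one data segment per tick to distinct hosts and one
# to "victim". Drops only begin once the queue has filled, so only a fraction of
# all traffic is ever inspected; legitimate drops to "victim" are inspected but
# not matched by the SYN signature.
SAMPLE = (
    [Packet(t, "10.0.0.1", "victim", "S", True) for t in range(3) for _ in range(4)]
    + [Packet(t, "10.0.0.2", "victim", "S", True) for t in range(3) for _ in range(4)]
    + [Packet(t, "10.0.1.5", f"host{t}", "PA", False) for t in range(3)]
    + [Packet(t, "10.0.1.6", "victim", "PA", False) for t in range(3)]
)

if __name__ == "__main__":
    print(run(SAMPLE))  # {'total': 30, 'dropped': 14, 'inspected': 11, 'detected': 8, 'true_positives': 8}
```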

    According to [21], the example is tested on two systems to calculate the impact of this algorithm on the router. The methodology used is to compute the impact of the simulation on the processor using the FIFO algorithm (figure). This program measures the load imposed by applications on the processor in the UNIX/Linux operating system.

    ⁷ Drop-tail and RED are the most commonly used algorithms for controlling traffic, that is, the most commonly used congestion control algorithms.

    To draw a conclusion against current network standards, the memory and processor usage were tested against the Drop-tail and RED algorithms. This comparison allows us to see the impact on processor and memory efficiency of implementing the FIFO algorithm.


    [Table 1 layout recovered from the extracted text: columns for the P II 400 MHz 128Mb RAM machine (Memory usage, Processor load) and the AMD 2 GHz 256 Mb RAM machine (Memory usage, Processor load); the cell values were not preserved.]

    Table 1 Shows impact on memory and processor of FIFO versus RED and Drop Tail algorithms.

    As demonstrated by table 1, the simulated routing algorithm affected the memory usage of both computers. The Drop-tail routing algorithm required the least memory, while FIFO and RED used the same amount of memory space. In terms of processor load, however, the FIFO algorithm was more efficient than both other algorithms. One key measure of the FIFO algorithm is its performance within the network environment. To measure the performance of the FIFO-based system in the network, it is compared to the routing algorithms above [21].

    However, to test the impact of FIFO on the queue and the network, the number of datagrams and packets passed from an algorithm-enabled device within the attack domain to a second device is measured. This impact is illustrated in the following figure, showing the Drop-tail and FIFO algorithms used by DiDDeM.


    [1] Richard P. Lippmann, David J. Fried, Isaac Graf, Joshua W. Haines, Kristopher R. Kendall, David McClung, Dan Weber, Seth E. Webster, Dan Wyschogrod, Robert K. Cunningham, and Marc A. Zissman, Evaluating Intrusion Detection Systems: The 1998 DARPA Off-line Intrusion Detection Evaluation, MIT Lincoln Laboratory.

    [2] Rebecca Bace, Peter Mell, Intrusion Detection Systems, NIST Special Publication on Intrusion Detection Systems.

    [3] John McHugh, Alan Christie, and Julia Allen, Defending Yourself: The Role of Intrusion Detection Systems, IEEE Software, September/October 2000.

    [4] RealSecure 2.5 User Manual, Chapter 6, Internet Security Systems, Atlanta, GA.

    [5] Richard A. Kemmerer and Giovanni Vigna, Intrusion Detection: A Brief History and Overview, Reliable Software Group, 2002.

    [6] Pfleeger, C. F., & Pfleeger, S. L. (2003). Security in Computing (3rd ed.). Upper Saddle River, NJ: Pearson Education.

    [7] Moses Garuba, Chunmei Liu, and Duane Fraites, Intrusion Techniques: Comparative Study of Network Intrusion Detection Systems, Fifth International Conference on Information Technology: New Generations, IEEE, 2008.

    [8] Rafeeq Ur Rehman, Intrusion Detection Systems with Snort: Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACID, Prentice Hall, 2003.

    [9] Liberios Vokorokos, Alzbeta Kleinova, Ondrej Latka, Network Security on the Intrusion Detection System Level, IEEE, 2006.

    [10] K. Ilgun, R. A. Kemmerer, and P. A. Porras, "State Transition Analysis: A Rule-Based Intrusion Detection System," IEEE Trans. Software Eng., vol. 21, no. 3, Mar. 1995, pp. 181-199.

    [11] Christopher Kruegel, Fredrik Valeur, Giovanni Vigna, Intrusion Detection and Correlation: Challenges and Solutions, Advances in Information Security series, XIV, 122 p., 16 illus., Hardcover, ISBN: 978-0-387-23398-7, 2005.

    [12] Earl Carter, Cisco Secure Intrusion Detection System, Cisco Press, 2001.

    [13] M. Roesch, "SNORT - Lightweight Intrusion Detection for Networks", Proceedings of LISA '99: 13th System Administration Conference, Seattle, Washington, November 1999.

    [14] Earl Carter, Cisco Secure Intrusion Detection System, Cisco Press.

    [15] Mastering in Computer Network Security.

    [16] Jelena Mirkovic, Sven Dietrich, David Dittrich, Peter Reiher, Internet Denial of Service: Attack and Defense Mechanisms.

    [17] Inferring Internet Denial-of-Service Activity, ACM Journal Name, Vol. V, No. N, Month 20YY, Pages 1.

    [18] John Haggerty, Qi Shi, Madjid Merabti, Beyond the Perimeter: The Need for Early Detection of Denial of Service Attacks.

    [19] John Haggerty, Qi Shi, and Madjid Merabti, Early Detection and Prevention of Denial-of-Service Attacks: A Novel Mechanism With Propagated Traced-Back Attack Blocking, IEEE.

    [20] J. Haggerty, T. Berry, Q. Shi and M. Merabti, DiDDeM: A System for Early Detection of TCP SYN Flood Attacks.

    [21] statistical signature for J. Haggerty, T. Berry, Q. Shi and M. Merabti

    [22] Moore, D., Voelker, G. M., & Savage, S., "Inferring Internet Denial-of-Service Activity," Proceedings of the 10th USENIX Security Symposium, Washington, DC, 2001.

    [23] Mankins, D., Krishnan, R., Boyd, C., Zao, J., Frentz, M., "Mitigating Distributed Denial of Service with Dynamic Resource Pricing," Proceedings of the Annual Computer Security Applications Conference (ACSAC) 2001, New Orleans, Louisiana, USA, 2001.

    [24] Meadows, C., "A cost-based framework for analysis of denial of service in networks," Journal of Computer Security, 9, pp. 143-164, 2001.

    [25] Ioannidis, J., Bellovin, S. M., "Implementing Pushback: Router-based Defense Against DDoS Attacks," Proceedings of the Network and Distributed Systems Security Symposium, San Diego, CA, USA, 2002.

    [26] J. Mirkovic, D-WARD: Source-End Defense Against Distributed Denial-of-Service Attacks, PhD thesis, University of California Los Angeles, August 2003.

    [27] O'Brien, "NetBouncer: A Practical Client-Legitimacy-Based DDoS Defense via Ingress Filtering."

    [28] J. Mirkovic, G. Prier, and P. Reiher, "Attacking DDoS at the Source," Proceedings of the 10th International Conference on Network Protocols (ICNP 2002), November 2002, pp. 312-322.

    [29] Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection.

    Nor Badrul Anuar, Hasimi Sallehudin, Abdullah Gani, Omar Zakari.

    [31] Kendall, K., A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems, S.M. Thesis, MIT Department of Electrical Engineering and Computer Science, 1999.

    [32] Wenke Lee, Sal Stolfo and Kui Mok, A Data Mining Framework for Building Intrusion Detection Models, Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, 1999.

    [33] Darrell M. Kienzle, Matthew C. Elder, "Recent worms: a survey and trends," Proceedings of the 2003 ACM Workshop on Rapid Malcode (WORM'2003), pp. 1-10, October.

    [34] Nicholas Weaver, Vern Paxson, Stuart Staniford, Robert Cunningham, "A taxonomy of computer worms," Proceedings of the 2003 ACM Workshop on Rapid Malcode (WORM'2003), pp. 11-18, October 2003.

    [35] D. Moore, C. Shannon, and J. Brown, "Code-Red: a case study on the spread and victims of an Internet worm," Proceedings of the Internet Measurement Workshop 2002, Marseille, France, November 2002.

    [36] Jia Ni, Chuang Lin, Zhen Chen and Peter Ungsunan, A Fast Multi-pattern Matching Algorithm for Deep Packet Inspection on a Network Processor.

    [37] V. Paxson, "Bro: A System for Detecting Network Intruders in Real-Time," Computer Networks, 31(23-24), pp. 2435-2463, 14 Dec. 1999. Also see

    [38] Rafeeq Ur Rehman, Intrusion Detection Systems with Snort: Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACID.

    [39] Alok Tongaonkar, Sreenaath Vasudevan, and R. Sekar, Fast Packet Classification for Snort by Native Compilation of Rules, 22nd Large Installation System Administration Conference (LISA '08).

    [40] Marc Norton, Dan Roelker.

    [41] Ian Sommerville, Software Engineering.

    [43] Jack Koziol, Intrusion Detection with Snort.

    [45] Jay Beale, Andrew R. Baker, Joel Esler, Toby Kohlenberg, Stephen Northcutt, Snort IDS and IPS Toolkit.

    [47] Ye Wang, A Correlation Approach for Network Intrusion Detection System.

    [48] Pusparaj Mohapatra, Intrusion Detection Techniques.

    [49] Floyd, S., Jacobson, V., "Random Early Detection Gateways for Congestion Avoidance," IEEE/ACM Transactions on Networking, 3(4), pp. 365-386, 1993.

    [50] Pan, R., Prabhakar, B., Psounis, K., "CHOKe: A Stateless Active Queue Management Scheme for Approximating Fair Bandwidth Allocation," Proceedings of IEEE INFOCOM, Tel Aviv, Israel, 2000.

    [51] RFC 4987, TCP SYN Flooding Attacks and Common Mitigations.

    [52] Alok Tongaonkar, Sreenaath Vasudevan, and R. Sekar, Fast Packet Classification for Snort by Native Compilation of Rules.

    [53] Richardson, T., "Cloud Nine blown away, blames hack attack," The Register, 30 September 2009, downloaded 2009.

    [54] Muftic, S., Patel, A., Sanders, P., Colon, R., Heijnsdijk, J. & Pulkkinen, U., Security Architecture in Open Distributed Systems, John Wiley & Sons, Bath, UK, 1993.

    [55] Dietrich, S., Long, N. & Dittrich, D., "Analyzing Distributed Denial of Service Tools: The Shaft Case," 14th Systems Administration Conference (LISA 2000), New Orleans, Louisiana, 2000.

    [56] Power, R., "2001 CSI/FBI Computer Crime and Security Survey," Computer Security Institute/Federal Bureau of Investigation Technical Report, vol. 7, no. 1, Spring 2001.

    [57] Rong-Tai Liu (National Tsing-Hua University), Nen-Fu Huang (BroadWeb Corporation), Chih-Hao Chen and Chia-Nan Kao (National Tsing-Hua University), A Fast String-Matching Algorithm for Network Processor-Based Intrusion Detection System.

    [58] Lambert Schaelicke, Thomas Slabach, Branden Moore and Curt Freeland, Characterizing the Performance of Network Intrusion Detection Sensors.

    [59] Sarang Dharmapurikar, John Lockwood, Fast and Scalable Pattern Matching for Content Filtering.

    [60] Jay Beale, Andrew R. Baker, Brian Caswell, Mike Poor, Snort 2.1 Intrusion Detection.

    [63] Aho, Alfred V.; Margaret J. Corasick (June 1975). "Efficient string matching: An aid to bibliographic search." Communications of the ACM 18 (6): 333-340.

    [64] Aun Haider, Harsha Sirisena, Krzysztof Pawlikowski and Michael J. Ferguson, Congestion Control Algorithms in High Speed Telecommunication Networks.

    [65] Douglas E. Comer, Internetworking with TCP/IP: Principles, Protocols and Architecture.

    [66] Naomi Nishimura, Pseudocode.

    [68] Security and Privacy in the Age of Ubiquitous Computing, IFIP International Federation for Information Processing.


    41 features of KDD Cup ‘99

    1 duration: continuous.

    2 protocol_type: symbolic.

    3 service: symbolic.

    4 flag: symbolic.

    5 src_bytes: continuous.

    6 dst_bytes: continuous.

    7 land: symbolic.

    8 wrong_fragment: continuous.

    9 urgent: continuous.

    10 hot: continuous.

    11 num_failed_logins: continuous.

    12 logged_in: symbolic.

    13 num_compromised: continuous.

    14 root_shell: continuous.

    15 su_attempted: continuous.

    16 num_root: continuous.

    17 num_file_creations: continuous.

    18 num_shells: continuous.

    19 num_access_files: continuous.

    20 num_outbound_cmds: continuous.

    21 is_host_login: symbolic.

    22 is_guest_login: symbolic.

    23 count: continuous.

    24 srv_count: continuous.

    25 serror_rate: continuous.

    26 srv_serror_rate: continuous.

    27 rerror_rate: continuous.

    28 srv_rerror_rate: continuous.

    29 same_srv_rate: continuous.

    30 diff_srv_rate: continuous.

    31 srv_diff_host_rate: continuous.

    32 dst_host_count: continuous.

    33 dst_host_srv_count: continuous.

    34 dst_host_same_srv_rate: continuous.

    35 dst_host_diff_srv_rate: continuous.

    36 dst_host_same_src_port_rate: continuous.

    37 dst_host_srv_diff_host_rate: continuous.

    38 dst_host_serror_rate: continuous.

    39 dst_host_srv_serror_rate: continuous.

    40 dst_host_rerror_rate: continuous.

    41 dst_host_srv_rerror_rate: