Implementing an efficient detection approach for Intrusion Detection Systems (IDS) is difficult, and many factors contribute to this challenge. One such challenge concerns establishing adequate boundaries and finding a proper data source. Typical IDS detection approaches deal with raw traffic, which must be studied in depth and thoroughly investigated in order to extract the required knowledge base. Another challenge involves implementing the binary decision, because there are no reasonable limits between normal and attack traffic patterns. In this paper, we introduce a novel idea capable of supporting the proper data source while avoiding the issues associated with the binary decision. This paper aims to introduce a detection approach for defining abnormality by using Fuzzy Rule Interpolation (FRI) with Simple Network Management Protocol (SNMP) Management Information Base (MIB) parameters. The strength of the proposed detection approach is based on adapting the SNMP-MIB parameters to the FRI. The proposed method eliminates the raw traffic processing component, which is time consuming and requires extensive computational resources. It also eliminates the need for a complete fuzzy rule based intrusion definition. The proposed approach was tested and evaluated using an open source SNMP-MIB dataset and obtained a 93% detection rate. Additionally, when compared to other literature in which the same test-bed environment was employed along with the same number of parameters, the proposed detection approach outperformed the support vector machine and the neural network. Therefore, combining the SNMP-MIB parameters with FRI based reasoning could be beneficial for detecting intrusions, even when the fuzzy rule based intrusion definition is incomplete (not fully defined).
Nowadays, computers and network resources face different types of attacks. Modern attacks are implemented ingeniously, i.e. intruders keep themselves up to date with recent detection mechanisms in order to avoid detection. One efficient solution is the IDS detection mechanism. The IDS is currently one of the primary components used for protecting computers and networks against attacks. However, implementing an efficient IDS detection mechanism is not a straightforward task. An IDS uses data sources to detect the different types of attacks. Therefore, the IDS detection mechanism requires a proper data source to be able to analyze the inbound and outbound traffic and use it to detect any abnormalities.
The typical IDS detection mechanism uses the raw network traffic as a data source to detect abnormalities within the network. Dealing with raw traffic requires in-depth analysis and review to extract the information relevant for attack detection [1]. The SNMP-MIB parameters can also offer the required information, while reducing the extensive processing time necessary for analyzing the raw traffic. The SNMP-MIB can be considered a rich data collection fetched from a series of devices, producing realistic information about the health of a network, which can also be beneficial for detecting attacks. Moreover, the binary decision related to the attack events poses another challenge for implementing an efficient IDS detection mechanism, because there is no clear decision line between normal and abnormal traffic patterns [2]. The fuzzy system provides an effective solution for dealing with the issues associated with establishing normal and abnormal decision boundaries. The fuzzy system has the ability to offer results in an explicit scheme and, consequently, to determine the level of the attack. Whereas a binary decision merely generates an alarm, the provided attack level can help the administrator better understand the current network security status. On the other hand, when applying classical fuzzy reasoning methods, i.e. Mamdani [3] and Takagi-Sugeno [4], the fuzzy rule base representing the attack level needs to be complete, so the rule base size grows exponentially with the number of observed network parameters. In the case of partially defined (incomplete) fuzzy rule bases, the classical fuzzy reasoning methods cannot offer the expected results for all possible network parameter observations [5], [6].
In application areas such as IDS, it is challenging to generate a complete fuzzy rule base capable of handling all possible expected observations. As a result, it is imperative to implement a fuzzy concept, especially for the IDS application area, that benefits from extending the binary decision to the continuous space and at the same time can efficiently handle the situation of an incompletely defined fuzzy rule base. Accordingly, this paper proposes a novel IDS concept which implements fuzzy rule interpolation as a detection mechanism based on the SNMP-MIB parameters. The strength of FRI methods comes from the combination of the fuzzy concept and interpolation techniques. The FRI methods offer the required conclusion (the approximated level of attack) even when the fuzzy rules describing the attack situations are not completely defined. Consequently, the fuzzy rule base construction can be dramatically simplified. The FRI based IDS methods can achieve a satisfactory detection rate even when using only a relatively small number of fuzzy rules. In this paper, we break down the implementation of the proposed FRI IDS detection approach into three main steps:
To identify how the SNMP-MIB parameters can be used as a useful data source for detecting abnormality.
To implement the proposed detection approach based on the strength of the fuzzy rule interpolation and the SNMP-MIB parameters.
To highlight and discuss the difference between the proposed detection approach and other approaches that detect intrusions based on SNMP-MIB parameters.
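The contrast between classical fuzzy reasoning over an incomplete rule base and FRI, as an added example that is not from the paper: it implements Koczy-Hirota (KH) linear interpolation on alpha-cuts for a crisp reading of a single SNMP-MIB parameter. The KH method, the ipInReceives-based variable, its normalisation and the two-rule base are assumptions chosen for illustration; the paper's own FRI method and MIB parameters are introduced in its later sections.

```python
# Added example (not the paper's code): Koczy-Hirota (KH) fuzzy rule
# interpolation over alpha-cuts for a crisp observation of one SNMP-MIB
# parameter; MIB variable, normalisation and rule base are constructed.
def alpha_cut(tri, a):
    # tri = (left foot, peak, right foot) on [0, 1]; returns [low, high] at level a
    left, peak, right = tri
    return left + a * (peak - left), right - a * (right - peak)

def membership(tri, x):
    left, peak, right = tri
    if x <= left or x >= right:
        return 0.0
    return (x - left) / (peak - left) if x <= peak else (right - x) / (right - peak)

# Sparse rule base: antecedent = ipInReceives rate relative to a learned baseline
# (0 = idle, 1 = saturated), consequent = attack level; the middle is undefined.
RULES = [
    ((0.00, 0.10, 0.25), (0.00, 0.05, 0.15)),  # IF rate is low  THEN level is none
    ((0.70, 0.85, 1.00), (0.80, 0.95, 1.00)),  # IF rate is high THEN level is severe
]

def mamdani_level(x, rules=RULES):
    """Classical inference (height defuzzification), or None when no rule fires."""
    fired = [(membership(ant, x), con[1]) for ant, con in rules]
    total = sum(w for w, _ in fired)
    return None if total == 0 else sum(w * p for w, p in fired) / total

def _interp(p1, d1, p2, d2):
    # KH inverse-distance weighting of one endpoint; zero distance = touching rule
    if d1 == 0: return p1
    if d2 == 0: return p2
    return (p1 / d1 + p2 / d2) / (1 / d1 + 1 / d2)

def kh_level(x, rules=RULES, levels=(0.0, 0.25, 0.5, 0.75, 1.0)):
    """Attack level: classical inference if a rule covers x, otherwise KH
    interpolation between the two flanking rules (no extrapolation)."""
    covered = mamdani_level(x, rules)
    if covered is not None:
        return covered
    below = [r for r in rules if r[0][2] <= x]
    above = [r for r in rules if r[0][0] >= x]
    if not below or not above:
        return None
    (a1, b1), (a2, b2) = max(below, key=lambda r: r[0][1]), min(above, key=lambda r: r[0][1])
    mids = []
    for a in levels:
        lo1, hi1 = alpha_cut(a1, a); lo2, hi2 = alpha_cut(a2, a)
        blo1, bhi1 = alpha_cut(b1, a); blo2, bhi2 = alpha_cut(b2, a)
        lo = _interp(blo1, x - lo1, blo2, lo2 - x)   # lower endpoint of B*
        hi = _interp(bhi1, x - hi1, bhi2, hi2 - x)   # upper endpoint of B*
        mids.append((lo + hi) / 2)  # KH may give lo > hi; the midpoint is unaffected
    return sum(mids) / len(mids)    # defuzzify as the mean of alpha-cut midpoints
```

For a reading of 0.5, which falls in the undefined gap, `mamdani_level` returns None while `kh_level` still yields an intermediate attack level of about 0.52.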
The rest of the paper is organized as follows: section (II) illustrates recent works related to the application of intrusion detection based on SNMP-MIB parameters. Section (III) investigates and analyzes the SNMP-MIB dataset, which is illustrated in detail. Then, section (IV) introduces fuzzy rule interpolation. Section (V) introduces the proposed detection approach in detail, followed by the simulation and results in section (VI). Lastly, section (VII) concludes the paper.
This section presents some relevant works related to the application of detection mechanisms for intrusion detection. It also provides a brief overview of the different methods and approaches that are used for intrusion detection using the SNMP-MIB parameters. Typically, SNMP is used to collect information from different data sources such as switches, routers, etc. This information is used to manage and troubleshoot different network devices. The typical IDS de