International Journal of Computer Application
Special Issue: Issue 5, Volume 2 (January 2015)
Available online on http://www.rspublication.com/ijca/ijca_index.htm
ISSN: 2250-1797

Intrusion Detection System by Layered Approach and Hidden Markov Model
Mr. Rahul Chinchore1, Prof. S. S. Sambare2
1 Second Year M.E. Computer (Computer Networks), GHRCEM, Wagholi, Pune, India.
2 Associate Professor, Department of Computer Engineering, PCCOE, Nigdi, Pune, India.

ABSTRACT
In today's world the real challenge is to detect malicious activities over the network. These
activities can be categorized into four types: Probe attacks, DoS (Denial of Service) attacks,
R2L (Remote to Local) attacks, and U2R (User to Root) attacks. The field of intrusion
detection has existed since 1980 and much research has been done in it since then, but the
most promising and effective method among them is the Layered Approach. Here, attacks are
categorized into four types, and each type is detected at a particular layer, where only the
features selected for that category of attack are checked. Instead of all 41 features, only a few
features are used to detect attacks at each layer, yet the attack detection result is not
compromised. Because not all 41 features are checked, the time required by this approach is
much lower, so our first goal, efficiency, is achieved. As there is no compromise in the result,
and the correct placement of a result in its category among the four is done using carefully
selected features for each category of attack, the chance of wrongly categorizing an attack is
very small, so we can say that the accuracy of the system is well maintained. The results of
the Layered Approach show that it maintains accuracy, efficiency and speed and gives very
good results in attack detection. A Hidden Markov Model (HMM) for intrusion detection is
also implemented; it gives almost the same results, but the time required by the Hidden
Markov Model is very high compared with the Layered Approach.
Key words: intrusion, intrusion detection, IDS, HMM, layered approach

Corresponding Author: Rahul M. Chinchore


CONFERENCE PAPER
National level conference on
"Advances in Networking, Embedded System and Telecommunication 2015(ANEC-2015)"
On 6-8 Jan 2015 organized by
" G.H.Raisoni College of Engg. & Management, Wagholi, Pune, Maharashtra, India."

INTRODUCTION
Based on the detection strategy, there are mainly two types of intrusion detection:
misuse-based detection and anomaly-based detection. Misuse-based detection is also called
knowledge-based detection. Knowledge-based detection is set up with a record that contains a
number of signatures of known attacks [1]. Intrusion detection is defined as identifying
unauthorized use, misuse, and abuse of computer systems by both inside and outside
intruders. There are many categories of network intrusions; examples include SMTP
(Sendmail) attacks, password guessing, IP spoofing, buffer overflow attacks, multi-scan
attacks, and denial of service (DoS) attacks such as ping-of-death and SYN flood. Intrusion
detection can broadly be divided into two categories: misuse detection and anomaly detection
[2]. Misuse detection is based on knowledge of system vulnerabilities and known attack
patterns, while anomaly detection assumes that an intrusion will always show some deviation
from normal patterns. Many AI techniques have been applied to both misuse detection and
anomaly detection. Pattern matching systems such as rule-based expert systems, state
transition analysis, and genetic algorithms are direct and efficient ways to implement misuse
detection. On the other hand, inductive sequential patterns, artificial neural networks,
statistical analysis and data mining methods have been used in anomaly detection. With the
spread of the Internet and local networks, intrusion events against computer systems are
growing, and intrusion detection systems are becoming increasingly important in maintaining
proper network security. Most intrusion detection systems are software [4]. People use this
software to monitor the events occurring in a computer system or network, analyze the system
events, detect suspected intrusions, and then raise an alarm. In this paper, we first discuss the
related work done to date by researchers in the field of intrusion detection. We then describe
the layers used for intrusion detection and how the Layered Approach works, since it is
specifically used to improve speed, accuracy and efficiency. We also explain the Hidden
Markov Model, which is used to obtain good intrusion detection results. Finally, we discuss
the architecture actually implemented for intrusion detection, and present the results as a
graph and a comparison.
RELATED WORK AND APPROACHES
Research on intrusion detection and network security has been going on since the late 1980s.
To date, a number of techniques, methods and frameworks have been proposed and many
IDSs have been built to detect intrusions. A variety of techniques, such as surveillance and
monitoring systems, association rules, clustering, naive Bayes classifiers, decision trees,
support vector machines, artificial neural networks, and many others, have been used to
identify intrusions. In this section we briefly examine these techniques and frameworks.
A new architecture was proposed for a distributed intrusion detection system based on
multiple independent entities working collectively [3]. Data clustering methods such as
k-means and fuzzy c-means have also been useful in intrusion detection [10]. One of the main
drawbacks of clustering is that it depends on calculating a numeric distance between the
observations, so the observations must be numeric. Observations with symbolic features
cannot simply be used in clustering, which results in inaccuracy. In addition, clustering
methods consider the features independently and are unable to capture the relationship
between the different features of a particular record, which further degrades attack detection
accuracy [24]. Intrusion detection can also be done with naive Bayes classifiers [11].
However, they make a strict independence assumption between the features in an observation,
resulting in lower attack detection accuracy when the features are correlated, which
is frequently the case for intrusion detection. Bayesian networks can also be used for intrusion
detection, for example to identify abnormal traces of system calls in privileged processes [5].
Decision trees are also used for intrusion detection [8]. A decision tree picks the best feature
for every decision node while the tree is being built, based on specific well-defined criteria;
one such measure is the information gain ratio, which is used in C4.5. Decision trees
commonly have a very high speed of operation and high attack detection accuracy.
An HMM training method can decrease the training time by about 60% compared with the
usual batch training. It has also been shown experimentally that the HMM-based detection
model is able to detect all denial-of-service attacks embedded in the testing traces [14]. HMM
is specifically designed for anomaly-based IDS [18]. It can be used to process sequences of
system calls in order to distinguish normal traces of system calls from abnormal ones [14]. A
hidden Markov model (HMM) strategy is used for intrusion detection with a multivariate
Gaussian model for interpretation, which is then used to forecast an attack that exists in the
form of a hidden state [16]. A Distributed Intrusion Prevention System (DIPS) consists of
numerous IPSs in a large network, all of which interact with each other or with a central
server, which facilitates superior network monitoring. A Hidden Markov Model is proposed
for sensing intrusions in a distributed network environment and for making a one-step-ahead
prediction against possible serious intrusions. DIPSs are used on the basis of the predicted
risk level and threat assessment of the protected asset [16], [17].
INTRUSION DETECTION USING LAYERED APPROACH
Fig. 1 shows a simple representation of our Layer-based Intrusion Detection System (LIDS)
framework. The layers act as filters that block any abnormal connection, eliminating the need
for further processing at succeeding layers and enabling a speedy response to intrusion [20].
The outcome of such a sequence of layers is that abnormal transactions are recognized and
blocked as soon as they are detected.
Fig 1: Representation of Layered Approach (figure: the connection summary enters the initial
layer, where attribute selection is applied and the connection is judged Normal or not; Yes
passes it on to the next layer, which again applies attribute selection, and No blocks it)


In our layered framework, we use a number of separately trained and sequentially arranged
subsystems in order to decrease the number of false alarms and increase the attack detection
coverage [20].
The layered framework has the following advantages:
1) The framework is customizable, and domain-specific knowledge can easily be incorporated
to build individual layers, which helps to improve accuracy.
2) The individual intrusion detection subsystems are lightweight and can be trained separately.
3) Different anomaly and hybrid intrusion detectors can be incorporated in our framework.
We discussed two main requirements for an intrusion detection system: accuracy of detection
and efficiency in operation. Given the data, we first select four layers matching the four
attack groups (Probe, DoS, R2L, and U2R) and carry out feature selection for every layer [21].
Feature selection uses domain knowledge together with the practical importance and the
practicability of each feature before selecting it for a particular layer. Thus, among the total of
41 features, we have selected only 5 features for the Probe layer, 9 for the DoS layer, 14 for the
R2L layer, and 8 for the U2R layer. As every layer is independent of all other layers, the
attribute sets of the layers are not disjoint [25]. The distinction is that we apply only the
chosen features in every layer rather than using all 41 features.
The Layered Approach consists of the following four layers:
A. Probe layer:
Probe attacks are meant to acquire information about the target network from a source
external to the network. Hence, fundamental connection-level features such as the duration of
the connection and source bytes are significant, while features like the number of file
creations and the number of files accessed do not provide information for detecting probe
attacks.
B. DoS layer:
In the DoS layer, traffic features such as the percentage of connections having the same
destination host and the same service, and packet-level features such as the source bytes and
the percentage of packets with errors, are important. To identify DoS attacks it may not be
essential to know whether a user is logged in or not.
C. R2L layer:
R2L attacks are very difficult to detect as they involve both network-level and host-level
features. So, from the 41 features, we have selected both network-level features (duration of
connection and service requested) and host-level features (such as the number of failed login
attempts) for detecting R2L attacks.
D. U2R layer (User to Root attacks):
U2R attacks involve semantic information that is extremely difficult to capture at an early
stage. These attacks are usually content based and target an application. Hence, for U2R
attacks we have chosen features such as the number of file creations and the number of shell
prompts invoked, while ignoring features such as protocol and source bytes [24].
Algorithm for IDS using Layered Approach
Training
Step 1: Choose the number of layers, n, for the entire system.
Step 2: Separately carry out feature selection for every layer.
Step 3: Train a model for each layer, one by one, with the features selected in Step 2.
Step 4: Connect the trained models in sequence so that only the connections labeled as
normal are passed to the next layer.
Testing
Step 5: For each (next) test instance, perform Steps 6 through 9.
Step 6: Test the instance and mark it either as attack or as normal.
Step 7: If the instance is marked as attack, block it and record it as an attack of the category
represented by the layer in which it was detected, then go to Step 5. Else pass the instance to
the next layer.
Step 8: If the present layer is not the last layer in the system, test the instance and go to Step 7.
Else go to Step 9.
Step 9: Test the instance and tag it either as normal or as an attack. If the instance is marked as
an attack, block it and categorize it as an attack of the category corresponding to the layer name.
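The training and testing steps above, written out as a runnable chain. This is an added example and not the paper's own implementation: the feature names are assumptions that mirror the KDD-style attributes discussed in the layer descriptions (duration, source bytes, same-service rate, error rate, failed logins, file creations, shell prompts), every record is constructed by hand rather than taken from the KDD dataset, and each layer's model is a deliberately simple range envelope learned from normal training records, standing in for the trained classifier the paper's layers would hold. It also computes the per-category and overall detection rate the way the Results section defines it, and the last two test records show what a practitioner should expect from a fixed layer order: an attack that breaks an earlier layer's envelope is stopped there under that layer's name, and a benign outlier raises a false alarm.

```python
"""Layered intrusion detection following the algorithm above (Steps 1-9): one
lightweight detector per attack category, each trained on its own feature subset
and chained so that only connections judged normal reach the next layer, with
detection rates computed the way Table 1 defines them.  Added illustration, not
the paper's code: the feature names are assumptions mirroring the KDD-style
attributes the paper discusses, and every record is constructed by hand."""
from collections import Counter
from dataclasses import dataclass, field

# Steps 1-2: the layers in the paper's order and the features each one inspects
# (assumption: a small stand-in for the paper's 5/9/14/8 selected features).
LAYER_FEATURES = {
    "Probe": ["duration", "src_bytes", "same_srv_rate"],
    "DoS":   ["src_bytes", "same_srv_rate", "error_rate"],
    "R2L":   ["duration", "num_failed_logins"],
    "U2R":   ["num_file_creations", "num_shells"],
}

@dataclass
class Layer:
    """One detector.  Its model is deliberately simple: the range each selected
    feature takes on normal training records.  The paper's layers hold a trained
    classifier instead; only fit() and is_attack() would differ."""
    name: str
    features: list
    bounds: dict = field(default_factory=dict)

    def fit(self, normal_records):
        # Step 3: train on this layer's selected features only.
        for f in self.features:
            values = [r[f] for r in normal_records]
            self.bounds[f] = (min(values), max(values))

    def is_attack(self, record):
        # A value outside the range seen on normal traffic is flagged.
        return any(not lo <= record[f] <= hi for f, (lo, hi) in self.bounds.items())

class LayeredIDS:
    def __init__(self, layer_features):
        # Step 4: the trained models are chained in this order.
        self.layers = [Layer(name, feats) for name, feats in layer_features.items()]

    def fit(self, training):
        normal = [record for record, label in training if label == "normal"]
        for layer in self.layers:
            layer.fit(normal)
        return self

    def classify(self, record):
        # Steps 5-9: the first layer that flags the record blocks it and names the
        # attack category; a record that passes every layer is normal.
        for layer in self.layers:
            if layer.is_attack(record):
                return layer.name
        return "normal"

def detection_rates(ids, labelled):
    """Per-category and overall detection rate, in percent: correctly classified
    instances (Table 1's output count) over instances (its input count)."""
    totals, correct = Counter(), Counter()
    for record, label in labelled:
        totals[label] += 1
        correct[label] += ids.classify(record) == label
    rates = {c: round(100.0 * correct[c] / totals[c], 2) for c in totals}
    rates["overall"] = round(100.0 * sum(correct.values()) / sum(totals.values()), 2)
    return rates

def rec(duration=0, src_bytes=200, same_srv_rate=1.0, error_rate=0.0,
        num_failed_logins=0, num_file_creations=0, num_shells=0):
    """A constructed connection record; the defaults describe benign traffic."""
    return {"duration": duration, "src_bytes": src_bytes, "same_srv_rate": same_srv_rate,
            "error_rate": error_rate, "num_failed_logins": num_failed_logins,
            "num_file_creations": num_file_creations, "num_shells": num_shells}

# Constructed training set (this model only needs the normal records).
TRAINING = [(rec(duration=0, src_bytes=0, same_srv_rate=0.8), "normal"),
            (rec(duration=60, src_bytes=5000, error_rate=0.1), "normal"),
            (rec(duration=5, src_bytes=300, same_srv_rate=0.9, error_rate=0.05), "normal")]

# Constructed test set with true categories; the last two show the failure modes
# of a fixed layer order (an attack caught, and mislabelled, by an earlier layer)
# and of the envelope model (a benign outlier raising a false alarm).
TEST = [(rec(duration=2, src_bytes=400), "normal"),
        (rec(same_srv_rate=0.05), "Probe"),                            # scan across services
        (rec(src_bytes=0, error_rate=1.0), "DoS"),                     # flood: all errors
        (rec(duration=30, src_bytes=500, num_failed_logins=5), "R2L"), # password guessing
        (rec(num_file_creations=3, num_shells=2), "U2R"),              # shell on the host
        (rec(same_srv_rate=0.1, error_rate=1.0), "DoS"),               # stopped as "Probe"
        (rec(duration=120), "normal")]                                 # long benign session

def run_demo():
    """Train the chain on TRAINING and evaluate it on TEST; returns (ids, rates)."""
    ids = LayeredIDS(LAYER_FEATURES).fit(TRAINING)
    return ids, detection_rates(ids, TEST)
```

Calling `run_demo()` returns the fitted chain and a rates dictionary with one entry per category plus `overall`; inspecting `ids.layers[0].bounds` confirms that the Probe layer has only ever looked at its own three features. The DoS record with a low same-service rate is reported as Probe, and the long benign session is blocked at the Probe layer, which is why the per-category figures are lower than the per-layer envelope alone would suggest.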
HIDDEN MARKOV MODEL FOR INTRUSION DETECTION
The Hidden Markov Model has also proved to be a good means of modeling the normal
behavior of privileged processes for anomaly intrusion detection. A simple and efficient HMM
training scheme is proposed by combining multiple-observation training with incremental
HMM training. Our proposed scheme first divides the long observation sequence into several
subsets of sequences. Each subset of data is then used to infer one sub-model, and each
sub-model is incrementally combined into the final HMM. The experimental results show that
this HMM training scheme can decrease the training time by up to 60% compared with
conventional batch training [13].
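The HMM use described above, as an added example that is not the paper's or reference [13]'s code: a discrete HMM is trained with Baum-Welch on traces of a privileged process behaving normally, a trace is scored by its per-call log-likelihood under the model, and a trace scoring well below every normal training trace is flagged. `train_incremental()` follows the scheme the section describes (split the training traces into subsets, infer one sub-model per subset, combine them into the final model); combining by a weighted average of the sub-models' parameters is an assumption, since the section does not spell out that step. The system-call alphabet and all traces are constructed.

```python
"""HMM anomaly detection over system-call traces, in the spirit of the HMM section
above: train on traces of a process behaving normally, then flag a trace the model
finds improbable.  train_incremental() follows the described scheme: split the
training data into subsets, infer one sub-model per subset, combine them.  Added
illustration, not the paper's or [13]'s code; the syscall alphabet and traces are
constructed, and the weighted-average combination of sub-models is an assumption."""
import math

SYSCALLS = "open read write close execve setuid socket".split()

def enc(trace):
    return [SYSCALLS.index(name) for name in trace.split()]

def _normalize(row, eps):
    # Additive smoothing: a call never seen in training keeps a tiny non-zero
    # probability, so it lowers a trace's score instead of breaking the recursion.
    total = sum(row) + eps * len(row)
    return [(x + eps) / total for x in row]

class DiscreteHMM:
    def __init__(self, n_states, n_symbols):
        self.N, self.M = n_states, n_symbols
        self.pi = [1.0 / n_states] * n_states
        # Deterministic but non-uniform start so the states can specialise.
        self.A = [_normalize([float(i == j) for j in range(n_states)], 0.5) for i in range(n_states)]
        self.B = [_normalize([float(k % n_states == i) for k in range(n_symbols)], 0.5)
                  for i in range(n_states)]

    def _forward(self, seq):
        # Scaled forward pass: alpha[t] sums to 1, scales[t] = P(o_t | o_1..o_{t-1}).
        alpha, scales = [], []
        for t, o in enumerate(seq):
            prior = self.pi if t == 0 else [sum(alpha[-1][i] * self.A[i][j] for i in range(self.N))
                                            for j in range(self.N)]
            cur = [prior[j] * self.B[j][o] for j in range(self.N)]
            c = sum(cur)
            alpha.append([x / c for x in cur])
            scales.append(c)
        return alpha, scales

    def _backward(self, seq, scales):
        beta = [[1.0] * self.N for _ in seq]
        for t in range(len(seq) - 2, -1, -1):
            for i in range(self.N):
                beta[t][i] = sum(self.A[i][j] * self.B[j][seq[t + 1]] * beta[t + 1][j]
                                 for j in range(self.N)) / scales[t + 1]
        return beta

    def log_likelihood(self, seq):
        return sum(math.log(c) for c in self._forward(seq)[1])

    def fit(self, sequences, iters=25, eps=1e-3):
        # Baum-Welch over several observation sequences at once.
        for _ in range(iters):
            pi_acc = [0.0] * self.N
            a_acc = [[0.0] * self.N for _ in range(self.N)]
            b_acc = [[0.0] * self.M for _ in range(self.N)]
            for seq in sequences:
                alpha, scales = self._forward(seq)
                beta = self._backward(seq, scales)
                for t, o in enumerate(seq):
                    for i in range(self.N):
                        gamma = alpha[t][i] * beta[t][i]       # P(state i at t | seq)
                        b_acc[i][o] += gamma
                        if t == 0:
                            pi_acc[i] += gamma
                        if t + 1 < len(seq):                   # expected i -> j transitions
                            for j in range(self.N):
                                a_acc[i][j] += (alpha[t][i] * self.A[i][j] * self.B[j][seq[t + 1]]
                                                * beta[t + 1][j] / scales[t + 1])
            self.pi = _normalize(pi_acc, eps)
            self.A = [_normalize(r, eps) for r in a_acc]
            self.B = [_normalize(r, eps) for r in b_acc]
        return self

def merge_models(models, weights):
    """Combine sub-models by a weighted average of pi, A and B (assumption)."""
    w = [x / sum(weights) for x in weights]
    out = DiscreteHMM(models[0].N, models[0].M)
    out.pi = [sum(wi * m.pi[k] for wi, m in zip(w, models)) for k in range(out.N)]
    out.A = [[sum(wi * m.A[i][k] for wi, m in zip(w, models)) for k in range(out.N)] for i in range(out.N)]
    out.B = [[sum(wi * m.B[i][k] for wi, m in zip(w, models)) for k in range(out.M)] for i in range(out.N)]
    return out

def train_incremental(traces, n_subsets=2, n_states=3):
    chunks = [traces[k::n_subsets] for k in range(n_subsets)]
    subs = [DiscreteHMM(n_states, len(SYSCALLS)).fit(c) for c in chunks]
    return merge_models(subs, [sum(len(t) for t in c) for c in chunks])

def make_detector(model, normal_traces, margin=1.0):
    """Flag a trace whose per-call log-likelihood is `margin` below the worst normal trace."""
    score = lambda trace: model.log_likelihood(trace) / len(trace)
    threshold = min(score(t) for t in normal_traces) - margin
    return lambda trace: score(trace) < threshold

# Constructed traces: normal behaviour is open / read(s) / write / close cycles.
NORMAL_TRACES = [enc("open read read write close") * 3,
                 enc("open read read read write close") * 2,
                 enc("open read write close") * 3,
                 enc("open read read write close open read read read write close")]
HELD_OUT_NORMAL = enc("open read read read write close open read write close open read read write close")
ABNORMAL = enc("open read socket execve setuid write socket close execve setuid")

def run_demo():
    """{scheme: (held-out normal flagged?, abnormal flagged?)} for both training schemes."""
    models = {"batch": DiscreteHMM(3, len(SYSCALLS)).fit(NORMAL_TRACES),
              "incremental": train_incremental(NORMAL_TRACES)}
    return {name: tuple(map(make_detector(m, NORMAL_TRACES), (HELD_OUT_NORMAL, ABNORMAL)))
            for name, m in models.items()}
```

`run_demo()` trains both a batch model and the incremental (split, infer, combine) model on the same normal traces and reports, for each, whether the held-out normal trace and the abnormal trace are flagged. The smoothing in `_normalize` is what makes a never-seen call such as `execve` or `setuid` in a process that only ever opened, read, wrote and closed files drive the score down rather than produce a zero probability; the threshold is relative to the model's own training scores, so a merged model that is blurrier than the batch model still separates the two traces.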
EXPERIMENTS
We need a system that detects nearly all attacks, gives a very small number of false alarms,
copes with huge quantities of data, and is able to make real-time decisions. Our first goal is to
improve attack detection accuracy; the second goal is to improve the speed of operation of the
system. Hence, we have implemented the LIDS and pick a small set of features for every layer
instead of using all 41 features.
System Architecture of Layered Approach
Fig 2: The real time representation of Layered approach (figure: the connection summary
passes in turn through the Probe, DoS, R2L and U2R layers, each using its own attributes; a
connection judged Normal (Yes) goes on to the next layer, otherwise (No) it is Blocked)


Here we use a KDD file as the dataset. This dataset is first passed as input to the system; the
file is then processed further for labeling. After labeling, the file is given to the layered
approach, where the input count and output count are calculated for

each layer (DoS, R2L, U2R, Probe). The KDD file is also uploaded to the Weka tool, where it
is classified using the C4.5 and Naive Bayes algorithms.
The real-time representation of the Layered Approach is shown in Fig. 2. It shows the packets
being passed through each layer; each layer checks every packet on the basis of the features for
which it is trained and detects any kind of malicious activity, called an intrusion.
Finally, we compare all four methods, i.e. the Layered Approach, HMM, C4.5 and Naive
Bayes, in terms of their accuracy and speed.
Results for 4 Attack Categories using Layered Approach
The Layered Approach consists of four layers, Probe, DoS, R2L and U2R, which are also the
respective categories of attack. Using our system we obtained the results shown in Table 1.
Detection rate (%) = (Total number of correctly classified instances / Total number of instances) × 100
Table 1: Layered Approach Results for ID

Layer & Attack Type   Input Count   Output Count   Detection Rate (%)
Probe                 11026         10873          98.61
DoS                   8172          8044           98.43
R2L                   1028          322            31.32
U2R                   60            52             86.66
Overall Detection Rate: 95.09%

Comparison of Algorithms in Intrusion Detection

Table 2: Comparing four Algorithms

Algorithm          Detection Rate
Layered Approach   95.09%
Decision Tree      81.53%
Naive Bayes        65.10%
HMM                95.05%

Fig. 3: Graphical Comparison of Algorithms for ID (bar chart of the detection rates in Table 2;
x-axis Algorithms, y-axis Detection Rate from 0.00% to 100.00%)

The above table shows the results we obtained in our system for the four different algorithms.
The Decision Tree and Naive Bayes algorithms are called directly through the Weka tool.
From the above table and graph, we can say that the results of the Layered Approach are
better than those of all the other algorithms. HMM also gives good results, but the time
required by the HMM algorithm is high compared with all the others.
CONCLUSION
In this paper, we have categorized four types of attacks, which can be separately detected on
four different layers. The term intrusion detection was coined in 1980, and we have studied
the different techniques proposed, implemented and deployed by researchers from 1980 to
date. The recent approach that is good for increasing the speed and accuracy of intrusion
detection is the Layered Approach, because it gives us the opportunity to find intrusions on
different layers, which is useful in increasing the speed of the system. Along with that, the
HMM method is also implemented and compared with the Layered Approach; both methods
are used for anomaly-based intrusion detection. We have compared them with the Decision
Tree and Naive Bayes methods and find that the Layered Approach is better than these
approaches in terms of intrusion detection accuracy and speed.
REFERENCES
[1] J.P. Anderson, Computer Security Threat Monitoring and Surveillance,
http://csrc.nist.gov/publications/history/ande80.pdf, 1980.
[2] Mahamood Hossain, Data Mining Approaches for Intrusion Detection: Issues and Research
Directions, 2001.
[3] Jai Sundar Balsubramaniyam, Jose Omar Garsia, An Architecture for Intrusion Detection
using Autonomous Agents, 1998.
[4] L. Portnoy, E. Eskin, and S. Stolfo, Intrusion Detection with Unlabeled Data Using
Clustering, Proc. ACM Workshop Data Mining Applied to Security (DMSA), 2001.
[5] C. Warrender, S. Forrest, and B. Pearlmutter, Detecting Intrusions Using System Calls:
Alternative Data Models, Proc. IEEE Symp. Security and Privacy (SP 99), pp. 133-145,
1999.
[6] Sandeep Kumar, Classification and Detection of Computer Intrusions, Purdue University
thesis, 1995.
[7] Z. Zhang, J. Li, C.N. Manikopoulos, J. Jorgenson, and J. Ucles, HIDE: A Hierarchical
Network Intrusion Detection System Using Statistical Preprocessing and Neural Network
Classification, Proc. IEEE Workshop Information Assurance and Security (IAW 01), pp.
85-90, 2001.
[8] T. Abraham, IDDM: Intrusion Detection Using Data Mining Techniques,
http://www.dsto.defence./gov.au/publications/2345/DSTO-GD-0286.pdf, 2008.
[9] Y.-S. Wu, B. Foo, Y. Mei, and S. Bagchi, Collaborative Intrusion Detection System
(CIDS): A Framework for Accurate and Efficient IDS, Proc. 19th Ann. Computer Security
Applications Conf. (ACSAC 03), pp. 234-244, 2003.
[10] J.T. Yao, S.L. Zhao, and L.V. Saxton, A Study on Fuzzy Intrusion Detection, 2004.
[11] Nahla Ben Amor, Salem Benferhat, Zied Elouedi, Naive Bayes vs Decision Trees in
Intrusion Detection Systems, 2004.
[12] Karen Scarfone, Peter Mell, Guide to Intrusion Detection and Prevention Systems
(IDPS), NIST SP 800-94, 2007.
[13] X.D. Hoang and J. Hu, An Efficient Hidden Markov Model Training Scheme for
Anomaly Intrusion Detection of Server Applications Based on System Calls, IEEE, 2004.
[14] Veselina Jecheva, About Some Applications of Hidden Markov Model in Intrusion
Detection Systems, CompSysTech 06, 2006.
[15] Rahul Khanna, Huaping Liu, System Approach to Intrusion Detection Using Hidden
Markov Model, IWCMC 06.
[16] Kjetil Haslum, Ajith Abraham and Svein Knapskog, DIPS: A Framework for Distributed
Intrusion Prediction and Prevention Using Hidden Markov Models and Online Fuzzy Risk
Assessment, Third International Symposium on Information Assurance and Security, 2007.
[17] Davide Ariu, Giorgio Giacinto, and Roberto Perdisci, Sensing Attacks in Computer
Networks with Hidden Markov Models, 2007.
[18] Juan J. Flores, Anastacio Antolino, and Juan M. Garcia, Evolving Hidden Markov
Models for Network Anomaly Detection, 2009.
[19] J. Gómez, C. Gil, N. Padilla, R. Baños, and C. Jiménez, Design of a Snort-Based Hybrid
Intrusion Detection System, Springer-Verlag Berlin Heidelberg, 2009.
[20] Kapil Kumar Gupta, Baikunth Nath, Ramamohanarao Kotagiri, Layered Approach
Using Conditional Random Fields for Intrusion Detection, IEEE Transactions on Dependable
and Secure Computing, vol. 7, no. 1, January-March 2010.
[21] B. Bhanu Chander, K. Radhika, D. Jamuna, An Approach on Layered Framework for
Intrusion Detection System, Asian Journal of Computer Science and Information
Technology, 2012.
[22] Alireza Shameli Sendi, Michel Dagenais, Masoume Jabbarifar, Real Time Intrusion
Prediction Based on Optimized Alerts with Hidden Markov Model, Journal of Networks, vol.
7, no. 2, February 2012.
[23] K. Shweta, V. Gupta, A New Approach for Intrusion Detection and Prevention,
International Journal of Emerging Trends in Engg and Development, Issue 3, vol. 1, 2013.
[24] Mr. Rahul Chinchore, Prof. S. S. Sambare, A Survey of Techniques for Intrusion
Detection System, International Journal of Research in Computer and Communication
Technology, Vol 2, Issue 10, October 2013, ISSN (Online) 2278-5841.
[25] Mr. Rahul Chinchore, Prof. S. S. Sambare, Layered Approach and Hidden Markov
Model for Intrusion Detection, cPGCON, 2014.
