120 TEM Journal – Volume 3 / Number 2 / 2014. www.temjournal.com

System for Detection of Network Threats based on Classifiers

Bilgin Demir 1, Zoran Gacovski 1, Vladimir Pivovarov 1, Lidija Goracinova 1

1 FON University, Bul. Vojvodina, bb, Skopje, Macedonia

Abstract – In this paper we present a system that automatically detects and profiles threats on a real network. The realised Threat Detection System (TDS) is based on Snort software and allows security experts to evaluate the risk of a vulnerability and to retrieve the actual number of threats that are active in the network. Algorithms are presented to determine three properties for each threat: its skill, the intensity of its attacks, and whether the threat is a human or an autonomous computer program.

Keywords – Network vulnerabilities, Intrusion detection, Classification methods.

1. Introduction

Traditional Intrusion Detection Systems focus on detecting attack instances on a computer network. The work presented in this paper is different, since the attack instances are used to construct a profile of the actual attacker. An attacker is named a “threat”, and it can be a human or an autonomous computer program. The system is therefore named a Threat Detection System (TDS), and it will improve the security of a computer network [1].

Security is often defined as a combination of confidentiality, integrity, and availability of assets [2]. Security means that assets (for example, some piece of information) must be kept secret, that we must be able to keep the integrity of that piece of information, and that the asset should be available to legitimate users when they need it. In the new world based largely on the Internet, security is still important for the same reasons.

Figure 1. Definition of threat, exploit, attack, vulnerability and asset

When computer systems are connected to the Internet, the systems themselves and the information they contain are assets, and their security can be threatened by hackers, worms, viruses and botnets, which are named threats [2], [3], [7]. These threats, which can be individuals or computer programs, search for weaknesses (named vulnerabilities) of the computers and information (named assets), and try to exploit them using attacks, compromising the assets’ confidentiality, integrity, availability, or a combination of those [2], [12]. These terms are illustrated in Figure 1. A computer system is secure when threats cannot exploit the vulnerabilities of that system.

There are two approaches towards secure computer systems [2]. The first approach consists of removing the vulnerabilities of the system or adding defenses that make their exploitation harder. The time and skills required for a threat to compromise the system increase, and the threat will (hopefully) stop attacking voluntarily. It is impossible to locate and eliminate all vulnerabilities of a system; therefore, using only this first approach is not the best manner to secure the system [2]. The second approach consists of detecting threats while they are attacking the system and stopping them before they succeed in compromising it, for example by removing their access to the system and involving the police. A combination of these two approaches is best, since reacting to threats takes time, and that time can be obtained by eliminating the vulnerabilities [2].

2. Security threats for network environments

The security of a computer network is based on three components: confidentiality, integrity, and availability. These components apply to the assets (data or systems) within the network [12]. To protect these assets, there are two basic approaches that are commonly implemented [2].

The first approach to network security is analogous to building a large wall around a city; the bigger and higher the wall is, the harder it is for threats to get inside the city. It is universally accepted that there is no such thing as perfect security, which means that a threat with sufficient capabilities and resources is always able to climb over the wall.