IJRET: International Journal of Research in Engineering and Technology eISSN: 2319-1163 | pISSN: 2321-7308
Volume: 03 Issue: 11 | Nov-2014, Available @ http://www.ijret.org

A COMBINED APPROACH TO SEARCH FOR EVASION TECHNIQUES IN NETWORK INTRUSION DETECTION SYSTEM

Rutuja R. Patil 1, P. R. Devale 2
1 Research Scholar, Department of Information Technology, Bharati Vidyapeeth Deemed University College of Engineering, Pune, Maharashtra, India
2 Professor, Department of Information Technology, Bharati Vidyapeeth Deemed University, Pune, Maharashtra, India

Abstract
Signature-based Network Intrusion Detection Systems (NIDS) detect attacks by matching traffic against the signatures of known attacks. Their signature database must be updated quickly to protect the system from new attacks. Meanwhile the attacker looks for new evasion techniques that let an attack pass undetected. As new evasion techniques are developed, the NIDS produces less accurate results and may fail altogether. The key contribution of this paper is a network intrusion detection system built on the C4.5 algorithm, in which the AdaBoost algorithm classifies each packet as a normal packet or an attack packet and further classifies the type of attack. The Apriori algorithm is used to find evasions in real time and to generate rules for detecting intrusions. These rules are then supplied to the Snort intrusion detection system to detect the different attacks.

Keywords: NIDS, Evasion, Apriori Algorithm, Adaboost Algorithm, Snort

1. INTRODUCTION
Many established businesses maintain large volumes of important information and data. Security measures must protect this information from unauthorized access. An IDS plays the same role in the digital world that a burglar alarm plays in the physical world.
The conflict between attackers and IDS developers never ends: attackers keep finding new ways to gain access to the system, while developers keep finding new ways to keep them out. An intrusion is an attempt by an attacker to gain unauthorised access to a system with malicious intent. An Intrusion Detection System (IDS) is a network security component that monitors network traffic and system activity for signs of malicious activity. Intrusion Detection Systems are categorised in two ways: network-based (NIDS) and host-based (HIDS).

1.1 Network Based Intrusion Detection System
A Network Based IDS is so called because it monitors the packets travelling on the network. Its purpose is to determine whether an attacker is trying to gain access to the system, which it does by analysing the network traffic for malicious actions. These systems fall into two broad categories: (i) anomaly-based NIDS and (ii) signature-based NIDS. In this paper we focus on signature-based NIDS.

1.2 Signature Based Intrusion Detection System
The signatures of known attacks are stored in a database, and a signature-based IDS compares the packets on the network against these signatures. Much antivirus software detects malware in the same fashion. However, when a new threat is discovered, some time passes before a signature for it is available [2]. This gap drives attackers to find new evasions of the signatures these systems rely on. The intruder's overall aim is to carry out the attack in such a way that the Intrusion Detection System does not recognise it as an attack. A simplified explanation of evasion follows. Consider two strings, "malicious" and "anamalous", which represent known malicious code. When the IDS finds either string in a request, entry to the system is refused.
However, if "annamil" and "lousmousci" were sent as part of a request, the system would not recognise them as the malicious strings "malicious" and "anamalous": the two strings have been merged, rearranged and delivered in a new form. The IDS does not interfere, the request is allowed through, and the attacker gains access, provided the target still interprets the transformed request as the original malicious content. The NIDS therefore has to see the request the way the endpoint will, not only the way it appears on the wire. The effort of this project is to develop a framework that finds novel evasion techniques by analysing NIDS behaviour.

2. RELATED WORK
The methodology of network intrusion detection evasion is described in several papers. In [2] the authors introduce the concept of evasion and conclude that an evasion succeeds whenever the NIDS's implementation of a protocol differs from the endpoint's implementation.
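As an added illustration (not code from the paper), the following Python models the two points above: a naive signature matcher that inspects each TCP segment on its own misses a signature that is split across segments, while the same matcher run over a reassembled stream finds it. The signatures, the HTTP request and the segment boundaries are constructed for the example. The last part goes one step beyond the paper's string example to the overlap case described in [2]: when two segments carry different data for the same byte offsets, a NIDS that keeps the first copy and an endpoint that keeps the last copy reconstruct different streams, and the attacker hides the signature in the copy the NIDS discards. The "first"/"last" policies are a simplification of real TCP stack behaviour, which varies by operating system.

```python
"""Toy signature NIDS: per-packet matching vs. stream reassembly.

Everything here is constructed for illustration; no traffic was captured.
"""
from dataclasses import dataclass
from typing import Dict, List

# The two literal strings from the paper's example, as byte signatures.
SIGNATURES = [b"malicious", b"anamalous"]


@dataclass
class Segment:
    """One TCP segment: stream offset of its first byte plus payload."""
    seq: int
    payload: bytes


def match_per_packet(segments: List[Segment]) -> List[bytes]:
    """Naive NIDS: look for every signature inside each segment separately.

    A signature whose bytes are spread over two segments is never seen.
    """
    hits = set()
    for seg in segments:
        for sig in SIGNATURES:
            if sig in seg.payload:
                hits.add(sig)
    return sorted(hits)


def reassemble(segments: List[Segment], policy: str = "first") -> bytes:
    """Rebuild the byte stream the way an endpoint would.

    policy="first": keep the first copy of a byte that is sent twice.
    policy="last":  let a later retransmission overwrite earlier data.
    Segments are walked in arrival order, so overlaps resolve per policy.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    stream: Dict[int, int] = {}
    for seg in segments:
        for i, byte in enumerate(seg.payload):
            off = seg.seq + i
            if policy == "last" or off not in stream:
                stream[off] = byte
    if not stream:
        return b""
    # Holes are filled with NUL to keep offsets aligned; a real stack waits.
    return bytes(stream.get(off, 0) for off in range(max(stream) + 1))


def match_stream(segments: List[Segment], policy: str = "first") -> List[bytes]:
    """Stream-aware NIDS: reassemble first, then match on the whole stream."""
    data = reassemble(segments, policy)
    return sorted(sig for sig in SIGNATURES if sig in data)


def fragment(payload: bytes, cuts: List[int]) -> List[Segment]:
    """Split a payload at the given offsets into in-order segments."""
    bounds = [0] + sorted(cuts) + [len(payload)]
    return [Segment(bounds[i], payload[bounds[i]:bounds[i + 1]])
            for i in range(len(bounds) - 1)]


def demo() -> Dict[str, List[bytes]]:
    # Constructed request; "malicious" occupies offsets 19..27.
    request = b"GET /index.php?cmd=malicious HTTP/1.1\r\n"

    # Evasion 1: cut inside the signature ("...mali" | "cious HTTP...").
    split = fragment(request, [23])

    # Evasion 2 (insertion, as in [2]): send a decoy segment at offset 23
    # with junk where "cious" belongs, then retransmit the real bytes at the
    # same offset. Which copy survives depends on the reassembly policy.
    first, real = fragment(request, [23])
    decoy = Segment(23, b"xxxxx" + request[28:])
    overlap = [first, decoy, real]

    return {
        "per_packet_split": match_per_packet(split),      # []
        "stream_split": match_stream(split),               # [b"malicious"]
        "overlap_first_wins": match_stream(overlap, "first"),  # []
        "overlap_last_wins": match_stream(overlap, "last"),    # [b"malicious"]
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:20s} -> {hits}")
```

The first pair of results is the paper's point: the same bytes are an attack or not depending on whether the NIDS matches per packet or per stream. The second pair is the observation from [2]: a NIDS that reassembles with the "first" policy reports nothing, while an endpoint using the "last" policy executes the request containing "malicious". Snort addresses exactly this with its stream preprocessor, which reassembles and lets the reassembly policy be set per target host.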