International Journal of Scientific and Research Publications, Volume 2, Issue 7, July 2012, ISSN 2250-3153, www.ijsrp.org

Network Intrusion Detection and Prevention techniques for DoS attacks

Suchita Patil, Dr. B.B.Meshram
VJTI, Mumbai, India
Suchitapatil26@gmail.com

Abstract: The Intrusion Prevention System is an extension of the Intrusion Detection System. A Network Intrusion Detection and Prevention System works by analyzing the packets coming in and going out through the interface. The paper illustrates the idea of detecting DoS attacks. There are many methods available to detect and avoid DoS attacks. On a network, many types of DoS attack occur, and the service gets interrupted as a result. This paper mainly deals with DoS attacks.

Index Terms - IDS (Intrusion Detection System), IPS (Intrusion Prevention System), NIDS (Network Intrusion Detection System)

I. INTRODUCTION

An Intrusion Prevention System is an extension of an Intrusion Detection System, made by combining an Intrusion Detection System with a firewall. The majority of intrusion prevention systems utilize one of three detection methods: signature-based, statistical anomaly-based, and stateful protocol analysis. [3][8]

Signature-based Detection: This method of detection utilizes signatures, which are attack patterns that are preconfigured and predetermined. A signature-based intrusion prevention system monitors the network traffic for matches to these signatures. Once a match is found, the intrusion prevention system takes the appropriate action. Signatures can be exploit-based or vulnerability-based. Exploit-based signatures analyze patterns appearing in the exploits being protected against, while vulnerability-based signatures analyze vulnerabilities in a program, its execution, and the conditions needed to exploit said vulnerability.

Statistical Anomaly-based Detection: This method of detection baselines the performance of average network traffic conditions.
After a baseline is created, the system intermittently samples network traffic, using statistical analysis to compare the sample to the set baseline. If the activity is outside the baseline parameters, the intrusion prevention system takes the appropriate action.

Stateful Protocol Analysis Detection: This method identifies deviations of protocol states by comparing observed events with "predetermined profiles of generally accepted definitions of benign activity." [3]

Intrusion detection is a set of techniques and methods that are used to detect suspicious activity at both the network and host level. Intrusion detection systems fall into two basic categories: signature-based intrusion detection systems and anomaly detection systems. Intruders have signatures, like computer viruses, that can be detected using software. You try to find data packets that contain any known intrusion-related signatures or anomalies related to Internet protocols. Based upon a set of signatures and rules, the detection system is able to find and log suspicious activity and generate alerts. Anomaly-based intrusion detection usually depends on packet anomalies present in protocol header parts. In some cases these methods produce better results compared to signature-based IDS. Usually an intrusion detection system captures data from the network and applies its rules to that data or detects anomalies in it. Snort is primarily a rule-based IDS; however, input plug-ins are present to detect anomalies in protocol headers.

1.1 Network IDS or NIDS [3,4]

NIDS are intrusion detection systems that capture data packets traveling on the network media (cables, wireless) and match them to a database of signatures. Depending upon whether a packet is matched with an intruder signature, an alert is generated or the packet is logged to a file or database. One major use of Snort is as a NIDS.

1.2 Host IDS or HIDS [3,4]

Host-based intrusion detection systems or HIDS are installed as agents on a host.
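The two detection methods described in the Introduction, signature-based matching and statistical anomaly-based baselining, as an added worked example in Python. This is illustration code written for this page, not code from the paper or from Snort; the packets, rule ids, payload patterns, benign rate samples and the 3-sigma threshold are all constructed.

```python
"""Toy NIDS core: signature matching plus a statistical baseline detector.

Added example, not code from the paper or from Snort. Packets, signatures,
rates and thresholds below are all constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int
    payload: bytes


@dataclass
class Signature:
    sid: int              # constructed rule id, not a real Snort SID
    msg: str
    proto: str
    dport: Optional[int]  # None matches any destination port
    content: bytes        # byte pattern that must occur in the payload


# Constructed exploit-style signatures (patterns seen in known attack traffic).
SIGNATURES = [
    Signature(1000001, "Directory traversal in HTTP request", "tcp", 80, b"../.."),
    Signature(1000002, "Shell invocation in HTTP request", "tcp", 80, b"|/bin/sh"),
    Signature(1000003, "Oversized ICMP echo payload", "icmp", None, b"A" * 1000),
]


def match_signatures(pkt: Packet, sigs: List[Signature] = SIGNATURES) -> List[int]:
    """Signature-based detection: return the ids of every rule the packet matches.
    Protocol and port are checked first so the payload search only runs on
    traffic the rule actually applies to."""
    hits = []
    for s in sigs:
        if s.proto != pkt.proto:
            continue
        if s.dport is not None and s.dport != pkt.dport:
            continue
        if s.content in pkt.payload:
            hits.append(s.sid)
    return hits


class BaselineDetector:
    """Statistical anomaly-based detection.

    train() learns the mean and standard deviation of a benign traffic measure
    (here: packets per sampling interval).  Later samples are scored by how
    many standard deviations they sit from the mean; a sample beyond k sigma
    is reported as anomalous.  A flood shows up as a large positive score."""

    def __init__(self, k: float = 3.0):
        self.k = k
        self.mu: Optional[float] = None
        self.sigma: Optional[float] = None

    def train(self, rates: List[float]) -> None:
        self.mu = mean(rates)
        # Floor sigma so a perfectly flat baseline does not make any change "infinite".
        self.sigma = max(pstdev(rates), 1e-9)

    def score(self, rate: float) -> float:
        if self.mu is None or self.sigma is None:
            raise RuntimeError("detector must be trained first")
        return (rate - self.mu) / self.sigma

    def is_anomalous(self, rate: float) -> bool:
        return abs(self.score(rate)) > self.k


def demo() -> dict:
    """Run both detectors over constructed input and return their verdicts."""
    benign = Packet("10.0.0.5", "10.0.0.1", "tcp", 80, b"GET /index.html HTTP/1.1\r\n")
    traversal = Packet("10.0.0.9", "10.0.0.1", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n")
    det = BaselineDetector(k=3.0)
    det.train([100, 110, 95, 105, 90, 100, 105, 95, 100, 100])  # constructed benign rates
    return {
        "benign_hits": match_signatures(benign),
        "traversal_hits": match_signatures(traversal),
        "normal_interval": det.is_anomalous(104),
        "flood_interval": det.is_anomalous(5000),
    }


if __name__ == "__main__":
    print(demo())
```

The two classes mirror the division the paper makes: a signature hit is a deterministic match that can be acted on immediately, while the baseline detector only says that an interval is statistically unusual, so its threshold k has to be chosen against the false-alarm rate the operator is willing to accept.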
These intrusion detection systems can look into system and application log files to detect any intruder activity. Some of these systems are reactive, meaning that they inform you only when something has happened. Some HIDS are proactive; they can sniff the network traffic coming to the particular host on which the HIDS is installed and alert you in real time.

II. RELATED WORK

As mentioned in paper [1], efficient adaptive sequential and batch-sequential methods are proposed for the early detection of attacks that lead to changes in network traffic, such as denial-of-service attacks, worm-based attacks, port scanning, and man-in-the-middle attacks. These methods employ a statistical analysis of data from multiple layers of the network protocol to detect very subtle traffic changes. The algorithms are based on change-point detection theory and utilize a thresholding of test statistics to achieve a fixed rate of false alarms while allowing changes in the statistical models to be detected as soon as possible. Existing intrusion detection systems (IDSs) can be classified as either signature detection systems or anomaly detection systems (see, e.g., [14]). Signature detection systems detect
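The change-point idea summarized in the Related Work section, shown with an added Python example. It uses a standard one-sided CUSUM on standardized per-second packet counts; it is not the algorithm of paper [1], which this page does not reproduce, and the traffic series (64 seconds of steady traffic followed by a flood) is constructed. The threshold h is the knob that fixes the false-alarm rate against the detection delay.

```python
"""CUSUM change-point detector for a sudden shift in traffic rate.

Added example in the spirit of change-point detection; it is NOT the method
of paper [1], which this page does not reproduce.  The traffic series is
constructed: 64 one-second packet counts of normal traffic, then a flood.
"""
from statistics import mean, pstdev
from typing import List, Optional, Tuple

# Constructed per-second packet counts: steady ~100 pkt/s, then ~400 pkt/s from t=64.
NORMAL = [100, 104, 97, 101, 99, 103, 96, 100] * 8
FLOOD = [380, 410, 395, 420, 400, 415, 390, 405]
SERIES = NORMAL + FLOOD


def fit_baseline(samples: List[float]) -> Tuple[float, float]:
    """Mean and standard deviation of the pre-change (benign) traffic."""
    return mean(samples), max(pstdev(samples), 1e-9)


class Cusum:
    """One-sided CUSUM on standardized observations.

        s_n = max(0, s_{n-1} + (x_n - mu0) / sigma0 - k)

    An alarm is raised when s_n exceeds h.  k is the reference drift (about
    half the smallest standardized upward shift worth detecting) and h is the
    decision threshold: raising h lowers the false-alarm rate at the cost of a
    longer detection delay, which is the trade-off a change-point based IDS
    has to tune."""

    def __init__(self, mu0: float, sigma0: float, k: float = 0.5, h: float = 5.0):
        self.mu0, self.sigma0, self.k, self.h = mu0, sigma0, k, h
        self.s = 0.0

    def update(self, x: float) -> bool:
        z = (x - self.mu0) / self.sigma0
        self.s = max(0.0, self.s + z - self.k)
        return self.s > self.h


def first_alarm(series: List[float], train_len: int,
                k: float = 0.5, h: float = 5.0) -> Optional[int]:
    """Fit the baseline on the first train_len samples, then run CUSUM over the
    whole series (training part included, so spurious alarms there are visible).
    Returns the index of the first alarm, or None if h is never crossed."""
    mu0, sigma0 = fit_baseline(series[:train_len])
    det = Cusum(mu0, sigma0, k, h)
    for i, x in enumerate(series):
        if det.update(x):
            return i
    return None


def peak_statistic(series: List[float], train_len: int, k: float = 0.5) -> float:
    """Largest CUSUM value reached over the series.  Run on benign traffic this
    gives a floor for h: any h above the peak produces no false alarm on it."""
    mu0, sigma0 = fit_baseline(series[:train_len])
    det = Cusum(mu0, sigma0, k, h=float("inf"))
    peak = 0.0
    for x in series:
        det.update(x)
        peak = max(peak, det.s)
    return peak


if __name__ == "__main__":
    print("alarm at index", first_alarm(SERIES, train_len=len(NORMAL)))
    print("peak CUSUM on benign traffic", round(peak_statistic(NORMAL, len(NORMAL)), 2))
```

With h = 5 the statistic never leaves the benign range and the flood is flagged at its first sample (index 64); lowering h to 0.5 already raises a false alarm on the second benign sample, which is the trade-off between false-alarm rate and detection delay that the thresholding in [1] is meant to control.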