
Secure Anomaly Based Efficient Real Time Distributed Intrusion Detection System (Saber Dids).

Abstract: Intrusion detection is the problem of identifying unauthorized use, misuse and abuse of computer systems by insiders and external penetrators. New advances in the connectivity of computer systems provide greater access to the external world, making it easy for intruders to avoid detection. Intrusion Detection Systems (IDSs) are based on the belief that an intruder's behaviour will be noticeably different from that of a legitimate user (anomaly-based). A distributed IDS consists of multiple Intrusion Detection Systems (called agents) spread over a large network, all of which communicate with each other, or with a central server that provides advanced network monitoring, incident analysis and instant attack data. By having these co-operative agents spread over the network and interacting in a distributed fashion, incident analysts, network operations and security department personnel get a broader view of what is occurring on their network as a whole. Our system consists of two types of IDS agents: a Network agent and a Host agent. The Network agent is an anomaly-based agent that employs machine learning to learn from the network and recognise unusual behaviour of network metrics (e.g. size of packets, hop limit, type of packets). New types of attack are also detected with the help of an entropy calculation method using the parameters packet size, source and destination IP address and input traffic volume, which help differentiate between attack and normal packets. The Network agents also communicate with a server to fetch their training set periodically or whenever it is updated. The Host agent is also an intelligent agent. It looks for unusual behaviour on its own system, i.e. for events such as super user access, user permission violations, external USB access and iptables modifications. An alarm system also raises an alarm on illegal commands as well as external USB access.
The Host agents communicate with the network admin as well as a central incident server that stores each ticket (generated whenever unusual behaviour is encountered). A packet forwarding agent also forwards the unusable packets to a honeypot agent, which analyses those packets to gain information about them.


Patent Information

Filing Date: 17 May 2016
Publication Number: 28/2016
Publication Type: INA
Invention Field: COMPUTER SCIENCE
Grant Date: 2022-11-14

Applicants

1. SHARMILA KISHOR WAGH
F-602, TREEDOM PARK, KUSMADE COLONY, VISHRANT WADI, PUNE-411015, MAHARASHTRA, INDIA.
2. AKSHAY MANOJ
A-12/303, FLORIDA ESTATE, KESHAV NAGAR MUNDHAWA, PUNE 411036
3. BHUPENDRA SINGH
F-409, SHREE GANESH LAXMI VIHAR SATHEWADI, PUNE 411047
4. SHOUMIT KARMIK
F-13, FULORA SOCIETY, SOMWAR PETH PUNE 411011
5. RISHAB MISHRA
S.NO-56, MAMTA SOCIETY VADGAON SHERI, PUNE-411014
6. DR. SATISH R. KOLHE
DEPT. OF COMP. SCIENCE, NMU, JALGAON, MAHARASHTRA, INDIA
7. DR. KISHOR S. WAGH
F-602, TREEDOM PARK, KUSMADE COLONY, VISHRANT WADI, PUNE-411015, MAHARASHTRA, INDIA.

Inventors

1. SHARMILA KISHOR WAGH
F-602, TREEDOM PARK, KUSMADE COLONY, MASKE VASTI, VISHRANT WADI, PUNE-411015, MAHARASHTRA, INDIA.
2. AKSHAY MANOJ
A-12/303, FLORIDA ESTATE, KESHAV NAGAR MUNDHAWA, PUNE 411036
3. BHUPENDRA SINGH
F-409, SHREE GANESH LAXMI VIHAR SATHEWADI, PUNE 411047
4. SHOUMIT KARMIK
F-13, FULORA SOCIETY, SOMWAR PETH PUNE 411011
5. RISHAB MISHRA
S.NO-56, MAMTA SOCIETY VADGAON SHERI, PUNE-411014
6. DR. SATISH R. KOLHE
DEPT. OF COMP. SCIENCE, NMU, JALGAON, MAHARASHTRA, INDIA
7. DR. KISHOR S. WAGH
F-602, TREEDOM PARK, KUSMADE COLONY, VISHRANT WADI, PUNE-411015, MAHARASHTRA, INDIA.

Specification

Title of invention
Secure Anomaly Based Efficient Real time Distributed Intrusion Detection System (SABER-DIDS).
Field of invention and use of Invention
The present invention falls in the domain of computer networks and cyber security. More precisely it pertains to intrusion detection, detecting and analysing known and unknown security threats as well as breaches.
Prior art and problem to be solved
The year is 2016, and the way people communicate has changed dramatically. Today most people use the internet to communicate, to interact and to carry out online money transactions.
People are becoming dependent on the internet for their day-to-day work. The youth treat the virtual world as if it were their real world, which pushes internet usage to enormous levels. Since so many people are online, this also leads to unauthorized access or attempts at unauthorized activity on a system or information system infrastructure. But in this entire system, where does privacy lie? What about the security of people's data?
The increasing threat of intrusion attacks on servers and the Internet has created a strong need for a system through which Internet Service Providers can offer safer Internet access to their customers without any interruption to the operation of the network and the servers due to such attacks.
Intrusion detection can be classified into 2 techniques, namely:
(a) Host based (b) Network based
Host based protection helps the customer protect their system offline. It runs on the host system itself: it is installed on the host server to monitor the system and keep a record of unauthorized activities on that server. But it requires additional network packets, which makes it a little slower.
A network based detection system, on the other hand, runs on the network itself. It can be installed on a system on the Local Area Network or behind the firewall to monitor and analyse the traffic of the network. It requires that port spanning be enabled to ensure that the LAN traffic is scanned.
A normal Intrusion Detection System has many drawbacks. The attackers are smart and get smarter day by day; a simple Intrusion Detection System cannot keep up with them. Attackers usually find ways to circumvent the IDS present on machines. Even network level Intrusion Detection Systems can be fooled nowadays.

A system is needed which can actually evolve as the attackers do: an Intrusion Detection System that can learn from attackers and adapt its behaviour to their attempts.
The idea is to design an intrusion detection system which can dynamically detect and monitor attacks and can generate logs and alarms with a low false alarm rate. We use anomaly based detection, which leads us to run the intrusion detection system on real-time packet analysis, and the load is distributed over a network, which removes the bottleneck.
Object of invention
Primarily the object of the system is to detect various types of known as well as new malicious attacks.
A further object of the system is to monitor host based threats on each individual system in the network.
Statement of invention
We intend to implement a system that uses multiple IDS agents in a distributed fashion, where each agent utilizes a different methodology of detection and handles a different aspect of the system's behaviour.
We also intend to use different machine learning algorithms as well as entropy calculation as a basis for detecting attacks on the system, and to generate a real time graph of the entropy of the system.
Summary of the invention
One embodiment of the current invention provides a distributed system that uses various machine learning algorithms to monitor the behaviour of network traffic, identify attacks and finally optimize the result so that it is more accurate.
Another embodiment of the present invention provides a cluster of lightweight intrusion detection systems to identify a packet as an attack packet or a normal packet. This system is designed to minimize the time required to process the data.
A further embodiment of the current invention provides a machine learning ensemble algorithm that is used to make the machine learn to identify new attacks. By minimizing the delay we increase the chances of protecting the system in situations such as loss of critical data and unavailability.

Detailed description of the invention with reference to drawing/examples
• The input arrives as raw input; we have a training database, and the classification of the packet is done at the network level as shown in figure-1. At the host level the access permissions of data are monitored and all illegal operations are stored in logs.
• At the first level, when the packet enters, the decision tree algorithm classifies it as an attack or a normal packet. At the second level, if the packet is normal it is passed through the system. If the packet has been classified as an attack, it is handled by different routines according to the type of attack as shown in figure-2.
• A raw socket is used to capture the network packets within a time window. Then the entropy of the packets in the time window is calculated. After the entropy is calculated, the entropy analysis is returned and the sniffer passes the data to the distributer module as shown in figure-3.
There are three cases:
1. If both the decision tree and the entropy check classify a packet as an attack, then it is definitely a known attack.
2. If only the entropy check or only the decision tree classifies it as an attack, then it is a new attack.
3. If both the decision tree and the entropy check classify it as normal, then it is definitely a normal packet.

• The packet sniffer module and the entropy calculator work together to verify whether a packet is an attack packet or a normal one as shown in figure-4. First the sniffer captures the packet on the network and then parses it to gather information about its attributes. Then the entropy is calculated for a 1 second window. The entropy value is then checked, and its value decides whether it is an attack or a normal packet. If it is a previously seen denial of service attack, which the machine has already learnt, it can be detected directly; otherwise new rules are created.
• The size as well as the source and destination information for the window is received from the array, and e (packet size entropy) is calculated from the packet sizes. Next eSD, i.e. entropy based on source and destination IP addresses, is calculated. Then the attack condition is checked and the e and eSD values are sent to the plotter, which classifies whether it is an attack or not as shown in figure-5.
• The window of packets is passed to the distributed module. A scheduler spreads the data across the cluster along with the machine learning function to be performed by each node. After computation, the nodes return the values obtained by the machine learning
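The following Python is an added illustration, not code from the patent: it computes the three per-window values named above (e, eSD and traffic volume) over constructed sample windows and applies the three-case rule from the preceding list, combining the decision tree's verdict with the entropy check. The numeric thresholds, the sample windows and the name `tree_attack` (standing in for the decision tree's output) are assumptions made here.

```python
from collections import Counter
from math import log2

# Constructed sample windows (one 1-second capture each): (src_ip, dst_ip, size_bytes).
# NORMAL_WINDOW: 8 packets, 8 distinct sizes, 4 distinct src/dst pairs.
NORMAL_WINDOW = [
    ("10.0.0.2", "10.0.0.1", 60), ("10.0.0.2", "10.0.0.1", 120),
    ("10.0.0.3", "10.0.0.1", 300), ("10.0.0.3", "10.0.0.1", 520),
    ("10.0.0.4", "10.0.0.7", 800), ("10.0.0.4", "10.0.0.7", 1000),
    ("10.0.0.5", "10.0.0.1", 1200), ("10.0.0.5", "10.0.0.1", 1500),
]
# FLOOD_WINDOW: 60 identical packets from one source, the shape of a simple flood.
FLOOD_WINDOW = [("10.0.0.9", "10.0.0.1", 60)] * 60


def shannon_entropy(values):
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    counts = Counter(values)
    n = len(values)
    return -sum((c / n) * log2(c / n) for c in counts.values())


def window_features(packets):
    """The three values named in the specification for one time window:
    e (packet size entropy), eSD (src/dst pair entropy) and traffic volume."""
    e = shannon_entropy([size for _, _, size in packets])
    esd = shannon_entropy([(src, dst) for src, dst, _ in packets])
    volume = len(packets)  # packets per window
    return e, esd, volume


def entropy_flags_attack(e, esd, volume, e_min=1.0, esd_min=1.0, vol_max=50):
    """Entropy-side attack condition. The thresholds are assumptions for this
    example; the specification gives no numeric values. A window is flagged
    when the volume is high AND either distribution has collapsed."""
    return volume > vol_max and (e < e_min or esd < esd_min)


def combine(tree_attack, entropy_attack):
    """Three-case rule: both flag -> known attack, one flags -> new attack."""
    if tree_attack and entropy_attack:
        return "known attack"
    if tree_attack or entropy_attack:
        return "new attack"
    return "normal"


def classify_window(packets, tree_attack):
    """tree_attack stands in for the decision tree's verdict on this window."""
    e, esd, volume = window_features(packets)
    return combine(tree_attack, entropy_flags_attack(e, esd, volume))
```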
modules. This classification information is returned to the cluster head (sniffer) as shown in figure-6.
• The calculated entropy values are used to plot the graph against time as shown in figure-7.
• The packet information is received, and a decision tree module developed for classifying the packets received from the network is trained so that the system can predict the outcome for future packets. New attack patterns, if detected, are added to the database used for training the classifier, and the classifier is then retrained to accommodate the new pattern as shown in figure-8.
• Host based module: at the first level the file permissions are checked. This is also where the firewall module is present. At the second level illegal operations are handled, and a logger records any super user login attempts as shown in figure-9.
• The issued command is compared with the list of illegal commands, and if a match is found an alarm is generated to notify of the suspicious action as shown in figure-10.
• The rule modifier sub-module of the host module is shown in figure-11. A client waits for a connection after creating a socket. Whenever the server suspects unusual behaviour from a user accessing an internal IP address in the network, it sends an iptables command to block the user's IP address.
• The normal packet behaviour is shown in graph form. The graph indicates normal packets going through the system as shown in figure-12.
• The attack packets are shown in graph form. The straight line indicates that an attack has been detected by the system as shown in figure-13.

The following Specification describes the invention. We claim:
1. A network based intrusion detection system comprising:
■ A packet logging module which captures the packets entering the server. The attributes which are logged and studied are (a) packet size, (b) source and destination IP addresses and (c) input traffic volume.
■ An entropy calculator which calculates three values, i.e. packet size entropy, eSD (entropy based on source and destination IP addresses) and input traffic volume (number of packets per unit time), which help us differentiate between normal and attack packets.
■ A cluster of machines to identify the attack packets. The Python dispy module is used to distribute the packets which enter the server. The machines in the cluster independently calculate whether a packet is classified as (a) attack or (b) normal.
■ A module for automated updating of network firewall policies has also been created which sets the iptables policies on each machine.
■ A module to communicate with the hosts to inform them of the change in security policies.
2. A host based intrusion detection system comprising:
■ A program which checks user inputs. A list of illegal commands is given to the program. The program checks whether the command entered by the user matches a command in the list. If the user attempts to use a command which would hamper the security of the system, the program generates an alarm.
■ A module to communicate with the cluster and update the host's individual security policies at set time intervals.
■ A module to detect whether an external USB drive is plugged into the host, which then generates an alarm.
3. An alarm system comprising:
■ On entering illegal commands the system will generate an alarm to notify about it.
■ Whenever an intrusion is detected, the alarm system will ring to notify the user so that the event does not go unnoticed and proper action can be taken.
4. A classification and prediction model comprising:
■ A decision tree module has been developed for classification of the packets received from the network; we train the system on it and predict the outcome for future packets. New attack patterns, if detected, are added to the database used for training the classifier, and the classifier is then retrained to accommodate the new pattern. Different sub-trees are created for different attack patterns.
5. Real time graph module comprising:
■ A graph module is created in which the entropies of the packets entering in each 1 second time window are calculated and plotted on a real time graph.
■ Two graphs are generated, one for packet size entropy and one for eSD.

Documents

Application Documents

# Name Date
1 201621016976-FORM 3-(01-06-2016).pdf 2016-06-01
2 201621016976-FORM 1-(01-06-2016).pdf 2016-06-01
3 ABSTRACT1.jpg 2018-08-11
4 201621016976-Form 9-170516.pdf 2018-08-11
5 201621016976-Form 5-170516.pdf 2018-08-11
6 201621016976-Form 3-170516.pdf 2018-08-11
7 201621016976-Form 2(Title Page)-170516.pdf 2018-08-11
8 201621016976-Form 18-170516.pdf 2018-08-11
9 201621016976-Form 1-170516.pdf 2018-08-11
10 201621016976-FER.pdf 2020-03-17
11 201621016976-Examination Report Reply Recieved-180920.pdf 2021-10-18
12 201621016976-US(14)-HearingNotice-(HearingDate-15-07-2022).pdf 2022-06-22
13 201621016976-Reply to Hearing Report-010822.pdf 2022-08-03
14 201621016976-Claims-010822.pdf 2022-08-03
15 201621016976-Claims-091122.pdf 2022-11-11
16 201621016976-IntimationOfGrant14-11-2022.pdf 2022-11-14
17 201621016976-PatentCertificate14-11-2022.pdf 2022-11-14

Search Strategy

1 2020-03-1316-22-30E_13-03-2020.pdf