Using Genetic Algorithms for Network Intrusion Detection and Integration into nProbe


Conference: OSCON 2010
Presentation Link: Ignite Track
Presented by: Brian Lavender

SNORT is a popular Network Intrusion Detection System (NIDS) tool that currently uses a custom rule-based system to identify attacks. This presentation focuses on writing the algorithm that generates those rules through a Genetic Algorithm (GA), and on integrating the generated rules into nProbe, a similar network monitoring tool written by Luca Deri with a plug-in architecture.

Genetic Algorithms depend upon identifying attributes that describe a problem and evolving a population toward a desired solution. In this case, the problem is an attack through the network, and the attack is identified through attributes of the connection's properties. Genetic Algorithms depend upon training data. The DARPA datasets provide training data in categorized form (attack vs. normal) along with the corresponding raw network recording in tcpdump format. nProbe has a plug-in architecture allowing for customization.

This presentation explains original code in C to evolve rules. It uses the same chromosome attributes used by Gong, verifies the results against and contrasts them with the research performed by Gong, and presents the code for integration into nProbe.
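To illustrate the rule-evolution idea described above, here is a small Python genetic algorithm added as an example; it is not the talk's C code, and the connection attributes, the support-plus-confidence fitness, and the operators are assumptions chosen for illustration rather than Gong's exact scheme. It evolves a single rule (one gene per attribute, with wildcards) over a constructed set of labelled connection records.

```python
import random
# Constructed training records: (protocol, dst_port, duration_s, bytes, label).
RECORDS = [
    ("tcp",  80,  2, 1400, "normal"),
    ("tcp",  443, 5, 9000, "normal"),
    ("udp",  53,  0,  120, "normal"),
    ("tcp",  22, 30, 3000, "normal"),
    ("tcp",  23,  1,   40, "attack"),  # short telnet probes
    ("tcp",  23,  0,   60, "attack"),
    ("tcp",  23,  1,   44, "attack"),
    ("icmp", 0,   0,   64, "normal"),
]
FIELDS = 4     # genes per chromosome (the label is not a gene)
WILD = None    # gene value meaning "don't care"

def matches(rule, rec):
    """A rule matches when every non-wildcard gene equals the record's field."""
    return all(g is WILD or g == v for g, v in zip(rule, rec[:FIELDS]))

def fitness(rule, records):
    """support (matched attacks / N) + confidence (matched attacks / matched); no match scores 0."""
    matched = [r for r in records if matches(rule, r)]
    if not matched:
        return 0.0
    hits = sum(r[-1] == "attack" for r in matched)
    return hits / len(records) + hits / len(matched)

def random_gene(rng, records, i):
    """Either a wildcard or a value of field i seen in the training data."""
    return WILD if rng.random() < 0.5 else rng.choice(records)[i]

def evolve(records, generations=60, pop_size=40, seed=1):
    """Return the fittest rule found; elitism keeps the best two each round."""
    rng = random.Random(seed)
    # Start with the all-wildcard rule, so the result is never worse than "flag everything".
    pop = [(WILD,) * FIELDS] + [tuple(random_gene(rng, records, i) for i in range(FIELDS))
                                for _ in range(pop_size - 1)]
    for _ in range(generations):
        pop.sort(key=lambda r: fitness(r, records), reverse=True)
        nxt = pop[:2]                                  # elitism
        while len(nxt) < pop_size:
            a, b = rng.sample(pop[:10], 2)             # truncation selection
            cut = rng.randrange(1, FIELDS)
            child = list(a[:cut] + b[cut:])            # one-point crossover
            if rng.random() < 0.2:                     # mutate one gene
                i = rng.randrange(FIELDS)
                child[i] = random_gene(rng, records, i)
            nxt.append(tuple(child))
        pop = nxt
    return max(pop, key=lambda r: fitness(r, records))
```

On these records the all-wildcard rule scores 0.75 and the rule ("tcp", 23, WILD, WILD) scores 1.375, the maximum possible here; a real run would use the DARPA connection records and Gong's attribute set in place of the constructed data.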