Please use this identifier to cite or link to this item: https://repository.sustech.edu/handle/123456789/23631
Title: Implementation of Packet-Based and Flow-Based Network Intrusion Detection System
Other Titles: Implementation of a Network Intrusion Detection System at the Packet Level and at the Flow Level
Authors: Mohamed, Ala Eltahir Abdalla
Supervisor: Ahmed Abdalla Mohammed
Keywords: Electronics Engineering
Computers and Networks
Packet-Based
Network
Issue Date: 10-Apr-2019
Publisher: Sudan University of Science and Technology
Citation: Mohamed, Ala Eltahir Abdalla . Implementation of Packet-Based and Flow-Based Network Intrusion Detection System / Ala Eltahir Abdalla Mohamed ; Ahmed Abdalla Mohammed .- Khartoum: Sudan University of Science and Technology, college of Engineering, 2019 .- 86p. :ill. ;28cm .- M.Sc.
Abstract: Security has become an important issue in the networking world. Intrusion Detection Systems (IDSs) are one of the most tested and reliable technologies for monitoring and detecting attacks. Network Intrusion Detection Systems (NIDSs) collect network traffic information from some point on the network or computer system and then use this information to secure the network. There are two methods, based on the source of the data to be analyzed in NIDSs: Packet-Based and Flow-Based. This research implements both methods to detect scanning and flooding attacks. The Packet-Based NIDS is implemented using the misuse-based IDS Snort, an open-source project, configured to run in NIDS mode. Attacks are launched from a remote host that uses the Kali tool. For the Flow-Based NIDS, an algorithm is implemented in the C language to detect and identify network attacks based on the Time-based Aggregation Traffic (TAT) feature extracted from previously exported NetFlow records, in order to detect several scan and Denial of Service (DoS) attacks. After implementing and testing both methods, the results showed that the Packet-Based NIDS can detect scanning and flooding attacks very well and is able to raise alerts for them, but Snort cannot alert on every incoming packet because of its inability to analyze multiple packets in a short time. The Flow-Based NIDS detects all scanning and flooding attacks correctly, with a False Positive of almost zero (actually 0.002) and a True Positive equal to 1. A hybrid system combining both inspection methods is recommended to get the best features of both Network Intrusion Detection Systems.
Description: Thesis
URI: http://repository.sustech.edu/handle/123456789/23631
Appears in Collections: Masters Dissertations : Engineering

Files in This Item:
File: Implementation of Packet....pdf (Restricted Access)
Description: Research
Size: 919.35 kB
Format: Adobe PDF


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.