Network Intrusion Detection System – Design And Implementation

Project Detailed Design

The use of internet has increased with the advancement in technology such as smart phones and high-speed internet. With the increase in a number of web users, the demand for online security has increased as well in order to protect digital frameworks from various security breaches. The online security breaches and cyber-attacks resulted in compromising security; integrity and authenticity of a network because it allows cybercriminals to conduct illegal activities such as file modification and unauthorised access to confidential data [1].

Save Time On Research and Writing
Hire a Pro to Write You a 100% Plagiarism-Free Paper.
Get My Paper

Organisations can use Intrusion Detection System (IDC) which is a software application that monitors the network for policy violations or malicious practices. The detection system are divided in two groups 1. Is Host based intrusion detection system and the other 2. Network based intrusion detection system[2]. In previous few years, the development in network security and network-based services has become a crucial factor for organisations. In order to ensure security of networks and identify different cyber-attacks, companies used anomaly-based network intrusion detection technique. Techniques which are used in anomaly-based network intrusion detection include knowledge-based, machine learning based, and statistical based.

[3] Companies face challenges while using different security methods, which are based on existing network data characters, in order to improve their performance. The Network Intrusion Detection System (NIDS) is installed by corporations at key points of the networkin order to check traffic from and to all hosts that are using a network [4].This report will focus on the network intrusion detection system, and it will include the background of the topic, and requirements of the project. 

  1. Design, implementation and block diagram

Network Intrusion Detection System (NIDS) is further protection which examines network activity to detect attacks or intrusions. NIDS systems can be hardware and software based devices used to examine an attack. NIDS products are being used to observe connection in detect whether attacks have been launched. NIDS systems just monitor and generate the alert of an attack, whereas others try to block the attack.

The network intrusion detection systems can detect several types of the attacks that use the network. NIDS are excellent for detecting access without authority or some kinds of access in excess of authority. A NIDS does not require much modification for production hosts or servers. It is benefit because these servers regularly have close operating system for CPU and installing additional software updates may exceed the systems capacities. Most NIDSs are quite easy to deploy on a network and can observe traffic from multiple machines at once.[5] We are using Snort for the network intrusion detection system. Snort is principally a rule-oriented detection system to capture the intrusion. It can perform real-time traffic monitoring, analysis and packet logging on Internet Protocol (IP) networks. Snort reads the rules at the start-up time which can be predefined or customised and builds internal data structures or chains to apply these rules to captured data. Snort is accessible with a various.

Save Time On Research and Writing
Hire a Pro to Write You a 100% Plagiarism-Free Paper.
Get My Paper

Established pre-defined rules to perceive intrusion activity and you can also free to enhance your own rules as per the constraint. Below is the block diagram for the snort architecture

1. Summary of Literature Review

 Block diagram of Network intrusion detection system

The above figure is a bock [6] of network intrusion detection system, where it captures the incoming traffic using wire shark, captured data is sent into the detection mode where it analyses the files in batch mode and before forwarding it to the system, data is being filtered which leads to elimination of the network traffic.[7] Once the data id filtered all the known attacks which are signature based are removed and analysed, after analysing the known attacks it is send to anomaly based detection technique where it uses association pattern analysis to detect the malicious traffic and notes its signature so that it can be stored as signature based detection techniqu

3.Table of weekly Activities for MN692

Week Number


Week -1

Will be authenticating all the details and activity to be performed in this stage of the project from the research done in the previous stage to complete the project effectively. Doing research on some data collection method with the help of some basic tools on network traffic, IP source and destination and packet capture from the network for network intrusion detection system.


To reduce the obscurity and uncontaminated network data for the research method to be used to get the final outcome, the pre-processing research method will be used to relate to the data.


The concept research method is on use are data mining technique, which will be used to exploration and understand the application of decision-tree algorithm.


Considerate and illustrative doubts on One-class support vector machine (1-class SVM).


The software required for packet sniffing is snort, which is required to be installed and configure the rules of snort.


Authentication the rules of snort appropriately and cross checking the software required for snort and works perfectly to initiated the project.


 To build the research method which is the hybrid detection method?


To improve the intrusion detection method and also to assess and random test the system.


To do a complete verification of the project in accordance to our project requirement and accomplishing all the task assigned to compete and to organize for demonstration of project.


Report Writing for the final document.


Ongoing report writing and oral presentation document.


Finishing the final report and assembly the limitation of the project if any or submit the final report and prepare for demonstration

.4. Roles & Responsibilities of each team member 

Week #

Vinod Allam

Solomon waskar

 Rakesh nunna

Abdul Rasheed

Week -1

To comprehend and validating the details of the project and implementing.

Exploration on Network data abstraction.

Extraction of the rules required for snort.

To get acquaintance with ‘Honey D’ and other network configuration for the computer.


Complete understanding of pre-processing methods.

Scrutiny on the pre-processing systems such as Normalization, Discretization and Feature range.

Congregation and substantiating

Configure the snort as per the rules required for the project.

Reading from IEEE journals on SVM (support vector machine) model to create decomposed subnet.

2. Objectives of the Project


To get acquaintance with decision tree algorithm

To better understand the gain based decision tree algorithm and research on gain calculation for the implementation.

 To build a normal algorithm for the requirement of project.

To contribute the known from the svm and explain the team member for construct hybrid detection system


To understand all the documentation and research done and illustrative the quires with supervisor and team member as start the project.

To see all the documentation and research done and illustrative the quires with supervisor and team member as begin the project implementation.

Joining all the exploration done till now and illustrative the questions with all team member and supervisor to begin building of the project.

Consolidating all the examination done till now and illustrative the questions with all the team member and supervisor to begin building and introducing the project.


Install virtual box and wire-shark.

Installation of snort subscription software and win-cap.

To understand and configure the rules for snort.

To test if the configured snort is running correctly as per requirement.


Enduring the configuration steps of software.

Continuing the configuration steps of Snort.

To check for more better configuration of snort

To check if the snort is capturing data as per requirement.


Structure the decision-tree algorithm.

Script test situation to the logic of decision-tree algorithm.

Scripting test circumstances to one-class SVM.

Construction of the one-class SVM detection algorithm.


Continuation building the decision-tree algorithm.

 Extension testing the logic of decision-tree algorithm.

Additional testing the logic of one-class SVM.

Building the one-class SVM detection algorithm.


Assess and start acceptance test.

Evaluate and start acceptance test.

Appraise and start acceptance test.

Gage and start acceptance test.


For the final report divide the task equally and to complete report.

Writing on the fix and evaluation part of the report and also fix issues in project.

To complete the writing on weekly report and problem fixing of project.

Scrutiny of the project and its limitation if any.


Structuring the final report and dividing the oral presentation to each team member.

Preparing for presentation on evaluation step by step procedure.

Oral presentation on decision tree and one class svm.

Will be writing troubleshooting steps.


To collect all the data and ready for the demonstration on the project

Fixing any trouble shooting in the project and demonstration.

Finding any project limitation and fixing it.

Compiling all the document and oral presentation and giving it for final proof reading. 

  1. Installation

                Network intrusion detection system, virtual box is installed in the computer in order to simulate the process. Windows is used as the main platform in order to perform. Windows 10 OS is installed in virtual Box, after installing windows snort is being installed and configured according to requirements in order to monitor incoming traffic. Honey D is being deployed in the system in order to capture the attacker’s details. All these applications are being installed to neutralise the attacks using algorithms.  

5.1 Implementation

Snort [8] is being deployed to monitor the malicious traffic using signature and anomaly based detections, it displays required information regarding the incoming and outgoing traffic that is being captured by the wire shark and analyses the traffic by using algorithms.  All this applications are being deployed inside the OS and incoming traffic is being monitored regularly. HoneyD acts as a trap in order to capture the incoming requests by the attackers by acting as a main server and noting attacker’s details.


3. Detailed Design

6.1 Software Requirements

Applications that are being installed







Virtual Box






6.2 Hardware requirements

2 personnel computers


8 GB ram

I5 processor

2 GB graphic card

500 GB hard disk 

  1. Detection methods

IDS is mainly classified into two types (i) signature based (ii) anomaly based detection system

 7.1 Signature based:

Signature based detection algorithm [9] notes all the signatures of the malicious activities that has happened before and stores it signatures in order to detect it. Signature based detection is mainly based on the attacks that has been happened before

7.2 Anomaly based

Anomaly based detection[9] is mainly based on the behaviour of the traffic, each packet is analysed thoroughly and divided into parts and in case of any malicious  behaviour is found the packet is being dropped.

Implementation of snort

Linux should be used to implement Snort. The process is made painless and easy by Ubuntu – easier than to install Snort as well as to configure Windows server. Snort sensors must be seen as apparatuses (such as UPS or a router) and hence, do not require to coordinate with the server infrastructure. Actually, one presumably have other system apparatuses running on some versions of Linux. One final thought is if ones’ intrusion detecting framework is on a similar platform like the rest of the  frameworks, it might progress toward becoming compromised alongside different systems in case of an effective intrusion.

For minor fittings, a single PC can house the organization applications (ACID and Snort Center and) screen the network. In bigger organizations, one will presumably need to isolate these capacities. One PC can play out the administration roles while different PCs acts like sensors. Fig 1 demonstrates a common course of action of sensors inside a medium measured system. Ubuntu is intended to give a safe, lightweight condition and, in this way, runs just a negligible arrangement of ordinary Linux services.

Operating with Snort

So as to utilize Snort like an Intrusion Detecting System, first snort should be downloaded from its official site ( Then snort should be designed through the following steps.

  • using VirtualBox, install a virtual machine Ubuntu.
  • introduce and then design Snort in the Ubuntu machine.
  • Open up a terminal by hitting the highest symbol on the left corner to scan for the terminal application.
  • After opening the terminal, type across the board line (in the accompanying summon):”sudo aptget install flex bison buildessential checkinstall libpcapdev libnet1dev libpcre3dev libmysqlclient15dev libnetfilterqueuedeviptablesdev”
  • Password will be asked for and the login password will be entered to the VM.
  • The chosen applications are by then being installed. A prompt might sometime arise requesting to proceed, type “y”‘ then proceed.

Building and installation of libdnet from the source code.

  1. Type “wget”. Press enter.
  2. If you key in “ls”, the file will be downloaded to the home directory. The command: tar xvfvz libdnet1.12.tgz will be issued. Press Enter.
  3. This will unpack every file that was inside the libdnet112.tgz folder and forms a libdnet112 manual. Convert to the libdnet112 directory.
  4. Type: ./configure “CFLAGS=fPIC”. Press enter. The “fPIC” C flag is important when it is compiled on 64bit basis.
  5. Type “make”. Key in enter.
  6. Key in “sudo checkinstall”. The command, checkinstall above will form .deb package. Then will ask several questions. Agree default values.
  7. Install .deb package, then create a representative link where Snort search for libdnet. Key in the commands: “sudo dpkg I libdnet_1.121_amd64.deb” then “sudo ln s/usr/local/lib/libdnet.1.0.1/usr/lib/libdnet.1”.

Downloading, building and Installing Data Acquisition Library (DAQ).

  1. One can download DAQ from 0.6 is the latest version. Usually, downloads are positioned in the Ubuntu OS’s Downloads directory.
  2. The steps for the libdnet install unpack the files, configure, make, and install are going to be repeated.
  3. The command, “sudo checkinstall” will follow the following stages as it did f0r the libdnet process. Figures below indicates the first “sudo checkinstall command” and the final result.
  4. The package is Installed through running: “sudo dpkg i daq_2.0.61_amd64.deb”
  • Download, building and Installation of
  1. Snort, Much like Data Acquisition Library might be taken from: is the recent version. Again the copied file exist in the Ubuntu OS’ Downloads directory.
  2. The steps for the libdnet as well as daq install -unpack the files, configure, make, and install are going to be repeated.
  3. The command, “sudo checkinstall” will go thru the following stages as from the libdnet and daq process. The following figures indicates the first “sudo checkinstall command” then the result.
  4. By running: “sudo dpkg i snort_2.9.8.01_amd64.deb” the package is installed
  5. By running: “sudo ln s /usr/local/bin/snort/usr/sbin/snort” symbolic link for snort is created.
  6. Run the ldconfig command, so that dynamic linker runtime bindings for libdnet and DAQ libraries are properly set up.
  7. By running “snort V” verification of whether snort is properly installed is done. Something like the one below will be gotten:

 Snort will successfully be installed and configured as Intrusion Detecting System after following the above stages.

To test the Snort, one rule was added to offer an alarm whenever there was an access to Facebook. The command was: alert tcp any any -> any any (content:”facebook”; msg=”Someone is accessing to facebook!!”; sid:1000001;)

Therefore after accessing Facebook, Snort generated an alarm message as illustrated through Figure 3.2.

Testing snort

Testing the attempted invasion can be achieved through scanning of the basic intrusion access areas by the intruders of the network. A plan must be fixed to allow fruitful testing to occur.

Testing snort basic principles

One must examine the basic principles governing snort application in remote sensor network:

Snort security matters

  • Data packets’ confidentiality
  • Access control in the network
  • Outgoing and incoming transmission of the data packets.
  • Accessibility of services.
  • Snort’s functionality.
  • Check for available services.
  • Check hacker’s action from public networks that are entering to private networks.

Verification of snort intrusion:

This is intended to recognize any intrusion into the network with an aim of deciding and giving affirmation that there is no any point of intrusion into the system from external system. This additionally assists to identify the attempted attack. Along these lines, the snort ought to have the capacity to distinguish the attempted hacking.Result Analysis as well as evaluation

Project Implementation and Evaluation

The concentration in this structure is to look at the activity of snort in a remote sensor system to recognize arrange attack by use of WIDS. Adequate outcomes will be received from the way snort is composed, installed and designed in the Remote Network that protects the system from any intrusion or attack. The snort structures execution, dataset employed as well as the testing ought to encourage adequate outcomes to be acknowledged in WIDS found in the server that have different standards and guidelines.The report demonstrates that several forms of intrusions are noted after the installing snort, firewall as well as other safety devices that assist in detecting the attacks.

Experiment one

Aims to inspect whether snort enforces security on outgoing and incoming spoofing as well as spying traffic.


Backdoor is an implementable program that might be employed to spoof and spy the targeted host. After installation, it offers a hidden way through passing normal verification that has wireless access. The software masquerades itself as ICQ program that failed when being installed. Once installation is completed, it will expose a port that will allow intruders or attackers to access network. The backdoor comprises of two portions for the server and client. The server links to the clients as implementable files that the users install without suspecting any issue. After installation, client ports are opened and it starts an attack.

Results Analysis

From the alarm. Ids file demonstrates Remote Procedure Call (RPC) a threat based on the buffer overflow exploitation which is categorized as miscellaneous activity and rank it as lower level insecurity as per the WIDS snort standards based ranking. The enemy executing an attacks to a host with an Internet Protocol Address of aiming host with an Internet Protocol Address of that in this circumstance is the mail server. Port 52 is the one that is being used, where snort cannot detect. Port 53 is then open, where backdoor attacks use to survey network services categorized as attempted proprietor privileges gains the Priority. This indicates that the enemy have administrative rights, therefore can fully access the network services. TCP is the protocol used in this situation. When administrator receive the report, it is ease to screen all traffic through TCP port-52 implementing the principle on Snort.Experiment2

Aim: To examine whether snort applies configured policies and rules towards outgoing and incoming traffic.

 The death of the ping attack is tested through DOS attack

The point of applying death of ping attacks is to test whether snort has capacity to recognize the traffic from public and internal network. The apparatus went for installed server by sending limitless data parcels. Central servers that are targeted should respond to every ping packet directed to internal system. Designed snort must stop the death ping after it shows up. The command applied ping < IP target host> – t – 1 65500, will transfer packets at a speed of 125 kbs. Target hosts test is the mail server, IP address of like demonstrated below:- Results Analysis

The report indicates that traffic timestamp, time, date, packets NETBIOS Unicode data have accesses categorized by the name generic protocol command on decode precedence, DOS, and SMB. Report evaluation demonstrates that alarm activities contained heavy traffic, from external and internal towards port 53 address, applied for NETBIOS.  Services of NETBIOS are used to let communication in internal LAN. The report offers details concerning the position of the host within private network. Through port 53, traffic is noticed. The other attacks include the Finger protocol, HTTP and the Trojan horse.


 For regression analysis, clustering and classification, WEKA tool is applied. To classify the data,  a folder in WEKA is opened and Decision tree organizer is used. The outcome is demonstrated using Figure 3.14.Conclusion

The aim of this report was to decide the viability and execution of the intruders detecting system:  Comparing it with the outstanding IDS, Snort, is a quick system. Snort was evaluated on different steps on a super PCs with different conventions and packet sizes as well as protocols. A huge amount of packets reduces while using virtualization resulting from changing aspects of virtualization where the assigned physical memory RAM to the host PC is a distributed disc space as well as virtual RAM. It will respectfully impact the function of Suricata and creates packet drops. As the amount of packets received by the network card get higher than the amount received by virtual machines, this thought is conceptualized due to the bottleneck resulting from exchange of low circle data. 


[1]R. von Solms and J. van Niekerk, “From information security ton cyber security”, Computers & Security, vol. 38, pp. 97-1.2, 2013.

[2]h. Liao, C. Richard Lin, Y. Lin and K. Tung, “Intrusion detection system: A comprehensive review”, Journal of Network and Computer Applications, vol. 36, no. 1, pp. 16-24, 2013.

[3] N. Thanh Van, T. Ngoc Thinh and L. Sach, “An anomaly-based Network Intrusion Detection System using Deep learning”, 2017, pp. 1-2.

[4] M. H. Bhuyan, D. Bhattacharyya, and J. Kalita, Network Anomaly Detection: Methods, Systems and Tools. 2014, pp. 30-34.

[5]U. Modi and A. Jain, “An Improved Method to Detect Intrusion Using Machine Learning Algorithms”, Informatics Engineering, an International Journal, vol. 4, no. 2, pp. 17-29, 2016. 

[6]P. Casas, J. Mazel and P. Owezarski, “Unsupervised Network Intrusion Detection Systems: Detecting the Unknown without Knowledge”, Computer Communications, vol. 35, no. 7, pp. 772-783, 2012.

[7] M. H. Bhuyan, D. Bhattacharyya, and J. Kalita, Network Anomaly Detection: Methods, Systems and Tools. 2014, pp. 30-34.

[8] Cleland-Huang, J., 2017. Safety Stories in Agile Development. IEEE Software, 34(4), pp.16-19.

[9]M. Sazzadul Hoque, “An Implementation of Intrusion Detection System Using Genetic Algorithm”, International Journal of Network Security & Its Applications, vol. 4, no. 2, pp. 109-120, 2012.