14 - Chapter 6 PDF

This chapter discusses a time oriented user service log analysis model for intrusion detection in cloud environments. The model uses entropy measures calculated from user logs to detect intrusions. It works as follows: 1) User service requests are analyzed based on user ID, service requested, and prior history from user logs. Logs are used to allow or deny requests. 2) Entropy is monitored by registering user activity and calculating information from databases about user logs in real-time. 3) Intrusion detection is performed by computing a trustworthy ratio based on the entropy measure and various user log factors. Services are classified as normal, malicious, or suspicious based on the entropy value.

Uploaded by

BARATH

CHAPTER - 6

TIME ORIENTED USER SERVICE LOG ANALYSIS MODEL FOR INTRUSION DETECTION SYSTEM IN CLOUD ENVIRONMENT

6.1 INTRODUCTION

The time oriented user service log analysis model addresses the time orientation of an intrusion detection system in the network. Internet communication is performed by transferring data packets between source and destination at the network layer. However, the intermediate nodes of any network carry a significant threat of being malicious. Unlike other network threats, the IDS threat is a different one, generated by several nodes acting in combined form: the IDS controller initiates the danger and is supported by a number of compromised nodes in the network, so that together they form a network of malicious nodes, each of which introduces malicious packets into the system.

The nodes of the IDS do not blindly send malicious packets into the network; they first learn the network traffic and, based on that, perform malicious activity over the network. For example, the IDS controller observes the network traffic and reads the network packets. From a network packet it can identify where the service is available, learn which routing strategies are used, what payload a packet should carry, and what kind of request is accepted by the destination servicing node.

If the malicious node succeeds in the learning process, it generates some compromised nodes to produce malicious threats. If the routing protocol in use follows shortest-path routing, it can use the compromised IDS nodes to support a longer route, which increases the hop count of the path.

Most schemes consider the flow of packets, that is, the frequency of packets from the source to the service point. Using the flow as the key for identifying the IDS is not efficient. The IDS nodes produce only a limited number of packets at normal times; having learned the time at which traffic is higher, they understand that people access the service in that particular time window, and so they produce an enormous number of packets in that specific time. This increases the packet drop rate and degrades service performance. Considering only the flow as the key for identifying the IDS is therefore not suitable. On the other side, even a legitimate node may produce a large number of packets to the network as it requires, and it cannot be classified as malicious on the basis of flow and frequency alone. This increases the need for other features to be considered when ranking packets.

Also, from the point of view of payload detection, a node may produce higher-payload packets to the service point. Similarly, if the service is a sensitive one, it can generate packets that are malicious to the service point. In all these cases, the throughput performance of the service is affected and degraded.

6.2 PROBLEM DEFINITION

The behavior of system users can be utilized to perform intrusion detection, and this section describes such techniques.

Saifullah (2009) proposes an algorithm in which the survival limit is underestimated by the routers in order to shield the server from any sudden initial attack. The survival function is initialized to minimal or typical values at the start of the algorithm, and the rate is increased or decreased based on the server's feedback sent to its child routers. It is finally propagated downward to all routers in the successive rounds of the algorithm, with the aim of converging the total server load to the acceptable limit range.

Tao Peng et al. (2004) present another approach to detecting bandwidth attacks by monitoring the arrival rate of new source IP addresses. The detection framework is based on an advanced nonparametric change detection scheme. Gilad and Herzberg (2012) present a lightweight tunneling protocol to protect network traffic against IP spoofing and flooding attacks. It is deployed at the network's communication gateways.

Shiaeles et al. (2012) achieve DDoS detection with improved time constraints through non-asymptotic fuzzy estimators. The estimator is applied to mean packet inter-arrival times. The problem is divided into two parts: one is the actual DDoS detection, and the other is the identification of victim IP addresses. The first part is accomplished using strict real-time limits for DDoS detection. The second part, the identification of victim IP addresses, is achieved through comparatively relaxed constraints. The objective is to recognize victim IP addresses immediately in order to launch the attached anti-intrusion applications, often on specific services. Packet arrival time is used as the primary metric for DDoS attack protection.

6.3 MATERIALS AND METHODS

Intrusion detection methods maintain a list of user logs identified as malicious at an earlier time. Based on the available log, the method determines the malicious request and denies it. The problem with this approach is that an unidentified malicious request cannot be stopped. Additionally, individual nodes use different identities for themselves, which compromises the detection scheme. Likewise, these techniques compute the entropy value for the packets received. So, based on the entropy measure, intrusion detection is performed in the proposed methodology.

Figure 6.1 Work flow diagram (components: Cloud environment, Node identification, Source node discovery process, User log analysis, Entropy measure, Intrusion detection based on entropy measure, Normal data process)

Figure 6.1 shows the work flow of the intrusion detection system for better data communication in the cloud environment, and also shows its functional components in the cloud.

6.3.1 User Log Analysis

The cloud service requests created by the users are inspected at this stage. It recognizes the user request, the user ID and the service requested, and then the intrusion detection process handles the service request to acquire the past history. The user logs are used to serve the request or drop it, depending on the received request. Based on the request, the log record should be returned to the whole system for new analysis.

Algorithm:

The above-discussed algorithm identifies the service request based on the user ID. It also finds the trust flag rate for every user in the network. Based on the flag rate, the user is allowed and a trace file is generated in the network.

6.3.2 Entropy Measure Monitoring

Entropy is monitored by a systematic approach in which user activity is fully received by registering on the user page. The cloud process identification calculates the information from the database about the user logs in real time; it is accepted, and the amount of data is later converted. In addition to the number of services, the system classifies various types of data, such as times and users. The results are monitored, the user registration is saved, and further action is applied.

Algorithm:

6.3.3 Intrusion Detection Based on Entropy Measure

Intrusion detection is performed based on a trustworthy ratio computed for the entropy measure, which is calculated using various factors of the user log. Based on the computed criteria, the services are identified as normal, genuine or dangerous. This method computes the reliable service measure and classifies the service according to the entropy value; based on that value, intrusion detection is performed in the cloud environment.
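The following Python is an added illustration, not the chapter's own algorithm (which is not reproduced on the page), of the time-window entropy monitoring of 6.3.2 and the trustworthy-ratio classification of 6.3.3: user requests are grouped into time windows, the entropy of the user IDs in each window is normalised into a trust ratio, and the window is classed as normal, suspicious or malicious. The sample log, the choice of user-ID entropy as the trust measure and the class thresholds are all constructed assumptions, since the chapter gives no formula or numeric values.

```python
import math
from collections import Counter, defaultdict
# Constructed sample log of cloud service requests: (timestamp in seconds, user ID, service);
# the second 60-second window contains one user flooding a single service.
SAMPLE_LOG = [
    (0, "u1", "storage"), (5, "u2", "compute"), (12, "u3", "storage"),
    (20, "u1", "db"), (25, "u4", "compute"), (40, "u2", "storage"),
    (60, "u9", "db"), (61, "u9", "db"), (62, "u9", "db"), (63, "u9", "db"),
    (64, "u9", "db"), (65, "u9", "db"), (66, "u1", "storage"), (70, "u9", "db"),
]
# Assumed thresholds on the trustworthy ratio; the chapter gives no numeric values.
NORMAL_MIN, SUSPICIOUS_MIN = 0.6, 0.3

def shannon_entropy(counts):
    """Shannon entropy in bits of a Counter of occurrences."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values()) if total else 0.0

def split_windows(log, window_seconds):
    """Group log entries into fixed-length time windows keyed by window index."""
    windows = defaultdict(list)
    for ts, user, service in log:
        windows[ts // window_seconds].append((user, service))
    return dict(windows)

def trust_ratio(entries):
    """Assumed measure: user-ID entropy normalised by its maximum log2(n); 1.0 = all distinct users."""
    n = len(entries)
    if n < 2:
        return 1.0
    return shannon_entropy(Counter(user for user, _ in entries)) / math.log2(n)

def classify(ratio):
    # Map the trustworthy ratio to the three service classes used in the chapter.
    if ratio >= NORMAL_MIN:
        return "normal"
    return "suspicious" if ratio >= SUSPICIOUS_MIN else "malicious"

def analyse(log, window_seconds=60):
    """Return {window_index: (trust_ratio, label, dominant_user)} per time window."""
    result = {}
    for idx, entries in sorted(split_windows(log, window_seconds).items()):
        ratio = trust_ratio(entries)
        dominant = Counter(user for user, _ in entries).most_common(1)[0][0]
        result[idx] = (round(ratio, 3), classify(ratio), dominant)
    return result

def denied_users(log, window_seconds=60):
    """Users that dominated a malicious window; later requests from them are denied as prior history."""
    return {dom for _, label, dom in analyse(log, window_seconds).values() if label == "malicious"}
```

On the sample log the first window (four users sharing six requests) is rated normal, while the second window, where one user sends seven of eight requests, drops below the malicious threshold and that user is added to the deny list.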

Algorithm:

6.4 SIMULATION RESULTS

In this section, the results produced by the suggested method are discussed, and a comparative study on the quality of service parameters is made. Figure 6.2 shows a snapshot of the placement of nodes in the network at the initial stage, with the number of nodes. Figure 6.3 shows a snapshot of route discovery and packet forwarding using route discovery in the specific region where the destination is located.

Figure 6.2 Initial network setup

Figure 6.3 Route discovery and packet forwarding

Figure 6.4 Attack discovery position

Figure 6.5 Snapshot of packet transmission

Figure 6.4 shows the attack discovery position in the network at a given point in time. Here the destination node has moved to some other quarter. The snapshot of the route request propagation, as well as the packet transmission, is shown in Figure 6.5.

6.5 SUMMARY

In this chapter, intrusion detection based on an entropy measure has been discussed. The detection algorithm has been applied to real-time traffic. The algorithm reads the incoming packets and performs various analyses over the traffic, the stream and the route, as well as on the behavior of the sending nodes. Based on the results of these analyses, the method performs detection. The method splits the traces into different time windows, and based on the time window it easily detects the intrusion in the network.
