Analysis of intrusion detection system in switches-based gigabit networks

preprint OA: closed
Full text JSON View at publisher

Abstract

Abstract The development and use of computer networks is increasing quickly by small, medium and large companies for transferring the data. One of the most important concern in today's networks is the requirement for security analysis techniques that can keep up with the growing network traffic as networks get faster. The exponential expansion of networks, incidents of data attacks and security breaches have also proliferated. Although there are several approaches accessible but dynamic environment makes these approaches insufficient. In this context we propose an high speed intrusion detection system(IDS) for protecting networks from attacks. IDS capture information about network traffic data from a system or network address to prevent unauthorized access. Generally, IDS rely upon signatures to identify malicious behaviour. A few hundred Mbps of bandwidth can be handled by the network-based intrusion detection devices which are currently in usage. Higher throughput methods of analysis are either limited in the capacity to identify various types of attacks or are unable to do so. In this research paper we proposed a higher speed of network IDS architecture using alert information, custom signature, access-list and inbound traffic (produce alert or deny packet) using Graphical Network Simulator 3 to secure the network.
Full text 66,641 characters · extracted from preprint-html · click to expand
Analysis of intrusion detection system in switches-based gigabit networks | Research Square window.SnipcartSettings = { analytics: { enabled: false } }; (function() { var accessVector = localStorage.getItem('access_vector') || ''; window.dataLayer = window.dataLayer || []; if (accessVector) { window.dataLayer.push({ user: { profile: { profileInfo: { snid: accessVector } } } }); } })(); (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-K279D39R'); Browse Preprints In Review Journals COVID-19 Preprints AJE Video Bytes Research Tools Research Promotion AJE Professional Editing AJE Rubriq About Preprint Platform In Review Editorial Policies Our Team Advisory Board Help Center Sign In Submit a Preprint Cite Share Download PDF Research Article Analysis of intrusion detection system in switches-based gigabit networks ritu rani, Rishi pal singh This is a preprint; it has not been peer reviewed by a journal. https://doi.org/ 10.21203/rs.3.rs-5024957/v1 This work is licensed under a CC BY 4.0 License Status: Posted Version 1 posted You are reading this latest preprint version Abstract The development and use of computer networks is increasing quickly by small, medium and large companies for transferring the data. One of the most important concern in today's networks is the requirement for security analysis techniques that can keep up with the growing network traffic as networks get faster. The exponential expansion of networks, incidents of data attacks and security breaches have also proliferated. Although there are several approaches accessible but dynamic environment makes these approaches insufficient. In this context we propose an high speed intrusion detection system(IDS) for protecting networks from attacks. IDS capture information about network traffic data from a system or network address to prevent unauthorized access. Generally, IDS rely upon signatures to identify malicious behaviour. A few hundred Mbps of bandwidth can be handled by the network-based intrusion detection devices which are currently in usage. Higher throughput methods of analysis are either limited in the capacity to identify various types of attacks or are unable to do so. In this research paper we proposed a higher speed of network IDS architecture using alert information, custom signature, access-list and inbound traffic (produce alert or deny packet) using Graphical Network Simulator 3 to secure the network. Intrusion detection High-speed network alert information Figures Figure 1 Figure 2 Figure 3 Figure 4 Figure 5 Figure 6 1. Introduction These days, with the Internet growing fast and online process requesting a safe route, it has become an essential (certain to happen or unavoidable) requirement to provide the secure network. It is very clear that firewalls are insufficient to secure a network completely because the malicious committed from outside of the network. IDS are used to detect and prevent attacks, recover data with minimal loss, and examine security problems [ 8 ]. Alternately, a set of signatures saved in a knowledge database, misuse detection IDS will use this information to detect intrusion attempts. Intrusion Detection System detects activities from the secured network and examines them to generate alerts if there is an intrusion. These alerts will be saved in the log file based on the network data stream. The IDS triggers an alert if it is capturing an infected packet. IDS is also able to complete the following tasks [ 4 ]. An intrusion prevention system (IPS) can be compared to an intrusion detection system. While both systems monitor network packets for possibly harmful network traffic, the primary objective of an IPS is to prevent threats once they are identified, rather than to detect and record threats initially. An intrusion detection system is a tool that analyses network traffic for malicious activity and raises a warning when it finds any. Some intrusion detection systems have the ability to take appropriate action when suspicious or abnormal traffic is identified. The main purposes of an IDS are to identify suspicious network traffic and blocking the traffic from suspected IP addresses. Intrusion Detection System detects activities from the secured network and examines them to generate alerts if there is an intrusion [ 3 ]. These alerts will be saved in the log file based on the network data stream. IDS triggers an alert if it is capturing an infected packet. IDS is also able to complete the following tasks [ 4 ]. Keep a watch on the system as well as the activity of the users. Errors in the system must be verified. Evaluating the data files and system integrity. Note down any abnormal activity make statically records. If a network is compromised then it may affect the performance of the network. Routing attacks are most common attack types that happen to almost in every network such as WSN, Ad hoc, SDN, and IoT [ 5 ]. An intrusion detection system is used to find suspicious activity in a network. Hence we are working on it and proposed an intrusion detection and prevention system for secure routing. In our network architecture ,we used 7200 series routers with gigabit networks to increase the network speed and also the switches can be expanded to support gigabit networks in order to increase the speed throughput. Most specifically, the method has to produce a design that allows for the addition of parts as required to keep up with growing network capacity. The overall aim is to find out attacks in high-speed network links. The following parameters described in this research. The router apply a detection method that compares a stream of network events with custom signatures, access list ,event action that produce an alert or indicate an attack scenarios. A collection of signatures, each of which is responsible for recognising a subset of the signatures in the networks to performs detection methods. Every routers operates independently and doesn't exchange information with other routers. Each packet is analysed via a subset of the intrusion detection signature to secure the network . 2. Related Work The intrusion detection field has provided a lot of consideration to the prospect of implementing intrusion detection systems on high-speed links. In many practical network installation still require internet traffic analysis on high-speed links networks. The business sector begun to respond to this need and several vendors now demand on having sensors that are compatible with fast on Gigabit Ethernet links. Several intrusion detection sensors receive divided network traffic that is routed to them in sessions. [ 7 ]. This makes it possible for sensors to identify several attack phases in a single session. This could lead to lost attacks if many hosts or sessions being attacked. It is not supported for information to be correlated across many sessions. Sekar et al. [ 9 ] explain a method to perform high- performance network analysis, however they don’t give experimental results collected from real time traffic analysis. Most IDS apply signature-based method that is used to detect misuse of systems and networks [ 11 ].In general, signature-based method is used to identify the known attacks from the database. This raises the challenge of how to recognise new attacks and how to learn these features for known ones. More importantly, its signature set may not contain all the signatures of new attack types, making detection challenging. Link sensors in switched networks have fewer logical connections than they have physical circuits in switched networks, making it harder for them to get data from them. Because switched networks have point-to-point connections to transfer data packets from switches to end systems directly, they present different difficulties in terms of intrusion detection. [ 12 ]. This requires sensors must be dispersed among the network connections (i.e. high -speed networks links, switches, and end systems), rather than to relying solely on links that distribute traffic to several end systems. However, a new intrusion detection strategy is needed to detect network attacks more suspicious activities in switched networks. For network security, IDS can be implemented as a security policy and tool in a wide range of business sizes and types. However, businesses also need to gradually optimise their current security system to comply with the new security policy. [ 13 ]. To intercept and examine every network packet in an IDS, a significant amount of time and system resources are required. The majority of the current IDS detection rate with a high number of applications, the development speed of Fast IDS technology, and even the Gigabit network have all lagged well short of the advancements in network speed. Due to the extensive use of the Internet, network threats are now the main issue for intrusion detection systems. We focus on using Network intrusion detection system (NIDS), which separately performs intrusion detection, to implement more efficient and quick detection techniques. For NIDS, the network becomes the source of data relevant to security. The network and its protocols become the focus of NIDS security concerns, rather than the hosts and their operating systems. Moreover, these NIDSs' scope of use has expanded to encompass detection in difficult and large-scale network topologies. The size and need of networks have increased over the past ten years of use. More specifically, TCP/IP networks are now the primary method used for data exchange and transaction processing. However, the rapidly growing issue of illegal access and data tampering has also been exacerbated by the fast growth of inexpensive computer networks. But as network technology has developed, Gigabit Ethernet has actually taken over as the industry standard for large-scale network deployments. The performance of current NIDSs is being adversely affected by issues like bottlenecks and overhead associated with gathering and evaluating data in a particular part. Consequently, there has been a lot of discussion in the intrusion detection community about the effort of implementing IDS on high-speed network links. RealSecure, ManHunt, and CISCO IDS are actually operated run on high-speed network links. However, due to technical challenges in keeping up with the growing network speed, these NIDSs are still impractical, and real-world performance will probably be lower as well [ 14 ]. There aren't many published research papers that address the problem of high-speed connection intrusion detection. Unfortunately, no real-world experimental data has been provided. 3. A Dissever Approach for High-Speed ID Data security has become an important concern to providing secure data transfer over the internet. In addition, as society progresses toward a digital world, network security challenges are becoming more vital. The responsibility of network security entails ensuring the security of the entire network as well as end systems[ 1 ]. 3.1 IDS capabilities Intrusion detection systems analysis the network activity to identify instances where unauthorised users initiate attacks. IDS accomplish this by offering security professionals any or all the following features: Keeping an eye on the files ,routers, firewalls, key management servers, and that are operational in order to comply with additional security measures aimed to detect, prevent, or recover from attacks. Providing supervisors the ability to organising, modifying, and comprehending pertinent OS audit trails and additional logs that are challenging to monitor or analyse. Containing a substantial attack signature database that allows data from the system to be matched. Recognizing and describing when the intrusion detection identifies that data files have been modified. Generating an alert and informing that security has been dereliction. Putting a stop to attackers or the server upon detection. 3.2 System Architecture At least two networks are connected to the router, and it regulates network traffic, security is essential to prevent illegal network intrusions and unauthorised router access. In order to provide secure networking, secure router technology applies security features like intrusion detection, internet protocol(IP) security, and access control for legacy routers. A router may be in responsible for traffic filtering, allowing certain packets to pass through while rejecting others. In networking device, Open Systems Interconnection network model, Layer 2 and 3 forward the data packets. Layer 3 additionally forwards functions that are often used IP, whereas Layer 2 functions typically Ethernet based [ 2 ]. Routers and switches can communicate, exchange routing information with other devices, when network topology changes because of the dynamic IP routing protocols, such as the Routing Information Protocol, Open Shortest Path First Protocol, Intermediate System-to-Intermediate System Protocol, and Border Gateway Protocol. In the above figure of network model, we assign the rip protocol for communication to other routers. In this paper we used the 9000 switches series. Both Fast Ethernet and Gigabit Ethernet are supported by each of the switches in the 9000 Series pluggable in a Small Form Factor. The 9000 Series of Gigabit Ethernet switches has high performance and brings powerful workplace functionality attributes at a more affordable level, increasing the delivery of integration data for organizational and related systems. It is very difficult to defend against all routing attacks. Thus we have focused on our work to secure the network through RIP routing protocol. The present works analyse the availability of IDS in Gigabit networks. In this paper we show a network model with IDS. In this model we defined basic IDS & IPS, custom signature ,ACL (deny packet/permit ) and produce alert. With 24 fixed configuration 10/100/1000T ports and four ×10/100/1000T-100/1000FX Gigabit-SFP combo ports, the AT-9000/28 is a 28-port managed Gigabit switch. In small environments, this switch enables centralised power to support and detects equipment and POS. A managed gigabit switch with 28 ports, the AT9000/28POE has 4×10/100/1000T̗100/1000 SFP paired access points in addition to 24 fixed configuration 10/100/1000T PoE + ports. In order fulfil the requirements of the today's company, it has power sources and supports Power over Ethernet Plus (PoE+), which offers up to 30W of centralised power for both surveillance and monitoring security applications. The AT˗9000/28SP is a managed gigabit security switch with 24×100/1000 SFP ports and four×10/100/100T-100/1000FX high speed internet and SFP the combined ports. The AT˗ 9000/52 is a 52-port managed Gigabit switch with 48 fixed configuration 10/100/1000T ports and 4XSFP slots [10]. There are currently 28 high-speed ports on the Gigabit Ethernet Managed Switch, including four 10-GBE SFP + ports. There are twenty autosensing 10-/100-/1000-Mbps RJ-45 Ethernet ports available on this capable Layer 2 switch. Furthermore, it comes with four dual-media ports, one SFP port and three RJ-45 connections with speeds of 10/100/1000 Mbps for each [ 6 ]. These dual-media ports may be configured with an SFP to connect to 100- or 1000-Mbps optical fibre, or they can be utilised as normal UTP Ethernet ports. Additionally, the switch also has four SFP + ports that can be used with an SFP + transceiver to handle 1- or 10-Gbps uplinks. The switch comes with full manageability. The built-in Web server makes it possible to manage Web content using a web browser. Switch configuration, system dashboard, maintenance, and monitoring all become possible via this GUI interface. A dual image, port mirroring, LLDP, UPnP, IPv6, SSH, RADIUS, DHCP Client/DHCPv6 Client, SNTP, cable diagnostics, ping, and Telnet client with SSH are additional features of the extensive management and support package. With support for up to four VLANs running at once, you can divide traffic using MAC-based, port-based, or 802.1Q tag-based VLANs. 802.1p Layer 2 VoIP and video are examples of applications with time constraints that can be prioritised due to Quality of Service (QoS). 3.3 Frame Routing Static routing is used in the diagram's configuration as already explained. A limitation of the static technique is that a significant portion of network packets may be delivered to a single channel depending on the type of traffic. That also becomes impossible to determine the exact number of sensors used to handle a gigabit link due to the static configuration. The actual traffic and situations that are used define each sensor's load[ 7 ]. A basic representation of each fundamental event that a packet supplied by the attacker. The IDS provides an optional feature to make the transmission of data more secure. A digital signature can be added to the system. 4. Experimental Results 4.1 Basic IDS & IPS Intrusion detection is the procedure of continuously detecting and analysing network events that are indications of future attacks, irregularities, or hazards to your security standards. Intrusion prevention is the procedure of performing intrusion detection and then stopping the detected attacks. IDS and IPS are security systems that connect with your network to identify and prevent potential threats. In our work, we configure the signatures on the router. In this firstly we select the interface name and enable it. After that go to virtual sensor and assigned the interface name or value. In this experiment, we select 60000 signatures to produce the alert. After that we defined the Sig ID with ICMP Echo request to produce the alert. After that we can see the details of alert information . 4.2 Custom Signature A customised signature may have an effect on the sensor's performance. Whenever a new signature is introduced, its impact on the sensor's performance should be analysed. To establish a baseline and test the impact of a signature, configure the missed packets threshold and notification interval on the panel. Then allow the sensor to run with the current signature set to see if the sensor is handling the load. Adjust the values id needed, then add a single custom signature and monitor event viewer for any status notification. We must specify a Sig Id and Sub-sig Id. We can override the default values, but each required value must be unique (not used by another signature). For e.g. Signature ID = 60001 Sub-signature ID = 0 Signature Name = ICMP, TCP DATA Alert Notes = My Sig Info User Comments = Sig Comment We can generate signatures, which are called custom signatures. IDS have around 60000 custom signatures. You can configure them for a variety of tasks, including matching of strings on TCP connections ,scan and monitor network floods. But you may also just add additional signatures to your own user configuration file and make your own unique signatures by providing the right information. To generate the custom signatures, we use the custom signature wizard; engine-specific parameters determine what the signature looks for and what causes the signature to fire. We used the following string TCP engine parameters for this signature. Event Action – Produce Alert / Reset TCP Connection Regex String – wr.e. Service ports − 88 In the custom sig, we used the engine–specific parameters that determine what the signature looks for and what causes the signature to fire. We set the following string ICMP engine parameters to define the signature. Event Action = Deny Packet Inline/Produce Alert Specify the minimum length of a match = no String regex = a Direction = to service ICMP Type = 8 4.3 ACL Router Blocking To block the device firstly we go to the Device Login profiles to add the device. In a router blocking device interface blocking device is managed by the sensor. A single sensor can operate various devices, but multiple sensors can’t be used to configure a single device. In this situation, we use a single blocking sensor. In our work we are using two parameters to blocking the interface that are (i) rate limit and (ii) block interface /host. 4.3.1 Rate limit: - Rate limit type is defined in percentage. In our experiment, we select rate limit percentage is 25 to produce the alert. The rate limit establishes the maximum percent of traffic of that type on each rate limiting interface. Blocking IP address: - In blocking device, we defined produce alert/request block the host. After that router deny blocking address. For e.g. IP Address = 20.1.1.2 Remote Host Address (optional) = 127.0.0.1 Device Login Profile = R2 Device type = Cisco Router Response Capabilities = Block, Rate Limit Communication = Telnet ,Tcp We are able to generate Cisco ACL rules that we can execute on a router for the purpose prevent intrusions. The router configuration module after generating the ACL rules, then uses telnet to automatically access the router and configure its ACL rules. The set of experiments described in the following section intends for an early evaluation of our approach's effectiveness and practicality. To execute our experiments we make use of network traffic generated by Wireshark used to detect suspicious activities at the network layer. Using the TCP protocol, the traffic log was passed over the gigabit link. GNS3 simulation shows that the success rate of policy inspections increases to high level and even reached to maximum level for inspection of signatures. All of our experimental results based upon packets lengths ,time ,total packets are shown in the graphs. Figure 2 shows each packet that was transmitted over a 50-second period and how many packets have suspicious activities or doesn’t match signature. The packets transferred, error packets with the maximum packet length are shown in above graphs. In the above Fig. 3 and Fig. 4 , the length of packet is the key parameter where the minimum length and maximum packet length has been considered for the simulation purpose. Figure 3 indicates time on the X-axis and shows all the transfer packets and Fig. 4 shows the packet errors number of packets transferred on the Y-axis. .The simulation results indicate that the network has been transmitting around 3500 packets through high speed network link, with a maximum of 55 error packets. The total transfer packets and error packets with the minimum packet length are shown in Figs. 5 and 6 . Figure 5 indicates time on the X-axis and shows all the transfer packets and Fig. 6 shows the packet errors number of packets transferred on the Y-axis. .The simulation results indicate that the network has been transmitting around 7400 packets through high speed network link and the average number of error packets is 600.IDSs collect network traffic data from the system and then use this information to prevent unauthorized access. 5. Conclusion In this paper, we presented a simulation study of network intrusion detection model. Since the development of the Internet brings up many challenges, we focused here on security-related problems. The research on the Intrusion Detection System with high speed networks against different types of attacks is concluded in this paper. We used open source tools like Graphical Network Simulator (GNS3). The research paper presented a number of cryptographic methods that are used to secure the networks. We described how to configure the GNS3 network simulator to collect data from open-source routers. In this research, we proposed the architecture for high-speed link real-time intrusion detection and traffic analysis. And proposed the signature technique and detection process to enable more effective intrusion detection. Also, it’s capable of supporting the effective response on fast ethernet and Gigabit links.. For future work, we’ll then go on to simulating an attack in a cloud network and the detection of attacks. We'll continue working to enhance the detection mechanism's performance on high-speed links. References Naveed, Muhammad, Shams un Nihar, and Mohammad Inayatullah Babar. "Network intrusion prevention by configuring acls on the routers, based on snort ids alerts." 2010 6th International Conference on Emerging Technologies (ICET). IEEE, 2010 Kumar, Shyam Nandan. "Review on network security and cryptography." International Transaction of Electrical and Computer Engineers System 3.1 (2015): 1-11. Choudhary, Sarika, and Nishtha Kesswani. "Detection and prevention of routing attacks in internet of things." In 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), pp. 1537-1540. IEEE, 2018. Asif, Muhammad K., "Network intrusion detection and its strategic importance ” 2013 IEEE Business Engineering and Industrial Applications Colloquium (BEIAC). IEEE,2013. https://www.alliedtelesis.com/sites/default/files/documents/datasheets/9000_series_ds_rev_p_reduced. pdf http://www.cisco.com/en/US/tech/tk389/tk214/tech_brief09186a0080091a8a.html (Accessed 25.01.2024) Kruegel, Christopher, et al. "Stateful intrusion detection for high-speed network's." Proceedings 2002 IEEE Symposium on Security and Privacy . IEEE, 2002 Aydın, M. Ali, A. Halim Zaim, and K. Gökhan Ceylan. " A hybrid intrusion detection system design for computer network security." Computers & Electrical Engineering 35.3 (2009): 517-526 R. Sekar, V. Guang, S. Verma, and T. Shanbhag. A High-performance Network Intrusion Detection Sys- tem. In Proceedings of the 6th ACM Conference on Computer and Communications Security , November 1999. CISCO. CISCO Intrusion Detection System. Techni- cal Information, Nov 2001. Loo, Chong Eik, et al. "Intrusion detection for routing attacks in sensor networks." International Journal of Distributed Sensor Networks 2.4 (2006): 313-332. Tarman, Thomas D., and Edward L. Witzke. "Intrusion detection considerations for switched networks." Enabling Technologies for Law Enforcement and Security . Vol. 4232. SPIE, 2001. Research on computer network IDS Kim, Byoung-Koo, et al. "Design and implementation of high-performance intrusion detection system." Computational Science and Its Applications–ICCSA 2004: International Conference, Assisi, Italy, May 14-17, 2004, Proceedings, Part IV 4 . Springer Berlin Heidelberg, 2004. Cite Share Download PDF Status: Posted Version 1 posted You are reading this latest preprint version Research Square lets you share your work early, gain feedback from the community, and start making changes to your manuscript prior to peer review in a journal. As a division of Research Square Company, we’re committed to making research communication faster, fairer, and more useful. We do this by developing innovative software and high quality services for the global research community. Our growing team is made up of researchers and industry professionals working together to solve the most critical problems facing scientific publishing. Also discoverable on Platform About Our Team In Review Editorial Policies Advisory Board Help Center Resources Author Services Accessibility API Access RSS feed Manage Cookie Preferences © Research Square 2026 | ISSN 2693-5015 (online) Privacy Policy Terms of Service Do Not Sell My Personal Information {"props":{"pageProps":{"initialData":{"identity":"rs-5024957","acceptedTermsAndConditions":true,"allowDirectSubmit":true,"archivedVersions":[],"articleType":"Research Article","associatedPublications":[],"authors":[{"id":373411203,"identity":"2a0c9457-2bf5-43af-b5cf-6707bfd37821","order_by":0,"name":"ritu rani","email":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAAAyAQMAAABI0h/eAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAABBklEQVRIiWNgGAWjYDCCAzwMB4AUDwMD88EHHyqATGbmBuK08DCwJRvOOAPSwkhYCxjwMPCoSfO2gZgEtPAdP3vwME/NPRl7iRw2Cd55tdH87UAtPyq24dQieSYv4TDPsWIeHoncwxaS247nzjjM2MDYc+Y2Ti0GB3IMDvOwJQC15CXeMNx2LLcBqIWZsQ2PlvNvgFr+gbTkGEgkzjmWO5+glhtAW3jbwFqMJA421ORuIKRF8sYbg4Nz+4BazjxLNmw4diB3I1DLQXx+4TufY/zhzbcEe/b25IOP/9TU5c47f/jggx8VuLWAABMPgn0YTB7Aqx4IGH8g2HWEFI+CUTAKRsEIBAD/k2CXxIRsNwAAAABJRU5ErkJggg==","orcid":"https://orcid.org/0000-0002-1363-2977","institution":"Guru Jambheshwar University of Science \u0026 Technology","correspondingAuthor":true,"prefix":"","firstName":"ritu","middleName":"","lastName":"rani","suffix":""},{"id":373411204,"identity":"3ccc5a1a-891f-4241-821e-ca9147a4e6e2","order_by":1,"name":"Rishi pal singh","email":"","orcid":"https://orcid.org/0000-0002-3552-1864","institution":"Guru Jambheshwar University of Science \u0026 Technology","correspondingAuthor":false,"prefix":"","firstName":"Rishi","middleName":"pal","lastName":"singh","suffix":""}],"badges":[],"createdAt":"2024-09-03 12:28:20","currentVersionCode":1,"declarations":"","doi":"10.21203/rs.3.rs-5024957/v1","doiUrl":"https://doi.org/10.21203/rs.3.rs-5024957/v1","draftVersion":[],"editorialEvents":[],"editorialNote":"","failedWorkflow":false,"files":[{"id":69007216,"identity":"7a81449d-e070-4e38-99d7-b3b75b23f690","added_by":"auto","created_at":"2024-11-14 12:58:01","extension":"png","order_by":1,"title":"Figure 1","display":"","copyAsset":false,"role":"figure","size":74866,"visible":true,"origin":"","legend":"\u003cp\u003eIDS Network Architecture\u003c/p\u003e","description":"","filename":"1.png","url":"https://assets-eu.researchsquare.com/files/rs-5024957/v1/8ccb6b396bb7d28784d6047f.png"},{"id":69007531,"identity":"f9e0bdf0-4f57-4e08-8f28-0aeb34086da5","added_by":"auto","created_at":"2024-11-14 13:06:01","extension":"png","order_by":2,"title":"Figure 2","display":"","copyAsset":false,"role":"figure","size":38150,"visible":true,"origin":"","legend":"\u003cp\u003eshow data packets with suspicious activity\u003c/p\u003e","description":"","filename":"2.png","url":"https://assets-eu.researchsquare.com/files/rs-5024957/v1/3ae6c7a7c855e0b9a5cfe255.png"},{"id":69007213,"identity":"38155abe-57d6-4020-92cf-aa86d2c7cfd4","added_by":"auto","created_at":"2024-11-14 12:58:01","extension":"png","order_by":3,"title":"Figure 3","display":"","copyAsset":false,"role":"figure","size":37047,"visible":true,"origin":"","legend":"\u003cp\u003eshows maximum length of data packets\u003c/p\u003e","description":"","filename":"3.png","url":"https://assets-eu.researchsquare.com/files/rs-5024957/v1/fa18813ade6f41364e4bf29c.png"},{"id":69007534,"identity":"99021d9e-cc1d-4f21-8658-5565b0a5ea88","added_by":"auto","created_at":"2024-11-14 13:06:02","extension":"png","order_by":4,"title":"Figure 4","display":"","copyAsset":false,"role":"figure","size":24853,"visible":true,"origin":"","legend":"\u003cp\u003eshows unauthorized packets in data\u003c/p\u003e","description":"","filename":"4.png","url":"https://assets-eu.researchsquare.com/files/rs-5024957/v1/20911e7439af1f1994b519b0.png"},{"id":69007532,"identity":"5d2e7567-f70e-4a5b-8868-9e1e4911a94b","added_by":"auto","created_at":"2024-11-14 13:06:01","extension":"png","order_by":5,"title":"Figure 5","display":"","copyAsset":false,"role":"figure","size":36377,"visible":true,"origin":"","legend":"\u003cp\u003eshows minimum length of data packets\u003c/p\u003e","description":"","filename":"5.png","url":"https://assets-eu.researchsquare.com/files/rs-5024957/v1/987dde8c472a1d0a66043404.png"},{"id":69007218,"identity":"cb6ace71-97ac-4a9e-bac7-04cff2d0ffe7","added_by":"auto","created_at":"2024-11-14 12:58:01","extension":"png","order_by":6,"title":"Figure 6","display":"","copyAsset":false,"role":"figure","size":26371,"visible":true,"origin":"","legend":"\u003cp\u003eshows unauthorized packets in data\u003c/p\u003e","description":"","filename":"6.png","url":"https://assets-eu.researchsquare.com/files/rs-5024957/v1/bf563f3059aeed3e6c4efaf5.png"},{"id":79006814,"identity":"a872917a-8a31-4944-89e4-6922d6fa8603","added_by":"auto","created_at":"2025-03-22 08:37:21","extension":"pdf","order_by":0,"title":"","display":"","copyAsset":false,"role":"manuscript-pdf","size":559967,"visible":true,"origin":"","legend":"","description":"","filename":"manuscript.pdf","url":"https://assets-eu.researchsquare.com/files/rs-5024957/v1/4c738b4b-2c83-4c18-b6bb-f211bf85ed22.pdf"}],"financialInterests":"","formattedTitle":"Analysis of intrusion detection system in switches-based gigabit networks","fulltext":[{"header":"1. Introduction","content":"\u003cp\u003eThese days, with the Internet growing fast and online process requesting a safe route, it has become an essential (certain to happen or unavoidable) requirement to provide the secure network. It is very clear that firewalls are insufficient to secure a network completely because the malicious committed from outside of the network. IDS are used to detect and prevent attacks, recover data with minimal loss, and examine security problems [\u003cspan citationid=\"CR8\" class=\"CitationRef\"\u003e8\u003c/span\u003e]. Alternately, a set of signatures saved in a knowledge database, misuse detection IDS will use this information to detect intrusion attempts. Intrusion Detection System detects activities from the secured network and examines them to generate alerts if there is an intrusion. These alerts will be saved in the log file based on the network data stream. The IDS triggers an alert if it is capturing an infected packet. IDS is also able to complete the following tasks [\u003cspan citationid=\"CR4\" class=\"CitationRef\"\u003e4\u003c/span\u003e]. An intrusion prevention system (IPS) can be compared to an intrusion detection system. While both systems monitor network packets for possibly harmful network traffic, the primary objective of an IPS is to prevent threats once they are identified, rather than to detect and record threats initially. An intrusion detection system is a tool that analyses network traffic for malicious activity and raises a warning when it finds any. Some intrusion detection systems have the ability to take appropriate action when suspicious or abnormal traffic is identified. The main purposes of an IDS are to identify suspicious network traffic and blocking the traffic from suspected IP addresses.\u003c/p\u003e \u003cp\u003eIntrusion Detection System detects activities from the secured network and examines them to generate alerts if there is an intrusion [\u003cspan citationid=\"CR3\" class=\"CitationRef\"\u003e3\u003c/span\u003e]. These alerts will be saved in the log file based on the network data stream. IDS triggers an alert if it is capturing an infected packet. IDS is also able to complete the following tasks [\u003cspan citationid=\"CR4\" class=\"CitationRef\"\u003e4\u003c/span\u003e].\u003c/p\u003e \u003cp\u003e \u003cul\u003e \u003cli\u003e \u003cp\u003eKeep a watch on the system as well as the activity of the users.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eErrors in the system must be verified.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eEvaluating the data files and system integrity.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eNote down any abnormal activity make statically records.\u003c/p\u003e \u003c/li\u003e \u003c/ul\u003e \u003cdiv class=\"BlockQuote\"\u003e \u003cp\u003eIf a network is compromised then it may affect the performance of the network. Routing attacks are most common attack types that happen to almost in every network such as WSN, Ad hoc, SDN, and IoT [\u003cspan citationid=\"CR5\" class=\"CitationRef\"\u003e5\u003c/span\u003e]. An intrusion detection system is used to find suspicious activity in a network. Hence we are working on it and proposed an intrusion detection and prevention system for secure routing.\u003c/p\u003e \u003c/div\u003e \u003c/p\u003e \u003cp\u003eIn our network architecture ,we used 7200 series routers with gigabit networks to increase the network speed and also the switches can be expanded to support gigabit networks in order to increase the speed throughput. Most specifically, the method has to produce a design that allows for the addition of parts as required to keep up with growing network capacity. The overall aim is to find out attacks in high-speed network links. The following parameters described in this research.\u003c/p\u003e \u003cp\u003e \u003cul\u003e \u003cli\u003e \u003cp\u003eThe router apply a detection method that compares a stream of network events with custom signatures, access list ,event action that produce an alert or indicate an attack scenarios.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eA collection of signatures, each of which is responsible for recognising a subset of the signatures in the networks to performs detection methods.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eEvery routers operates independently and doesn't exchange information with other routers.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eEach packet is analysed via a subset of the intrusion detection signature to secure the network .\u003c/p\u003e \u003c/li\u003e \u003c/ul\u003e \u003c/p\u003e"},{"header":"2. Related Work","content":"\u003cp\u003eThe intrusion detection field has provided a lot of consideration to the prospect of implementing intrusion detection systems on high-speed links. In many practical network installation still require internet traffic analysis on high-speed links networks. The business sector begun to respond to this need and several vendors now demand on having sensors that are compatible with fast on Gigabit Ethernet links. Several intrusion detection sensors receive divided network traffic that is routed to them in sessions. [\u003cspan citationid=\"CR7\" class=\"CitationRef\"\u003e7\u003c/span\u003e]. This makes it possible for sensors to identify several attack phases in a single session. This could lead to lost attacks if many hosts or sessions being attacked. It is not supported for information to be correlated across many sessions. Sekar et al. [\u003cspan citationid=\"CR9\" class=\"CitationRef\"\u003e9\u003c/span\u003e] explain a method to perform high- performance network analysis, however they don\u0026rsquo;t give experimental results collected from real time traffic analysis. Most IDS apply signature-based method that is used to detect misuse of systems and networks [\u003cspan citationid=\"CR11\" class=\"CitationRef\"\u003e11\u003c/span\u003e].In general, signature-based method is used to identify the known attacks from the database. This raises the challenge of how to recognise new attacks and how to learn these features for known ones. More importantly, its signature set may not contain all the signatures of new attack types, making detection challenging.\u003c/p\u003e \u003cp\u003eLink sensors in switched networks have fewer logical connections than they have physical circuits in switched networks, making it harder for them to get data from them. Because switched networks have point-to-point connections to transfer data packets from switches to end systems directly, they present different difficulties in terms of intrusion detection. [\u003cspan citationid=\"CR12\" class=\"CitationRef\"\u003e12\u003c/span\u003e]. This requires sensors must be dispersed among the network connections (i.e. high -speed networks links, switches, and end systems), rather than to relying solely on links that distribute traffic to several end systems. However, a new intrusion detection strategy is needed to detect network attacks more suspicious activities in switched networks. For network security, IDS can be implemented as a security policy and tool in a wide range of business sizes and types. However, businesses also need to gradually optimise their current security system to comply with the new security policy. [\u003cspan citationid=\"CR13\" class=\"CitationRef\"\u003e13\u003c/span\u003e]. To intercept and examine every network packet in an IDS, a significant amount of time and system resources are required. The majority of the current IDS detection rate with a high number of applications, the development speed of Fast IDS technology, and even the Gigabit network have all lagged well short of the advancements in network speed. Due to the extensive use of the Internet, network threats are now the main issue for intrusion detection systems. We focus on using Network intrusion detection system (NIDS), which separately performs intrusion detection, to implement more efficient and quick detection techniques. For NIDS, the network becomes the source of data relevant to security. The network and its protocols become the focus of NIDS security concerns, rather than the hosts and their operating systems. Moreover, these NIDSs' scope of use has expanded to encompass detection in difficult and large-scale network topologies. The size and need of networks have increased over the past ten years of use. More specifically, TCP/IP networks are now the primary method used for data exchange and transaction processing. However, the rapidly growing issue of illegal access and data tampering has also been exacerbated by the fast growth of inexpensive computer networks. But as network technology has developed, Gigabit Ethernet has actually taken over as the industry standard for large-scale network deployments.\u003c/p\u003e \u003cp\u003eThe performance of current NIDSs is being adversely affected by issues like bottlenecks and overhead associated with gathering and evaluating data in a particular part. Consequently, there has been a lot of discussion in the intrusion detection community about the effort of implementing IDS on high-speed network links. RealSecure, ManHunt, and CISCO IDS are actually operated run on high-speed network links. However, due to technical challenges in keeping up with the growing network speed, these NIDSs are still impractical, and real-world performance will probably be lower as well [\u003cspan citationid=\"CR14\" class=\"CitationRef\"\u003e14\u003c/span\u003e]. There aren't many published research papers that address the problem of high-speed connection intrusion detection. Unfortunately, no real-world experimental data has been provided.\u003c/p\u003e"},{"header":"3. A Dissever Approach for High-Speed ID","content":"\u003cp\u003eData security has become an important concern to providing secure data transfer over the internet. In addition, as society progresses toward a digital world, network security challenges are becoming more vital. The responsibility of network security entails ensuring the security of the entire network as well as end systems[\u003cspan citationid=\"CR1\" class=\"CitationRef\"\u003e1\u003c/span\u003e].\u003c/p\u003e \u003cdiv id=\"Sec4\" class=\"Section2\"\u003e \u003ch2\u003e3.1 IDS capabilities\u003c/h2\u003e \u003cp\u003eIntrusion detection systems analysis the network activity to identify instances where unauthorised users initiate attacks. IDS accomplish this by offering security professionals any or all the following features:\u003c/p\u003e \u003cp\u003e \u003cul\u003e \u003cli\u003e \u003cp\u003eKeeping an eye on the files ,routers, firewalls, key management servers, and that are operational in order to comply with additional security measures aimed to detect, prevent, or recover from attacks.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eProviding supervisors the ability to organising, modifying, and comprehending pertinent OS audit trails and additional logs that are challenging to monitor or analyse.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eContaining a substantial attack signature database that allows data from the system to be matched.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eRecognizing and describing when the intrusion detection identifies that data files have been modified.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eGenerating an alert and informing that security has been dereliction.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003ePutting a stop to attackers or the server upon detection.\u003c/p\u003e \u003c/li\u003e \u003c/ul\u003e \u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec5\" class=\"Section2\"\u003e \u003ch2\u003e3.2 System Architecture\u003c/h2\u003e \u003cp\u003eAt least two networks are connected to the router, and it regulates network traffic, security is essential to prevent illegal network intrusions and unauthorised router access. In order to provide secure networking, secure router technology applies security features like intrusion detection, internet protocol(IP) security, and access control for legacy routers. A router may be in responsible for traffic filtering, allowing certain packets to pass through while rejecting others. In networking device, Open Systems Interconnection network model, Layer 2 and 3 forward the data packets. Layer 3 additionally forwards functions that are often used IP, whereas Layer 2 functions typically Ethernet based [\u003cspan citationid=\"CR2\" class=\"CitationRef\"\u003e2\u003c/span\u003e]. Routers and switches can communicate, exchange routing information with other devices, when network topology changes because of the dynamic IP routing protocols, such as the Routing Information Protocol, Open Shortest Path First Protocol, Intermediate System-to-Intermediate System Protocol, and Border Gateway Protocol. In the above figure of network model, we assign the rip protocol for communication to other routers.\u003c/p\u003e \u003cp\u003eIn this paper we used the 9000 switches series. Both Fast Ethernet and Gigabit Ethernet are supported by each of the switches in the 9000 Series pluggable in a Small Form Factor. The 9000 Series of Gigabit Ethernet switches has high performance and brings powerful workplace functionality attributes at a more affordable level, increasing the delivery of integration data for organizational and related systems. It is very difficult to defend against all routing attacks. Thus we have focused on our work to secure the network through RIP routing protocol. The present works analyse the availability of IDS in Gigabit networks. In this paper we show a network model with IDS. In this model we defined basic IDS \u0026amp; IPS, custom signature ,ACL (deny packet/permit ) and produce alert.\u003c/p\u003e \u003cp\u003e \u003c/p\u003e \u003cp\u003eWith 24 fixed configuration 10/100/1000T ports and four \u0026times;10/100/1000T-100/1000FX Gigabit-SFP combo ports, the AT-9000/28 is a 28-port managed Gigabit switch. In small environments, this switch enables centralised power to support and detects equipment and POS. A managed gigabit switch with 28 ports, the AT9000/28POE has 4\u0026times;10/100/1000T̗100/1000 SFP paired access points in addition to 24 fixed configuration 10/100/1000T PoE\u0026thinsp;+\u0026thinsp;ports. In order fulfil the requirements of the today's company, it has power sources and supports Power over Ethernet Plus (PoE+), which offers up to 30W of centralised power for both surveillance and monitoring security applications. The AT˗9000/28SP is a managed gigabit security switch with 24\u0026times;100/1000 SFP ports and four\u0026times;10/100/100T-100/1000FX high speed internet and SFP the combined ports. The AT˗ 9000/52 is a 52-port managed Gigabit switch with 48 fixed configuration 10/100/1000T ports and 4XSFP slots [10].\u003c/p\u003e \u003cp\u003eThere are currently 28 high-speed ports on the Gigabit Ethernet Managed Switch, including four 10-GBE SFP\u0026thinsp;+\u0026thinsp;ports. There are twenty autosensing 10-/100-/1000-Mbps RJ-45 Ethernet ports available on this capable Layer 2 switch. Furthermore, it comes with four dual-media ports, one SFP port and three RJ-45 connections with speeds of 10/100/1000 Mbps for each [\u003cspan citationid=\"CR6\" class=\"CitationRef\"\u003e6\u003c/span\u003e]. These dual-media ports may be configured with an SFP to connect to 100- or 1000-Mbps optical fibre, or they can be utilised as normal UTP Ethernet ports. Additionally, the switch also has four SFP\u0026thinsp;+\u0026thinsp;ports that can be used with an SFP\u0026thinsp;+\u0026thinsp;transceiver to handle 1- or 10-Gbps uplinks. The switch comes with full manageability. The built-in Web server makes it possible to manage Web content using a web browser. Switch configuration, system dashboard, maintenance, and monitoring all become possible via this GUI interface. A dual image, port mirroring, LLDP, UPnP, IPv6, SSH, RADIUS, DHCP Client/DHCPv6 Client, SNTP, cable diagnostics, ping, and Telnet client with SSH are additional features of the extensive management and support package. With support for up to four VLANs running at once, you can divide traffic using MAC-based, port-based, or 802.1Q tag-based VLANs. 802.1p Layer 2 VoIP and video are examples of applications with time constraints that can be prioritised due to Quality of Service (QoS).\u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec6\" class=\"Section2\"\u003e \u003ch2\u003e3.3 Frame Routing\u003c/h2\u003e \u003cp\u003eStatic routing is used in the diagram's configuration as already explained. A limitation of the static technique is that a significant portion of network packets may be delivered to a single channel depending on the type of traffic. That also becomes impossible to determine the exact number of sensors used to handle a gigabit link due to the static configuration. The actual traffic and situations that are used define each sensor's load[\u003cspan citationid=\"CR7\" class=\"CitationRef\"\u003e7\u003c/span\u003e]. A basic representation of each fundamental event that a packet supplied by the attacker. The IDS provides an optional feature to make the transmission of data more secure. A digital signature can be added to the system.\u003c/p\u003e \u003c/div\u003e"},{"header":"4. Experimental Results","content":"\u003cdiv id=\"Sec8\" class=\"Section2\"\u003e\n \u003ch2\u003e4.1 Basic IDS \u0026amp; IPS\u003c/h2\u003e\n \u003cp\u003eIntrusion detection is the procedure of continuously detecting and analysing network events that are indications of future attacks, irregularities, or hazards to your security standards. Intrusion prevention is the procedure of performing intrusion detection and then stopping the detected attacks. IDS and IPS are security systems that connect with your network to identify and prevent potential threats. In our work, we configure the signatures on the router. In this firstly we select the interface name and enable it. After that go to virtual sensor and assigned the interface name or value. In this experiment, we select 60000 signatures to produce the alert. After that we defined the Sig ID with ICMP Echo request to produce the alert. After that we can see the details of alert information .\u003c/p\u003e\n\u003c/div\u003e\n\u003cdiv id=\"Sec9\" class=\"Section2\"\u003e\n \u003ch2\u003e4.2 Custom Signature\u003c/h2\u003e\n \u003cp\u003eA customised signature may have an effect on the sensor\u0026apos;s performance. Whenever a new signature is introduced, its impact on the sensor\u0026apos;s performance should be analysed. To establish a baseline and test the impact of a signature, configure the missed packets threshold and notification interval on the panel. Then allow the sensor to run with the current signature set to see if the sensor is handling the load. Adjust the values id needed, then add a single custom signature and monitor event viewer for any status notification. We must specify a Sig Id and Sub-sig Id. We can override the default values, but each required value must be unique (not used by another signature). For e.g.\u003c/p\u003e\n \u003cp\u003eSignature ID\u0026thinsp;=\u0026thinsp;60001\u003c/p\u003e\n \u003cp\u003eSub-signature ID\u0026thinsp;=\u0026thinsp;0\u003c/p\u003e\n \u003cp\u003eSignature Name\u0026thinsp;=\u0026thinsp;ICMP, TCP DATA\u003c/p\u003e\n \u003cp\u003eAlert Notes\u0026thinsp;=\u0026thinsp;My Sig Info\u003c/p\u003e\n \u003cp\u003eUser Comments\u0026thinsp;=\u0026thinsp;Sig Comment\u003c/p\u003e\n \u003cp\u003eWe can generate signatures, which are called custom signatures. IDS have around 60000 custom signatures. You can configure them for a variety of tasks, including matching of strings on TCP connections ,scan and monitor network floods. But you may also just add additional signatures to your own user configuration file and make your own unique signatures by providing the right information. To generate the custom signatures, we use the custom signature wizard; engine-specific parameters determine what the signature looks for and what causes the signature to fire. We used the following string TCP engine parameters for this signature.\u003c/p\u003e\n \u003cp\u003eEvent Action \u0026ndash; Produce Alert / Reset TCP Connection\u003c/p\u003e\n \u003cp\u003eRegex String \u0026ndash; wr.e.\u003c/p\u003e\n \u003cp\u003eService ports \u0026minus;\u0026thinsp;88\u003c/p\u003e\n \u003cp\u003eIn the custom sig, we used the engine\u0026ndash;specific parameters that determine what the signature looks for and what causes the signature to fire. We set the following string ICMP engine parameters to define the signature.\u003c/p\u003e\n \u003cp\u003eEvent Action\u0026thinsp;=\u0026thinsp;Deny Packet Inline/Produce Alert\u003c/p\u003e\n \u003cp\u003eSpecify the minimum length of a match\u0026thinsp;=\u0026thinsp;no\u003c/p\u003e\n \u003cp\u003eString regex\u0026thinsp;=\u0026thinsp;a\u003c/p\u003e\n \u003cp\u003eDirection\u0026thinsp;=\u0026thinsp;to service\u003c/p\u003e\n \u003cp\u003eICMP Type\u0026thinsp;=\u0026thinsp;8\u003c/p\u003e\n\u003c/div\u003e\n\u003cdiv id=\"Sec10\" class=\"Section2\"\u003e\n \u003ch2\u003e4.3 ACL Router Blocking\u003c/h2\u003e\n \u003cp\u003eTo block the device firstly we go to the Device Login profiles to add the device. In a router blocking device interface blocking device is managed by the sensor. A single sensor can operate various devices, but multiple sensors can\u0026rsquo;t be used to configure a single device. In this situation, we use a single blocking sensor. In our work we are using two parameters to blocking the interface that are (i) rate limit and (ii) block interface /host.\u003c/p\u003e\n \u003cp\u003e\u003cstrong\u003e4.3.1 Rate limit: -\u003c/strong\u003e Rate limit type is defined in percentage. In our experiment, we select rate limit percentage is 25 to produce the alert. The rate limit establishes the maximum percent of traffic of that type on each rate limiting interface.\u003c/p\u003e\n \u003cp\u003e\u003cstrong\u003eBlocking IP address: -\u003c/strong\u003e In blocking device, we defined produce alert/request block the host. After that router deny blocking address. For e.g.\u003c/p\u003e\n \u003cp\u003eIP Address\u0026thinsp;=\u0026thinsp;20.1.1.2\u003c/p\u003e\n \u003cp\u003eRemote Host Address (optional)\u0026thinsp;=\u0026thinsp;127.0.0.1\u003c/p\u003e\n \u003cp\u003eDevice Login Profile\u0026thinsp;=\u0026thinsp;R2\u003c/p\u003e\n \u003cp\u003eDevice type\u0026thinsp;=\u0026thinsp;Cisco Router\u003c/p\u003e\n \u003cp\u003eResponse Capabilities\u0026thinsp;=\u0026thinsp;Block, Rate Limit\u003c/p\u003e\n \u003cp\u003eCommunication\u0026thinsp;=\u0026thinsp;Telnet ,Tcp\u003c/p\u003e\n \u003cp\u003eWe are able to generate Cisco ACL rules that we can execute on a router for the purpose prevent intrusions. The router configuration module after generating the ACL rules, then uses telnet to automatically access the router and configure its ACL rules. The set of experiments described in the following section intends for an early evaluation of our approach\u0026apos;s effectiveness and practicality. To execute our experiments we make use of network traffic generated by Wireshark used to detect suspicious activities at the network layer. Using the TCP protocol, the traffic log was passed over the gigabit link.\u003c/p\u003e\n \u003cp\u003eGNS3 simulation shows that the success rate of policy inspections increases to high level and even reached to maximum level for inspection of signatures. All of our experimental results based upon packets lengths ,time ,total packets are shown in the graphs. Figure \u003cspan class=\"InternalRef\"\u003e2\u003c/span\u003e shows each packet that was transmitted over a 50-second period and how many packets have suspicious activities or doesn\u0026rsquo;t match signature.\u003c/p\u003e\n \u003cp\u003eThe packets transferred, error packets with the maximum packet length are shown in above graphs. In the above Fig. \u003cspan class=\"InternalRef\"\u003e3\u003c/span\u003e and Fig. \u003cspan class=\"InternalRef\"\u003e4\u003c/span\u003e, the length of packet is the key parameter where the minimum length and maximum packet length has been considered for the simulation purpose. Figure \u003cspan class=\"InternalRef\"\u003e3\u003c/span\u003e indicates time on the X-axis and shows all the transfer packets and Fig. \u003cspan class=\"InternalRef\"\u003e4\u003c/span\u003e shows the packet errors number of packets transferred on the Y-axis. .The simulation results indicate that the network has been transmitting around 3500 packets through high speed network link, with a maximum of 55 error packets.\u003c/p\u003e\n \u003cp\u003eThe total transfer packets and error packets with the minimum packet length are shown in Figs. \u003cspan class=\"InternalRef\"\u003e5\u003c/span\u003e and \u003cspan class=\"InternalRef\"\u003e6\u003c/span\u003e. Figure \u003cspan class=\"InternalRef\"\u003e5\u003c/span\u003e indicates time on the X-axis and shows all the transfer packets and Fig. \u003cspan class=\"InternalRef\"\u003e6\u003c/span\u003e shows the packet errors number of packets transferred on the Y-axis. .The simulation results indicate that the network has been transmitting around 7400 packets through high speed network link and the average number of error packets is 600.IDSs collect network traffic data from the system and then use this information to prevent unauthorized access.\u003c/p\u003e\n\u003c/div\u003e"},{"header":"5. Conclusion","content":"\u003cp\u003eIn this paper, we presented a simulation study of network intrusion detection model. Since the development of the Internet brings up many challenges, we focused here on security-related problems. The research on the Intrusion Detection System with high speed networks against different types of attacks is concluded in this paper. We used open source tools like Graphical Network Simulator (GNS3). The research paper presented a number of cryptographic methods that are used to secure the networks. We described how to configure the GNS3 network simulator to collect data from open-source routers. In this research, we proposed the architecture for high-speed link real-time intrusion detection and traffic analysis. And proposed the signature technique and detection process to enable more effective intrusion detection. Also, it\u0026rsquo;s capable of supporting the effective response on fast ethernet and Gigabit links.. For future work, we\u0026rsquo;ll then go on to simulating an attack in a cloud network and the detection of attacks. We'll continue working to enhance the detection mechanism's performance on high-speed links.\u003c/p\u003e"},{"header":"References","content":"\u003col\u003e\n \u003cli\u003eNaveed, Muhammad, Shams un Nihar, and Mohammad Inayatullah Babar. \u0026quot;Network intrusion prevention by configuring acls on the routers, based on snort ids alerts.\u0026quot; 2010 6th International Conference on Emerging Technologies (ICET). IEEE, 2010\u003c/li\u003e\n \u003cli\u003eKumar, Shyam Nandan. \u0026quot;Review on network security and cryptography.\u0026quot; International Transaction of Electrical and Computer Engineers System 3.1 (2015): 1-11.\u003c/li\u003e\n \u003cli\u003eChoudhary, Sarika, and Nishtha Kesswani. \u0026quot;Detection and prevention of routing attacks in internet of things.\u0026quot; In 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), pp. 1537-1540. IEEE, 2018.\u003c/li\u003e\n \u003cli\u003eAsif, Muhammad K., \u0026quot;Network intrusion detection and its strategic importance \u0026rdquo; 2013 IEEE Business Engineering and Industrial Applications Colloquium (BEIAC). IEEE,2013.\u003c/li\u003e\n \u003cli\u003ehttps://www.alliedtelesis.com/sites/default/files/documents/datasheets/9000_series_ds_rev_p_reduced. pdf\u003c/li\u003e\n \u003cli\u003ehttp://www.cisco.com/en/US/tech/tk389/tk214/tech_brief09186a0080091a8a.html (Accessed 25.01.2024)\u003c/li\u003e\n \u003cli\u003eKruegel, Christopher, et al. \u0026quot;Stateful intrusion detection for high-speed network\u0026apos;s.\u0026quot; \u003cem\u003eProceedings 2002 IEEE Symposium on Security and Privacy\u003c/em\u003e. IEEE, 2002\u003c/li\u003e\n \u003cli\u003eAydın, M. Ali, A. Halim Zaim, and K. Gökhan Ceylan. \u0026quot; A hybrid intrusion detection system design for computer network security.\u0026quot; Computers \u0026amp; Electrical Engineering 35.3 (2009): 517-526\u003c/li\u003e\n \u003cli\u003eR. Sekar, V. Guang, S. Verma, and T. Shanbhag. A High-performance Network Intrusion Detection Sys- tem. In \u003cem\u003eProceedings of the 6th ACM Conference on Computer and Communications Security\u003c/em\u003e, November 1999.\u003c/li\u003e\n \u003cli\u003eCISCO. CISCO Intrusion Detection System. Techni- cal Information, Nov 2001.\u003c/li\u003e\n \u003cli\u003eLoo, Chong Eik, et al. \u0026quot;Intrusion detection for routing attacks in sensor networks.\u0026quot; \u003cem\u003eInternational Journal of Distributed Sensor Networks\u003c/em\u003e 2.4 (2006): 313-332.\u003c/li\u003e\n \u003cli\u003eTarman, Thomas D., and Edward L. Witzke. \u0026quot;Intrusion detection considerations for switched networks.\u0026quot; \u003cem\u003eEnabling Technologies for Law Enforcement and Security\u003c/em\u003e. Vol. 4232. SPIE, 2001.\u003c/li\u003e\n \u003cli\u003eResearch on computer network IDS\u003c/li\u003e\n \u003cli\u003eKim, Byoung-Koo, et al. \u0026quot;Design and implementation of high-performance intrusion detection system.\u0026quot; \u003cem\u003eComputational Science and Its Applications\u0026ndash;ICCSA 2004: International Conference, Assisi, Italy, May 14-17, 2004, Proceedings, Part IV 4\u003c/em\u003e. Springer Berlin Heidelberg, 2004.\u003c/li\u003e\n\u003c/ol\u003e"}],"fulltextSource":"","fullText":"","funders":[],"hasAdminPriorityOnWorkflow":false,"hasManuscriptDocX":true,"hasOptedInToPreprint":true,"hasPassedJournalQc":"","hasAnyPriority":false,"hideJournal":true,"highlight":"","institution":"","isAcceptedByJournal":false,"isAuthorSuppliedPdf":false,"isDeskRejected":"","isHiddenFromSearch":false,"isInQc":false,"isInWorkflow":false,"isPdf":false,"isPdfUpToDate":true,"isWithdrawnOrRetracted":false,"journal":{"display":true,"email":"[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true},"keywords":"Intrusion detection, High-speed network, alert information","lastPublishedDoi":"10.21203/rs.3.rs-5024957/v1","lastPublishedDoiUrl":"https://doi.org/10.21203/rs.3.rs-5024957/v1","license":{"name":"CC BY 4.0","url":"https://creativecommons.org/licenses/by/4.0/"},"manuscriptAbstract":"\u003cp\u003eThe development and use of computer networks is increasing quickly by small, medium and large companies for transferring the data.\u003cstrong\u003e \u003c/strong\u003eOne of the most important concern in today's networks is the requirement for security analysis techniques that can keep up with the growing network traffic as networks get faster.\u003cstrong\u003e \u003c/strong\u003eThe exponential expansion of networks, incidents of data attacks and security breaches have also proliferated. Although there are several approaches accessible but dynamic environment makes these approaches insufficient. In this context we propose an high speed intrusion detection system(IDS) for protecting networks from attacks. IDS capture information about network traffic data from a system or network address to prevent unauthorized access. Generally, IDS rely upon signatures to identify malicious behaviour. A few hundred Mbps of bandwidth can be handled by the network-based intrusion detection devices which are currently in usage. Higher throughput methods of analysis are either limited in the capacity to identify various types of attacks or are unable to do so. In this research paper we proposed a higher speed of network IDS architecture using alert information, custom signature, access-list and inbound traffic (produce alert or deny packet) using Graphical Network Simulator 3 to secure the network.\u003c/p\u003e","manuscriptTitle":"Analysis of intrusion detection system in switches-based gigabit networks","msid":"","msnumber":"","nonDraftVersions":[{"code":1,"date":"2024-11-14 12:57:56","doi":"10.21203/rs.3.rs-5024957/v1","editorialEvents":[{"type":"communityComments","content":0}],"status":"published","journal":{"display":true,"email":"[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true}}],"origin":"","ownerIdentity":"af85919a-7325-4aa8-8c0a-7d6a10590059","owner":[],"postedDate":"November 14th, 2024","published":true,"recentEditorialEvents":[],"rejectedJournal":[],"revision":"","amendment":"","status":"posted","subjectAreas":[],"tags":[],"updatedAt":"2025-03-22T08:29:13+00:00","versionOfRecord":[],"versionCreatedAt":"2024-11-14 12:57:56","video":"","vorDoi":"","vorDoiUrl":"","workflowStages":[]},"version":"v1","identity":"rs-5024957","journalConfig":"researchsquare"},"__N_SSP":true},"page":"/article/[identity]/[[...version]]","query":{"redirect":"/article/rs-5024957","identity":"rs-5024957","version":["v1"]},"buildId":"qtupq5eGEP_6zYnWcrvyt","isFallback":false,"isExperimentalCompile":false,"dynamicIds":[84888],"gssp":true,"scriptLoader":[]}

Text is read by the "Ask this paper" AI Q&A widget below. Extraction quality varies by source — PMC NXML preserves structure cleanly, OA-HTML may include some navigation residue, and OA-PDF can have broken hyphenation. The publisher copy (via DOI) is the canonical version.

My notes (saved in your browser only)

Ask this paper AI returns verbatim quotes from the full text · source: preprint-html

Answers must be backed by verbatim quotes from this paper's full text. Hallucinated quotes are dropped automatically; if no verbatim passage answers the question, we say so. How this works

Citation neighborhood (no data yet)

We don't have any in-corpus citations linked to this paper yet. This is a recent paper (2024) — citers typically take a year or two to land, and the OpenAlex reference graph may still be filling in.

Source provenance

europepmc
last seen: 2026-05-20T01:45:00.602351+00:00