Figure 1: Number of incidents reported
The above chart from US-CERT shows how thecyber incidents rose in current internet network environment; this gives requirement of IDSdeployment in network security system.II.
INTRUSION DETECTION SYSTEMTECHNIQUESIntuitively, intrusions in an information systemare the activities that violate the security policy of thesystem, and intrusion detection is the process used toidentify intrusions. Intrusion detection has beenstudied for approximately 20 years. It is based on the beliefs that an intruder’s behavior will be noticeablydifferent from that of a legitimate user and that manyunauthorized actions will be detectable. Intrusiondetection system is classified into three categories.The different types of intrusion Detection techniquesare listed below.A.
Signature based detection systems,B.
Anomaly based intrusion detectionsystemsC.
Specification based detectionsystems.
Signature based detection systems
Signature based detection system (also calledmisuse based), this type of detection is very effectiveagainst known attacks, and it depends on thereceiving of regular updates of patterns and will beunable to detect unknown previous threats or newreleases.One big challenge of signature-based IDS is thatevery signature requires an entry in the database, andso a complete database might contain hundreds or even thousands of entries. Each packet is to becompared with all the entries in the database. Thiscan be very resource- consuming and doing so willslow down the throughput and making the IDSvulnerable to DoS attacks. Some of the IDS evasiontools use this vulnerability and flood the signaturesignature-based IDS systems with too many packetsto the point that the IDS cannot keep up with thetraffic, thus making theIDS time out and drop packets and as a result, possibly miss attacks. Further, this type of IDS is stillvulnerable against unknown attacks as it relies on thesignatures currently in the database to detect attacks.
Anomaly based detection system
This type of detection depends on theclassification of the network to the normal andanomalous, as this classification is based on rules or heuristics rather than patterns or signatures and theimplementation of this system we first need to knowthe normal behaviour of the network. Anomaly baseddetection system unlike the misuse based detectionsystem because it can detect previous unknownthreats, but the false positive to rise more probably.The signature of a new attack is not known beforeit is detected and carefully analyzed. So it is difficultto draw conclusions based on a small number of packets. In this case, anomaly-based systems detectabnormal behaviors and generate alarms based on theabnormal patterns in network traffic or application behaviors. Typical anomalous behaviors that may becaptured include1) Misuse of network protocols such asoverlapped IP fragments and running a standard protocol on a stealthy port;2) Uncharacteristic traffic patterns, such as moreUDP packets compared to TCP ones,3) Suspicious patterns in application payload.The big challenges of anomaly based detectionsystems are defining what a normal network behavior is, deciding the threshold to trigger the alarm, and preventing false alarms. The users of the network are normally human, and people are hard to predict. If the normal model is not definedcarefully, there will be lots of false alarms and thedetection system will suffer from degraded performance.
Specification based detection system
This type of detection systems is responsible for monitoring the processes and matching the actualdata with the program and in case of any abnormal behaviour will be issued an alert and must bemaintained and updated whenever a change wasmade on the surveillance programs in order to be ableto detect the previous attacks the unknown and thenumber of false positives what can be less than theanomaly detection system approach.
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 10, No. 8, August 201245http://sites.google.com/site/ijcsis/ISSN 1947-5500