Intrusion Detection System: Survey & Analysis of

NIDS
Pragya Vashishtha#1, Riya Khandelwal$2, Anpurna Aggarwal%3
#1
UG,CSE,MITRC,Alwar,Rajasthan
vashishtha.pragya.2798@gmail.com
$2
UG,CSE,MITRC,Alwar,Rajasthan
riyakhandelwal0008@gmail.com
%3
UG,CSE ,MITRC,Alwar,Rajasthan
Anpurnaaggarwal05@gmail.com
Vinod Rampure
Assistant Professor,MITRC,Alwar,Rajasthan
Vinodrampure_cs@mitrc.ac.in

Abstract-It is very important to provide problems. IDS provide three important

a high level security to protect highly security functions; monitor, detect and
sensitive and private information. respond to unauthorized activities.
Intrusion Detection System is an Intrusion Detection System monitors the
essential technology in Network operations of firewalls, routers,
Security. This paper includes an management servers and files critical to
other security mechanisms.
overview of intrusion detection systems
Intrusion Detection System can make the
and introduces the reader to some
security management of system by non-
fundamental concepts of IDS expert staff possible by providing user
methodology. In this also discuss the friendly interface. Intrusion detection
primary intrusion detection techniques. systems usually provide the following
In this paper, we have included mainly Services:
network based intrusion detection  Observing and analysing computer
system. and/or network system activity.
 Audit the system configurations
and vulnerabilities.
Keywords:
 Evaluating the integrity of critical
system and data files.
I. INTRODUCTION  Estimating abnormal activities.

II. IDS TAXONOMY

Intrusion Detection is a key technique in
Information Security plays an important
role detecting different types of attacks and
secures the network system. Intrusion
detection is the process of observing and
Analysing the events arising in a computer
or network system to identify all security
IDSs are divided into two broad
categories: host-based
(HIDS) and network-based (NIDS) .A
host-based IDS
Requires small programs (or agents) to be
installed on
Individual systems to be supervised. The
agents monitor the
operating system and write down data to
log files and/or trigger alarms. A network-
based Intrusion Detection System Usually
consists of a network application (or
sensor) with a Network Interface Card
(NIC) working in promiscuous mode and a
separate management of interface.
IDS are placed on a network segment or
boundary and monitor all traffic on that
segment. The current trend in intrusion
detection is to combine both host based
and network based information to develop
hybrid systems that have more efficient.
1.HOST BASED INTRUSION
DETECTION(HIDS):
Host based intrusion detection (HIDS)
refers to intrusion detection that takes
place on a single host system. The data is
collected from an individual host system.
The HIDS agent monitors activities such
as integrity of system, application action,
file changes, host based network traffic,
and system logs. By using common
hashing tools, file timestamps, system
logs, and monitors system calls and the
local network interface gives the agent
insight to the present state of the local
host. If there is any unauthorized change or
activity is detected; it alerts the user by a
pop-up, it alerts the central management
server, blocks the activity, or a
combination of the above three. The
decision should be based on the policy that
is installed on the local system. These
host-based procedures are considered the
passive component.
2. NETWORK BASED INTRUSION
DETECTION (NIDS):
A network-based intrusion detection
system (NIDS) is used to monitor and
analyse network traffic to protect a system
From network-based threats where the data
is traffic across the network. A NIDS tries
to detect malicious activities such as
denial-of-service (Dos) attacks, port scans
and monitoring the network traffic attacks.
NIDS includes a number of sensors to
monitors packet traffic, one or more than
servers for NIDS management functions,
and one or more management relieves for
the human interface. NIDS examines the
traffic packet by packet in real time, or
near to real time, for attempting to detect
intrusion patterns. The analysis of traffic
patterns to detect intrusions may be done
at the sensors, at the management servers,
or combination of the both. These
network-based procedures are considered
the active component.
3.HYBRID INTRUSION DETECTION
The current trend in intrusion detection is
to combine both types host-based and
network-based IDS to design hybrid
systems. Hybrid intrusion detection system
has flexibility
And it increases the security level. It
combines IDS sensor locations and reports
attacks are aimed at particular segments or
entire network.
 based on audit data gathered over a period
of normal operation. Anomaly detection is
an important tool for fraud detection,
network based intrusion, and other unusual
events that have great significance but they
are hard to find. The importance of
anomaly is due to the fact that anomalies
in data translate to important actionable
information in a huge variety of
application domains. Anomaly detection is
also sometimes referred to as behaviour-
based detection because it associates with
variations from user behaviour. The
advantage of anomaly detection approach
is the ability to detect novel attacks or
unknown attacks based on audit data.

The main drawback of the anomaly

detection approach is those well-known
attacks may not be detected.

MISUSE DETECTION:
Fig: types of intrusion detection system
Misuse IDS trying to detect abnormal
behaviour by analysing the given traffic
and go with several rules based on
Analysis and comparison with the Rules
III. INTRUSION DETECTION
the system can notice any attacks, such as
APPROACHES
matching signature pattern. Misuse
detection is also sometimes referred to as
Signature-based detection because alarms
There are currently a variety of approaches
are generated based on particular attack
utilized to accomplish the desirable
signatures this kind of attack signatures
elements of intrusion detection system.
encompass particular traffic or activity that
There are two general approaches to
is based on known intrusive activity.
intrusion
Detection:
The advantage of misuse detection is the
 Anomaly detection ability to generate accurate result and
 Misuse detection having fewer false alarms. The
These approaches develop the core of disadvantage of misuse detection
several currently present intrusion approaches is that they will detect only the
detection techniques. known attacks.

ANOMALY DETECTION: IV. COMMON ATTACKS &

VULNERABILITY
Anomaly IDS trying to detect anomalies
when any difference occurs from the Most attack on threat is cyber security
normal system . Anomaly detection is attacks being perform today; it may
include silently sending all sort of
confidential data from your computer or
network to the attackers home base.

Current NIDS substantial amount of

human intervention and administrators for
an effective operation . Therefore for
network administrators to understand the
architecture of NIDS, and the well known
attacks and threats is very much essential.
In this section we will discuss well known
attacks, threats and vulnerabilities in the
end host operating system and protocols.

ATTACK TYPES

1 Confidentially
2 Integrity
3 Availability
4 Control
Fig- Architecture of Scanning Attack
V. ATTACKS DETECTED BY
NIDS 2 DOS ATTACKS

Till current research a number of attacks
can be detected by current generation of
NIDS. Some are described as follows:
1 SCANNING ATTACKS
In such attacks, an attacker sends different
kinds of packets or information to probe a
system or network that they want to
exploit. Now the response for these probe
packets are analysed to determine the
characteristics of the target system.
There are number of denial of services
attack, such kind of attacks can cause
significant economic damage or
completely shut downs the targets to
disrupt the services especially ecommerce
business slow down by denying authorized
users access.
3 PENETRATION ATTACKS
Generally penetration attacks exploit
certain flaws in the software which allows
the attacker to install viruses and malware
in the system as he gains an unauthorized
control of the system.

VI. ROLE OF NIDS IN

COMBATING ATTACKS

AS we know an NIDS can detect attacks,

additionally they provide numbers of keys
to find the nature of the attack, origin and
propagation characteristics. Also most
NIDS often reports the location of
attackers or hacker i.e. from where the
attack has been triggered, however it is not
enough information as a smart attacker
often changes the IP address in the attack
packets, called IP address spoofing. The IP
address reported by the NIDS had a key
concept that concept that determines if the
attack requires the reply messages to be
sent or not.
In modern NIDS the route that an attack
packet have taken gets also reported, this
route information contains key information
that can be used to trace the attacker or
hacker.
Also with enhancement modern NIDS
have started to include the capability to
aggregate the attacks reports into a smaller
number of subsets that is much easy to
examine.
VII. FUTURE OF NIDS
Performance is one of the key challenges
of NIDS. Inspection of deep packets in
most NIDS, limits the NIDS performance.
In future present system can easily scale to
multigigabits throughputs which enhance
the system performance. Analysis and
correlation is one more challenge of NIDS
in future. The main issue is to advanced
the system and replace all human operation
work with full automation.
Use of encryption increasing and
necessitates on the host system where the
data can be encrypted. At the centre of the
model lie a familiar concept – the
management station, that is similar to the
NIDS console. Mounting security also
concerned, host machine need to aid the
central NIDS component in looking for the
behaviour (network or system) that is
malicious or abnormal.
There is one more aspect that requires
attention in future – standard concerning
the NIDS reporting. Some update will be
in future like NIDS protocol will be
established and standardised reporting
format will become requirement.
VIII. HONEYPOT (HP)
HP is mainly a heuristic approach and is
based on concept of bait and trap; basically
it is just a deception. In computer
terminology, a honey pot is a computer
security mechanism set to detect, deflect,
or, in some manner, counteract attempts at
unauthorised use of information systems.
Generally, a honey pot consists of data that
appears to be a legitimate part of the site,
but is actually isolated and monitored, and
that seems to contain information or a
resource of value to attackers, who are
then blocked.
Generally speaking HP is deception based
approach to detect action of a deceitful
enemy (the intruder or attacker). HP
concept has attracted much attention over
the internet and there are numerous sites
dedicated to this concept.
Nevertheless, industry sector is very
attracted by this concept. The overall idea
behind the HP technology is to lay a trap
and bait and wait for the hunt to fall into it.
Here HP is used as a supplement to the
IDS to detect the intrusion where IDS was
unable to do so. In this way, the
probability of the undetected attacks is
reduced.
Nowadays, attackers or intruders aware of
the HP technology try to avoid the HP’s or
even take advance of them. For this they
have implemented different tools, once
detected, they disengage the HP. But due
to smart intruders as the HP technology
improves, the anti-HP also does.
Therefore a never ending battle is already
started, so there is need to improve the HP
approach otherwise it will become a weak
point in the system. Also according to
latest researches the authors propose a
design for a dynamic honey pot, capable of
changing configuration to match the
dynamic and even changing environment
of a network.
IX. STRENGTH & LIMITATION
OF NIDS
As we till studied NIDS have become
extremely valuable in enhancing the
security of the network and end host,
however they have number of key
overcomes, therefore it is very much
essential for a network administrators to be
aware of both strength and weakness.
NIDS today have become extremely valuable
in enhancing the security of the networks and
end hosts; they however have a number of key
drawbacks. In the deployment of NIDS, it
therefore is important for the network
administrator to be aware of its strengths and
limitations. In the section we discuss these
properties:
1 STRENGTHS OF NIDS
NIDS can perform the following functions to
enhance the security.
(1)Measurements and analysis of typical and
atypical user behaviour. For example an
anomaly based NIDS is capable of detecting
high volume traffic flows, flash crowds, load
imbalance in the network, sudden changes in
demand of a port usage, sudden surge of traffic
from/to a specific host, etc .
(2) Detection of known worms, viruses, and
exploitation of a known security hole.
Signature based NIDS can detect these events
with fairly high degree of accuracy. An
appropriate signature will also ensure a low
false positive probability.
(3) Some advanced NIDS systems also enable
recognitions of patterns of system events that
correspond to a known security threat.
(4) Enforcement of the security policies in a
given network. For example a NIDS can be
configured to block all communication
between certain sets of IP addresses and or
ports. A NIDS can also be used to enforce
network wide access controls.
(5) Anomaly based NIDS can also recognize,
with a certain false positive probability, new
attacks and abnormal patterns in the network
traffic, whose signatures are not yet generated.
This will alert the network administrator
early, and potentially reduce the damage
caused by the new attack.
2 Limitations of NIDS
(1) A MERE WORKAROUND:
A number of researchers have argued that a
NIDS is more or a less a workaround for the
flaws and weak or missing security
mechanisms in an operating system, an
application, and/or a protocol.
(2) FALSE POSITIVES:
NIDS comes with a bane, i.e. false positives. A
false positive is an event when a NIDS falsely
raises a security threat alarm for harmless
traffic. Signatures can be tuned precisely to
reduce such false positives, however fine
signatures create a significant performance
bottleneck, which is the next limitation of
NIDS. Current Anomaly
based algorithms lead to even higher false
positives.
(3) PERFORMANCE ISSUES:
Current signature based NIDS systems use
regular expressions signatures which creates a
significant performance bottleneck. In order to
reduce false positives long signatures are
required which further reduces the
performance.
The data throughput of current NIDS systems
is limited to a few gigabits per second.
(4) ENCRYPTION:
The ultimate threat to the very existence of the
signature based NIDS systems is the
increasing use of data encryption. Everybody
dreams to encrypt their data before
transmission. Once the packet payloads are
encrypted, the existing signatures will become
completely useless in identifying the
anomalous and harmful traffic.
(5) NEW AND SOPHISTICATED
ATTACKS:
Commercial NIDS which are signature based
are unable to detect new attacks whose
signatures are not yet devised. Anomaly based
NIDS can detect such attacks but due to the
limitations of the current anomaly detection.
Algorithms, an intelligent attacker can always
develop attacks that remain undetected.
(6) HUMAN INTERVENTION:
Almost all NIDS systems require a constant
human supervision, which slows down the
detection and the associated actions. Some
recent systems such as Network Intrusion
Prevention Systems (NIPS) can automatically
take
pre-programmed actions but these are limited
only to the well known attacks.
Additionally there has been an increase in
polymorphic worms which can automatically
change their propagation characteristics
thereby effectively changing their signatures.
Such worms also pose a critical threat to the
current NIDS.
X. CONCLUSION
We have studied the intrusion detection
system, and also analysed Network based
intrusion detection system. We also have
surveyed about limitations, strengths,
future
Scope of network based intrusion detection
system, and honey pot (HP) is mainly a
heuristic approach and is based on concept
of bait and trap.

(7) EVASION OF SINATURES:

A number of researchers have argued that it is

not difficult for an attacker to evade a
signature.
REFERENCE
[1] International Journal of Advanced
Research in Computer and
Communication Engineering Vol. 2, Issue 4,
April 2013
[2] R. Sommer, V. Paxson, , "Enhancing
Byte-Level Network Intrusion Detection
Signatures with
Context," ACM conf. on Computer and
Communication Security, 2003, pp. 262--271.
citeseer.ist.psu.edu/sommer03enhancing.html
[3] A. Lakhina, et al., "Mining Anomalies
Using Traffic Feature Distributions," Proc.
ACMSIGCOMM 2005.
www.sigcomm.org/sigcomm2005/paper-
LakCro.pdf
Coimbatore Doctoral Research Scholar,
Manonmaniam Sundaranar University,
Tirunelveli, India1M.Phil. Scholar,
Department of Computer Science, Dr. N.G.P.
Arts and Science College, Coimbatore,
India2Doctoral Research Supervisor, Assistant
Professor, PG & Research Department of
Computer Science,Government Arts College,
Coimbatore, India3
[6] Research on Intrusion Detection and
Response:A Survey
Peyman Kabiri and Ali A. Ghorbani
(Corresponding author: Ali A. Ghorbani)

[4] Survey of Current Network Intrusion

Detection Techniques
Sailesh Kumar, sailesh@arl.wustl.edu//
[5] Intrusion Detection Systems: A Survey
and Analysis of Classification Techniques
V. Jaiganesh 1, S. Mangayarkarasi 2, Dr. P.
Sumathi 3
Assistant Professor, Department of Computer
Science, Dr. N.G.P Arts and Science College,