Abstract: Intrusion detection systems (IDSs) help detect unauthorized activities or intrusions that may compromise the confidentiality, integrity, or availability of a resource. This paper presents a general overview of IDSs, the way they are classified, and the different algorithms used to detect anomalous activities. It compares the various intrusion detection techniques, and describes the different approaches and the importance of IDSs in information security.
Understanding Modern Intrusion Detection Systems: A Survey
Such a deployment is suitable when the network has managed switches, is not using hubs, or when putting an IDS inline is impractical.

IPSs have preventive mechanisms, such as fault tolerance or backup power, to minimize disruption to network activities.

If cost is an issue, many routers, such as Cisco® routers, allow specific modules or firmware to be installed on top of the existing routers to provide intrusion detection and prevention capabilities.

With new attacks and malicious activities appearing every hour, a signature-based IDS is only as good as the recency of its signature database and rulesets.

4. DETECTION TECHNIQUES

According to different sources, systems like rule-based expert systems, state transition analysis, and genetic algorithms are direct and efficient ways to implement signature detection. Inductive sequential patterns, artificial neural networks, statistical analysis, and data mining methods have been used in anomaly detection, and different kinds of frameworks are used for anomaly-based detection.

This section presents an extensive study of the various intrusion detection classifier techniques and hybrid detection techniques. A few proposed methods are described as follows.

4.1. Bayesian Networks

Bayesian networks are probabilistic graphical models that represent sets of variables and their probabilistic independencies. Bayesian theory is named after Thomas Bayes, and can be stated as follows: if the events A1, A2, … and An constitute a partition of the sample space S such that P(Ak) ≠ 0 for k = 1, 2, …, n, then for any event B such that P(B) ≠ 0:

P(Ak | B) = P(Ak) P(B | Ak) / [P(A1) P(B | A1) + … + P(An) P(B | An)]

Darwiche et al. (2010) stipulated that Bayesian networks have been used in many computer science fields, such as email spam filters, speech recognition, and pattern recognition, because of their ability to build coherent results by using probabilistic information about a specific situation.

Bayesian networks are directed acyclic graphs whose nodes represent variables and whose edges encode conditional dependencies between those variables (D. Heckerman, 1995). They have been applied to anomaly detection in many ways; for example, Valdes et al. developed an anomaly detection system that employs naive Bayes, a two-layer Bayesian network that assumes complete independence between the nodes.

4.2. Genetic Algorithm (GA)

GA is a search technique used to find an appropriate solution to search problems. Genetic algorithms have been applied to anomaly detection in many ways, as they are a flexible and powerful search method. Some network intrusion detection approaches have used genetic algorithms for the classification of instances, while others, like the fuzzy data mining approach, have applied this technique for feature selection. An advantage of GA is that it selects the best features and has better efficiency, but its method is complex.

4.3. Inductive Rule Generation Algorithms

These algorithms are among the most widely used techniques. In this technique, we have a predictive-model decision tree that maps observations of an item to conclusions about the item's target value.

The decision tree (DT) is a very powerful and popular data mining algorithm for decision-making and classification problems. It is also used in many real-life applications like medical diagnosis, radar signal classification, weather prediction, credit approval, and fraud detection. A decision tree can be constructed from a large volume of data with many attributes, because the tree size is independent of the dataset size. It can process both numerical and categorical data, although trees created from numeric datasets can be complex. Construction of inductive rule generation algorithms may not require any domain knowledge; they can handle high-dimensional data, and the representation is easy to understand (R. Patel, A. Thakkar and A. Ganatra, 2012). However, they are limited to one output attribute, decision tree algorithms are unstable, and most decision tree construction methods are non-backtracking.

4.4. Outlier Detection

The outlier detection approach is based on the idea of semi-supervised learning, in which the system learns baseline data and considers any instances that do not fit the normal data profile to be anomalies.

Most anomaly detection algorithms require a set of baseline data to train the model, and they assume that anomalies can be treated as patterns never observed before. Since an outlier is defined as a data point that is very different from the rest of the data based on some measure, we employ several outlier detection schemes to see how efficiently they deal with the problems of anomaly detection. In statistics-based outlier detection techniques, the data points are modeled using a stochastic distribution, and points are determined to be outliers depending upon their relationship with this model.

4.5. Clustering

This technique is based on two important assumptions (L. Portnoy, E. Eskin, & S. J. Stolfo, 2001). First, the majority of network connections represent normal traffic, and only a very small percentage of that traffic is malicious. Second, malicious traffic is statistically different from normal traffic.
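The fixed-width flavor of this idea can be sketched in a few lines of Python. This is an illustrative sketch only, not the cited authors' implementation: the cluster width, the "normal" size threshold, and the toy feature vectors are all assumptions.

```python
import math

def fixed_width_clustering(points, width):
    """One-pass clustering: join the first cluster whose centroid is
    within `width` of the point, otherwise start a new cluster."""
    centroids, members = [], []
    for p in points:
        for i, c in enumerate(centroids):
            if math.dist(p, c) <= width:
                members[i].append(p)
                n = len(members[i])
                # Keep the centroid as the running mean of its members.
                centroids[i] = tuple((c[d] * (n - 1) + p[d]) / n
                                     for d in range(len(p)))
                break
        else:
            centroids.append(tuple(p))
            members.append([p])
    return members

def label_clusters(members, normal_fraction=0.15):
    """Assumption 1: large clusters are baseline traffic. Assumption 2
    makes malicious points land in small clusters, flagged anomalous."""
    total = sum(len(m) for m in members)
    return [len(m) / total > normal_fraction for m in members]

# Toy 2-D feature vectors (e.g., scaled duration and byte counts).
normal = [(1.0 + 0.01 * i, 2.0 - 0.01 * i) for i in range(50)]
outliers = [(9.0, 9.0), (9.1, 8.9)]
clusters = fixed_width_clustering(normal + outliers, width=1.5)
flags = label_clusters(clusters)
for cl, ok in zip(clusters, flags):
    print(len(cl), "normal" if ok else "anomalous")
```

Note that no labels are used anywhere, which is what makes this approach attractive when labeled attack data is unavailable.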
Anomalies are detected based on cluster size: large clusters are assumed to be baseline data, and the rest correspond to malicious attacks.

Clustering is unsupervised learning. Labeling the data is not necessary and natural patterns in the data are extracted, so it does not require a labeled data set for training.

4.6. Neural Networks

Neural networks are networks of computational units that jointly implement complex mapping functions. First, the networks are trained with a labeled data set; testing instances are then fed into the network to be classified as either normal or anomalous. An example of the neural network technique widely used in anomaly detection is the Support Vector Machine (SVM) (S. Mukkamala, G. Janoski, and A. Sung, 2002).

This method would be effective if the exact characteristics of the attack are already known. However, intrusions are constantly changing because of the individual approaches taken by attackers and the regular changes made to the software and hardware of the targeted systems. Because of the wide variety of attacks and attackers, the rule base of an expert system, despite dedicated effort to constantly update it, can never hope to accurately identify the full variety of intrusions.

Because of the constantly changing nature of network attacks, we require a flexible defensive system that can analyze the enormous amounts of network traffic in a manner less structured than rule-based systems. For example, a neural network-based signature detection system could potentially address many of the problems found in rule-based systems. The inherent speed of neural networks is another benefit of this approach: timely identification of attacks is required, and the processing speed of neural networks could enable intrusion responses to be conducted before irreversible damage is done to the system. The approach has a high signal-to-noise ratio, but requires more time and a longer sample-training phase.

4.7. Fuzzy Logic

Fuzzy logic starts from and builds on a set of user-supplied human-language rules, which the fuzzy system converts into their mathematical equivalents. This simplifies the job of the system designer and the computer, and results in a much more accurate representation of the way systems behave in the real world. Fuzzy logic is also simple and flexible: it can handle problems arising from imprecise and incomplete data, and model nonlinear functions of arbitrary complexity. Fuzzy logic techniques have been employed in the computer security field since the early 90's, and their ability to model complex systems makes fuzzy logic a valid alternative in this field for analyzing continuous sources of data and even unknown or imprecise processes (Hosmer, 1993).

Fuzzy logic has potential in the intrusion detection field when compared to systems using strict signature-based matching or classic pattern deviation detection. Bridges and Vaughn (2000) state that the concept of security itself is fuzzy; in other words, the concept of fuzziness helps to smooth out the abrupt separation of normal behavior from abnormal behavior. Without it, a given data point falling outside a defined baseline interval is considered anomalous to the same degree regardless of its distance from the interval. Fuzzy logic has the capability to represent imprecise forms of reasoning in areas where firm decisions must be made in indefinite environments, like intrusion detection.

Dokas et al. (2002) suggested a model that works by building rare-class prediction models for identifying known intrusions and their variations, together with anomaly/outlier detection schemes for detecting novel attacks whose nature is unknown.

Researchers have also proposed techniques to generate fuzzy classifiers using genetic algorithms that can detect anomalies and some specific intrusions. The main idea is to evolve two rules, one for the normal class and one for the abnormal class, using a baseline profile data set.

5. COMPARISON OF TECHNIQUES

In this section, we look at how the various intrusion detection techniques compare, and what situations they are best suited for. Each technique or approach to programming the system to recognize intrusions or outright threats has different variables involved in defining the exclusionary or inclusionary criteria for what constitutes a threat. Our review of each technique poses a challenge in determining suitable techniques based on the system's specific needs and awareness of threats in relation to risk assessment. In the business world, how the technique will be applied to the system directly relates to the purpose and function of the system in meeting business needs. While this is simplistic, there is also a thematic attachment to deriving the application of the technique within specific and definable parameters of the system.

However, because of the global business implications of managing the firm's technology as an asset, and of understanding how the firm needs interactions with unknown clients, there is a need for basing the technique upon flexible patterns of information sharing. Biermann, Cloete, and Venter (2001) regard this as a means of devising clear intent in terms of each technique's drawbacks and advantages of use. The system must define the techniques and compare them based upon availability, utility, integrity, authenticity, confidentiality, and possession (Biermann, Cloete, & Venter, 2001).
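Before comparing the individual techniques, the fuzzy-versus-crisp distinction drawn in Section 4.7 can be made concrete with a small sketch. The baseline interval, ramp width, and traffic rates below are invented for illustration, not taken from any cited system:

```python
def crisp_anomaly(rate, lo, hi):
    """Strict baseline interval: everything outside it is equally anomalous."""
    return 0.0 if lo <= rate <= hi else 1.0

def fuzzy_anomaly(rate, lo, hi, ramp):
    """Anomaly degree grows linearly with distance from the baseline
    interval and saturates at 1.0 after `ramp` units."""
    if lo <= rate <= hi:
        return 0.0
    dist = lo - rate if rate < lo else rate - hi
    return min(dist / ramp, 1.0)

# Hypothetical baseline: 100-600 packets/sec counts as normal.
for rate in (550, 605, 900):
    print(rate, crisp_anomaly(rate, 100, 600),
          fuzzy_anomaly(rate, 100, 600, ramp=400))
```

The crisp scorer treats a rate of 605 exactly like a rate of 900, while the fuzzy scorer grades them by distance from the interval, which is the smoothing effect Bridges and Vaughn argue for.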
Hubballi and Suryanarayanan (2014) find that part of the issue with defining the parameters of the IDS, and therefore strategically determining the specific technique and purpose, also rides upon how well each technique can recognize events without error. They contend that a signature-based design may be ineffective given the constant need to rewrite parameters to re-identify threats: "discovery of new flaws and vulnerabilities occur continuously, to write good signatures one needs to have complete understanding of the behavior and sufficient data to analyze. Due to this dependency, this method is always error prone."

Such a technique may not allow for gray areas and therefore should be replaced by fuzzy logic, where parameters are protected by filtering for what may be depicted as an error. The signature may not fit the rule-based logic applied or the signature itself, or the rules are too stringent, and therefore information packets are seen as threats when they are not (false positives). Rewriting the rules becomes a continuous action, and the system needs to learn from itself rather than from specific directions or rules set in place.

Another relationship between techniques to consider is how similarly these structures function within the design of the system to point to specific correlative formats for alarms, where they are seen in normative and rules-based functionality. Bayesian algorithms capture the same essence as the signature approach, where rules-based definitions of threats also apply. Xiao et al. (2014, p. 128) comment that the reason for choosing Bayesian-derived techniques coincides with robust modeling and the "joint distribution of random variables and reasoning under uncertainty."

Even with this logic, Xiao et al. (2014) find weakness in the node function of the technique, and in how these nodes present opportunities for false alarms just as found in the signature-based technique. Continued application of knowledge, and loading the patterns to seek in defining the level of safety under uncertainty, requires continued revision of the system. Xiao et al. (2014) determine that utilizing Bayesian algorithms at the core of the IDS also means adopting further tools within the design toward a hybrid model. Hybrid augmentation seeks a dual platform for filtering information based upon extensions, where dynamic coding for applying human behavior modelling opens up functionality for greater leverage between identifying factors of certainty and uncertainty. Such further design based upon the Bayesian approach continues the robustness of the framework, but allows analytics to be applied in a way that considers profoundly shifting the variables that define threats and non-threats. Taking a step further to analyze the definition allows for greater functionality and fewer false alarms.

Differences in approach bordering on hybrid design also focus upon fuzzy logic and clustering techniques. However, clustering and fuzzy logic can only be used in situations where there is a broad basis for data analysis and the expected element of learning from the data. These forms of IDS techniques would not work well in situations where the needs of the administrator are simply to block packets of information based on rules. Systems defined by a set of prerequisites as a single layer of function also would not need the depth or level of precision implied by the use of clustering or fuzzy logic. Indeed, such systems would not need the hybrid approach either, but may function best with Bayesian or signature-based techniques, as the points of identification are clear.

Fuzzy logic and clustering allow for further dissemination and critical review of data, as the application is in real time, which works better for soft computing or cloud systems (Ashfaq et al., 2017). Lin et al. (2015) determine that the use of clustering proves desirable because it can integrate similar themes or traits, along with the timing of receiving the data, with the needs of the system and its activities. Integration serves to provide the system with clear messages of what information is partitioned, where, and why. Due to the level of detail, situations that call for a simpler solution will not justify investing in such intricate design features unless the activity level or purpose of the administrator's actions warrants such protections (Mitrokotsa & Dimitrakakis, 2013). Kabir, Onik, and Samad (2017) remark that the weakness of the Bayesian approach stems from its popularity and widespread usage as the preferred method. This points to the need for a flexible hybrid or dual platform where learning contributes to the evolution of the system. Therefore, Kabir et al. (2017) find that Bayesian programming is a strong foundation, but that ultimately technique design should move toward featuring clusters for anomalous behaviors, where one part determines the "true" user while the other determines normal patterns of behavior for that user.

With the migration toward soft computing and cloud data storage systems, IDSs and their techniques need to focus on providing classifiers for cross-validation of data sources where there is little time discrepancy. The technique must have parameters for all time temporalities (Mitrokotsa & Dimitrakakis, 2013). The concept of robustness remains central to the design of a technique that meets the needs of business functionality and the multiple dimensions of time. This calls for a technique based in robustness, sturdy and strict in rules-based procedures, but also learning from uncertain information, such as possible false positives.
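As a minimal illustration of the Bayesian foundation this comparison keeps returning to, the scoring rule from Section 4.1 can be sketched as a tiny naive Bayes classifier. The connection features, values, labels, and add-one smoothing below are illustrative assumptions, not taken from any cited system:

```python
import math
from collections import Counter, defaultdict

class NaiveBayes:
    """Categorical naive Bayes: a class is scored as log P(class) plus the
    sum of log P(feature_i | class), i.e. Bayes' theorem from Section 4.1
    under the naive independence assumption between the nodes."""

    def fit(self, rows, labels):
        self.classes = sorted(set(labels))
        self.priors = Counter(labels)
        self.counts = defaultdict(Counter)  # (class, slot) -> value counts
        self.vocab = [{r[i] for r in rows} for i in range(len(rows[0]))]
        for row, y in zip(rows, labels):
            for i, v in enumerate(row):
                self.counts[(y, i)][v] += 1
        return self

    def predict(self, row):
        total = sum(self.priors.values())
        def log_posterior(y):
            s = math.log(self.priors[y] / total)
            for i, v in enumerate(row):
                c = self.counts[(y, i)]
                # Add-one (Laplace) smoothing avoids zero probabilities.
                s += math.log((c[v] + 1) / (sum(c.values()) + len(self.vocab[i])))
            return s
        return max(self.classes, key=log_posterior)

# Hypothetical (protocol, TCP flag) records with hand-assigned labels.
rows = [("tcp", "SYN"), ("tcp", "ACK"), ("udp", "ACK"),
        ("tcp", "SYN"), ("icmp", "SYN"), ("tcp", "ACK")]
labels = ["attack", "normal", "normal", "attack", "attack", "normal"]
model = NaiveBayes().fit(rows, labels)
print(model.predict(("tcp", "SYN")), model.predict(("udp", "ACK")))
```

The log-space scoring is the usual way to keep products of many small probabilities numerically stable; the hybrid designs discussed above would feed such a scorer with cluster-derived rather than hand-assigned labels.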
Wang et al. (2010) support the use of fuzzy clustering to maneuver uncertainty in classifying attacks on the system as business needs grow more toward the application of risky interactions. Being fuzzy means the data is uncertain or falls into an undefinable realm per the rules-based system and even the anomaly definition. The gray areas of data will find similar traits, common threads, and reasons for being grouped together. The fuzzy-cluster hybrid as a technique finds strength in weaving between levels, sharing, and learning from the information of the system, rather than falsely believing that the information is a threat. Issues with this approach pertain to installing hybrid forms of security measures where the data must unlock rules to move within the system. Wang et al. (2010) demonstrate how this may create limitations where there are walls that block information exchange; without further clustering of the result, the threat will be blocked or partitioned off to serve the needs of one group defined by the cluster. Wang et al. (2010) find that this can provide further design features and usefulness for the user in terms of who has access to the data and who does not. If data is found to be a threat, then because of the clustering effect the system is protected, but the data is still analyzed for some level of value to the firm. What proves beneficial is the ability to learn from the data while keeping it separated from other sensitive and proprietary data, such as intellectual property (Ashfaq et al., 2017).

… coordinated attacks (Zhou, Leckie & Karunasekera, 2010).

7. CONCLUSION

We have presented an overview of the different types of intrusion detection systems and the approaches, methodologies, and techniques used by IDSs. Each technique and class of IDS has its strengths and limitations, so we should be mindful when selecting the best approach. We compared and contrasted each technique and approach to determine which works best in a particular situation. We focused our study on the most common intrusion detection models, such as NIDS and HIDS, and on both the anomaly- and signature-based approaches to detection. Finally, we also presented current trends in the world of information and network security over the last several years and the direction in which information technology is heading.

REFERENCES

1. Pathan, A.-S. K. (Ed.). (2014). The state of the art in intrusion prevention and detection.

2. Bace, R., & Mell, P. (2001). Intrusion detection systems. National Institute of Standards and Technology (NIST), Technical Report 800-31.

3. Pappas, N. (2008, April). Network IDS & IPS deployment strategy [White paper]. SANS Institute InfoSec Reading Room.
… Proceedings of the 1992-1993 Workshop on New Security Paradigms, 175-184, Little Compton.

11. Bridges, S. M., & Vaughn, R. B. (2000). Fuzzy data mining and genetic algorithms applied to intrusion detection. Proceedings of the National Information Systems Security Conference, Baltimore.

12. Dokas, P., Ertoz, L., et al. (2002). Data mining for network intrusion detection. Proceedings of the National Science Foundation Workshop on Next Generation Data Mining, 21-31.

13. Li, W. (2004). Using genetic algorithm for network intrusion detection. Proceedings of the United States Department of Energy Cyber Security Group Training Conference, 1-9.

14. Singh, S., & Bansal, M. (2013, June). A survey on intrusion detection system in data mining. International Journal of Advanced Research in Computer Engineering & Technology (IJARCET), 2(6). ISSN: 2278-1323.

25. Burns, D., Adesina, O., & Barker, K. (2012). CCNP Security IPS 642-627 official cert guide. Cisco Press.

26. Richardson, R. (2011). 2010/2011 CSI Computer Crime and Security Survey.

27. Schneider, D. (2012). The state of network security. Network Security, 2012(2), 14-20. doi:10.1016/S1353-4858(12)70016-8

28. Hunt, R., & Zeadally, S. (2012). Network forensics: An analysis of techniques, tools, and trends. Computer, 45(12), 36-43.

29. Zhou, C., Leckie, C., & Karunasekera, S. (2010). A survey of coordinated attacks and collaborative intrusion detection. Computers & Security, 29(1), 124-140.

30. Darwiche, A., et al. (2010). Bayesian networks. Communications of the ACM, 53(12), 80-90.

31. Biermann, E., Cloete, E., & Venter, L. M. (2001). A comparison of intrusion detection systems. Computers & Security, 20(8), 676-683.