Network Intrusion Detection System: Techniques And Approaches

Introduction to Network Intrusion Detection Systems

Discuss the network intrusion detection system.


An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Detected activity is either reported to an administrator or collected centrally by a security information and event management (SIEM) system. A SIEM combines the outputs of multiple sources and applies alarm filtering techniques to separate genuine malicious activity from false alarms.

There are several types of IDS, ranging in scope from a single computer to large networks. The most common types are network intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS). A system that monitors important operating system files is an example of a HIDS; a system that analyses incoming network traffic is an example of a NIDS. An IDS can also be classified by its detection approach. The best-known variants are signature-based detection, which recognises known bad patterns such as malware, and anomaly-based detection, which flags deviations from a model of "good" traffic and often relies on machine learning. Some IDS can respond to detected intrusions; systems with response capabilities are usually referred to as intrusion prevention systems (IPS).

Network intrusion detection systems (NIDS) are placed at one or more strategic points within a network to monitor traffic to and from all devices on the network. A NIDS analyses the traffic passing on the entire subnet and matches it against a library of known attacks. Once an attack or abnormal behaviour is identified, an alert is sent to the administrator. For example, a NIDS might be installed on the subnet where the firewalls sit, to see whether someone is trying to break into the firewall. Ideally one would inspect all inbound and outbound traffic, but doing so can create a bottleneck that impairs the overall speed of the network. Tools commonly used to simulate NIDS include OPNET and NetSim. A NIDS can also compare signatures across similar packets in order to link related packets and, when it sits in the forwarding path, drop the harmful packets whose signature matches a record in its database.

Classified by how they interact with the network, NIDS designs fall into two types: on-line and off-line, often referred to as inline and tap mode respectively. An on-line NIDS deals with the network in real time: it analyses Ethernet frames as they pass and applies its rules to decide whether each one is part of an attack. An off-line NIDS deals with stored data, such as captured traffic, passing it through the same processes to decide after the fact whether an attack took place.
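The signature-matching behaviour and the two operating modes described above, as an added example that is not code from any NIDS product: the packet records and the rule library are constructed for illustration, and a "signature" here is reduced to a (protocol, destination port, payload substring) triple rather than a full rule language.

```python
"""Signature-matching NIDS engine in on-line (inline) and off-line (tap)
modes.  Added example, not code from any NIDS product: the packet records
and the rule library below are constructed for illustration, and the
signature format (protocol, destination port, payload substring) is a
deliberately reduced version of what a real rule language offers."""
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    proto: str
    dport: Optional[int]   # None matches any destination port
    content: bytes         # byte pattern that must appear in the payload

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto
                and (self.dport is None or self.dport == pkt.dport)
                and self.content in pkt.payload)


# Constructed rule library (hypothetical signatures, not vendor rules).
RULES: List[Signature] = [
    Signature(1000001, "HTTP path traversal attempt", "tcp", 80, b"../.."),
    Signature(1000002, "shell interpreter named in HTTP request", "tcp", 80, b"/bin/sh"),
    Signature(1000003, "SQL tautology in HTTP query", "tcp", 80, b"' OR 1=1"),
]


def match(pkt: Packet, rules: Iterable[Signature] = RULES) -> List[Signature]:
    """Return every signature the packet matches; each one is an alert."""
    return [r for r in rules if r.matches(pkt)]


def inline_filter(stream: Iterable[Packet],
                  rules: Iterable[Signature] = RULES) -> Iterator[Packet]:
    """On-line / inline mode: the sensor sits in the forwarding path and
    decides per packet, in real time, whether to forward or drop it.
    Matching packets are dropped (IPS behaviour); everything else is
    forwarded.  Every rule evaluated here adds latency to live traffic,
    which is the bottleneck the text warns about."""
    rules = list(rules)
    for pkt in stream:
        if not match(pkt, rules):
            yield pkt


def offline_scan(stored: Iterable[Packet],
                 rules: Iterable[Signature] = RULES) -> List[Tuple[int, int, str, str, str]]:
    """Off-line / tap mode: analyse previously captured packets and emit
    (packet index, sid, message, src, dst) alerts.  Nothing is dropped,
    because the sensor was never in the forwarding path."""
    rules = list(rules)
    alerts = []
    for i, pkt in enumerate(stored):
        for sig in match(pkt, rules):
            alerts.append((i, sig.sid, sig.msg, pkt.src, pkt.dst))
    return alerts


# Constructed traffic sample: three benign packets and two that match.
SAMPLE: List[Packet] = [
    Packet("10.0.0.5", "192.0.2.10", "tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("10.0.0.6", "192.0.2.10", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("10.0.0.7", "192.0.2.10", "udp", 53, b"\x12\x34\x01\x00"),
    Packet("10.0.0.8", "192.0.2.10", "tcp", 80, b"GET /login?u=a' OR 1=1-- HTTP/1.1\r\n"),
    # TLS record: the payload is opaque to content rules, so it never matches.
    Packet("10.0.0.9", "192.0.2.10", "tcp", 443, b"\x16\x03\x01\x00\x05hello"),
]


if __name__ == "__main__":
    for alert in offline_scan(SAMPLE):
        print("ALERT", alert)
    forwarded = list(inline_filter(SAMPLE))
    print(f"inline mode forwarded {len(forwarded)} of {len(SAMPLE)} packets")
```

Two practical points the sample is built to show: the same rule set produces alerts in tap mode but drops in inline mode, so a false positive in inline mode is an outage rather than a noisy log line; and the TLS packet passes untouched, because content signatures cannot see into encrypted payloads.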

Types of Intrusion Detection System – NIDS and HIDS

There are various techniques in the literature for detecting intrusive behaviour. Intrusion detection has recently received considerable interest among researchers, largely because of its wide application in preserving security within a network. Here we present some of the techniques used for intrusion detection.


F. Owens and R. R. Levary state that intrusion detection systems have commonly been built using expert system technology. However, IDS researchers have tended to build systems that are difficult to manage, lack insightful user interfaces and are inconvenient to use in real-life circumstances. The adaptive expert system they propose uses fuzzy sets to detect attacks. Their expert system is comparatively easy to implement on computer networks and can adjust itself to the nature or the degree of the threat; experiments with CLIPS were used to demonstrate this adjustment capability. Alok Sharma focused on applying text processing techniques to system call sequences in order to detect intrusions. Host-based intrusions are detected by introducing a kernel-based similarity measure, and processes are classified as either normal or abnormal using the k-nearest neighbour (kNN) classifier. The proposed method was evaluated on the DARPA 1998 data set and compared with other methods in the literature.
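The text-processing approach to host-based detection described above, as an added worked example (not the authors' code): processes are represented by their system-call traces, traces are compared with a similarity kernel, and the kNN classifier votes normal or abnormal. The traces are constructed, and the kernel used here, cosine similarity over system-call n-gram counts, is an assumption chosen for illustration rather than the measure from the paper.

```python
"""k-nearest-neighbour classification of system-call traces, added as a
worked example of the text-processing approach described above.  Not the
authors' code: the traces are constructed, and the similarity kernel
(cosine similarity over system-call n-gram counts) is an assumption made
for illustration, not the kernel from the paper."""
from collections import Counter
from math import sqrt
from typing import List, Sequence, Tuple

Trace = Sequence[str]


def ngram_counts(trace: Trace, n: int = 2) -> Counter:
    """Treat a trace as a document whose terms are windows of n consecutive
    system calls; unlike a plain bag of calls this keeps local ordering,
    which is what distinguishes 'open then read' from 'read then open'."""
    return Counter(tuple(trace[i:i + n]) for i in range(len(trace) - n + 1))


def cosine_kernel(a: Counter, b: Counter) -> float:
    """Similarity in [0, 1]: 1 for identical n-gram distributions, 0 when
    the traces share no n-gram at all."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm_a = sqrt(sum(v * v for v in a.values()))
    norm_b = sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def knn_classify(sample: Trace, labelled: List[Tuple[Trace, str]],
                 k: int = 3, n: int = 2) -> str:
    """Majority label among the k training traces most similar to sample."""
    query = ngram_counts(sample, n)
    ranked = sorted(((cosine_kernel(query, ngram_counts(t, n)), label)
                     for t, label in labelled), reverse=True)
    votes = Counter(label for _, label in ranked[:k])
    return votes.most_common(1)[0][0]


# Constructed training traces (not DARPA data).  "normal" traces look like
# a network service handling requests; "abnormal" ones end in the
# spawn-a-shell footprint that exploit payloads leave behind.
TRAIN: List[Tuple[Trace, str]] = [
    (["socket", "bind", "listen", "accept", "read", "write", "close"], "normal"),
    (["accept", "read", "open", "read", "write", "close", "accept"], "normal"),
    (["accept", "read", "stat", "open", "read", "write", "close"], "normal"),
    (["accept", "read", "write", "close", "accept", "read", "write"], "normal"),
    (["accept", "read", "mmap", "mprotect", "execve", "dup2", "execve"], "abnormal"),
    (["read", "mprotect", "execve", "setuid", "execve", "write"], "abnormal"),
    (["accept", "read", "setuid", "execve", "dup2", "dup2", "execve"], "abnormal"),
]


def classify_trace(trace: Trace) -> str:
    """Classify one captured trace against the constructed training set."""
    return knn_classify(trace, TRAIN)


if __name__ == "__main__":
    print(classify_trace(["accept", "read", "write", "close", "accept", "read"]))
    print(classify_trace(["accept", "read", "mprotect", "execve", "dup2", "execve"]))
```

The choice of n matters: with n = 1 the kernel is a plain bag of calls and a trace that merely contains an execve somewhere would look similar to any process that legitimately spawns children, whereas bigrams such as (mprotect, execve) capture the order in which an exploit tends to issue them.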

Shanmugam and Norbik Bashah Idris propose a hybrid model based on fuzzy logic and data mining methods to detect both misuse and anomaly attacks. Their objectives were to reduce the quantity of data that must be kept for processing, through attribute selection, and to improve the detection rate of existing IDS, through data mining. An improved Kuok fuzzy data mining algorithm, a modified version of the Apriori algorithm, is used to generate fuzzy if-then rules that express the common ways in which security attacks manifest. Faster decision making is achieved with a Mamdani inference mechanism using three input variables in the fuzzy inference engine. The DARPA 1999 data set was used to test and benchmark the efficiency of the proposed model, and test results against the "live" campus network were also analysed.
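The Mamdani inference step above, as an added example that is not the authors' code: three traffic features are fuzzified, if-then rules are fired with min as the AND operator, the consequents are clipped and aggregated, and a centroid gives a crisp threat score. The feature names, membership function ranges and rule base are all constructed for illustration; in the paper the rules are mined from traffic rather than written by hand.

```python
"""Mamdani fuzzy inference over three traffic features, added as a worked
example of the fuzzy if-then rule approach described above.  Not the
authors' code: the features, membership functions and rule base are
constructed for illustration (a real rule base would be mined from
traffic, as the paper does with its Apriori-style algorithm)."""
from typing import Callable, Dict, List, Tuple

MF = Callable[[float], float]
BIG = 1e12   # stand-in for "no upper bound" in right-shoulder sets


def trapezoid(a: float, b: float, c: float, d: float) -> MF:
    """Membership rises from a to b, is 1 on [b, c], falls from c to d.
    a == b gives a left shoulder and c == d a right shoulder."""
    def mu(x: float) -> float:
        if b <= x <= c:
            return 1.0
        if a < x < b:
            return (x - a) / (b - a)
        if c < x < d:
            return (d - x) / (d - c)
        return 0.0
    return mu


# Linguistic terms for each input (constructed ranges).
INPUT_SETS: Dict[str, Dict[str, MF]] = {
    # new connections per second towards one host
    "conn_rate": {"low": trapezoid(0, 0, 5, 20),
                  "medium": trapezoid(5, 20, 50, 100),
                  "high": trapezoid(50, 100, BIG, BIG)},
    # fraction of those connections that never complete the handshake
    "syn_ratio": {"low": trapezoid(0, 0, 0.2, 0.5),
                  "high": trapezoid(0.3, 0.7, 1, 1)},
    # distinct destination ports touched per minute
    "port_spread": {"few": trapezoid(0, 0, 5, 20),
                    "many": trapezoid(10, 50, BIG, BIG)},
}

# Output universe: threat level in [0, 1].
OUTPUT_SETS: Dict[str, MF] = {
    "low": trapezoid(0, 0, 0.2, 0.5),
    "medium": trapezoid(0.3, 0.5, 0.5, 0.7),
    "high": trapezoid(0.5, 0.8, 1, 1),
}

# IF <antecedent terms joined by AND> THEN threat IS <consequent>.
Rule = Tuple[List[Tuple[str, str]], str]
RULES: List[Rule] = [
    ([("conn_rate", "high"), ("syn_ratio", "high")], "high"),      # SYN flood
    ([("port_spread", "many"), ("syn_ratio", "high")], "high"),    # port scan
    ([("conn_rate", "high"), ("syn_ratio", "low")], "medium"),     # busy, handshakes complete
    ([("conn_rate", "medium"), ("syn_ratio", "low")], "low"),
    ([("conn_rate", "low"), ("port_spread", "few")], "low"),
]


def infer(inputs: Dict[str, float], rules: List[Rule] = RULES) -> float:
    """Mamdani inference: fuzzify, AND = min, clip each consequent at the
    rule's firing strength, aggregate with max, defuzzify by centroid."""
    xs = [i / 100 for i in range(101)]        # discretised output universe
    aggregate = [0.0] * len(xs)
    for antecedent, consequent in rules:
        strength = min(INPUT_SETS[var][term](inputs[var]) for var, term in antecedent)
        if strength == 0.0:
            continue                           # rule does not fire
        out = OUTPUT_SETS[consequent]
        for i, x in enumerate(xs):
            aggregate[i] = max(aggregate[i], min(strength, out(x)))
    area = sum(aggregate)
    return sum(x * m for x, m in zip(xs, aggregate)) / area if area else 0.0


if __name__ == "__main__":
    observations = {
        "syn flood": {"conn_rate": 500, "syn_ratio": 0.95, "port_spread": 1},
        "port scan": {"conn_rate": 30, "syn_ratio": 0.9, "port_spread": 200},
        "busy server": {"conn_rate": 120, "syn_ratio": 0.1, "port_spread": 3},
        "quiet": {"conn_rate": 2, "syn_ratio": 0.05, "port_spread": 2},
    }
    for name, obs in observations.items():
        print(f"{name:12s} threat={infer(obs):.2f}")
```

The point of fuzzy rather than crisp thresholds is visible in the overlapping sets: a host at 80 connections per second is partly "medium" and partly "high", so two rules fire with fractional strength and the score moves smoothly instead of flipping at a hard boundary, which is what keeps a slightly noisy feature from generating alert storms.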

Network Intrusion Detection System (NIDS)

A. Adebayo presents a Fuzzy-Bayesian method for detecting real-time network anomaly attacks, that is, malicious activity against a computer network. The effectiveness of the method is established by describing the framework: combining a fuzzy approach with a Bayesian classifier improves the overall performance of a Bayes-based IDS. Experiments on the KDD 1999 IDS data set verify the practicability of the method. Abadeh, M.S. and Habibi, J. propose a method for developing fuzzy classification rules for intrusion detection in computer networks. Their fuzzy rule base design follows the iterative rule learning (IRL) approach: an evolutionary algorithm optimises one fuzzy classifier rule at a time, so the rule base is built incrementally. The intrusion detection problem is treated as a high-dimensional classification problem when analysing the final fuzzy classification system. Results show that the fuzzy rules generated by the proposed algorithm can be used to build a reliable intrusion detection system.

Arman Tajbakhsh presents a framework for constructing an IDS based on data mining techniques. In the framework, the classification engine, which is the central part of the IDS, uses Association Based Classification (ABC), and the classifiers are built from fuzzy association rules. Matching measures evaluate how consistent a new sample (the one to be categorised) is with each class's rule set, and the sample is labelled with the class whose rule set matches best. A method that reduces the items that may appear in extracted rules is also proposed, to cut the time taken by the rule induction algorithm. The framework was evaluated on the KDD-99 data set. The results show a high total detection rate and a high detection rate for known attacks with a low false positive rate, although the results for unknown attacks are not encouraging.
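The association-based classification framework above, as an added example that is not the authors' code: frequent itemsets are mined per class with Apriori, kept as class rules when they are confident, and a new sample is labelled with the class whose rule set it matches best. Three simplifications are assumptions made here: the records are constructed (discretised in the style of KDD-99 attributes, not real rows), the rules are crisp "attribute=value" itemsets rather than fuzzy ones, and the matching measure is one reasonable choice, not the measure from the paper. The last sample, which matches no rule at all, shows the weak spot the text mentions for unknown attacks.

```python
"""Association-based classification (ABC) for intrusion detection, added
as a worked example of the framework described above.  Not the authors'
code: the connection records are constructed (discretised in the style
of KDD-99 attributes), the rules are crisp "attribute=value" itemsets
rather than fuzzy ones, and the matching measure is an assumption."""
from collections import defaultdict
from itertools import combinations
from typing import Dict, FrozenSet, List, Tuple

Record = FrozenSet[str]                       # items such as "flag=S0"
Rule = Tuple[FrozenSet[str], float, float]    # (itemset, support, confidence)


def rec(**attrs: str) -> Record:
    """Build a record from discretised attribute values."""
    return frozenset(f"{k}={v}" for k, v in attrs.items())


def frequent_itemsets(records: List[Record], min_support: float,
                      max_items: int) -> Dict[FrozenSet[str], float]:
    """Apriori: level-wise candidate generation, pruned by the fact that
    every subset of a frequent itemset is itself frequent.  max_items caps
    the itemset size, the kind of item reduction that keeps induction fast."""
    n = len(records)

    def support(s: FrozenSet[str]) -> float:
        return sum(1 for r in records if s <= r) / n

    level = {frozenset([item]) for r in records for item in r}
    frequent: Dict[FrozenSet[str], float] = {}
    k = 1
    while level and k <= max_items:
        scored = {s: support(s) for s in level}
        kept = {s: sup for s, sup in scored.items() if sup >= min_support}
        frequent.update(kept)
        items = sorted({item for s in kept for item in s})
        level = {frozenset(c) for c in combinations(items, k + 1)
                 if all(frozenset(sub) in kept for sub in combinations(c, k))}
        k += 1
    return frequent


def class_rules(data: List[Tuple[Record, str]], min_support: float = 0.5,
                min_conf: float = 0.8, max_items: int = 3) -> Dict[str, List[Rule]]:
    """Mine one rule set per class.  Support is measured inside the class;
    confidence is P(class | itemset) over the whole data set, so an itemset
    that is common to every class does not become a rule for any of them."""
    by_class: Dict[str, List[Record]] = defaultdict(list)
    for record, label in data:
        by_class[label].append(record)
    everything = [record for record, _ in data]
    rules: Dict[str, List[Rule]] = {}
    for label, records in by_class.items():
        rule_set: List[Rule] = []
        for items, sup in frequent_itemsets(records, min_support, max_items).items():
            in_class = sum(1 for r in records if items <= r)
            overall = sum(1 for r in everything if items <= r)
            conf = in_class / overall
            if conf >= min_conf:
                rule_set.append((items, sup, conf))
        rules[label] = rule_set
    return rules


def match_score(sample: Record, rule_set: List[Rule]) -> float:
    """Matching measure (assumption): weight of the class's rules that the
    sample satisfies, relative to the total weight of that rule set."""
    total = sum(sup * conf for _, sup, conf in rule_set)
    hit = sum(sup * conf for items, sup, conf in rule_set if items <= sample)
    return hit / total if total else 0.0


def classify(sample: Record, rules: Dict[str, List[Rule]]) -> str:
    """Label = class whose rule set matches best.  A sample that satisfies
    no rule at all is reported as unknown rather than forced into a class."""
    scores = {label: match_score(sample, rule_set) for label, rule_set in rules.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] > 0.0 else "unknown"


# Constructed training records (not real KDD-99 rows).
TRAIN: List[Tuple[Record, str]] = [
    (rec(protocol="tcp", service="http", flag="SF", count="low", srv_count="low", diff_srv="low"), "normal"),
    (rec(protocol="tcp", service="http", flag="SF", count="low", srv_count="medium", diff_srv="low"), "normal"),
    (rec(protocol="tcp", service="smtp", flag="SF", count="low", srv_count="low", diff_srv="low"), "normal"),
    (rec(protocol="udp", service="dns", flag="SF", count="low", srv_count="low", diff_srv="low"), "normal"),
    (rec(protocol="tcp", service="private", flag="S0", count="high", srv_count="high", diff_srv="low"), "neptune"),
    (rec(protocol="tcp", service="private", flag="S0", count="high", srv_count="high", diff_srv="low"), "neptune"),
    (rec(protocol="tcp", service="http", flag="S0", count="high", srv_count="medium", diff_srv="low"), "neptune"),
    (rec(protocol="tcp", service="private", flag="REJ", count="high", srv_count="high", diff_srv="low"), "neptune"),
    (rec(protocol="tcp", service="private", flag="REJ", count="low", srv_count="low", diff_srv="high"), "portsweep"),
    (rec(protocol="tcp", service="ftp", flag="REJ", count="low", srv_count="low", diff_srv="high"), "portsweep"),
    (rec(protocol="tcp", service="private", flag="S0", count="low", srv_count="low", diff_srv="high"), "portsweep"),
]
RULES_BY_CLASS = class_rules(TRAIN)


if __name__ == "__main__":
    for label, rule_set in RULES_BY_CLASS.items():
        print(label, sorted(sorted(items) for items, _, _ in rule_set)[:3], "...")
    print(classify(rec(protocol="tcp", service="http", flag="SF", count="low", srv_count="low", diff_srv="low"), RULES_BY_CLASS))
    print(classify(rec(protocol="udp", service="other", flag="SH", count="medium", srv_count="medium", diff_srv="medium"), RULES_BY_CLASS))
```

Note that "protocol=tcp" is frequent in every class yet becomes a rule for none, because its confidence is spread across the classes; that is the reason confidence is computed over the whole data set rather than within the class.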

A network intrusion detection system generally consists of a network appliance (or sensor) with a network interface card (NIC) operating in promiscuous mode, plus a separate management interface. The sensor is placed on a network segment or boundary and monitors all traffic on that segment. A NIDS is an independent platform that identifies intrusions by examining network traffic and can monitor multiple hosts at once. It gains access to the traffic by connecting to a network hub, to a switch port configured for port mirroring, or to a network tap. Sensors are located at the choke points of the network to be monitored, often in the demilitarised zone (DMZ) or at network borders, where they capture all network traffic and analyse the content of individual packets for malicious traffic.
