International Journal of Security, Privacy and Trust Management


ABSTRACT

An Intrusion Detection System (IDS) is a software application which monitors network or system activities and finds out whether any malicious operations occur. The tremendous growth and usage of the internet raises concerns about how to protect and communicate digital information in a safe manner. Nowadays, hackers use different types of attacks to get valuable information. Many intrusion detection techniques, methods and algorithms help to detect these attacks. The main objective of this paper is to provide a complete study of the definition of intrusion detection, its history, life cycle, types of intrusion detection methods, types of attacks, different tools and techniques, research needs, challenges and applications.

INTRODUCTION

An Intrusion Detection System is an application used for monitoring the network and protecting it from intruders. With the rapid progress in internet based technology, new application areas for computer networks have emerged [7]. For instance, in fields like business, finance, industry, security and healthcare, LAN and WAN applications have progressed. All of these application areas have made the network an attractive target for abuse and a big vulnerability for the community [7]. Malicious users or hackers use the organization's internal systems to collect information and exploit vulnerabilities like software bugs, lapses in administration, and systems left in their default configuration [8]. As the internet emerges into society, new threats like viruses and worms are introduced.


Malicious users employ different techniques like password cracking and detecting unencrypted text to compromise the system. Hence, security is needed for users to protect their systems from intruders. The firewall technique is one of the popular protection techniques and is used to protect the private network from the public network. IDS are used in network related activities, medical applications, credit card fraud and insurance agencies [8]. The remaining portion of the paper is organized as follows. Section 2 tells about the history and the basic concepts of IDS. Section 3 illustrates the IDS functionality. Section 4 gives a brief description of the life cycle of IDS. Techniques are explained in Section 5. Section 6 describes IDS tools. Section 7 discusses the needs and challenges. The conclusion is given in Section 8.

HISTORY

The goal of intrusion detection is to monitor network assets to detect anomalous behavior and misuse in the network [16]. The intrusion detection concept was introduced in the early 1980s, after the evolution of the internet, with surveillance and monitoring of threats [17]. There was a sudden rise in reputation and incorporation into security infrastructure. Since then, several events in IDS technology have advanced intrusion detection to its current state [16]. James Anderson wrote a paper for a government organization and introduced the insight that audit trails contained important information that could be valuable in tracking misuse and understanding user behavior [16].

Then intrusion detection appeared, and audit data and its importance led to terrific improvements in the subsystems of every operating system [16]. IDS and Host Based Intrusion Detection System (HIDS) were first defined. In 1983, SRI International and Dorothy Denning began working on a government project that launched a new effort into intrusion detection system development [17]. Around the 1990s revenues were generated and the intrusion detection market rose. RealSecure is a network intrusion detection system developed by ISS. After a year, Cisco recognized the priority of network intrusion detection and purchased the Wheel Group to obtain its security solutions [17]. Government actions like the Federal Intrusion Detection Network (FIDNet), designed under Presidential Decision Directive 63, are also adding impulse to IDS [17].

INTRUSION DETECTION SYSTEM

An IDS is referred to as a burglar alarm. For example, the lock system in a house protects the house from theft. But if somebody breaks the lock and tries to enter the house, it is the burglar alarm that detects that the lock has been broken and alerts the owner by raising an alarm. Firewalls do a very good job of filtering incoming traffic from the Internet, but there are ways to circumvent the firewall [8]. For example, external users can connect to the intranet by dialing through a modem installed in the private network of the organization; this kind of access cannot be detected by the firewall [8].

An Intrusion Prevention System (IPS) is a network security/threat prevention technology that audits network traffic flows to detect and prevent vulnerability exploits. There are two types of prevention system: Network (NIPS) and Host (HIPS). These systems watch the network traffic and automatically take actions to protect networks and systems. The IPS issue is false positives and false negatives. A false positive is an event which produces an alarm in the IDS when there is no attack. A false negative is an event which does not produce an alarm when an attack takes place. Inline operation can create bottlenecks such as a single point of failure, signature updates and encrypted traffic. The actions occurring in a system or network are measured by the IDS [8].

Types of IDS

Figure 1 shows the different types of Intrusion detection systems.


  • Host based IDS
  • Network based IDS
  • Application based IDS


A host based IDS looks for signs of intrusion on the local system. For analysis it uses the host system's logging and other information. The host based handler is referred to as a sensor. Other sources from which a host-based sensor can obtain data include system logs, other logs generated by operating system processes, and the contents of objects not reflected in standard operating system audit and logging mechanisms [9]. Host based systems rely strongly on the audit trail. This information allows the intrusion detection system to spot subtle patterns of misuse that would not be visible at a higher level of abstraction [10]. The elementary principle of IDS, including Network Based Intrusion Detection Systems (NIDS), originated from anomaly-based HIDS research built on Denning's pioneering work [11]. A host-based IDS provides much more relevant information than a network-based IDS. HIDS can be used efficiently for analyzing attacks: for example, it can sometimes tell exactly what the attacker did, which commands he used and which files he opened, rather than giving only a vague accusation that there was an attempt to execute a dangerous command [12]. It is less risky to configure.

Advantages of Host based Intrusion Detection Systems:

  • Verifies success or failure of an attack
  • Monitors System Activities
  • Detects attacks that a network based IDS fail to detect
  • Near real time detection and response
  • Does not require additional hardware
  • Lower entry cost

Network based IDS systems collect information from the network itself rather than from each separate host [13]. The NIDS audits network attacks as packets move across the network. The network sensors come equipped with attack signatures, which are rules on what constitutes an attack, and most network-based systems allow advanced users to define their own signatures [13]. Detection at the sensor is based on signatures derived from previous attacks, and the operation of the monitors is transparent to the users, which is also significant [14]. The transparency of the monitors decreases the likelihood that an adversary will be able to locate a monitor and nullify its capabilities without effort [10]. Network Node IDS (NNIDS) agents are deployed on every host within the network being protected [2].

Advantages of Network based Intrusion Detection Systems:

  • Lower Cost of Ownership
  • Easier to deploy
  • Detect network based attacks
  • Retaining evidence
  • Real Time detection and quick response.
  • Detection of failed attacks

An application based IDS (APIDS) checks the effective behavior and events of the protocol [2]. The system or agent is placed between a process and a group of servers and monitors and analyzes the application protocol between devices [2]. Intentional attacks are malignant attacks carried out by disgruntled employees to cause harm to the organization, and unintentional attacks cause financial damage to the organization, for example by deleting an important data file [2]. Numerous attacks have taken place at the OSI layers.

Denial-of-Service (DOS) Attacks

It tries to deny authorized users the requested service. A Distributed Denial of Service attack occurs in a distributed environment, where the attacker floods the server with numerous connection requests to knock out the target system [2]. Types of DoS attacks are:

SYN Attack

A SYN attack is also called a synchronization attack. Here, the attacker sends a flood of SYN requests to the destination to consume the resources of the server and make the system unresponsive.

Ping of Death

Here the intruder sends a ping request to the targeted system which is larger than 65,536 bytes, which causes the system to crash [2]. The normal size is 56 bytes, or 84 bytes if the Internet Protocol header is included.
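The two DoS patterns described above can be recognized from packet metadata alone. The following is an added detection example, not code from the paper: it tracks half-open TCP handshakes per source to spot a SYN flood and flags ICMP packets that exceed the maximum IP datagram size. The packet records, the SYN threshold and the IP addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample packet records (not captured traffic):
# (src_ip, dst_ip, protocol, tcp_flags, total_length_bytes).
PACKETS = (
    # 7 SYNs from one source with no handshake completion (flood pattern)
    [("10.0.0.5", "192.168.1.10", "TCP", "SYN", 60)] * 7
    # normal client: each SYN is followed by the final ACK of the handshake
    + [("10.0.0.6", "192.168.1.10", "TCP", "SYN", 60),
       ("10.0.0.6", "192.168.1.10", "TCP", "ACK", 52)] * 2
    # one oversized ICMP datagram and one normal 84-byte ping
    + [("10.0.0.7", "192.168.1.10", "ICMP", "", 65600),
       ("10.0.0.8", "192.168.1.10", "ICMP", "", 84)]
)

SYN_THRESHOLD = 5      # hypothetical: outstanding SYNs per source before alerting
MAX_IP_DATAGRAM = 65535  # largest legal IP datagram (16-bit total length field)


def detect_syn_flood(packets, threshold=SYN_THRESHOLD):
    """Return {src: count} for sources whose uncompleted SYNs exceed threshold."""
    half_open = defaultdict(int)
    for src, _dst, proto, flags, _length in packets:
        if proto != "TCP":
            continue
        if flags == "SYN":
            half_open[src] += 1          # new handshake opened
        elif flags == "ACK" and half_open[src] > 0:
            half_open[src] -= 1          # handshake completed, no longer half-open
    return {src: n for src, n in half_open.items() if n > threshold}


def detect_ping_of_death(packets, limit=MAX_IP_DATAGRAM):
    """Return (src, size) for ICMP packets whose size exceeds the IP maximum."""
    return [(src, length) for src, _dst, proto, _flags, length in packets
            if proto == "ICMP" and length > limit]


if __name__ == "__main__":
    print("SYN flood sources:", detect_syn_flood(PACKETS))
    print("Oversized pings:", detect_ping_of_death(PACKETS))
```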

Eavesdropping Attacks

It is a scheme of interfering in communication by the attacker. This attack can be carried out over telephone lines or through email [2].

Spoofing Attacks

The attacker portrays himself as another user to forge data and take advantage of illegal events in the network. IP spoofing is a common example, where the system believes it is communicating with a trusted user and provides access to the attacker [2].

Intrusion attacks or User to Root Attack (U2R)

An intruder tries to access the system or route through the network. A buffer overflow attack is a typical intrusion attack; it occurs when a web service receives more data than it has been programmed to handle, which leads to loss of data [2].

Logon Abuse Attacks

A logon abuse attack bypasses the authentication and access control mechanisms and grants a user more privileges [2].

Application-Level Attacks

The attacker targets weaknesses of the application layer, for example a security weakness in the web server or faulty controls on the server side [2].

FUNCTIONS OF IDS

The IDS consists of four key functions, namely data collection, feature selection, analysis and action, which are shown in Figure 3.

Data collection

This module passes the data as input to the IDS. The data is recorded into a file and then analyzed. A network based IDS collects and alters the data packets, while a host based IDS collects details like disk usage and system processes.

Feature Selection

A large amount of data is available in the network, from which particular features are selected and evaluated for intrusion. For example, the Internet Protocol (IP) addresses of the source and target system, the protocol type, the header length and the size could be taken as keys for intrusion [15].

Analysis

The data is analyzed to determine its correctness. A rule based IDS analyzes the data by checking the incoming traffic against predefined signatures or patterns [15]. Another method is the anomaly based IDS, where the system behavior is studied and mathematical models are applied to it [15].

Action

It defines the attack and the reaction of the system. The IDS can either inform the system administrator with all the required data through email or alarm icons, or it can play an active part in the system by dropping packets so that they do not enter the system, or by closing the ports [15].
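The four functions above form one pipeline. As an added example (not code from the paper), the block below runs constructed packet records through feature selection using the keys named in the Feature Selection section, both rule based (signature) and anomaly based analysis, and the action step that either drops, alerts or allows. The signature set, the baseline and the anomaly threshold of three standard deviations are assumptions for illustration.

```python
import statistics

# Constructed sample packet records (not captured traffic). Each dict is what the
# data-collection module hands to the IDS; "payload" is a short text excerpt.
COLLECTED = [
    {"src": "10.0.0.5", "dst": "192.168.1.10", "proto": "TCP", "hdr_len": 20,
     "size": 64, "payload": "GET /index.html HTTP/1.1"},
    {"src": "10.0.0.9", "dst": "192.168.1.10", "proto": "TCP", "hdr_len": 20,
     "size": 70, "payload": "GET /../../etc/passwd HTTP/1.1"},
    {"src": "10.0.0.7", "dst": "192.168.1.10", "proto": "UDP", "hdr_len": 8,
     "size": 1500, "payload": ""},
]
# Constructed baseline of packet sizes observed during normal operation.
BASELINE_SIZES = [60, 64, 72, 80, 60, 70]
# Hypothetical signature set: rule name -> substring that identifies the attack.
SIGNATURES = {"path_traversal": "/etc/passwd"}


def select_features(pkt):
    """Feature selection: keep only the fields the paper names as intrusion keys."""
    return {k: pkt[k] for k in ("src", "dst", "proto", "hdr_len", "size")}


def signature_analysis(pkt, signatures=SIGNATURES):
    """Rule based analysis: match the raw payload against predefined patterns."""
    return [name for name, pattern in signatures.items() if pattern in pkt["payload"]]


def anomaly_analysis(features, baseline, k=3.0):
    """Anomaly based analysis: flag a size more than k std devs above the baseline."""
    mean, sd = statistics.mean(baseline), statistics.pstdev(baseline)
    return sd > 0 and features["size"] > mean + k * sd


def decide_action(signature_hits, anomalous):
    """Action: drop known-bad traffic, alert on anomalies, otherwise allow."""
    if signature_hits:
        return "drop"
    return "alert" if anomalous else "allow"


def run_ids(packets, baseline):
    """Collection -> feature selection -> analysis -> action, per packet."""
    verdicts = []
    for pkt in packets:
        feats = select_features(pkt)
        hits = signature_analysis(pkt)
        anomalous = anomaly_analysis(feats, baseline)
        verdicts.append((feats["src"], decide_action(hits, anomalous)))
    return verdicts
```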

IDS LIFE CYCLE

Vendors frequently release new IDS products aggressively and compete for market share [19]. Evaluating the new systems is not a trivial task, and product evaluation information is imperfect. Hiring and retaining workers to administer security and intrusion detection are challenging tasks [19]. Rapid changes in IT make it problematic for a firm to implement a long-term security strategy.

CONCLUSION

The main objective of this paper is to provide an overview of the necessity and utility of intrusion detection systems. This paper gives a complete study of the types of IDS, life cycle, various domains, types of attacks and tools. IDS are becoming essential for day to day security in the corporate world and for network users. IPS defines the preventive measures for security. In the life cycle, the phases developed and their stages are illustrated. Still, there are more challenges to overcome. The techniques of anomaly detection and misuse detection are specifically illustrated, and more techniques can be used. Further work will be done on comparative analysis of some popular data mining algorithms applied to IDS and on enhancing a classification based IDS using selective feedback methods.


International Journal of Security, Privacy and Trust Management. (2022, May 17). Retrieved from

https://graduateway.com/international-journal-of-security-privacy-and-trust-management/
