A Comprehensive Review on Intrusion Detection Systems



    CiiT International Journal of Networking and Communication Engineering, Vol 6, No 9 (2014)

    Abstract: Internet and computer networks are exposed to a steadily growing number of security threats that can damage computer networks and communication channels. Firewalls are used to guard networks, but on their own they are insufficient to give networks full security. Consequently, concern with Intrusion Detection Systems for network security has been growing over recent years. Because of increasing network speeds and traffic volumes, it is vital that detection systems be lightweight enough to keep up. This paper focuses on a review of intrusion detection systems.

    Keywords: Abuse detection, Anomaly detection, Intrusion detection system, Information security.

    I. INTRODUCTION

    As network technology expands quickly, the security of that technology is becoming a requirement for an organization's survival. A large portion of organizations rely on the web to communicate with people and systems, providing news, web shopping, email, credit card details and personal data. Because of the rapid development and widespread use of the Internet, securing an organization's critical data inside or across its systems has raised a considerable number of problems, since many people attempt to attack systems to extract information. An enormous number of attacks have been seen in the last few years. An Intrusion Detection System plays a major part against those attacks by securing the system's critical data [1]. As firewalls and antiviruses are insufficient to fully protect a system, organizations need to deploy an Intrusion Detection System to protect their critical data against different sorts of attacks.

    Intrusions are activities that attempt to bypass the security mechanisms of computer systems, that is, any activities that threaten the integrity, availability, or confidentiality of a system resource. These properties are defined as follows:

    Confidentiality implies that data is not made available or disclosed to unauthorized people, entities or processes;

    Integrity implies that information has not been modified or destroyed in an unauthorized way;

    Availability implies that a system or a system resource is accessible and usable on demand by an authorized user.

    Intrusion Detection is the process of monitoring the events occurring in a computer network or system and analysing them for signs of intrusions, such as unauthorized entry, activity, or file modification [2, 3].

    II. INTRUSION DETECTION SYSTEMS

    An Intrusion Detection System is software that automates the intrusion detection process and identifies possible intrusions. Intrusion Detection Systems serve three vital security functions: they monitor, detect, and respond to unauthorized activity by organization insiders and intrusion by outsiders. An Intrusion Detection System is made up of a few components:

    Sensors, which generate security events;

    Console, to monitor events and generate alerts; the console also controls the sensors;

    Central Engine, which records the events logged by the sensors in a database and uses a set of rules to generate alerts from the security events received [4].

    Intrusion Detection Systems are partitioned into the following categories: host-based (HIDS), network-based (NIDS), and Hybrid Intrusion Detection [5]. A HIDS requires small programs (agents) to be installed on the individual systems to be supervised. The agents monitor the operating system and write results to log files and/or trigger alarms. A NIDS customarily consists of a network application with a Network Interface Card (NIC) working in promiscuous mode and a separate management interface. NIDS sensors are placed on a boundary or network segment and observe all traffic on that segment. The prevailing tendency in intrusion detection is to combine both network-based and host-based information to develop more efficient hybrid systems.

    Host Based Intrusion Detection System (HIDS): A Host-based Intrusion Detection System places monitoring agents on network resource nodes to monitor the audit logs generated by application programs or the Network Operating System. Audit logs hold records of the activities and events taking place at every network resource. HIDS can detect attacks that cannot be seen by NIDS, such as misuse by a trusted insider and intrusion. The signature rule base used by HIDS is determined by the site-specific security policy. HIDS overcomes the problems associated with NIDS by alarming the security personnel, who can identify the source using the site-specific security policy. HIDS can also verify whether an attack was foiled, either because of the immediate response to the alarm or for any other reason. HIDS can also track user log-on and log-off actions and all activities that generate audit records [6].

    A Comprehensive Review on Intrusion Detection Systems

    SREENATH.M, PPG Institute of Technology, Coimbatore, 641035, India

    [email protected]

    Network Based Intrusion Detection System (NIDS): A NIDS is used to analyse and monitor network traffic to protect a system from network-based threats, where the data travels as traffic through the network. A NIDS tries to find malicious activities such as port scans, ping sweeps, denial-of-service (DoS) attacks, and packet sniffer attacks. A NIDS includes one or more servers for management functions, a number of sensors to oversee packet traffic, and one or more management consoles for the human interface. A NIDS examines the traffic packet by packet, in real time or near real time, to detect intrusion patterns. The analysis of traffic to detect intrusions is done by the agents on the management servers. These network-based procedures are regarded as the active component.

    Hybrid Intrusion Detection: The network-based and host-based Intrusion Detection System solutions each have unique benefits and strengths over the other, which is why the next generation of Intrusion Detection Systems is evolving to embrace tightly fused network and host components. A hybrid intrusion detection system increases the security level and promises better flexibility. It reports attacks that are aimed at the entire network or at particular segments, and combines Intrusion Detection System agent locations.

    Each technique has a unique methodology for monitoring and securing information, and every category has strengths and weaknesses that ought to be weighed against the requirements of each target environment. The two sorts of Intrusion Detection Systems differ fundamentally from one another, yet complement each other well. In a proper Intrusion Detection System implementation, it would be better to completely integrate the network intrusion detection system so that it channels alarms and warnings in the same way as the host-based part of the system, controlled from the same central location. Doing so gives a helpful means of managing and responding to attacks using both sorts of intrusion detection.

    There are some prevalent steps that an Intrusion Detection System follows; they are listed below and shown in figure 1:

    Initially the Intrusion Detection System captures data, which is generally in the form of IP packets.

    Subsequently, it decodes the captured data and transforms it into a uniform format. An extraction technique can be used for this purpose.

    It then analyses and classifies that data (whether it is valid or not) in a way specific to the individual Intrusion Detection System.

    Further, it creates alerts if an unauthorized activity is detected.

    Fig. 1: Intrusion detection system activities [7]

    III. IDEAL INTRUSION DETECTION SYSTEM

    Regardless of the mechanism used, an ideal intrusion detection system [8] should have the following features:

    It must be difficult to fool.

    The internal working of the Intrusion Detection System should be examinable from outside; that is, it should not be a black box.

    It must be easy to deploy in the system.

    The defence mechanism in the system should adapt easily to usage patterns.

    It must be able to run in the background of the system being observed. The system must run continually without human intervention.

    It must be fault tolerant, in the sense that it must survive a system failure and its knowledge base should not have to be rebuilt at restart.

    It must observe deviations from normal behaviour.

    It must impose minimal overhead on the system.

    It must deal with changing system behaviour over time as new applications are added. The system profile will also change over time.

    IV. INTRUSION DETECTION APPROACHES

    The desirable elements of an Intrusion Detection System can be achieved through a variety of approaches. There are two popular approaches to intrusion detection, abuse detection and anomaly detection [9, 10].


    Abuse detection: tries to discover deviant behaviour by analysing the given traffic. The Intrusion Detection System applies several rules based on comparison and analysis, so that by matching the rules, such as signature patterns, the system can notice any attacks [11]. The alarms are generated based on particular attack signatures, hence this is also termed signature-based detection. Such attack signatures describe particular activity or traffic that is based on known intrusive activity. The advantage of abuse detection is the ability to produce accurate results and generate fewer false alarms. The disadvantage of the abuse detection approach is that it will discover only known attacks [12, 13].

    Anomaly detection: In this approach, the system is developed in such a way that it discovers unusual patterns of behaviour. Here, the system establishes a baseline of the usual patterns of conduct. Behaviour of a user which differs widely from that baseline is flagged as a possible intrusion. Anomaly detection is a prominent tool for network-based intrusion, fraud detection, and other unusual events that are of great importance but hard to find. The significance of anomaly detection is due to the fact that inconsistency in data can be translated into important actionable information in a vast variety of application domains. Since it is associated with variations from user behaviour, it can also be termed behaviour-based detection [14, 15]. The advantage of the anomaly detection approach is the capability to detect unknown attacks based on audit data. The prime drawback of the anomaly detection approach is that prominent attacks may not be detected.
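The four-step pipeline from section II (capture, decode, classify, alert) and the two approaches just described, worked through in one added Python example that is not code from the paper. The packet records, the two signatures and the port-count baseline are all constructed for illustration; the example shows that each approach catches what the other misses.

```python
"""Toy IDS pipeline: capture, decode, classify (signature + anomaly), alert. Not the paper's code."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dport: int
    payload: bytes

# Step 1, capture: constructed text records standing in for captured IP packets,
# one per line as "src dport payload...". The first window is known-good traffic.
TRAINING_CAPTURE = """\
10.0.0.5 22 SSH-2.0-OpenSSH_8.9
10.0.0.5 80 GET /index.html HTTP/1.1
10.0.0.6 443 ClientHello
10.0.0.6 80 GET /about HTTP/1.1
"""
MONITORED_CAPTURE = """\
10.0.0.5 80 GET /index.html HTTP/1.1
10.0.0.8 80 GET /login?user=admin' OR '1'='1 HTTP/1.1
10.0.0.7 21
10.0.0.7 22
10.0.0.7 23
10.0.0.7 25
10.0.0.7 80
"""

def decode(raw: str) -> list[Packet]:
    """Step 2: transform raw records into one uniform Packet structure."""
    pkts = []
    for line in raw.splitlines():
        src, dport, *rest = line.split(" ", 2)
        pkts.append(Packet(src, int(dport), rest[0].encode() if rest else b""))
    return pkts

# Step 3a, abuse (signature) detection: match known byte patterns. Accurate and
# few false alarms, but blind to anything absent from the rule base.
SIGNATURES = {"sql-injection": b"' OR '1'='1", "path-traversal": b"../../"}

def signature_alerts(pkts: list[Packet]) -> list[tuple[str, str]]:
    return [(name, p.src) for p in pkts
            for name, pat in SIGNATURES.items() if pat in p.payload]

# Step 3b, anomaly detection: fix a baseline from the normal window, then flag sources
# that deviate from it (here: distinct destination ports per source). Finds unknown attacks.
def distinct_ports(pkts: list[Packet]) -> dict[str, set[int]]:
    ports: dict[str, set[int]] = defaultdict(set)
    for p in pkts:
        ports[p.src].add(p.dport)
    return ports

def learn_baseline(training: list[Packet]) -> int:
    """Most distinct destination ports any single host touched while behaving normally."""
    return max(len(s) for s in distinct_ports(training).values())

def anomaly_alerts(pkts: list[Packet], baseline: int) -> list[tuple[str, str]]:
    return [("port-scan", src) for src, s in distinct_ports(pkts).items() if len(s) > baseline]

def run_ids(training_raw: str, monitored_raw: str) -> dict[str, list[tuple[str, str]]]:
    """Step 4: run both classifiers over the monitored window and emit alerts."""
    baseline = learn_baseline(decode(training_raw))
    pkts = decode(monitored_raw)
    return {"signature": signature_alerts(pkts), "anomaly": anomaly_alerts(pkts, baseline)}

if __name__ == "__main__":
    for kind, alerts in run_ids(TRAINING_CAPTURE, MONITORED_CAPTURE).items():
        for name, src in alerts:
            print(f"ALERT [{kind}] {name} from {src}")
```

The injected query is invisible to the port-count baseline (one port, like any browser), and the scan matches no signature; only running both classifiers reports both.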

    V. PARAMETERS OF INTRUSION DETECTION SYSTEM

    The various factors listed beneath are used to estimate the performance of the system [16, 5].

    Accuracy: The Intrusion Detection System must not identify a valid action in the system environment as a misuse or an anomaly.

    Performance: This is the capability of the system to process events. High performance of the Intrusion Detection System leads to real-time intrusion detection.

    Completeness: The ability of the system to discover all attacks. Incompleteness arises when the system fails to detect an attack. This is very hard to compute because it is not feasible to have information about all possible attacks.

    Fault tolerance: The Intrusion Detection System must be resistant to attacks and should be able to handle their consequences.

    Timeliness: The internal processing of the Intrusion Detection System must be fast enough that countermeasures against an attack can be carried out before the attack does any damage to the Intrusion Detection System or a system resource.

    VI. CONCLUSION

    Since the study of intrusion detection started to gain momentum in the security community roughly a decade ago, a number of divergent ideas have emerged for confronting this problem. Intrusion Detection Systems vary in the sources they use to obtain data and the specific methods they use to analyse it. Most systems today classify data either by anomaly detection or by abuse detection; each approach has its own merits and its own limitations. It cannot be expected that an IDS can correctly classify every event that occurs on a given system. In a rapidly evolving modern system with complex components, it will not be easy to attain the goal of perfect security with perfect detection. An Intrusion Detection System can, however, try to raise the bar for attackers by reducing the efficacy of large classes of attacks and increasing the work factor required to achieve a system compromise. Fast and flexible detection techniques are necessary to identify the boundless variety of agile and unusual attacks. Joint operation with other Intrusion Detection Systems and with other network security components is a requisite for achieving a holistic network security posture for the organizations of the future. Therefore, this paper includes a brief description of Intrusion Detection Systems, their architecture, the types of alerts they provide, and their performance parameters.

    REFERENCES

    [1] William Stallings. Cryptography and Network Security, 4/E. Pearson Education India, 2006.

    [2] Northcutt, Stephen, and Judy Novak. Network Intrusion Detection. Sams Publishing, 2002.

    [3] Bace, Rebecca, and Peter Mell. NIST Special Publication on Intrusion Detection Systems. Booz-Allen and Hamilton Inc., McLean, VA, 2001.

    [4] Puketza, Nicholas, Mandy Chung, Ronald A. Olsson, and Biswanath Mukherjee. "A software platform for testing intrusion detection systems." Software, IEEE 14, no. 5, 1997.

    [5] Debar, Hervé, Marc Dacier, and Andreas Wespi. "Towards a taxonomy of intrusion-detection systems." Computer Networks 31, no. 8, 1999.

    [6] Asmaa Shaker Ashoor and Prof. Sharad Gore. "Importance of Intrusion Detection System (IDS)." International Journal of Scientific and Engineering Research, ISSN 2229-5518, Volume 2, Issue 1, January 2011.

    [7] Kazienko, Przemyslaw, and Piotr Dorosz. "Intrusion Detection Systems (IDS) Part I (network intrusions; attack symptoms; IDS tasks; and IDS architecture)." Retrieved April 20, 2003.

    [8] http://www.cerias.purdue.edu/about/history/coast_resources/idcontent/detection.html

    [9] J. Anderson. An Introduction to Neural Networks. MIT, Cambridge, 1995.

    [10] B. Rhodes, J. Mahaffey, and J. Cannady. "Multiple self-organizing maps for intrusion detection." Paper presented at the Proceedings of the 23rd National Information Systems Security Conference, Baltimore, 16-19, 2000.

    [11] Byun, Hyeran, and Seong-Whan Lee. "Applications of support vector machines for pattern recognition: A survey." In Pattern recognition with support vector machines, pp. 213-236. Springer Berlin Heidelberg, 2002.

    [12] R. Jagannathan, Teresa Lunt, Debra Anderson, Chris Dodd, Fred Gilham, Caveh Jalali, Hal Javitz, Peter Neumann, Ann Tamaru, and Alfonso Valdes. System Design Document: Next-Generation Intrusion Detection Expert System (NIDES). Technical Report A007/A008/A009/A011/A012/A014, SRI International, 333 Ravenswood Avenue, Menlo Park, CA 94025, March 1993.


    [13] Sandeep Kumar and Eugene Spafford. "A pattern matching model for misuse intrusion detection." In Proceedings of the 17th National Computer Security Conference, pages 11-21, October 1994.

    [14] Huang, Guang-Bin, Dian Hui Wang, and Yuan Lan. "Extreme learning machines: a survey." International Journal of Machine Learning and Cybernetics 2, no. 2, 2011.

    [15] Paul Spirakis, Sokratis Katsikas, Dimitris Gritzalis, Francois Allegre, John Darzentas, Claude Gigante, Dimitris Karagiannis, P. Kess, Heiki Putkonen, and Thomas Spyrou. "SECURENET: A network-oriented intelligent intrusion prevention and detection system." Network Security Journal, 1(1), November 1994.

    [16] P. Porras and A. Valdes, Live Traffic Analysis of TCP/IP Gateways, Proceedings of the 1998 ISOC Symposium on Network and Distributed System Security (NDSS98), San Diego, CA, March 1998.

    Author's Profile: Sreenath.M completed his B.Tech in Computer Science and Engineering at the College of Engineering Munnar. He is currently pursuing his M.E in Computer Science and Engineering at PPG Institute of Technology, Coimbatore. His research interests include information security, the internet of things, and data mining.
