An Effective Intrusion Detection System

The document discusses an effective intrusion detection system. It begins by introducing intrusion detection and its importance in network security. It then describes the two main types of intrusion detection systems - signature based systems and statistical/anomaly based systems. The document focuses on the advantages of statistical/anomaly based intrusion detection systems for detecting new attacks compared to signature based systems. It also discusses the characteristics and challenges of network based intrusion detection systems versus host based intrusion detection systems.

AN EFFECTIVE INTRUSION DETECTION SYSTEM

Neha Agrawal
neha11195@gmail.com
Prof. Priyanka Vijayvargiya
Computer Science and Engineering
Shri Vaishnav Institute of Technology and Science, Indore

ABSTRACT

It is unrealistic to prevent security breaches completely using the existing security technologies.
Intrusion detection therefore plays an important role in network security. Most current intrusion
detection systems (IDSs) are signature based. A signature based IDS, also known as misuse
detection, looks for a specific signature to match, signaling an intrusion. Provided with the
signatures or patterns, such systems can detect many or all known attack patterns, but they are of
little use against as yet unknown attacks. Their rate of false positives is close to nil, but they are
poor at detecting new attacks, variations of known attacks, or attacks that can be masked as
normal behavior.

The other type of IDS, the Statistical Based Intrusion Detection System (SBIDS), can overcome
many of the aforementioned limitations of signature based intrusion detection systems.
Statistical based intrusion detection systems perform better than signature based systems at
novelty detection, i.e. the detection of new attacks, which is very important for an intrusion
detection system. Researchers have implemented various classification algorithms for intrusion
detection.

1. INTRODUCTION

1.1 Background

The field of intrusion detection has received increasing attention in recent years. The first reason
is the explosive growth of the internet and the large number of networked systems that exist in
all types of organizations. Intrusion detection techniques using data mining have attracted more
and more interest in recent years. As an important application of data mining, these techniques
aim to ameliorate the great burden of analyzing huge volumes of audit data and to optimize the
performance of detection rules. The objective of the proposed work is to try out intrusion
detection on a large dataset using classification algorithms and to improve its learning time
and detection rate in the field of network based IDS.

1.2 Basic Concepts

Following are some basic concepts on which this dissertation is based.

1.2.2 Types of Intrusion Detection System

Current IDSs fall into two categories:

a) Network-based Intrusion Detection Systems (NIDSs)

b) Host-based Intrusion Detection Systems (HIDSs)

These systems can be classified based on which events they monitor, how they collect information,
and how they deduce from that information that an intrusion has occurred. All IDSs that
scrutinize data circulating on the network are called Network IDSs (NIDSs), while IDSs that
reside on the host and collect logs of operating system related events are called Host IDSs
(HIDSs). IDSs may also vary according to the technique by which they detect intrusions.

Network Based IDS

Because they only scrutinize network traffic, NIDSs do not benefit from running on the host.
They are often run on dedicated machines that observe the network flows, sometimes in
conjunction with a firewall. In this case they are not affected by security vulnerabilities on the
machines they are monitoring. Only a limited amount of information can be inferred from data
gathered on the network link. The widespread adoption of end-to-end encryption further limits
the amount of information that can be gathered at the network interface.

One major shortcoming of NIDSs is that they are oblivious to local root attacks. An authorized
user of the system who attempts to gain additional privileges will not be detected if the attack is
performed locally. The authorized user of the system may also be able to set up an encrypted
channel when accessing the machine remotely.

Host Based IDS

The HIDS has an ideal vantage point. Since an HIDS runs on the machine it monitors, it can
theoretically observe and log any event occurring on the machine. However, the complexity of
current operating systems often makes it difficult, if not impossible, to accurately monitor certain
events. There are many difficulties faced by security tools that rely on system call interposition
to monitor a host.

In addition to problems resulting from an incorrect or incomplete understanding of the operating
system, race conditions in the operating system make the implementation of such tools
delicate. HIDSs are also confronted with difficulties arising from potential tampering by the
attacker. A secure logging mechanism is necessary to prevent logs from being erased if the
attacker compromises the machine. Even if such a secure mechanism is available, an attacker
obtaining superuser privilege on the host can disable the HIDS. If the HIDS is a user process,
then the attacker can simply terminate the process. If the HIDS is embedded in the kernel, then
the attacker can modify the kernel by loading a kernel module or by writing directly into kernel
memory. This means that an HIDS can only be trusted up to the point where the system was
compromised.
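One concrete form of the secure logging mechanism mentioned above is a hash-chained, append-only audit log, in which every entry commits to the hash of the entry before it. The following Python is an added example written for this page; it is not code from the paper or its authors. The event records, their field names and the off-host copy of the head hash are constructed assumptions. It shows that modifying, deleting or reordering an entry breaks the chain, and it also shows the limit the passage implies: once the attacker controls the host, cutting off the tail of the log is only detectable if the last hash was copied somewhere the attacker cannot reach.

```python
import hashlib
import json

# Constructed anchor for the first entry (an assumption of this example).
GENESIS_HASH = "0" * 64


def entry_hash(prev_hash, seq, event):
    """SHA-256 over the previous entry's hash, the sequence number and the
    event serialised canonically, so a change to any of the three is visible."""
    payload = json.dumps({"prev": prev_hash, "seq": seq, "event": event}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_event(log, event):
    """Append an event; the new entry commits to the hash of the entry before it."""
    prev_hash = log[-1]["hash"] if log else GENESIS_HASH
    seq = len(log)
    log.append({"seq": seq, "event": event, "hash": entry_hash(prev_hash, seq, event)})
    return log


def verify_chain(log, expected_head=None):
    """Walk the chain from the genesis anchor.

    Returns (True, None) when every entry is consistent, otherwise (False, seq)
    with the first inconsistent position. `expected_head` is the last hash
    previously copied off the host (assumed to exist); without it a log
    truncated at the tail still verifies, because nothing after the cut remains
    to contradict the chain."""
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["hash"] != entry_hash(prev_hash, i, entry["event"]):
            return False, i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, len(log)
    return True, None


def build_sample_log():
    """Constructed HIDS events (illustrative; not taken from any real host)."""
    log = []
    for event in [
        {"type": "login", "user": "alice", "result": "success"},
        {"type": "privilege_change", "user": "alice", "new_uid": 0},
        {"type": "module_load", "name": "example_driver.ko"},
        {"type": "logout", "user": "alice"},
    ]:
        append_event(log, event)
    return log


def without_entry(log, seq):
    """Copy of the log with one entry removed (simulated tampering)."""
    return [e for e in log if e["seq"] != seq]


def with_modified_event(log, seq, field, value):
    """Copy of the log with one event field rewritten (simulated tampering)."""
    return [dict(e, event=dict(e["event"], **{field: value})) if e["seq"] == seq else e
            for e in log]


if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["hash"]  # stand-in for a copy of the head hash kept off-host
    print("intact:", verify_chain(log))
    print("entry 1 deleted:", verify_chain(without_entry(log, 1)))
    print("entry 0 modified:", verify_chain(with_modified_event(log, 0, "user", "mallory")))
    print("tail truncated, no head copy:", verify_chain(log[:-1]))
    print("tail truncated, head copy:", verify_chain(log[:-1], expected_head=head))
```

The chain makes erasure of the privilege change entry or rewriting of the login entry detectable by anyone holding the log, but the truncation case is the important one for a HIDS: the host-resident verifier alone cannot tell that the log once had a fourth entry, which is why the head hash (or the whole log) must be shipped to a separate collector before the host is compromised.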

1.2.3 Intrusion Detection Techniques

All intrusion detection systems use one of two detection techniques: statistical anomaly based
or signature based.

a) Signature/Misuse based IDS

b) Statistical/Anomaly based IDS

Signature/Misuse Based IDS

SIDSs, or signature based IDSs, also known as misuse detection, look for a specific
signature to match, signaling an intrusion. They are provided with the signatures or patterns of
known attacks, but SIDSs are of little use against as yet unknown attack methods. This means
that an IDS using misuse detection will only detect known attacks.

Statistical/ Anomaly Based IDS

Another approach to intrusion detection is called anomaly detection. Anomaly detection
applied to intrusion detection and computer security has been an active area of research since it
was originally proposed by Denning (1987). Anomaly detection algorithms have the advantage
that they can detect new types of intrusion as deviations from normal usage. In this problem, a
set of normal data to train from is given, and a new piece of test data is also given. The objective
of the intrusion detection system is to determine whether the test data belongs to normal or to
anomalous behavior. However, this anomaly detection scheme suffers from a high rate of false
alarms. This happens primarily because previously unseen system behavior is also recognized as
an anomaly and hence flagged as a potential intrusion.
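To make the contrast between the two techniques concrete, the following Python is an added example that is not from the paper or its authors. It runs a tiny signature detector (one hypothetical brute-force login rule) and a per-feature z-score anomaly detector trained on constructed "normal" connection records against four test records: a normal one, a known attack, a novel attack for which no signature exists, and an unseen but legitimate long session. The feature names, the threshold and every record value are assumptions chosen for illustration.

```python
from statistics import mean, pstdev

# Constructed connection records (illustrative only, not data from the paper):
# (src_bytes, dst_bytes, duration_s, failed_logins)
NORMAL_TRAINING = [
    (300, 1200, 2.0, 0), (280, 1100, 1.8, 0), (320, 1300, 2.2, 0),
    (310, 1250, 2.1, 0), (290, 1150, 1.9, 1), (305, 1220, 2.0, 0),
    (295, 1180, 1.9, 0), (315, 1270, 2.1, 0),
]

# Signature base of the misuse detector: a single hypothetical rule describing
# a known brute-force login pattern (five or more failed logins in one connection).
SIGNATURES = {
    "brute_force_login": lambda r: r[3] >= 5,
}


def signature_detect(record):
    """Misuse detection: name of the first matching known signature, else None."""
    for name, matches in SIGNATURES.items():
        if matches(record):
            return name
    return None


class ZScoreAnomalyDetector:
    """Profile of normal behaviour as per-feature mean and standard deviation.
    A record is anomalous when any feature deviates from the training mean by
    more than `threshold` standard deviations."""

    def __init__(self, threshold=3.0):
        self.threshold = threshold
        self.means = []
        self.stds = []

    def fit(self, normal_records):
        columns = list(zip(*normal_records))
        self.means = [mean(c) for c in columns]
        # floor the deviation so a constant feature cannot divide by zero
        self.stds = [max(pstdev(c), 1e-9) for c in columns]
        return self

    def score(self, record):
        """Largest absolute z-score over all features."""
        return max(abs(x - m) / s for x, m, s in zip(record, self.means, self.stds))

    def is_anomalous(self, record):
        return self.score(record) > self.threshold


def classify(detector, record):
    """Run both detectors; returns (matched_signature_or_None, anomaly_flag)."""
    return signature_detect(record), detector.is_anomalous(record)


# Constructed test records covering the four cases discussed in the text.
TEST_RECORDS = {
    "normal":              (300, 1200, 2.0, 0),
    "known_brute_force":   (300, 1200, 2.0, 7),
    "novel_exfiltration":  (50000, 1200, 2.0, 0),  # no signature exists for this
    "unseen_long_session": (300, 1200, 60.0, 0),   # legitimate, but absent from training
}


def run_comparison():
    """Return {case_name: (signature, anomalous)} for every test record."""
    detector = ZScoreAnomalyDetector(threshold=3.0).fit(NORMAL_TRAINING)
    return {name: classify(detector, rec) for name, rec in TEST_RECORDS.items()}


if __name__ == "__main__":
    for name, (sig, anomalous) in run_comparison().items():
        print(f"{name:20s} signature={sig!s:18s} anomaly={anomalous}")
```

Both detectors catch the known brute-force attack, and neither flags the normal record, which is the near-zero false positive behaviour the abstract attributes to signature matching. The novel exfiltration record is missed by the signature detector because no rule describes it, yet the anomaly detector flags it from the src_bytes deviation alone. The long session is the cost of that sensitivity: it is legitimate, but because nothing like it appeared in the training profile it is reported as an intrusion, which is exactly the false alarm mechanism the passage describes.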

1.2.4 Required Characteristics of an Intrusion Detection System:

The following characteristics are ideally desirable for an intrusion detection system (based on the
list provided by Crosby and Safford [2]).

1. IDS must run continually with minimal human supervision.
2. IDS must be fault tolerant:
a) IDS must be able to recover from system crashes, either accidental or caused by
malicious activity.
b) After a crash, the IDS must be able to recover its previous state and resume its
operations unaffected.
3. IDS must resist subversion:
a) It should be significantly difficult for an attacker to disable or modify the IDS.
b) The IDS must be able to monitor itself and detect if it has been modified by an
attacker.
4. IDS must impose a minimal overhead on the systems where it runs to avoid interfering
with their normal operation.
5. IDS must be configurable to accurately implement the security policies of the systems
that are being monitored.
6. IDS must be easy to deploy. This can be achieved through portability to different
architectures and operating systems, through simple installation schemes, and by being
easy to use and understand for the operator.
7. IDS must be adaptable to changes in system and user behavior over time.
8. IDS must be able to detect attacks:
a) The IDS must not flag any legitimate activity as an attack (false positives).
b) The IDS must not fail to flag any real attacks as such (false negatives).
c) The IDS must report intrusions as soon as possible after they occur.
d) The IDS must be general enough to detect different types of attacks.
