The Intrusion Detection System In Computer Networks Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Intrusion detection system is one of the widely used tools for defense in Computer Networks. In literature, plenty of research is published on Intrusion Detection Systems. In this paper we present a survey of Intrusion Detection Systems. We survey the existing types, techniques and approaches of Intrusion Detection Systems in the literature. Finally we propose a new architecture for Intrusion Detection System and outline the present research challenges and issues in Intrusion Detection System.

The purpose of Intrusion Detection Systems (IDS) is to detect and prevent electronic threat to computer systems. The extensive use of the computers and availability of the Internet increase the impact of problem in size. In today's world everyone is connected over networks, and many services are provided over the Internet. This global reach increases the risk of intrusion threats from unknown sources. According to the Computer Emergency Response Team CERT, 32,956 vulnerabilities were reported from many sources throughout 1995 until the first quarter of 2007[17]. Intruder can use these vulnerabilities to launch an attack against Computer Network or Servers. Two things are certain-intrusion detection is still a long way from being mature, and intrusion prevention technology is in its infancy.

The rest of this paper is organized by its basic approaches for IDS which is described in Section 2. Section 3 of this paper describes the types of IDS and techniques are described in section 4. Proposed architecture and algorithm is covered in section 5 followed by challenges and issues in development of IDS in section 6. Last section covers the future works and conclusion.

Basic approaches for intrusion detection System

Approaches for Intrusion detection systems can be broadly classified as:

Signature based

Classification based

Anomaly based

1.1.1 Signature based (Misuse Detection) approach [3] [19] Most of the commercial IDSs are "misuse detection systems" which are designed to detect only known attacks. This approach uses a database of known attack signatures which is developed by experts and intrusion analyst. The traffic over the network or sequence of processes within the Computer is compared to the entries in this database. If there is a match with database entries, the IDS system generates an alert message. Even though such a system does not generate false positives alerts, these systems cannot identify new and novel attacks.

There are two advantages of Misuse Detection Approach:

It is very effective for detecting the attacks without generating an overwhelming number of false alarms.

It can quickly and reliably diagnose the use of a specific attack tool.

On the other hand, the disadvantages of Misuse Detection Approach are:

It can only detect those attacks that have been described in the database.

The database must be constantly updated with signatures of new attacks.

1.1.2 Classification-based intrusion detection approach [20]

This approach uses normal and abnormal data sets of user behavior, and uses data mining techniques to train the IDS system. This creates more accurate classification models for IDS as compared to signature-based approaches and thus they are more powerful in detecting known attacks and their variants.

Disadvantage of Classification-based Intrusion Detection Approach:

It is still not capable of detecting unknown attacks.

1.1.3 Anomaly intrusion detection approach

The basic assumption of Anomaly detection approach is that attacks are different from normal activity and thus they can be detected by IDS systems that identify these differences. Thus this approach begins with definition of desired form or behavior of the system and then distinguishes between that desired behavior and undesired or anomalous behavior. The main problem is, defining the boundary between acceptable and anomalous behavior. So, the anomaly detector approach must be able to distinguish between the anomaly and normal.

There are two types of anomaly detectors:

1. Static anomaly detectors: It is based on the assumptions that there is a portion of the system being monitored that should remain constant.

2. Dynamic anomaly detectors: To characterize normal and acceptable behavior a base profile is created by a dynamic anomaly intrusion system. Building the sufficiently accurate base profile is the main difficulty with the dynamic anomaly detection system.

The advantage of Anomaly Intrusion Detection approach is:

It is possible to detect unknown attacks.

Disadvantages of Anomaly Intrusion Detection approach are:

Produces a large number of false alarms due to the unpredictable behaviors of users and networks.

Therefore, large and accurate training data set is the major requirement of anomaly detection approaches to define the normal behavior patterns.

2. Types of intrusion detection system

Network-Based IDS: Network-based IDS [3][4] monitors network traffic using techniques like packet sniffing to collect network traffic data and tries to detect malicious activity such as denial of service attacks; port scans or even attempts to crack into computers.

Host-Based IDS: Host-based IDS [17] monitors and analyzes system calls, application logs, file-system modifications and other host activities to identify the intrusion such as unauthorized remote login attempt, attempt to access unprivileged data. It normally works with Network-based IDS.

Protocol-Based IDS: Typically protocol-based IDS [16] are installed on a web server, and they are used for monitoring and analysis of the protocol in use of the computing system. If there is a deviation from intended behavior of protocol then it can be detected as intrusion.

Graph-Based IDS: Graph-based IDS [15] concerned with detecting intrusions that involve connections between many hosts or nodes. A graph consists of nodes representing the domains and edges representing the network traffic between them.

3. Techniques for intrusion detection system

Neural networks (NNs) [11] can be trained to recognize arbitrary patterns in input data, and associate such patterns with an outcome, which can be a binary indication of whether an intrusion has occurred. Such models are only as accurate as the data used to train them.

State transition tables [2] [12] describe a sequence of actions an intruder does in the form of a state transition diagram. When the behavior of the system matches those states, an intrusion is detected.

Hidden Markov Models (HMMs) [12] are a stochastic version of the state transition techniques discussed above, where the states and transition probabilities are modeled as a Markov process with unknown parameters. A learning phase estimates these unknown parameters from the input data.

Artificial Immune Systems [14] are adaptive systems, inspired by theoretical immunology and observed immune functions, principles and models, which are applied to problem solving. The innate system of the human immune system can be compared with the misuse detection of the IDS; both uses pattern recognition respectively on memory cells and signatures database to detect intrusions. The adaptive system can be compared with the anomaly detection where both can detect yet unseen attacks and where their sensors have to go through a training phase.

Genetic Algorithms (GAs) - [1] Genetic algorithms mimic the natural reproduction system in nature where only the fittest individuals in a generation will be reproduced in subsequent generations, after undergoing recombination and random change.

Decision Tree [10] is a model of decisions and also can be used to show possible consequences for particular occurrences where there are conditional probabilities for each occurrence. Those occurrences of attacks form a tree-based structure that contains root node and a number of leaf nodes. Decision tree generally performs very efficiently even if dealing with a large amount of data.

Bayesian Network [13] Bayesian Network is a graphical representation of the joint probability distribution function over a set of variables. The network structure can be represented in Bayesian Network as a Directed Acyclic Graph where each node represent a random variable and each edge between nodes shows the relation between nodes (i.e. relationship between variables). Individual invents which occurs during attack are represented as nodes in the graph and relationship between those events are represented as edges of the graph and this graph is then used to detect the intrusion.

Fuzzy logic [4] is a set of concepts and approaches designed to handle vagueness and imprecision. A set of rules can be created to describe a relationship between the input variables and the output variables, which may indicate whether an intrusion has occurred.

Honeypot [5] is an unreal network system designed to trap crackers and intruders. The honeypot is used as bait in the form of a vulnerable system to trap hackers and keep them away from accessing the critical information in the main system.

In this technique alarming adversaries, initially detected by the IDS, will be rerouted to a honeypot network for a more close investigation. If as a result of this investigation, it is found that the alarm decision made by the IDS of the agent is wrong, the connection will be guided to the original destination in order to continue the previous interaction. This action is hidden to the user. Such a scheme significantly decreases the alarm rate and provides a higher performance of IDS.

Data Mining [3] [4] is an analytic process designed to explore data in search of consistent patterns and/or systematic relationships between variables, and then to validate the findings by applying the detected patterns to new subsets of data.

4. Proposed architecture

Each type of IDS offers fundamentally different information-gathering, logging, detection, and prevention capabilities. Each technology type offers benefits over the others, such as detecting some events that the others cannot and detecting some events with significantly greater accuracy than the earlier technologies. In many environments, a robust IDS solution cannot be achieved without using multiple types of IDS technologies. For most environments, a combination of network-based and host-based IDS technologies is needed for an effective IDS solution. Thus in our architecture we combined Host-based and Network-based IDS. Network-based IDS is used to detect Dos, DDoS and Probing attacks and Host based IDS are used to detect R2L and U2R attacks.

Using IDS based on Data mining [3] [4] is an effective method. IDS based on Date Mining have a behavioral model through widely checking data. So it can accurately capture the actual invasion and normal behavior. This automated technique no longer needs manual analysis and manually coding the invasion mode and no longer needs to choose statistical methods by experience when build the normal behavior using model. The major advantage of the data mining technique is that, it can be applied to multiple data stream.

Many Researches have used fuzzy association rules effectively to design their NIDSs. Incremental Fuzzy-rule Mining can be very useful to meet the real-time requirements of IDS because it can produce the new rules set while detection process is going on [4].

Data warehouse is the most suitable data store for storing the data records gathered online from network. This will increase the speed of incremental fuzzy-rule mining algorithm and is the most suitable data store to analyze multiple data streams [23].

Using the honeypot technique, the system is able to avoid many wrong decisions made by IDS. This will reduce the false alarm rate of the attack detection [5].

Figure 1 shows the block schematic of the proposed Network Intrusion Detection System.

Figure 1: System Diagram

Feature Data Warehouse: It is used to store packet information extracted by Feature Extractor, which is used to detect Intrusion.

Known Attack Signature Database: It is used to store Known Attack Signatures.

Possible Attack Signature Database: It is used to store possible attack signatures which are predicted by using Known Attack.

Data Mining: [2][21] [22] It uses Attack signature database and feature Data Warehouse along with Apriori algorithm to predict possible attack signatures using existing attack signatures.

HIDPS Attack Signature Database: Attack signatures for Host based IDS are centrally stored at machine running NIDS.

Packet Sniffer: It uses raw socket programming to fetch packets from network.

Feature extractor: It extracts information present within the packet such as, Source IP Address, Destination IP Address, values of flags present in Packet Header, etc... .

Known Attack Detector: Known Attack Detector module is used to detect network connections that correspond to attacks for which signatures are available.

Possible Attack Detector: It uses Possible Attack Signature database to detect whether traffic matches with possible attack signature generated by Data Mining unit. If there is a match, it forwards that connection to honeypot to detect whether there is an intrusion or not.

Honeypot: It is used to detect whether the connection is trying to do intrusion in the network or not.



Input: Attack Signature Database (ASDb)

Output: Possible Attack Signature Database (PASDb)


[2][21][22]Apply Apriori algorithm on Feature Data Warehouse to generate Patterns Set

For each Pattern in Patterns set

For each Signature in Known Attack Signature set

Calculate Similarity between pattern and signature

If(Similarity > 0.9)

Add pattern to Possible Attack Signature



Input: Network Traffic Feature, Attack Signature Database

Output: Traffic Classification (Norma/Attack)


For each Signature in Known Signature Set

If(Traffic Feature matches with Signature)

Forward corresponding Connection to Intrusion Prevention module.

Mark corresponding entry in Feature Data Warehouse for attack.


Forward Network Traffic Feature to Possible Attack Signature detector.


Input: Network Traffic Feature, Possible Attack Signature Database

Output: Traffic Classification (Norma/Attack)


For each Signature in Possible Signature Set

If(Traffic Feature matches with Signature)

Forward corresponding Connection to Honey pot module to detect Intrusion.

If (Result from Honeypot is Positive)

Remove Corresponding Signature entry from Possible Attack Signature Database.

Add removed Signature to Known Attack Signature Database.


Remove Corresponding Signature entry from Possible Attack Signature Database.

Mark corresponding Network Traffic Feature entry in Feature Data Warehouse for attack.

Advantages of Proposed Architecture

False positive rate of Data Mining-based IDS is higher than false positive rate of hand written Signature-based IDS and always there is a tradeoff between detection rate and false positive rate of IDS [24]. If detection rate of IDS is increased to detect maximum number of intrusions then it will increase false alarms generated by IDS. Most of the Data Mining-based IDS [4][26] comment on their Detection Rate but did not comment on their False Positive Rate. Proposed IDS architecture results in lower false alarms due to use of Honeypot [5][ 28].

Incremental Data Mining-based IDS can detect intrusion in Real time [4] but [4] stored the incremental data and rules in main memory which has many limitations such as different components of IDS can't modify data asynchronously, integration of data from different sensors is difficult and during that time no component of IDS can access the data, it is not possible to retrieve the data using SQL like queries [24]. Such problems are not present in proposed architecture due to the use of Data Warehouse to store the extracted data.

If the data present in the packets being transferred is encrypted then NIDS [3][4] [9] cannot perform stateful application layer inspection on the contents of the encrypted data [25]. This is a major problem due to encrypted communications because the NIDS cannot interpret encrypted contents of application layer. Thus, attackers can easily hide their exploits from the NIDS by using encrypted tunnels. This problem is not present in the proposed IDS architecture because it is a combination of NIDS as well as HIDS and HIDS can detect the attacks done using encrypted traffic.

5. Challenges & Issues

With best of our knowledge many researchers have proposed new architecture for Intrusion Detection System but did not comment on how their architecture will be accepted in real time environment.

Further many of them did not marked that how much load their architecture will create on executing platform.

6. Conclusion & Future Scope

This paper reviews and tried to summarize different types, methods and approaches for Intrusion Detection System. Further this paper has proposed a new architecture for Intrusion Detection System which generates and test new signatures for Intrusion Detection without the interference of third party.

The proposed model is in its initial stage where an initial algorithm is proposed. The future step for this proposal is under development where the real time analysis is going on.