[IEEE 2014 International Conference on Computing for Sustainable Global Development (INDIACom) - New Delhi, India (2014.3.5-2014.3.7)] 2014 International Conference on Computing for Sustainable Global Development (INDIACom)

Intrusion Detection and Prevention System: Challenges & Opportunities

Uzair Bashir, Department of Computer Sciences, Mewar University, Chittorgarh, Rajasthan, India, [email protected]

Manzoor Chachoo, Research Supervisor, Mewar University, Chittorgarh, Rajasthan, India, [email protected]

Abstract - The idea of making everything readily and universally available has led to a revolution in networking. In spite of the tremendous growth of network and information technologies, we still fall short in protecting our resources from theft and attack. This may not concern small organizations, but it is a serious issue for industry and for national security. Organizations face an increasing number of threats every day in the form of viruses, intrusions, etc. Although organizations have adopted many different mechanisms in the form of intrusion detection and prevention systems to protect themselves from such attacks, many security breaches still go undetected. In order to understand the security risks and IDPS (intrusion detection and prevention systems), we first survey common security breaches and then discuss the opportunities and challenges in this field. In this paper we survey the overall progress of intrusion detection systems: the existing types, techniques and architectures of intrusion detection systems in the literature. Finally, we outline the present research challenges and issues.

Keywords—Architecture, Attack, Detection, IDS, Prevention, Security, System, Virus.

I. INTRODUCTION The growth of the Internet has no doubt changed the face of the world, but it has also pointed out various security areas that need to be addressed in order to provide a trustworthy environment for those who are part of this system or wish to be [16]. Intrusion detection systems (IDS) have come as a savior, but every day new attacks and intrusions challenge even the most powerful tools available. This paper does not provide a method to deal with new attacks; it explains the current techniques and their approaches to dealing with attacks, and the issues and challenges that current IDSs face. The paper is organized as follows: Section II gives an overview of intrusion detection systems, Section III describes their general architecture, Section IV the types of IDS, Section V the detection techniques, Section VI future developments, and Section VII concludes.

II. OVERVIEW OF IDS An intrusion detection system (IDS) is a software application or hardware appliance that continuously monitors network traffic and/or system activity for abnormal behavior or policy violations and reports to an administration unit through logs. The extensive use of the Internet connects a host or network to every other computer and network on the globe, exposing it to every possible intrusion [17]. An IDS is a security system that dynamically monitors the target system (which can be a file, a folder, a host or a network) for misuse and tries to handle abnormal behavior either by itself or by raising alarms to an administrative unit. An IDS is necessary because building a completely secure system is next to impossible. A target system is usually invaded by two kinds of users [18]: Legitimate users: users who are part of the system but act beyond the scope of what they are trusted to do. Illegitimate users: users unknown to the system who try to breach its security. Protecting a system against outsiders may seem easy, but a large number of users also dwell within the boundaries of the target system. An IDS generates logs that record the activities and events in the target system. A legitimate user with privileges similar to root or the system administrator can work at a level lower than the level at which the audit trail is collected (for example by disabling or tampering with the audit subsystem) and therefore bypass the monitoring scheme. Hence a target system is often more susceptible to intrusion by one of its own members than by an outsider. Although countermeasures exist for such issues, this illustrates a loophole that remains even when the system is protected from illegitimate users.

III. GENERAL ARCHITECTURE OF AN IDS A panoramic view of an IDS reveals a security system that monitors a target system continuously and produces audit trails. These audit trails contain processed data generated from the information coming from the target system [1]. The audit trails can then be inspected automatically by tools, either online or offline, and/or by a manual authority (an administrator) who analyzes the logs more closely [19]. The general architecture of an IDS is shown in Figure 1. The placement of an IDS is a significant decision and depends on factors such as the required security level, budget and environment. Generally, an IDS is placed at the network entry/exit points, on the hosts themselves, or a combination of both. The job of an IDPS is to monitor the data, analyze it and accordingly prevent intrusions. Abnormal behavior detected by an IDPS can be dealt with automatically or by raising alarms to a manual station. An IDPS distinguishes between normal and abnormal behavior based on previous knowledge or on policies already defined in its database.

978-93-80544-12-0/14/$31.00 ©2014 IEEE

Fig. 1: General Architecture of an IDS [1]

IV. TYPES OF IDS As already mentioned, IDSs are classified by their location, and the choice depends mostly on resources, budget and other factors. An IDS monitors a target system, which can be a network, a host, etc. On this basis there are two types of IDS: network-based intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS). Because of higher security demands, hybrid systems that combine the features of both NIDS and HIDS are common today.

A. Network-Based Intrusion Detection Systems A NIDS works at the network level by analyzing the packets travelling to and fro in a network. It is separate from the network firewall and can be thought of as a second layer of defense. A NIDS sensor usually runs in stealth mode (a monitoring interface with no address of its own on the observed segment), which makes it harder for an attacker to target. A NIDS can sniff large amounts of traffic and, when deployed inline as a prevention system, can block all traffic related to a service on which it finds abnormal activity; a purely passive sensor can only raise alerts.

B. Host-Based Intrusion Detection Systems A HIDS analyzes data, file-system modifications, application logs, etc. on individual hosts, or at least on the hosts that fall under the security requirements. Recent developments in HIDS include monitoring system calls to the operating system kernel [2]. A HIDS is part of the host on which it is installed, so if the security of that host is compromised, the HIDS itself can be tampered with or disabled by the intruder.

C. Hybrid Intrusion Detection Systems The spread of distributed environments has exposed various security issues that had gone unnoticed before, and this has called for a higher degree of defense. A hybrid system integrates network-based and host-based detection.

V. INTRUSION DETECTION TECHNIQUES IDSs are classified on various characteristics such as behavior, cognizance, etc. An IDS has two main methods of detection: anomaly-based and signature-based.

In an anomaly-based technique a set of rules/activities is pre-defined for a user or a system; these rules/activities mark the normal behavior for the IDS. This model was originally proposed by Denning [3], and since then extensive work has been done to enhance the technique. Anything that does not fit the rules is abnormal behavior, which is considered an anomaly and therefore needs attention. The IDS continuously monitors the traffic looking for abnormal behavior, marking everything abnormal as suspicious [4]. This method is very robust against most intrusions, including previously unseen ones, but the problem lies in defining the boundary between normal and abnormal behavior within a system. The rate of false alarms is high, and the rules/activities must be redefined whenever a user's privileges change. Methods that employ anomaly-based detection include statistical models, neural networks and data-mining based methods.

The signature-based technique, on the other hand, has a database of already known attacks and uses this knowledge to deal with intrusions. This technique is also called misuse detection and is considered powerful against known attacks and those similar in behavior to the ones already defined. It lacks, however, the ability to catch new intrusions. Signature-based approaches include rule-based systems, expert systems, genetic algorithms, pattern matching, state transition analysis and signature analysis.

A. Statistical Models This is the most widely used method for detecting intrusions. These techniques try to differentiate between normal and abnormal behavior based on parameters collected over time, such as bandwidth, CPU utilization and user session time. The collected parameters are used to build profiles for individual users or activities, and when the observed values go beyond what has been learnt as normal for the entity, an intrusion is flagged. Systems such as NIDES and Haystack are based on statistical models. Statistical models are the earliest approach, but later systems such as Haystack, implemented in distributed environments, keep the approach competitive.
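As an added illustration (not from the paper and not the code of any system it names), the following Python builds per-user statistical profiles from a constructed set of audit records and flags a record when any monitored parameter deviates too far from the learnt profile, which is the anomaly-based scheme described in Section V and the profile-based statistical model of this subsection. The field names, sample values and the z-score threshold are assumptions made for the example.

```python
"""Statistical anomaly detection over per-user audit profiles.

Added example; the training records are constructed for illustration and
the feature names (session_minutes, bytes_out_kb, cpu_pct) are assumptions.
"""
from statistics import mean, pstdev

FEATURES = ("session_minutes", "bytes_out_kb", "cpu_pct")

# Constructed "normal" audit records: (user, session_minutes, bytes_out_kb, cpu_pct)
TRAINING = [
    ("alice", 40, 120, 12), ("alice", 45, 150, 15), ("alice", 38, 110, 10),
    ("alice", 50, 160, 14), ("alice", 42, 130, 13), ("alice", 47, 140, 11),
    ("bob", 200, 900, 60), ("bob", 180, 850, 55), ("bob", 210, 950, 65),
    ("bob", 190, 880, 58), ("bob", 205, 920, 62), ("bob", 195, 870, 57),
]


def build_profiles(records):
    """Learn (mean, std-dev) of every feature for each user from normal records."""
    by_user = {}
    for user, *values in records:
        by_user.setdefault(user, []).append(values)
    profiles = {}
    for user, rows in by_user.items():
        columns = list(zip(*rows))
        profiles[user] = {
            # a constant feature would give sigma 0; fall back to 1.0 to avoid division by zero
            name: (mean(col), pstdev(col) or 1.0)
            for name, col in zip(FEATURES, columns)
        }
    return profiles


def score(profile, values):
    """Largest absolute z-score over all features, with the feature that produced it."""
    worst = (0.0, None)
    for name, value in zip(FEATURES, values):
        mu, sigma = profile[name]
        z = abs(value - mu) / sigma
        if z > worst[0]:
            worst = (z, name)
    return worst


def detect(profiles, records, threshold=3.0):
    """Return (user, feature, z) for records outside the profile; unknown users are flagged."""
    alerts = []
    for user, *values in records:
        if user not in profiles:
            alerts.append((user, "unknown user", None))
            continue
        z, feature = score(profiles[user], values)
        if z > threshold:
            alerts.append((user, feature, round(z, 1)))
    return alerts


if __name__ == "__main__":
    profiles = build_profiles(TRAINING)
    observed = [
        ("alice", 44, 135, 12),    # ordinary alice session
        ("alice", 200, 900, 60),   # alice behaving like bob: volume far outside her profile
        ("alice", 90, 200, 14),    # legitimate but unusually long session: false alarm
        ("mallory", 1, 1, 1),      # no profile at all
    ]
    for alert in detect(profiles, observed):
        print(alert)
```

The second alice record is flagged on bytes_out_kb, and the third, a legitimate but unusually long session, is flagged too: that false alarm is the boundary-definition problem the paper attributes to anomaly detection, and the only knob is the threshold (and the amount of training data behind each profile).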


B. Data Mining Based Methods The strength of an IDS is improved by periodically updating its rules and data through an expert. This process is manual and therefore time consuming; system builders rely on their intuition and experience to select the statistical measures for anomaly detection [11]. These drawbacks have led to methods that feed the IDS with new rules and data that are learnt automatically. Data-mining based methods use the audit data to draw patterns from activities and user behavior and then use these patterns to identify anomalies in the system. The facts collected from the audit data are used to gradually learn the behavior of events and activities. The learning process is gradual and inductive and follows a data-centric approach. It is assumed that both legitimate and illegitimate activity leave their footprints in the audit data [10].
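The following added Python example (not from the paper, and a much reduced version of the frequent-pattern mining idea rather than any published system's code) mines per-user command-sequence patterns from constructed audit sessions and then scores new sessions by how much of their activity falls outside the learnt patterns. The command names, the support threshold and the novelty threshold are assumptions made for the example.

```python
"""Mining audit data for frequent command patterns (data-mining based anomaly detection).

Added example. The sessions below are constructed; "bigram" patterns (command
followed by command) with enough support across a user's sessions become the
learnt model, and a session whose bigrams are mostly unseen is reported.
"""
from collections import Counter

# Constructed audit trail: (user, ordered list of commands in one session)
NORMAL_SESSIONS = [
    ("dev", ["cd", "git", "vim", "make", "make", "git"]),
    ("dev", ["cd", "git", "vim", "make", "git"]),
    ("dev", ["cd", "vim", "make", "git"]),
    ("dev", ["git", "vim", "make", "make", "git"]),
    ("dev", ["cd", "git", "vim", "vim", "make"]),
]


def bigrams(commands):
    """Adjacent command pairs of one session, in order."""
    return [(a, b) for a, b in zip(commands, commands[1:])]


def mine_patterns(sessions, min_support=0.4):
    """Per user, keep the bigrams that occur in at least min_support of that user's sessions."""
    per_user = {}
    for user, cmds in sessions:
        per_user.setdefault(user, []).append(set(bigrams(cmds)))
    patterns = {}
    for user, session_sets in per_user.items():
        counts = Counter(bg for s in session_sets for bg in s)
        n = len(session_sets)
        patterns[user] = {bg for bg, c in counts.items() if c / n >= min_support}
    return patterns


def novelty(patterns, user, commands):
    """Fraction of a session's bigrams not covered by the user's learnt patterns (0.0 .. 1.0)."""
    bgs = bigrams(commands)
    if not bgs:
        return 0.0
    known = patterns.get(user, set())
    unseen = sum(1 for bg in bgs if bg not in known)
    return unseen / len(bgs)


def detect(patterns, sessions, threshold=0.5):
    """Report sessions whose novelty exceeds the threshold."""
    alerts = []
    for user, cmds in sessions:
        score = novelty(patterns, user, cmds)
        if score > threshold:
            alerts.append((user, round(score, 2)))
    return alerts


if __name__ == "__main__":
    learnt = mine_patterns(NORMAL_SESSIONS)
    print("learnt patterns for dev:", sorted(learnt["dev"]))
    observed = [
        ("dev", ["cd", "git", "vim", "make", "git"]),            # fully covered
        ("dev", ["cd", "git", "vim", "make", "sudo", "nc"]),      # partly novel, below threshold
        ("dev", ["wget", "chmod", "nc", "crontab"]),              # nothing matches the model
    ]
    for alert in detect(learnt, observed):
        print("alert:", alert)
```

The model is rebuilt from the audit data rather than written by hand, which is the point of the approach; the price is that it only captures what the training trail contained, so a short or unrepresentative training period produces either a permissive model or a flood of alerts.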

C. Signature Analysis This method behaves like basic misuse detection and looks for patterns of data in the audit trails. It is very similar to knowledge-based systems, but the complexity of modelling the semantics of attacks, as in expert systems, is very low. As a result, most commercial IDS products use this technique [7, 8, 9].
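As an added example of signature analysis (not from the paper, and not the signature format of any product it cites), the following Python matches a small constructed signature database against constructed web-server log lines. The signature identifiers, the patterns and the log lines are all assumptions made for the example; the point it makes is the one stated in Section V, that a signature only catches what it was written for, so a trivially encoded variant of a known attack slips past unless the input is normalized first.

```python
"""Signature analysis over an audit trail of web-server requests.

Added example. Signatures, identifiers and log lines are constructed for
illustration; no real product's signature database is reproduced here.
"""
import re
from urllib.parse import unquote

# Constructed signature database: (id, description, compiled pattern)
SIGNATURES = [
    ("SIG-001", "directory traversal", re.compile(r"\.\./")),
    ("SIG-002", "SQL tautology injection", re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE)),
    ("SIG-003", "shell command in query", re.compile(r"[;&|]\s*(cat|id|wget|curl)\b", re.IGNORECASE)),
]

# Constructed access-log lines (not from the paper)
LOG_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200',
    '10.0.0.7 - - "GET /cgi-bin/view?file=../../etc/passwd HTTP/1.1" 200',
    '10.0.0.8 - - "GET /login?user=admin\'%20OR%201=1-- HTTP/1.1" 200',
    '10.0.0.9 - - "GET /cgi-bin/view?file=%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1" 200',
]


def scan(lines, normalize=False):
    """Return (line_index, signature_id) for every line that matches a signature.

    With normalize=True the line is percent-decoded before matching, so that an
    encoded variant of a known pattern is seen in the same form as the signature.
    Only the first matching signature per line is reported.
    """
    hits = []
    for index, line in enumerate(lines):
        text = unquote(line) if normalize else line
        for sig_id, _description, pattern in SIGNATURES:
            if pattern.search(text):
                hits.append((index, sig_id))
                break
    return hits


if __name__ == "__main__":
    print("raw matching:       ", scan(LOG_LINES))
    print("normalized matching:", scan(LOG_LINES, normalize=True))
```

Without normalization only line 1 is caught; lines 2 and 3 carry the same attacks percent-encoded and are missed, which is the "cannot catch new intrusions" weakness in its mildest form. Decoding before matching closes that particular gap, but every other encoding or rewording of the attack still needs its own signature, whereas an anomaly detector would see all four as unusual requests.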

D. Rule Based Systems Systems that employ rule-based techniques have a set of predefined rules and an expert system that looks for signs of intrusion. The rules are developed over time by, for example, monitoring a network connection and its behavior. Rules generated in this way are combined to form the knowledge base of the IDS. During analysis of the audit trail, any activity found to deviate from the normal track is fed to the expert system, which decides how to deal with the intrusion [13]. These methods are used as support systems for an IDS, with additional services offered by the expert system. IDES and NADIR are examples of rule-based systems.

E. Genetic Algorithms This method is based on the concept of natural evolution. Through continuous monitoring it evolves a population of data structures called chromosomes, each encoding a candidate solution to the problem [5]. These are machine-learning techniques and are also called evolutionary algorithms or evolutionary computation [12]. Eventually, rules are generated that judge intrusions and their countermeasures: if the condition of a rule is met, a set of predefined actions is performed. Because a whole population of candidate rules must be evaluated in every generation, the method involves a higher degree of resource utilization.
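The following added Python example (not from the paper or from [5]) shows the mechanics just described: a chromosome encodes one detection rule as three thresholds over connection features, fitness is the rule's accuracy on a labelled set of connection summaries, and selection, crossover and mutation evolve the population until a rule that separates scan-like traffic from normal traffic emerges. The feature set, the gene ranges, the dataset and the GA parameters are assumptions made for the example; the dataset is constructed from fixed random seeds so the run is reproducible.

```python
"""Evolving a detection rule with a genetic algorithm.

Added example. Connection summaries are constructed (seeded) and the rule
encoding  rate >= g0 AND bytes <= g1 AND duration <= g2  is an assumption.
"""
import random

# Gene ranges for (min connections/sec, max average bytes, max average duration in s)
GENE_RANGES = [(0.0, 100.0), (0.0, 5000.0), (0.0, 60.0)]


def make_dataset(seed=1):
    """Constructed records: (conn_per_sec, avg_bytes, avg_duration_s, label), label 1 = scan."""
    rng = random.Random(seed)
    normal = [(rng.uniform(1, 20), rng.uniform(300, 5000), rng.uniform(1, 60), 0)
              for _ in range(40)]
    scans = [(rng.uniform(60, 100), rng.uniform(0, 200), rng.uniform(0, 2), 1)
             for _ in range(20)]
    return normal + scans


def rule_fires(chrom, record):
    """A chromosome is the rule: rate >= g0 AND bytes <= g1 AND duration <= g2."""
    rate, nbytes, duration, _label = record
    min_rate, max_bytes, max_duration = chrom
    return rate >= min_rate and nbytes <= max_bytes and duration <= max_duration


def fitness(chrom, data):
    """Fraction of records the rule classifies correctly."""
    correct = sum(1 for rec in data if rule_fires(chrom, rec) == bool(rec[3]))
    return correct / len(data)


def crossover(a, b, rng):
    """Single-point crossover of two chromosomes."""
    point = rng.randint(1, len(a) - 1)
    return a[:point] + b[point:]


def mutate(chrom, rng, rate=0.2):
    """Re-draw each gene within its range with probability `rate`."""
    return [rng.uniform(lo, hi) if rng.random() < rate else g
            for g, (lo, hi) in zip(chrom, GENE_RANGES)]


def evolve(data, pop_size=30, generations=40, seed=7):
    """Return (best chromosome, its fitness) after `generations` of elitist selection."""
    rng = random.Random(seed)
    pop = [[rng.uniform(lo, hi) for lo, hi in GENE_RANGES] for _ in range(pop_size)]
    for _ in range(generations):
        pop.sort(key=lambda c: fitness(c, data), reverse=True)
        elite = pop[: pop_size // 5]          # fittest fifth survives unchanged
        children = []
        while len(elite) + len(children) < pop_size:
            a, b = rng.sample(elite, 2)
            children.append(mutate(crossover(a, b, rng), rng))
        pop = elite + children
    best = max(pop, key=lambda c: fitness(c, data))
    return best, fitness(best, data)


if __name__ == "__main__":
    data = make_dataset()
    best, acc = evolve(data)
    print("evolved rule: rate >= %.1f and bytes <= %.0f and duration <= %.1f (accuracy %.2f)"
          % (best[0], best[1], best[2], acc))
```

Every generation re-evaluates the whole population against the whole dataset, which is where the resource cost noted above comes from; the evolved rule is only as good as the labelled data it was scored on, so a scan pattern absent from the training set is not learnt.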

F. State Transition Based This method uses finite-state theory as the basis for detecting intrusions. It denotes the various states of the network or host as the states of a finite-state machine, and an intrusion is detected when a sequence of events drives the machine from a safe initial state into a compromised state [2]. The method represents the intermediate steps of a penetration as states that must be passed through for the intrusion to succeed. The graphical representation of intrusions makes it easier to derive the intrusions from the intermediate states that must take place for the successful completion of an intrusion [13]. In addition to the initial and compromised states, transitions are labelled with signature actions: the actions that, if omitted from the sequence, would prevent the intrusion from completing.

G. Expert Based Systems In the early days, the audit data produced by an IDS was forwarded to a human administrator who analyzed long log files looking for suspicious activity. The disadvantage of this method was the time-consuming and exhaustive study of audit trails. Expert systems encode human-like knowledge and reasoning in a knowledge base [2] and are the basis of knowledge-based IDS techniques [6]. In addition to the knowledge base there is a set of rules and heuristics that is applied to it to trap intrusions, if any.

H. Petri Nets These are knowledge-based systems that use mathematical models to represent the states of a system graphically. A knowledge-based Petri net model, IDIOT [9], which uses Colored Petri nets, was developed at Purdue University. The vertices of the graph represent system states and the transitions between them are marked by events. A pattern has three parts: a pre-condition, which identifies the actions that must occur before the pattern matching starts; post-actions, which define what is done after the pattern has matched; and invariants, which are the conditions that must hold throughout the matching process.
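The following added Python example (not from the paper, and not the code of STAT [13] or IDIOT [9]) implements the matching idea shared by subsections F and H: a penetration scenario is a sequence of states, each entered by an event that satisfies its transition predicate; partial matches are carried as tokens bound to the source and account they were started for; an invariant is checked against every event and discards a token when it fails; and the post-action (here, emitting an alert) runs when the final state is reached. The scenario, the event schema and the audit trails are assumptions constructed for the example.

```python
"""State-transition / Petri-net style matching of a multi-step penetration.

Added example. Events are constructed audit records (dicts); the scenario
"three failed logins, successful login, escalation to root, all from one
source against one account" is an assumption made for illustration.
"""


def same_session(event, ctx):
    """Event belongs to the source/account bound when the token was created."""
    return event["src"] == ctx["src"] and event["user"] == ctx["user"]


# Scenario steps: (state name, transition predicate). The first predicate is the
# pre-condition that starts a new partial match; the last leads to the compromised state.
STEPS = [
    ("failed_1", lambda e, ctx: e["type"] == "login_failed"),
    ("failed_2", lambda e, ctx: e["type"] == "login_failed" and same_session(e, ctx)),
    ("failed_3", lambda e, ctx: e["type"] == "login_failed" and same_session(e, ctx)),
    ("logged_in", lambda e, ctx: e["type"] == "login_ok" and same_session(e, ctx)),
    ("root", lambda e, ctx: e["type"] == "setuid" and same_session(e, ctx)
                            and e.get("target") == "root"),
]


def session_invariant(event, ctx):
    """Invariant: the suspected source must not log out before the sequence completes."""
    return not (event["type"] == "logout" and event["src"] == ctx["src"])


class StateTransitionDetector:
    def __init__(self, steps, invariant):
        self.steps = steps
        self.invariant = invariant
        self.tokens = []  # (index of the next step to satisfy, bound context)

    def feed(self, event):
        """Advance all partial matches with one event; return alerts raised by it."""
        alerts = []
        # 1. invariants: drop tokens whose conditions no longer hold
        live = [(i, ctx) for i, ctx in self.tokens if self.invariant(event, ctx)]
        advanced, fired = [], []
        # 2. transitions: tokens whose next step matches move one state forward
        for i, ctx in live:
            _name, pred = self.steps[i]
            if not pred(event, ctx):
                advanced.append((i, ctx))
            elif i + 1 == len(self.steps):
                # post-action: compromised state reached
                alerts.append({"src": ctx["src"], "user": ctx["user"], "at": event["t"]})
                fired.append(ctx)
            else:
                advanced.append((i + 1, ctx))
        # 3. pre-condition: an event that satisfies the first step starts a new token
        _name, first = self.steps[0]
        if first(event, {}):
            advanced.append((1, {"src": event["src"], "user": event["user"]}))
        self.tokens = [(i, ctx) for i, ctx in advanced if ctx not in fired]
        return alerts


def run(detector, trail):
    """Feed a whole audit trail and collect every alert."""
    return [alert for event in trail for alert in detector.feed(event)]


# Constructed trail: the full scenario, interleaved with an unrelated login.
ATTACK_TRAIL = [
    {"t": 1, "type": "login_failed", "src": "203.0.113.9", "user": "svc"},
    {"t": 2, "type": "login_failed", "src": "203.0.113.9", "user": "svc"},
    {"t": 3, "type": "login_ok", "src": "10.0.0.4", "user": "alice"},
    {"t": 4, "type": "login_failed", "src": "203.0.113.9", "user": "svc"},
    {"t": 5, "type": "login_ok", "src": "203.0.113.9", "user": "svc"},
    {"t": 6, "type": "setuid", "src": "203.0.113.9", "user": "svc", "target": "root"},
]

# Constructed trail: same steps, but a logout between login and setuid breaks the invariant.
INTERRUPTED_TRAIL = [
    {"t": 1, "type": "login_failed", "src": "203.0.113.9", "user": "svc"},
    {"t": 2, "type": "login_failed", "src": "203.0.113.9", "user": "svc"},
    {"t": 3, "type": "login_failed", "src": "203.0.113.9", "user": "svc"},
    {"t": 4, "type": "login_ok", "src": "203.0.113.9", "user": "svc"},
    {"t": 5, "type": "logout", "src": "203.0.113.9", "user": "svc"},
    {"t": 6, "type": "setuid", "src": "203.0.113.9", "user": "svc", "target": "root"},
]

if __name__ == "__main__":
    print("attack trail:     ", run(StateTransitionDetector(STEPS, session_invariant), ATTACK_TRAIL))
    print("interrupted trail:", run(StateTransitionDetector(STEPS, session_invariant), INTERRUPTED_TRAIL))
```

The unrelated login at t=3 does not disturb the match because the predicates are bound to the token's own source and account, and the second trail produces no alert only because of the invariant; with a permissive invariant the setuid at t=6 would complete the old partial match. In practice tokens are also expired by age, otherwise partial matches accumulate indefinitely.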

VI. FUTURE DEVELOPMENTS IN IDS TECHNIQUES The success of artificial intelligence has posed the challenge of incorporating this field into intrusion detection systems. Although presently restrained by the novelty of its implementation [14], it is going to be a major contribution to IDS methodology. Four areas describing the application of AI in IDS are discussed in [15]. Neural networks can also be effective in IDS: their capability to process huge amounts of data and derive meaning and patterns from it [15] can be applied to finding attacks. Such a system keeps learning, keeping track of previous penetrations while analyzing data for new ones.


VII. CONCLUSION This survey paper gives a description of some intrusion detection approaches based on two basic techniques. Some approaches work better in one environment but then prove to be weak in other environments. A generic technique needs to be developed that can help us to secure our networks in any environment. This requires a detailed knowledge of already existing techniques and their loopholes so that researchers can propose ideas to overcome the weaknesses and develop a much stronger approach to deal with intrusions.

REFERENCES [1] Debar, Hervé, Marc Dacier, and Andreas Wespi. "Towards a taxonomy of intrusion-detection systems." Computer Networks 31.8 (1999): 805-822.

[2] Sonawane, Sandip, Ganesh Prasad, and Shailendra Pardeshi. "A survey on intrusion detection techniques." World Journal of Science and Technology 2.3 (2012).

[3] Denning, Dorothy E. "An intrusion-detection model." IEEE Transactions on Software Engineering SE-13.2 (1987): 222-232.

[4] Axelsson, Stefan. Intrusion detection systems: A survey and taxonomy. Vol. 99. Technical report, 2000.

[5] Li, Wei. "Using genetic algorithm for network intrusion detection." Proceedings of the United States Department of Energy Cyber Security Group (2004): 1-8.

[6] Lunt, Teresa F., and R. Jagannathan. "A prototype real-time intrusion-detection expert system." Proceedings of the 1988 IEEE Symposium on Security and Privacy. IEEE, 1988.

[7] Haystack Labs, Inc. Stalker, available from the company's website at http://www.haystack.com/stalk.htm, 1997.

[8] Internet Security Systems, Inc. RealSecure, available at http://www.iss.net/prod/rsds.html, 1997.

[9] Kumar, Sandeep, and Eugene H. Spafford. "A pattern matching model for misuse intrusion detection." (1994).

[10] Lee, Wenke, Salvatore J. Stolfo, and Kui W. Mok. "Mining Audit Data to Build Intrusion Detection Models." KDD. 1998.

[11] Lunt, Teresa. "Detecting intruders in computer systems." In Proceedings of the 1993 Conference on Auditing and Computer Technology. 1993.

[12] Helman, Paul, and Gunar Liepins. "Statistical foundations of audit trail analysis for the detection of computer misuse." IEEE Transactions on Software Engineering 19.9 (1993): 886-901.

[13] Ilgun, Koral, Richard A. Kemmerer, and Phillip A. Porras. "State transition analysis: A rule-based intrusion detection approach." IEEE Transactions on Software Engineering 21.3 (1995): 181-199.

[14] Frank, Jeremy. "Artificial intelligence and intrusion detection: Current and future directions." Proceedings of the 17th National Computer Security Conference. Vol. 10. 1994.

[15] Cannady, James, and Jay Harrell. "A comparative analysis of current intrusion detection technologies." Proceedings of the Fourth Technology for Information Security Conference. Vol. 96. 1996.

[16] Beigh, Bilal Maqbool, and M. A. Peer. "Intrusion Detection and Prevention System: Classification and Quick." (2011).

[17] Mir, Suhail Qadir, S. M. K. Mehraj-ud-din Dar, and Bilal Maqbool Beig. "Information availability: components, threats and protection mechanisms." Journal of Global Research in Computer Science 2.3 (2011).

[18] Williamson, Matthew M. "Resilient infrastructure for network security." Complexity 9.2 (2003): 34-40.

[19] Karlzén, Henrik. "An Analysis of Security Information and Event Management Systems: The Use of SIEMs for Log Collection, Management and Analysis." (2009).
