Intrusion Detection Systems, Tools and Techniques – An Overview

An organization's critical data are exposed to a wide range of security attacks and threats, and intrusion is one of them. Intrusions are attempts to bypass the normal security mechanisms of a computer system. Intrusion detection is the process of monitoring and analysing the events occurring in a computer or network in order to identify security breaches, and an Intrusion Detection System (IDS) is one of the most important tools for maintaining network security. This paper provides an overview of Intrusion Detection Systems and introduces the fundamental concepts and methodologies they use. It also discusses the types of IDS, the detection approaches and the types of attack seen on networks, and surveys the literature. Finally, several IDS methods are compared with their merits and demerits.


Introduction
As network technology advances rapidly, the internet has become the common means of communication for most organizations. With this change, organizations face many problems in securing their valuable resources and vital information on the network, and a number of attacks have been reported in many networks. Intrusion is one such attack.
Intrusion is the act of accessing data and using computer resources without the required privileges, causing damage and a security breach [1]. Intrusion detection is the process of monitoring and analysing the events occurring in a computer or network in order to identify security breaches, i.e. the process of detecting events that show intrusive behaviour. An Intrusion Detection System (IDS) analyses network traffic and identifies activity that violates the security policy of the computer or network [2]. It also alerts the system or network operators about the threat it has detected.
An IDS analyses the operation of firewalls, routers and servers, and watches critical files, for signs of intrusion. Although the primary objective of an IDS is to detect intrusions, it is also expected to provide the following services:
• Auditing the system configuration and its vulnerabilities.
• Evaluating the integrity of the network, hardware and files.
• Tracking anomalies.
• Observing and analysing network and system activity.
• Providing a user-friendly interface for security management.

Types of IDS
Intrusion Detection Systems are broadly classified into two categories: host-based IDS (HIDS) and network-based IDS (NIDS).

A host-based IDS protects a single system. Agents monitor the system's activity, such as system integrity, application activity, network traffic, file operations and modifications, and operating system events, and record these actions in a log file [3]. The host-based IDS analyses the log for unauthorized access, changes or activity and, if any is found, alerts the user with a pop-up message, blocks the activity and informs a management server. Whether to alert, block or inform is decided by the security policy imposed on the local system. This type of IDS is installed on each host it protects [3].

A network-based IDS monitors the network and protects it from unauthorized access. Here, too, network activity is recorded in a log, and the IDS analyses it to detect threats and anomalies. A network-based IDS detects attacks such as DoS attacks and root attacks. It is placed at the boundary of the network or on a network segment so that it sees the traffic entering and leaving that part of the network [4], and it examines packets in real time or near real time to detect intrusions. In this classification the network sensor is described as the active component and the host agent as the passive one [4]. A combination of network-based and host-based IDS, called a hybrid intrusion detection system, is now used in many network environments; it provides greater flexibility and more security [4].

Intrusion Detection Approaches
An Intrusion Detection System employs a variety of techniques, singly or in combination, to detect intruders. The techniques include anomaly detection, misuse detection, target monitoring and stealth probes.

Anomaly Detection
This technique records normal behaviour, such as network packet information, running software, system log events, operating system information and kernel information, and raises an alarm whenever current activity deviates from those recorded parameters. Anomaly detection is useful for fraud detection, network-based intrusion detection and other unusual activity on a system [5]. Also referred to as behaviour-based detection, it identifies deviations of the system from its normal behaviour. Because it analyses audit data rather than known attack patterns, it is able to detect new and unknown attacks, but it has a high false-alarm rate: legitimate but unusual system behaviour may be categorized as an anomaly and flagged as an intrusion.
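The following is an added example, not code from the paper or from any system it cites, showing the simplest form of the statistical anomaly detection described above: a baseline of connections per minute is learned per host from an assumed attack-free period, and any later observation more than k standard deviations above the host's mean is flagged. All hosts and counts are constructed; the third observation is a legitimately busy host that is nevertheless flagged, which is the false alarm the text warns about.

```python
"""Statistical anomaly detector over per-minute connection counts.

Added illustration (not the surveyed paper's code). All data is
constructed. A profile (mean, standard deviation) of connections per
minute is learned per host from a period assumed to be attack-free;
later observations far above the mean are reported as anomalies.
"""
from statistics import mean, pstdev

# Constructed training data: connections per minute observed for each
# host during the baseline period.
BASELINE_WINDOW = {
    "10.0.0.5": [12, 15, 11, 14, 13, 12, 16, 14, 13, 15],
    "10.0.0.9": [40, 42, 38, 45, 41, 39, 44, 43, 40, 42],
}


def build_profile(samples, floor=1.0):
    """Return {host: (mean, stdev)}. The stdev is floored so that a
    perfectly constant baseline does not turn every deviation into an
    infinite score."""
    return {h: (mean(v), max(pstdev(v), floor)) for h, v in samples.items()}


def score(profile, host, value):
    """z-score of an observation against the host's profile. A host with
    no profile is itself a deviation from the learned picture of the
    network, so it scores +inf."""
    if host not in profile:
        return float("inf")
    mu, sigma = profile[host]
    return (value - mu) / sigma


def detect(profile, observations, k=3.0):
    """Return (host, value, z) for every observation whose z-score
    exceeds k standard deviations."""
    alerts = []
    for host, value in observations:
        z = score(profile, host, value)
        if z > k:
            alerts.append((host, value, round(z, 1)))
    return alerts


PROFILE = build_profile(BASELINE_WINDOW)

# Constructed observations: a normal reading, a flood-like burst, a host
# that is legitimately busy after a software rollout (false positive),
# and a host that never appeared in the baseline.
OBSERVATIONS = [
    ("10.0.0.5", 14),
    ("10.0.0.5", 900),
    ("10.0.0.9", 70),
    ("10.0.0.77", 5),
]

if __name__ == "__main__":
    for alert in detect(PROFILE, OBSERVATIONS):
        print("ANOMALY", alert)
```

The false positive on 10.0.0.9 cannot be removed by tuning k alone: raising k enough to silence it would also hide smaller real deviations, which is why anomaly detection is usually paired with signature matching rather than used on its own.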

Misuse Detection
This technique stores sequences of patterns, attack signatures and intrusion patterns in a database and matches system events against them; if a match is found, the system generates an alarm. Because the method compares events against signatures, it is also referred to as signature-based detection. The signature database has to be updated with new input data to cover new types of attack [6]. Misuse detection has a high degree of accuracy in detecting known attacks and their variants, but because it depends on signatures it cannot detect unknown intrusions.
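As an added example of signature-based (misuse) detection, not taken from the paper, the block below matches a small constructed signature database against constructed HTTP request lines. The requests are URL-decoded before matching so that the encoded variant of each attack is still caught; the last request uses a technique for which no signature exists and is silently missed, which is the limitation the text describes.

```python
"""Signature-based (misuse) detector over HTTP request lines.

Added illustration (not the surveyed paper's code). The signatures and
the request lines are constructed for the example.
"""
import re
from urllib.parse import unquote

# Constructed signature database: (name, compiled pattern). The patterns
# are applied to the decoded request line.
SIGNATURES = [
    ("SQL injection tautology", re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.I)),
    ("Directory traversal", re.compile(r"(\.\./){2,}")),
    ("Command injection", re.compile(r"[;|`]\s*(cat|ls|id|wget|nc)\b", re.I)),
]

# Constructed request lines as they might appear in an access log.
REQUESTS = [
    "GET /index.html",
    "GET /login?user=admin'%20or%20'1'='1",       # known signature
    "GET /login?user=admin'OR%201=1--",           # variant: spacing and case differ
    "GET /static/..%2f..%2f..%2fetc/passwd",      # encoded traversal
    "GET /ping?host=8.8.8.8;cat%20/etc/passwd",   # command injection
    "GET /api/export?tpl=__import__('os')",       # unknown technique: no signature
]


def normalize(request):
    """Percent-decode twice so single- and double-encoded requests look
    the same to the signatures."""
    return unquote(unquote(request))


def match_signatures(request):
    """Names of all signatures that fire on one request line."""
    decoded = normalize(request)
    return [name for name, pattern in SIGNATURES if pattern.search(decoded)]


def scan(requests):
    """(index, signature name) for every request that matches a
    signature. Requests matching nothing produce no alert at all, so an
    attack with no signature is invisible to this detector."""
    return [(i, name) for i, r in enumerate(requests) for name in match_signatures(r)]


if __name__ == "__main__":
    for index, name in scan(REQUESTS):
        print(f"ALERT line {index}: {name}: {REQUESTS[index]}")
```

Decoding before matching is what lets one signature cover the encoded variants; without it, each encoding would need its own entry, and the database would still lag behind whatever encoding the attacker tries next.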

Target Monitoring
This technique watches for modifications to specific files rather than looking for anomalous behaviour. It records a cryptographic hash (checksum) of each file of interest and recomputes it at intervals; a mismatch between the stored and the recomputed checksum means the file has been modified, and an alarm is sent to the system or network. The hash only shows that a file has changed; restoring a file after an intruder has modified it requires a trusted copy, and it is in that sense that the technique supports a corrective control [7]. The technique is easy to implement because the administrator does not need to monitor traffic constantly, and the checksum computation can be scheduled at different intervals.
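The following added example (not the paper's code) implements the target-monitoring idea with SHA-256: a baseline of digests is taken for the files of interest, and a later verification pass reports files whose digest no longer matches and files that have disappeared. The two files, their contents and the simulated tampering are constructed inside a temporary directory so the block runs stand-alone.

```python
"""File-integrity (target monitoring) check with SHA-256.

Added illustration (not the surveyed paper's code). A baseline of
digests is taken for monitored files; verification recomputes them and
reports modified and missing files. The digest only detects change;
restoring a file needs a trusted copy, which this example does not do.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(paths):
    """{path: digest} for each monitored file at baseline time."""
    return {p: sha256_of(p) for p in paths}


def verify(baseline):
    """Compare current digests with the baseline. Unchanged files are
    not reported; modified and missing ones are."""
    report = {"modified": [], "missing": []}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report["missing"].append(path)
        elif sha256_of(path) != expected:
            report["modified"].append(path)
    return report


def demo():
    """Constructed scenario: baseline two files, then append a UID-0
    account to one and delete the other. Returns the report with file
    names only (the temporary directory is discarded afterwards)."""
    with tempfile.TemporaryDirectory() as tmp:
        passwd = os.path.join(tmp, "passwd")
        hosts = os.path.join(tmp, "hosts")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(hosts, "w") as f:
            f.write("127.0.0.1 localhost\n")
        baseline = take_baseline([passwd, hosts])

        # Simulated intrusion.
        with open(passwd, "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        os.remove(hosts)

        report = verify(baseline)
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

The baseline itself is the obvious target: an intruder who can rewrite the monitored files can usually rewrite a baseline stored on the same host, so in practice it is kept off-box or signed, and a second check that the baseline is intact runs before any comparison.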

Stealth Probes
This technique detects intruders who remain in the network for a long period. Attackers generally probe for system vulnerabilities and open ports over a long period, then wait for another long period before attacking [8]. Stealth probe detection looks for such methodical attacks by collecting a wide variety of data about the entire system. It requires a large number of samples, collected from different machines and networks, to discover attacks, and for this it combines anomaly detection with misuse detection.
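An added example (not the paper's code) of why stealth probes need a long observation window: the constructed connection records contain a busy but legitimate client and a scanner that touches one new port every ten minutes. A detector counting distinct destination ports in ten-minute windows sees nothing, while the same count over a 24-hour window exposes the scanner.

```python
"""Slow port-scan detection by distinct-port counting over long windows.

Added illustration (not the surveyed paper's code). The connection
records (time in seconds, source, destination, destination port) are
constructed.
"""
from collections import defaultdict

HOUR = 3600

RECORDS = []
# Legitimate client: many connections, but only ever to ports 80 and 443.
for i in range(200):
    RECORDS.append((i * 300, "10.0.0.5", "10.0.1.10", 443 if i % 2 else 80))
# Slow scanner: one new port every 10 minutes for 20 hours (120 probes).
for i in range(120):
    RECORDS.append((i * 600, "198.51.100.7", "10.0.1.10", 1 + i))


def distinct_ports_per_source(records, start, window):
    """{source: number of distinct destination ports} for records with
    start <= time < start + window."""
    seen = defaultdict(set)
    for t, src, _dst, dport in records:
        if start <= t < start + window:
            seen[src].add(dport)
    return {s: len(p) for s, p in seen.items()}


def scanners(records, window, threshold):
    """Sources that contact at least `threshold` distinct ports inside
    any window of length `window` seconds, stepping through the data in
    consecutive windows."""
    end = max(t for t, *_ in records)
    flagged = set()
    start = 0
    while start <= end:
        for src, n in distinct_ports_per_source(records, start, window).items():
            if n >= threshold:
                flagged.add(src)
        start += window
    return sorted(flagged)


if __name__ == "__main__":
    print("10-minute windows:", scanners(RECORDS, 600, 10))
    print("24-hour window:  ", scanners(RECORDS, 24 * HOUR, 10))
```

The cost of the long window is the state that has to be kept: one set of ports per source for a day, across every sensor, which is the "large number of samples" the text refers to, and why this data is usually aggregated centrally rather than on each sensor.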

Types of Attacks
Although the common objective of an attacker is to intrude into a system or network and gain access, intrusions are classified by the way they are performed. Intruders can be within the network (inside attackers) or outside it (outside attackers); both generally use the internet as the means of intrusion. Several types of attack are described below.

Denial of Service (DoS) Attack
The main objective of a DoS attack is to keep resources such as computing capacity, memory or bandwidth so busy that legitimate users' requests are denied [9]. A DoS attack artificially overloads a server or network, making it unavailable to users. There are two types of DoS attack: flooding and flaw exploitation. Flooding exhausts resources with external communication requests; for example, sending ICMP echo (ping) requests to the network many times overwhelms it, and sending SYN requests to a server to begin the TCP handshake without ever sending the final ACK leaves half-open connections that occupy the server's connection table. A flaw-exploitation attack causes the system or network to crash: the attacker sends an input message that takes advantage of a bug in the target machine and crashes or destabilizes the system so that it cannot be accessed [9]. A variant of DoS is the Distributed Denial of Service (DDoS) attack, in which many compromised systems flood the target simultaneously.
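The SYN-flood mechanism above can be detected by counting handshakes that never complete. The block below is an added example (not the paper's code) over constructed TCP flag records: each client SYN opens a pending entry and the client's final ACK closes it. Counting per source catches a flooder that uses its real address; the second data set shows a flood with spoofed sources, which only a per-destination count exposes.

```python
"""Half-open (SYN flood) detection from TCP flag records.

Added illustration (not the surveyed paper's code). Packets are
constructed as (source, destination, flags) with flags "S" for SYN,
"SA" for SYN-ACK and "A" for the client's final ACK; ports are omitted.
"""

# Legitimate client: five complete three-way handshakes.
LEGIT = []
for _ in range(5):
    LEGIT += [("10.0.0.5", "10.0.1.10", "S"),
              ("10.0.1.10", "10.0.0.5", "SA"),
              ("10.0.0.5", "10.0.1.10", "A")]

# Flooder using its own address: 500 SYNs, never sends the final ACK.
FLOOD = [pkt for _ in range(500)
         for pkt in (("203.0.113.9", "10.0.1.10", "S"),
                     ("10.0.1.10", "203.0.113.9", "SA"))]

# Flood with spoofed sources: 200 SYNs, each from a different fake address.
SPOOFED = [pkt for i in range(200)
           for pkt in ((f"192.0.2.{i}", "10.0.1.10", "S"),
                       ("10.0.1.10", f"192.0.2.{i}", "SA"))]


def half_open(packets):
    """Return (per_source, per_destination) counts of handshakes that
    have seen a SYN but not the client's final ACK."""
    per_src, per_dst = {}, {}
    for src, dst, flags in packets:
        if flags == "S":
            per_src[src] = per_src.get(src, 0) + 1
            per_dst[dst] = per_dst.get(dst, 0) + 1
        elif flags == "A" and per_src.get(src, 0) > 0:
            per_src[src] -= 1
            per_dst[dst] = max(per_dst.get(dst, 0) - 1, 0)
    return per_src, per_dst


def flooders_by_source(packets, threshold=100):
    """Sources holding at least `threshold` half-open connections."""
    per_src, _ = half_open(packets)
    return sorted(s for s, n in per_src.items() if n >= threshold)


def flooded_destinations(packets, threshold=100):
    """Destinations with at least `threshold` half-open connections in
    total, regardless of how many sources they come from."""
    _, per_dst = half_open(packets)
    return sorted(d for d, n in per_dst.items() if n >= threshold)


if __name__ == "__main__":
    print("by source:     ", flooders_by_source(LEGIT + FLOOD))
    print("spoofed, src:  ", flooders_by_source(SPOOFED))
    print("spoofed, dst:  ", flooded_destinations(SPOOFED))
```

Because spoofed floods defeat per-source counting, a real sensor tracks the per-destination total as well, and the mitigation (SYN cookies, shortened half-open timeouts) is applied at the server rather than by blocking source addresses that may belong to nobody.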

User to Root (U2R) Attack
The attacker obtains a username and password maliciously and gains access to the system as a normal user. After gaining access, the attacker exploits a vulnerability to obtain root access and thereby becomes the administrator [10]. Several types of U2R attack exist; buffer overflow is the most common. A buffer overflow occurs when a program copies more data into a fixed-size buffer than the buffer can hold, overwriting adjacent memory.

Scan Attack
Ports are little doors through which traffic enters and

Eavesdropping Attack
Here the attacker monitors other people's communications without authorization, for example by listening to telephone calls or reading email, messages and other internet traffic [12]. An eavesdropping attack is hard to detect because it does not affect the normal operation of the network, and for that reason it is one of the biggest problems administrators face in an enterprise. Strong encryption protects data in transit from an eavesdropper.

Man-in-the-Middle Attack
Here the attacker maliciously intercepts a conversation between two parties and impersonates each of them to the other, thereby gaining access to vital information. The two parties believe they are communicating directly even though the attacker sits in the middle [13]. The man-in-the-middle attack is a serious threat to online security because it gives the attacker the ability to capture and modify sensitive information in real-time transactions, and the attacker can also exploit weaknesses in the network security configuration. It takes forms such as session hijacking, sidejacking, evil twin access points and sniffing [13].

Literature Survey
Oludele Awodele et al. [14] proposed a multi-layered approach to the design of an intelligent intrusion detection and prevention system. The proposed method consists of three layers: the file analyzer layer, the system resources layer and the connection layer. The file analyzer layer monitors important files and folders for any type of intrusion; the administrator selects the files and folders of interest and supplies them to the file analyzer, which monitors only those. The system resources layer periodically scans the system log files for new entries and compares their values against threshold values set by the administrator, thereby safeguarding system resources from intrusion. The connection layer handles physical and logical connections between two entities and monitors connections to the local machine and network for intrusion. All three layers are capable of detecting both anomalies and misuse. The multi-layered approach detects and prevents intrusions and blocks activities such as tampering with important files, unauthorized connections and unauthorized permissions.
Yu Lasheng and Mutimukwe Chantal [15] presented an Agent Based Distributed Intrusion Detection System (ABDIDS), in which autonomous, cooperating agents are assigned the task of detecting intrusions. Three types of agent are used: monitor registry agents, monitoring agents and managing agents. Monitor registry agents initialize and identify the monitoring agents and report the current status of each. Monitoring agents collect security-related data about their nodes and transmit it to the managing agents, which process the data and detect intrusions.
Jaisankar and Kannan [16] presented a hybrid intelligent Intrusion Detection System that uses three types of agent: a feature selection agent, a validation agent and a decision-making agent. The feature selection agent selects the features required by the IDS using rough sets; the validation agent validates the selected features and passes them to the hybrid model; and the decision-making agents distinguish normal from abnormal behaviour. The final decision is taken by a decision manager, which identifies the intruders. Three classifiers, EC4.5, SVM and a hybrid model, are used, and together they provide a better detection rate.
M. Laureno et al. [17] presented host-based intrusion detection through virtual machines. Virtual machines are preferable to physical systems because of cost and portability. The method monitors the guest's actions through an IDS that runs outside the virtual machine; the Virtual Machine Monitor supplies the data to the IDS. Because the detection system lies outside the guest, it cannot be reached by intruders. The method also tracks the activities of isolated processes, and a response module restricts the execution of an isolated process without disturbing genuine users. The system needs further work to improve the performance of the IDS and the response mechanism, and the lack of a proper interface to the kernel for allowing, killing or suspending a process is another drawback.

Garth Crosby et al. [18] presented location-aware, trust-based detection and isolation of compromised nodes in wireless sensor networks. The method first builds reputation and trust so that each device in the network can determine whether other devices have been compromised. If a device is found to be compromised, corrective action is initiated through negative information sharing and independent trust-based decision making. The paper also provides a simple location verification algorithm that uses received signal strength. The compromised-node detection rate is good with 15 or fewer nodes, but decreases as the number of nodes increases.
Khan et al. [19] proposed an Intrusion Detection System using Support Vector Machines and hierarchical clustering. The method gives more importance to anomaly detection than to misuse detection. The Support Vector Machine (SVM), one of the most accurate classifiers, is used, and its training time is reduced by clustering the data: for large data sets the Dynamically Growing Self-Organizing Tree (DGSOT) algorithm is used, since it offers several advantages over traditional clustering algorithms. The method is highly accurate, with low false positive and false negative rates.
Yihua Liao and V. Rao Vemuri [20] presented an Intrusion Detection System based on a k-nearest neighbour classifier that analyses system calls. A separate database of short system-call sequences is built for each program, and the frequency of occurrence of each system call is used to describe the program's behaviour. Each system-call profile is treated as a tuple in the database; for an unknown tuple, the k-nearest neighbour search finds the stored patterns closest to it, and the tuple is classified by a majority vote of its neighbours. Combined with statistical schemes, this detects intrusions. These tasks require substantial computation and storage; efficiency can be improved by implementing the algorithm on parallel hardware.
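As an added illustration of the approach just described, and not the authors' code, the block below reduces each system-call trace to a vector of relative call frequencies and classifies an unknown trace by majority vote of its k nearest labelled traces. The traces and labels are constructed, and Euclidean distance on frequency vectors is the choice made here for the example; the paper's own distance measure and data are not reproduced.

```python
"""k-nearest-neighbour classification of system-call traces.

Added illustration of frequency-vector kNN (not the surveyed paper's
code). Traces and labels are constructed; the distance measure is
Euclidean distance on relative call frequencies, a choice made for
this example.
"""
from collections import Counter
from math import sqrt

# Constructed labelled traces: (label, list of system calls).
TRAINING = [
    ("normal", "open read read write close open read close".split()),
    ("normal", "open read write write close stat open read close".split()),
    ("normal", "stat open read read read close".split()),
    ("normal", "open read mmap close write".split()),
    ("attack", "execve setuid setgid chmod execve".split()),
    ("attack", "open read execve setuid chmod unlink".split()),
    ("attack", "execve setuid execve socket connect".split()),
]


def vectorize(trace, vocab):
    """Relative frequency of each call in `vocab` within the trace."""
    counts = Counter(trace)
    n = len(trace)
    return [counts[call] / n for call in vocab]


def distance(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def nearest(trace, training, k=3):
    """Labels of the k training traces closest to `trace`."""
    vocab = sorted({c for _, t in training for c in t} | set(trace))
    v = vectorize(trace, vocab)
    ranked = sorted(training, key=lambda lt: distance(v, vectorize(lt[1], vocab)))
    return [label for label, _ in ranked[:k]]


def classify(trace, training, k=3):
    """Majority vote over the k nearest neighbours. Every stored trace
    is compared at classification time, which is the computational cost
    the text mentions."""
    votes = Counter(nearest(trace, training, k))
    return votes.most_common(1)[0][0]


if __name__ == "__main__":
    for trace in ("open read read write close", "execve setuid chmod execve"):
        print(trace, "->", classify(trace.split(), TRAINING))
```

Using call frequencies rather than exact sequences is what makes a short unseen trace comparable with the stored profiles, but it also discards ordering, so an attack that uses only the same calls as normal operation, in a different order, is not distinguishable by this representation alone.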
Dewan M. Farid et al. [21] presented adaptive intrusion detection that combines a Naïve Bayesian classifier with a decision tree. The problem with traditional learning algorithms in IDS is a poor false positive rate; the combination of the Naïve Bayesian classifier and decision-tree learning gives a better balance between detection and false positive rates. The method also detects various types of attack and removes duplicate attributes from the training set. Tested on the KDD99 data set, it detected intrusions with 99% accuracy and minimized false positives.

R. Shanmugavadivu and N. Nagarajan [22] presented an Intrusion Detection System using fuzzy logic. Most IDSs rely on broad knowledge of many attacks so that the machine can handle any environment; this paper reduces that dependency by using fuzzy logic to identify abnormal activity in a network. Accuracy is achieved because the rule base contains a set of better and up-to-date rules. The rule base is constructed by mining single-length frequent items from attack data and normal data; the resulting fuzzy rules are then selected and supplied to the fuzzy system for classifying test data.
Emma Ireland et al. [23] presented intrusion detection using a combination of a genetic algorithm and fuzzy logic. The method first generates rules randomly, and the quality of the rules is improved by a fuzzy genetic algorithm during the training phase. Each feature of a record is matched against a block of rules, and the parameters of each block are used to compute the degree of certainty of an attack by applying a trapezoidal fuzzy membership function. The sum of the certainties of all blocks is compared with a threshold fixed by the administrator to categorize an event as an attack or as normal behaviour. The fuzzy genetic algorithm detects unknown attacks better than traditional genetic algorithms, and the method is highly effective in detecting denial of service attacks.

Conclusion
Intrusion has undoubtedly become a dangerous threat to organizations' efforts to safeguard their vital information and resources. Various intrusion detection schemes have been surveyed in this paper. All of the methods discussed attempt to detect intrusion in one way or another, but attackers keep discovering new techniques and ways to break security policies. The literature shows that, apart from their advantages, many IDS techniques carry high time, memory and cost requirements. For example, the network intrusion detection system using fuzzy logic [22] detects intrusions with high accuracy using a rule base, but designing and fine-tuning the fuzzy model is tedious. A few methods also have higher false alarm rates. Hence an Intrusion Detection System must have high accuracy and low false positive and false negative rates, with low computation, time and cost overheads.