A hybrid intrusion detection system design for computer network security
Introduction
Nowadays, with the spread of the Internet and of online procedures that require a secure channel, providing network security has become an unavoidable requirement. There are various threat sources, including software bugs, which grow more numerous as operating systems and applications become more functional and larger in size. Intruders who have no right to access data can steal valuable and private information belonging to network users.
Firewalls are hardware or software systems placed between two or more computer networks to stop attacks by isolating these networks according to the rules and policies defined for them.
Clearly, firewalls alone are not enough to secure a network completely, because attacks committed from outside the network are stopped whereas inside attacks are not. This is where intrusion detection systems (IDSs) take over. IDSs are used to stop attacks, to recover from them with minimum loss, or to analyze the security problems so that they are not repeated [1].
IDSs collect information from a computer or a computer network in order to detect attacks and misuses of the system. Many IDSs only analyze attacks, and some of them try to stop the attack at the time of the intrusion. Three types of data are used by IDSs: network traffic data, system-level test data and system status files [2], [3].
In the “2003 CSI/FBI Computer Crime and Security Survey” it is stated that IDS usage was 42% in 1999 and had risen to 73% in 2003. This large increase shows that IDSs are a very important security technology. This paper is organized as follows: intrusion detection systems are described in Section 2; IDS types are explained in Section 3, where Snort is the chosen misuse-based IDS and PHAD and NETAD are the chosen anomaly-based IDSs. Section 4 gives a brief description of the hybrid IDS we propose in this paper. The newly obtained hybrid IDS is evaluated in Section 5, and Section 6 concludes.
Section snippets
Intrusion detection systems
Intrusion detection systems are hardware and software systems that monitor events occurring on computers and computer networks in order to analyze security problems. The number and severity of attacks have been increasing continuously; consequently, IDSs have become an integral part of the security infrastructure of organizations.
Intrusions into computer networks are called “attacks”, and these attacks threaten the security of networks by violating privacy, integrity and accessibility
IDS types
There are two approaches to analyzing events with IDSs: misuse-based and anomaly-based. Misuse-based IDSs aim to identify events that violate system policy. Anomaly-based IDSs analyze abnormal activities and flag them as attacks. Each approach has advantages and disadvantages relative to the other [1], [2], [5].
Snort is the most commonly used signature-based intrusion detection system. Snort is a network intrusion detection system that runs
Combining PHAD and NETAD to signature-based IDS Snort
Snort’s preprocessor architecture has been used to combine PHAD and NETAD with Snort. Preprocessors are engines that can raise alerts on, ignore or edit packets before they reach Snort’s main detection engine. PHAD was built into Snort as a preprocessor by implementing the following steps:
- The preprocessor’s source code file “spp_phad.cpp” was copied to the directory where “snort.c” lies.
- The header file “spp_phad.h” defining PHAD was inserted into “plugbase.h”, which is used for
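To make the hybrid arrangement concrete, here is an added toy example (not the paper’s or Snort’s code) in which an anomaly-scoring stage runs before signature matching, as a Snort preprocessor does. The header fields, the single rule and the n/r novelty score are all constructed assumptions; PHAD’s actual scoring and Snort’s preprocessor API are not reproduced.

```python
# Added example (not the paper's code): toy hybrid detector in the spirit of Section 4.
# Snort's preprocessor API and PHAD's exact scoring are not reproduced; the n/r
# novelty score is an assumed, simplified PHAD-style model.
SIGNATURES = [{"name": "constructed-telnet-rule", "proto": "tcp", "dport": 23}]  # constructed rule, not Snort syntax

class HeaderAnomalyModel:
    """Per-field novelty model: a value never seen in training scores n / r
    (n = training packets, r = distinct values seen for that field), so fields
    that were stable in training yield the highest scores; scores are summed."""
    def __init__(self):
        self.seen = {}  # header field -> set of values observed in training
        self.n = 0      # number of training packets

    def train(self, pkt):
        self.n += 1
        for field, value in pkt.items():
            self.seen.setdefault(field, set()).add(value)

    def score(self, pkt):
        total, novel = 0.0, []
        for field, value in pkt.items():
            values = self.seen.get(field, set())
            if value not in values:
                total += self.n / max(len(values), 1)
                novel.append(field)
        return total, novel

def hybrid_detect(pkt, model, threshold):
    """Anomaly preprocessor runs first and may alert; the packet then goes on
    to signature matching, as with a Snort preprocessor. Returns all alerts."""
    alerts = []
    score, novel = model.score(pkt)
    if score >= threshold:
        alerts.append(("anomaly", novel))
    for sig in SIGNATURES:
        if pkt["proto"] == sig["proto"] and pkt["dport"] == sig["dport"]:
            alerts.append(("signature", sig["name"]))
    return alerts

def run_demo(threshold=5.0):
    # Train on six constructed benign headers, then classify three constructed packets.
    model = HeaderAnomalyModel()
    for pkt in ([{"proto": "tcp", "dport": 80, "ttl": 64}] * 3
                + [{"proto": "tcp", "dport": 443, "ttl": 64}] * 2
                + [{"proto": "udp", "dport": 53, "ttl": 128}]):
        model.train(pkt)
    probes = {"telnet": {"proto": "tcp", "dport": 23, "ttl": 64},  # matches the rule
              "icmp": {"proto": "icmp", "dport": 0, "ttl": 1},      # no rule; novel fields
              "web": {"proto": "tcp", "dport": 80, "ttl": 64}}      # benign, no alert
    return {name: hybrid_detect(pkt, model, threshold) for name, pkt in probes.items()}
```

The “icmp” probe matches no rule yet is still reported, which is the gain the paper attributes to adding an anomaly detector in front of a signature engine; the threshold trades that coverage against false alarms.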
Evaluation of the hybrid IDS
Scientific advances rely on the reproducibility of results so that they can be independently validated and compared. Much of the evaluation in intrusion detection has been based on proprietary data, and the results are generally not reproducible. One of the main obstacles to releasing data is privacy concerns. To reduce this problem, Lincoln Laboratory (LL), under the sponsorship of DARPA, created the IDEVAL datasets, which serve as an evaluation benchmark [28].
The goal of the 1998 DARPA intrusion
Conclusion
Signature-based systems can only detect attacks that are already known, whereas anomaly-based systems are able to detect unknown attacks. Anomaly-based IDSs make it possible to detect attacks whose signatures are not included in the rule files. In this study, PHAD and NETAD are added one by one to the signature-based IDS Snort as preprocessors. The IDEVAL testbed, created at MIT Lincoln Laboratory, is used to evaluate the performance of the newly constructed hybrid IDS.
Firstly, Snort is tested on
Acknowledgement
This work is supported by the Research Fund of Istanbul University, Turkey. Project Number: 407/13092005.
References (33)
- Intrusion detection (2000).
- Scarfone K, Mell P. Guide to intrusion detection and prevention systems (IDPS). NIST Special Publication 800-94; ...
- Bace R. An introduction to intrusion detection and assessment for system and network security management. ICSA ...
- Bace R, Mell P. Intrusion detection systems. NIST Special Publication on Intrusion Detection Systems; 2001, SP ...
- Dayioğlu B. Use of passive network mapping to enhance network intrusion detection. Thesis (Master), The Graduate School ...
- Roesch M. Snort – lightweight intrusion detection for networks. In Proceedings of the 13th LISA conference of USENIX ...
- An intrusion-detection model. IEEE Trans Software Eng (1997).
- Javitz HS, Valdes A. The SRI IDES statistical anomaly detector. In Proceedings IEEE symposium on security and privacy, ...
- Neumann PG, Porras PA. Experience with EMERALD to date. In First USENIX workshop on intrusion detection and network ...
- Lankewicz L, Benard M. Real time anomaly detection using a nonparametric pattern recognition approach. In proceedings ...
- Modern intrusion detection, data mining, and degrees of attack guilt, in applications of data mining in computer security.
Cited by (223)
- HDA-IDS: A Hybrid DoS Attacks Intrusion Detection System for IoT by using semi-supervised CL-GAN. 2024, Expert Systems with Applications
- An implementation of bi-phase network intrusion detection system by using real-time traffic analysis. 2023, Expert Systems with Applications
- Advanced digital forensics and anti-digital forensics for IoT systems: Techniques, limitations and recommendations. 2022, Internet of Things (Netherlands)
- Host-based IDS: A review and open issues of an anomaly detection system in IoT. 2022, Future Generation Computer Systems
- Deep learning-based risk management of financial market in smart grid. 2022, Computers and Electrical Engineering
  Citation excerpt: “Due to only being trained on certain kinds of attacks, these techniques cannot diagnose unknown or unfamiliar attacks [7–9]. Additionally, existing IDSs have been customized for certain systems/protocols and are not sufficiently generalized [10]. There is also inadequate consideration given to the asymmetric properties of SGCS datasets, leading to low diagnostic rates or significant false-positives in actual situations [11].”