A hybrid intrusion detection system design for computer network security

doi:10.1016/j.compeleceng.2008.12.005

Computers & Electrical Engineering

Volume 35, Issue 3, May 2009, Pages 517-526

https://doi.org/10.1016/j.compeleceng.2008.12.005 Get rights and content

Abstract

Intrusions detection systems (IDSs) are systems that try to detect attacks as they occur or after the attacks took place. IDSs collect network traffic information from some point on the network or computer system and then use this information to secure the network. Intrusion detection systems can be misuse-detection or anomaly detection based. Misuse-detection based IDSs can only detect known attacks whereas anomaly detection based IDSs can also detect new attacks by using heuristic methods. In this paper we propose a hybrid IDS by combining the two approaches in one system. The hybrid IDS is obtained by combining packet header anomaly detection (PHAD) and network traffic anomaly detection (NETAD) which are anomaly-based IDSs with the misuse-based IDS Snort which is an open-source project.

The hybrid IDS obtained is evaluated using the MIT Lincoln Laboratories network traffic data (IDEVAL) as a testbed. Evaluation compares the number of attacks detected by misuse-based IDS on its own, with the hybrid IDS obtained combining anomaly-based and misuse-based IDSs and shows that the hybrid IDS is a more powerful system.

Introduction

Nowadays with the spreading of the Internet and online procedures requesting a secure channel, it has become an inevitable requirement to provide the network security. There are various threat sources including software bugs mostly as the operating systems and software used becomes more functional and larger in size. Intruders who do not have rights to access these data can steal valuable and private information belonging to network users.

Firewalls are hardware or software systems placed in between two or more computer networks to stop the committed attacks, by isolating these networks using the rules and policies determined for them.

It is very clear that firewalls are not enough to secure a network completely because the attacks committed from outside of the network are stopped whereas inside attacks are not. This is the situation where intrusions detection systems (IDSs) are in charge. IDSs are used in order to stop attacks, recover from them with the minimum loss or analyze the security problems so that they are not repeated [1].

IDSs collect information from a computer or a computer network in order to detect attacks and misuses of the system. Many IDSs only analyze the attacks and some of them try stopping the attack at the time of the intrusion. Three types of data are used by IDSs. These are network traffic data, system level test data and system status files [2], [3].

In “2003CSI/FBI Computer Crime and Security Survey” it has been stated that the IDS usage in 1999 had been 42% and this ratio has become 73% in year 2003. This great improvement shows that IDSs are very important as security technologies. This paper is organized as follows: intrusion detection systems are described in Section 2, IDS types are explained in Section 3: Snort is the chosen system as misuse-based IDS; PHAD and NETAD are chosen as anomaly-based IDSs. Section 4 gives a brief description of the hybrid IDS we propose in this paper. The newly obtained hybrid IDS is evaluated in Section 5 and finally Section 6 includes conclusion.

Section snippets

Intrusion detection systems

Intrusion detection systems are hardware and software systems that monitor events occurred on computers and computer networks in order to analyze security problems. The number and severity of these attacks has been increasing continuously. Consequently IDSs have become an integral part of the security infrastructure of organizations.

Intrusions to computer networks are called as “attacks” and these attacks threaten the security of networks by violating privacy, integrity and accessibility

IDS types

There are two approaches to analyzing of events using IDSs. These are misuse-based and anomaly-based approaches. Misuse-based IDSs aim to distinguish events that violate system policy. Anomaly-based IDSs try analyzing abnormal activities and flag these activities as attacks. Both approaches have advantages and disadvantages when compared to each other [1], [2], [5].

Snort is the most commonly used signature-based intrusion detection system. Snort is a network intrusion detection system that runs

Combining PHAD and NETAD to signature-based IDS Snort

Snort’s preprocessor architecture has been used to combine PHAD and NETAD with Snort. Preprocessors are engines which have the ability to give alerts, ignore or edit packages before they reach at the Snort’s main detection engine. PHAD was built into Snort as a preprocessor implementing the following steps:

•
Preprocessor’s source code file “spp_phad.cpp” was copied to the directory where “snort.c” lies in.
•
The header file “spp_phad.h” defining PHAD was inserted into “plugbase.h” which is used for

Evaluation of the hybrid IDS

Scientific advances rely on reproducibility of results so that they can be independently validated and compared. Much of the evaluation in intrusion detection has been based on proprietary data and results are generally not reproducible. One of the main problems of releasing data stems from privacy concerns. To reduce this problem, Lincoln Laboratory (LL), under sponsorship of DARPA, created the IDEVAL datasets that serves as an evaluation benchmark [28].

The goal of the 1998 DARPA intrusion

Conclusion

Signature-based systems can only detect attacks that are known before whereas anomaly-based systems are able to detect unknown attacks. Anomaly-based IDSs make it possible to detect attacks whose signatures are not included in rule files. PHAD and NETAD are added one by one to signature-based IDS namely Snort as a preprocessor in this study. IDEVAL testbed which was created in MIT Lincoln Laboratories is used to evaluate the performance of new constructed hybrid IDS.

Firstly, Snort is tested on

Acknowledgement

This work is supported by the Research Fund of Istanbul University, Turkey. Project Number: 407/13092005.

References (33)

R. Bace
Intrusion detection
(2000)
Scarfone K, Mell P. Guide to intrusion detection and prevention systems (IDPS). NIST Special Publication 800-94;...
Bace R. An introduction to intrusion detection and assessment for system and network security management. ICSA...
Bace R, Mell P. Intrusion detection systems. NIST Special Publication on Intrusion Detection Systems; 2001, SP...
Dayioğlu B. Use of passive network mapping to enhance network intrusion detection. Thesis (Master), The Graduate School...
Roesch M. Snort – lightweight intrusion detection for networks. In Proceedings of the 13th LISA conference of USENIX...
D.E. Denning
An intrusion-detection model
IEEE Trans Software Eng
(1997)
Javitz HS, Valdes A. The SRI IDES statistical anomaly detector. In Proceedings IEEE symposium on security and privacy,...
Neumann PG, Porras PA. Experience with EMERALD to date. In First USENIX workshop on intrusion detection and network...
Lankewicz L, Benard M. Real time anomaly detection using a nonparametric pattern recognition approach. In proceedings...

S. Noel et al.

Modern intrusion detection, data mining, and degrees of attack guilt, in applications of data mining in computer security

(2002)

Lee W, Stolfo S. Data mining approaches for intrusion detection. In Proceedings of the seventh USENIX security...

Debar H, Becker M, Siboni, D. A neural network component for an intrusion detection systems. In Proceedings of the 1992...

Ludovic M. GASSATA: a genetic algorithm as an alternative tool for security audit trails analysis. In First...

Kim J, Bentley P. The artificial immune model for network intrusion detection. In Seventh European congress on...

Warrender C, Forrest S, Pearlmutter B. Detecting intrusions using systems call: alternative data models. In Proceedings...

Cited by (223)

HDA-IDS: A Hybrid DoS Attacks Intrusion Detection System for IoT by using semi-supervised CL-GAN
2024, Expert Systems with Applications
In recent years, the application of the internet of things (IoT) in areas such as intelligent transportation, smart cities, and the industrial internet has become increasingly widespread. As a crucial supporting infrastructure, IoT devices are utilized in various fields to construct IoT networks. However, due to the inherent limitations of IoT devices, such as limited computing resources and low memory capacity, security concerns have become increasingly prominent. Among these concerns are Denial-of-Service (DoS) and botnet attacks, which are difficult to prevent due to their large-scale and covert nature. To address these challenges, this paper proposes a Hybrid DoS Attack Intrusion Detection System (HDA-IDS) that combines signature-based detection with anomaly-based detection to effectively identify both known and unknown DoS/botnet attacks. Additionally, this paper introduces a novel anomaly-based detection model called CL-GAN. It integrates CNN-LSTM with GAN to establish a baseline for normal behavior and detect malicious traffic. In contrast to other semi-supervised models, the CL-GAN exhibits superior accuracy, as well as shorter training and testing times, in detecting DoS and botnet attacks. In addition, experimental results demonstrate that the HDA-IDS outperforms other IDSs in detecting DoS and botnet attacks. When tested on datasets such as NSL-KDD, CICIDS2018, and Bot-IoT, the HDA-IDS achieved an average of 5% overall improvement superior performance in terms of accuracy, precision, recall, and F1-Score compared to other works. These results highlight the effectiveness of the proposed system in addressing security issues in IoT networks, and presents a general framework that addresses the challenge of large-scale attacks constructed through the dissemination of false information.
An implementation of bi-phase network intrusion detection system by using real-time traffic analysis
2023, Expert Systems with Applications
Secure communications for sensitive information over the internet is a very crucial issue. Various malicious information is integrated with the real-time traffic that not only reduces the credibility of the transmission quality but also degrades the system performance. A network intrusion detection system is a tool that minutely inspects all the incoming and outgoing packets passing through a network and identifies malicious events. Although a moderate number of research work has been carried out for the development of network intrusion detection systems, few of them have concentrated on identifying attacks in real-time. Also, there is scope to enhance the performance of the system. Real-time attack identification not only needs a significant number of optimal features but also requires a set of high-performance predictive models. To address the aforementioned challenges, this paper proposes a bi-phase network intrusion detection system by judiciously inspecting the performance of various machine learning and ensemble learning frameworks. The real-time model has been constructed with the help of the CICIDS2017 dataset, which contains many modern-day attacks. A proposed Threshold-Correlation algorithm combined with Particle Swarm Optimization and Genetic algorithms has been used for relevant feature selection, and based on the selected features; the bi-phase model has been developed. The experimental results reveal that the chosen model achieves 99.82% and 99.41% detection accuracy in phase-1 and phase-2 respectively. Finally, the proposed framework has been evaluated using a custom-built real-time test-bed model. In this implementation, instantaneous network traffic (malicious and normal) has been generated by a separate system connected through a network, and on the detector side, the same has been captured and classified by the proposed model. Exhaustive performance evaluation in a real-time environment confirms both the effectiveness and superiority of the present work.
Advanced digital forensics and anti-digital forensics for IoT systems: Techniques, limitations and recommendations
2022, Internet of Things (Netherlands)
Recently, the number of cyber attacks against IoT domains has increased tremendously. This resulted into both human and financial losses at all IoT levels especially individual and organization levels. Recently, cyber-criminals have kept on leveraging new skills and capabilities by conducting anti-forensics activities and employing techniques and tools to cover their tracks to evade any possible detection of the attack’s events, which has targeted either the IoT system or/and its component(s). Consequently, IoT cyber-attacks are becoming more efficient and more sophisticated with higher risks and threat levels based on their more frequent likelihood to occur and their impact. However, traditional security and forensics solutions are no longer enough to prevent nor investigate such cyber attacks, especially in terms of acquiring evidence for attack investigation. Hence, the need for well-defined, sophisticated, and advanced forensics investigation techniques is highly required to prevent anti-forensics techniques and track down cyber criminals. This paper reviews the different forensics and anti-forensics methods that can be applied in the IoT domain including tools, techniques, types, and challenges, while also discussing the rise of the anti-anti-forensics as a new forensics protection mechanism against anti-forensics activities. This would help forensics investigators to better understand the different anti-forensics tools, methods and techniques that cyber criminals employ while launching their attacks. Moreover, the limitations of the current forensics techniques are discussed, especially in terms of issues and challenges. Finally, this paper presents a holistic view from a literature point of view over the forensics domain in general and for IoT in particular.
Host-based IDS: A review and open issues of an anomaly detection system in IoT
2022, Future Generation Computer Systems
The Internet of Things (IoT) envisions a smart environment powered by connectivity and heterogeneity where ensuring reliable services and communications across multiple industries, from financial fields to healthcare and fault detection systems, is a top priority. In such fields, data is being collected and broadcast at high speed on a continuous and real-time scale, including IoT in the streaming processing paradigm. Intrusion Detection Systems (IDS) rely on manually defined security policies and signatures that fail to design a real-time solution or prevent zero-day attacks. Therefore, anomaly detection appears as a prominent solution capable of recognizing patterns, learning from experience, and detecting abnormal behavior. However, most approaches do not fit the urged requirements, often evaluated on deprecated datasets not representative of the working environment. As a result, our contributions address an overview of cybersecurity threats in IoT, important recommendations for a real-time IDS, and a real-time dataset setting to evaluate a security system covering multiple cyber threats. The dataset used to evaluate current host-based IDS approaches is publicly available and can be used as a benchmark by the community.
MGA-IDS: Optimal feature subset selection for anomaly detection framework on in-vehicle networks-CAN bus based on genetic algorithm and intrusion detection approach
2022, Computers and Security
Controller area network (CAN) bus which provides efficient, reliable and robust communication between electronic control units (ECUs) is the most frequently used protocol for in-vehicle networks. However, the lack of security mechanisms in the CAN protocol makes it vulnerable to inside and outside cyber-attacks. Therefore, an intrusion detection system (IDS), which is a widely used method to detect malicious activities, is preferred to improve the security of the CAN buses. In spite of the fact that various supervised and unsupervised machine learning algorithms are employed to increase the performance of IDSs, obtaining high classification performance is still a challenge for them. First, a lot of irrelevant and redundant features in the datasets result in long computational times with low detection performances. Second, different classification performances are acquired based on classifiers and a combination of the features. Third, many of the models suffer from unknown and different types of attacks. For these reasons, a new intrusion detection framework is proposed in this paper based on feature selection and classifier. Initially, we propose a meta-heuristic algorithm called modified genetic algorithm (MGA) m-feature selection for dimension reduction by selecting optimal feature subset based on k-fold cross validation. Then, we utilize five different linear and nonlinear classifiers: support vector classifier (SVC), logistic regression classifier (LRC), decision tree classifier (DTC), k-nearest neighbors classifier (KNC), and linear discriminant analysis classifier (LDAC) as candidate classifiers to develop an efficient IDS. Finally, we select the best classifier from the candidates and build an IDS. The experimental results reveal that the proposed MGA-DTC presents a better performance in terms of several metrics based on not only the HCRL-car hacking dataset but also UNSW-NB15, and CIC-IDS2017 datasets.
Deep learning-based risk management of financial market in smart grid
2022, Computers and Electrical Engineering
Citation Excerpt :
Due to only being trained on certain kinds of attacks, these techniques cannot diagnose unknown or unfamiliar attacks [7–9]. Additionally, existing IDSs have been customized for certain systems/protocols and are not sufficiently generalized [10]. There is also inadequate consideration given to the asymmetric properties of SGCS datasets, leading to low diagnostic rates or significant false-positive in actual situations [11].
Smart grid control systems (SGCSs) become more vulnerable to cyber-attacks because of the combination of the Internet of Things and communication systems. Conventional intrusion detection systems (IDSs) that have been essentially improved in order to secure information technology systems. Since SGCS datasets are asymmetric, the majority of IDSs suffer from poor precision and significant false-positive rates. A deep learning (DL) layout for constructing novel symmetric presentations of the asymmetric datasets is proposed in the present study. It is incorporated into a model created particularly for detecting attacks using DL in a SGCS environment. Deep Neural Networks and Decision Tree classifiers are utilized in the suggested attack detection model. By performing 10-fold cross-validation using 2 actual SGCS datasets, this suggested model has been assessed for its efficiency. According to the outcomes, the suggested approach is more effective than traditional schemes such as Random Forest, Support Vector Machine.

View all citing articles on Scopus

View full text