Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Intrusion detection system
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
== Intrusion detection category == IDS can be classified by where detection takes place (network or [[Host (network)|host]]) or the detection method that is employed (signature or anomaly-based).<ref>{{Cite book|url=https://books.google.com/books?id=TnE85sckwMAC&q=IDS+network+host+signature&pg=PA64|title=Computer and Information Security Handbook|last=Vacca|first=John R.|date=2009-05-04|publisher=Morgan Kaufmann|isbn=9780080921945|language=en}}</ref> === Analyzed activity === ====Network intrusion detection systems==== Network intrusion detection systems (NIDS) are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network.<ref>{{Cite book|last=Gurley.|first=Bace, Rebecca|url=http://worldcat.org/oclc/70689163|title=Intrusion detection systems|date=2001|publisher=[U.S. Dept. of Commerce, Technology Administration, National Institute of Standards and Technology]|oclc=70689163}}</ref> It performs an analysis of passing traffic on the entire [[Subnetwork|subnet]], and matches the traffic that is passed on the subnets to the library of known attacks. Once an attack is identified, or abnormal behavior is sensed, the alert can be sent to the administrator. NIDS function to safeguard every device and the entire network from unauthorized access.<ref>{{Cite journal |last=Ahmad |first=Zeeshan |last2=Shahid Khan |first2=Adnan |last3=Wai Shiang |first3=Cheah |last4=Abdullah |first4=Johari |last5=Ahmad |first5=Farhan |date=2020-10-16 |title=Network intrusion detection system: A systematic study of machine learning and deep learning approaches |url=http://dx.doi.org/10.1002/ett.4150 |journal=Transactions on Emerging Telecommunications Technologies |volume=32 |issue=1 |doi=10.1002/ett.4150 |issn=2161-3915}}</ref> An example of an NIDS would be installing it on the subnet where firewalls are located in order to see if someone is trying to break into the firewall. Ideally one would scan all inbound and outbound traffic, however doing so might create a bottleneck that would impair the overall speed of the network. [[OPNET]] and NetSim are commonly used tools for simulating network intrusion detection systems. NID Systems are also capable of comparing signatures for similar packets to link and drop harmful detected packets which have a signature matching the records in the NIDS. When we classify the design of the NIDS according to the system interactivity property, there are two types: on-line and off-line NIDS, often referred to as inline and tap mode, respectively. On-line NIDS deals with the network in real time. It analyses the [[Ethernet frame|Ethernet packets]] and applies some rules, to decide if it is an attack or not. Off-line NIDS deals with stored data and passes it through some processes to decide if it is an attack or not. NIDS can be also combined with other technologies to increase detection and prediction rates. [[Artificial neural network|Artificial Neural Network]] (ANN) based IDS are capable of analyzing huge volumes of data due to the hidden layers and non-linear modeling, however this process requires time due its complex structure.<ref>{{Cite journal |last=Ahmad |first=Zeeshan |last2=Shahid Khan |first2=Adnan |last3=Wai Shiang |first3=Cheah |last4=Abdullah |first4=Johari |last5=Ahmad |first5=Farhan |date=2021 |title=Network intrusion detection system: A systematic study of machine learning and deep learning approaches |url=https://onlinelibrary.wiley.com/doi/10.1002/ett.4150 |journal=Transactions on Emerging Telecommunications Technologies |language=en |volume=32 |issue=1 |doi=10.1002/ett.4150 |issn=2161-3915}}</ref> This allows IDS to more efficiently recognize intrusion patterns.<ref>{{Cite book|last1=Garzia|first1=Fabio|last2=Lombardi|first2=Mara|last3=Ramalingam|first3=Soodamani|title=2017 International Carnahan Conference on Security Technology (ICCST) |chapter=An integrated internet of everything β Genetic algorithms controller β Artificial neural networks framework for security/Safety systems management and support |date=2017|pages=1β6 |language=en-US|publisher=IEEE|doi=10.1109/ccst.2017.8167863|isbn=9781538615850|s2cid=19805812}}</ref> Neural networks assist IDS in predicting attacks by learning from mistakes; ANN based IDS help develop an early warning system, based on two layers. The first layer accepts single values, while the second layer takes the first's layers output as input; the cycle repeats and allows the system to automatically recognize new unforeseen patterns in the network.<ref>{{Cite book|last1=Vilela|first1=Douglas W. F. L.|last2=Lotufo|first2=Anna Diva P.|last3=Santos|first3=Carlos R.|title=2018 International Joint Conference on Neural Networks (IJCNN) |chapter=Fuzzy ARTMAP Neural Network IDS Evaluation applied for real IEEE 802.11w data base |date=2018|pages=1β7 |language=en-US|publisher=IEEE|doi=10.1109/ijcnn.2018.8489217|isbn=9781509060146|s2cid=52987664}}</ref> This system can average 99.9% detection and classification rate, based on research results of 24 network attacks, divided in four categories: DOS, Probe, Remote-to-Local, and user-to-root.<ref>{{Cite book|last1=Dias|first1=L. P.|last2=Cerqueira|first2=J. J. F.|last3=Assis|first3=K. D. R.|last4=Almeida|first4=R. C.|title=2017 9th Computer Science and Electronic Engineering (CEEC) |chapter=Using artificial neural network in intrusion detection systems to computer networks |date=2017|pages=145β150 |language=en-US|publisher=IEEE|doi=10.1109/ceec.2017.8101615|isbn=9781538630075|s2cid=24107983}}</ref> ====Host intrusion detection systems==== {{Main|Host-based intrusion detection system}} Host intrusion detection systems (HIDS) run on individual hosts or devices on the network. A HIDS monitors the inbound and outbound packets from the device only and will alert the user or administrator if suspicious activity is detected. It takes a snapshot of existing system files and matches it to the previous snapshot. If the critical system files were modified or deleted, an alert is sent to the administrator to investigate. An example of HIDS usage can be seen on mission critical machines, which are not expected to change their configurations.<ref>{{Cite book|url=https://books.google.com/books?id=6BgEAAAAMBAJ&q=host+IDS+%22mission+critical%22&pg=PT30|title=Network World|date=2003-09-15|publisher=IDG Network World Inc|language=en}}</ref><ref>{{Cite book|url=https://books.google.com/books?id=3iiLDQAAQBAJ&q=hids+%22mission+critical%22&pg=PT118|title=Network and Data Security for Non-Engineers|last1=Groom|first1=Frank M.|last2=Groom|first2=Kevin|last3=Jones|first3=Stephan S.|date=2016-08-19|publisher=CRC Press|isbn=9781315350219|language=en}}</ref> === Detection method === ====Signature-based==== Signature-based IDS is the detection of attacks by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware.<ref>{{cite web |url=http://www.iup.edu/WorkArea/DownloadAsset.aspx?id=81109 |website=www.iup.edu |format=[[Microsoft PowerPoint|PPT]] |author=Brandon Lokesak |date=December 4, 2008 |title=A Comparison Between Signature Based and Anomaly Based Intrusion Detection Systems}}</ref> This terminology originates from [[anti-virus software]], which refers to these detected patterns as signatures. Although signature-based IDS can easily detect known attacks, it is difficult to detect new attacks, for which no pattern is available.<ref>{{Cite book|url=https://books.google.com/books?id=dHys9OXMFMIC&q=signature+IDS+disadvantage&pg=PA86|title=Network Security: Current Status and Future Directions|last1=Douligeris|first1=Christos|last2=Serpanos|first2=Dimitrios N.|date=2007-02-09|publisher=John Wiley & Sons|isbn=9780470099735|language=en}}</ref> {{expand section|date=March 2019}} In signature-based IDS, the signatures are released by a vendor for all its products. On-time updating of the IDS with the signature is a key aspect. ====Anomaly-based==== [[Anomaly-based intrusion detection system]]s were primarily introduced to detect unknown attacks, in part due to the rapid development of malware. The basic approach is to use machine learning to create a model of trustworthy activity, and then compare new behavior against this model. Since these models can be trained according to the applications and hardware configurations, machine learning based method has a better generalized property in comparison to traditional signature-based IDS. Although this approach enables the detection of previously unknown attacks, it may suffer from [[false positives]]: previously unknown legitimate activity may also be classified as malicious. Most of the existing IDSs suffer from the time-consuming during detection process that degrades the performance of IDSs. Efficient [[feature selection]] algorithm makes the classification process used in detection more reliable.<ref>{{cite journal|last=Rowayda|first=A. Sadek|author2=M Sami, Soliman|author3=Hagar, S Elsayed|title=Effective anomaly intrusion detection system based on neural network with indicator variable and rough set reduction|journal= International Journal of Computer Science Issues |date=November 2013|volume=10|issue=6}}</ref> New types of what could be called anomaly-based intrusion detection systems are being viewed by [[Gartner]] as User and Entity Behavior Analytics (UEBA)<ref>{{Cite web|url=https://www.gartner.com/doc/3134524?ref=SiteSearch&sthkw=avivah%20litan&fnl=search&srcId=1-3478922254|title=Gartner report: Market Guide for User and Entity Behavior Analytics|date=September 2015}}</ref> (an evolution of the [[user behavior analytics]] category) and network [[traffic analysis]] (NTA).<ref>{{Cite web|url=https://www.gartner.com/doc/3367417?ref=SiteSearch&sthkw=hype%20cycle%20for%20infrastructure&fnl=search&srcId=1-3478922254|title=Gartner: Hype Cycle for Infrastructure Protection, 2016}}</ref> In particular, NTA deals with malicious insiders as well as targeted external attacks that have compromised a user machine or account. Gartner has noted that some organizations have opted for NTA over more traditional IDS.<ref>{{Cite web|url=https://www.gartner.com/doc/3449317?ref=SiteSearch&sthkw=intrusion%20detection&fnl=search&srcId=1-3478922254|title=Gartner: Defining Intrusion Detection and Prevention Systems|access-date=2016-09-20}}</ref>
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)