A Comprehensive Review on Intrusion

Detection Systems
SREENATH.M
PPG Institute of Technology, Coimbatore, 641035, India
[email protected]
Abstract Internet and computer networks are presented to a
regularly expanding number of security dangers that can harm
computer networks and correspondence channels. Firewalls are
utilized to guard networks yet at the same time they are insufficient to
give full security to the networks. At that point, the worry with
Intrusion Identification Systems has been developing for network
security over the previous years. Because of the expanding of
networks speed and the amount of network traffic, it is vital that
Detection Systems need to be lightweight to adapt to it. This paper
focuses on the review of intrusion detection systems.

Availability implies that a system or a system resource

that guarantees that it is available and usable upon
interest by an approved client.
Intrusion Detection is the methodology of observing the
occasions happening in a computer network or system and
dissecting them for indications of interruptions, in the same
way as unapproved doorway, movement, or record alteration
[2, 3].
II. INTRUSION DETECTION SYSTEMS

KeywordsAbuse detection, Anomaly detection, Intrusion

detection system, Information security.

I. INTRODUCTION
As the network technology is expanding quickly, the security
of that innovation is turning into a requirement for survival, for
an organization. A large portion of the organization are relying
upon the web to correspond with the individuals and
frameworks to give them news, web shopping, email,
MasterCard subtle elements and individual data. Because of
the quick development in the engineering and boundless
utilization of the Internet, a considerable measure of issues
have been confronted to secure the organization's
discriminating data inside or over the systems in light of the
fact that there are many individuals endeavoring to attack on
systems to extract information. An enormous number of
assaults have been seen in the last few years. Intrusion
Detection System assumes a monstrous part against those
assaults by securing the system's discriminating data [1]. As
firewalls and antiviruses are insufficient to give full assurance
to the system, organizations need to execute the Intrusion
Detection System to ensure their critical data against different
sorts of attacks.
Intrusions are activities that endeavor to sidestep security
systems of computer systems. So they are any activities that
debilitate the trustworthiness, accessibility, or secrecy of a
system asset. These properties have the following
clarifications:
Confidentiality implies that data is not made
accessible or unveiled to unapproved people,
substances or procedures;
Integrity implies that information has not been
adjusted or obliterated in an unapproved way;

Intrusion Detection System is software that mechanizes the

interruption detection process and distinguishes conceivable
interruptions. Interruption Detection Systems serve three vital
security capacities: they screen, discover, and react to
unapproved activity by organization insiders and outsider
intrusion. An Intrusion Detection System is made out of a few
segments:
Sensors which produce security events;
Console to screen events and produce cautions .They
control the sensors;
Central Engine that records events logged by the
sensors in a database and utilizes set of rules to
generate cautions from security events received [4].
Intrusion Detection Systems are partitioned into the following
categories: host-based (HIDS), network-based (NIDS), and
Hybrid Intrusion Detection [5]. A HIDS demands small
programs (agents) to be installed on individual systems to be
supervised. The programs monitor the operating system and
write down results to log files and/or trigger alarms. A NIDS
customarily consists of a network application with a Network
Interface Card (NIC) working in unchaste mode and a discrete
management of the interface. Intrusion Detection Systems are
placed on a boundary or network segment and observe all
traffic on that segment. The prevailing tendency in intrusion
detection is to mix both network based and host based
information to develop hybrid systems that have more
efficiency.
Host Based Intrusion Detection System (HIDS):
Host-based Intrusion Detection System places
monitoring agents on network resource nodes to
monitor the audit logs which are generated by the
application program or Network Operating System.
Audit logs accommodate records for activities and
events taking place at every Network resources. HIDS
can detect attacks that cannot be seen by NIDS such as

CiiT International Journal of Networking and Communication Engineering, Vol 6, No 9 (2014)

misuse by trusted insider and Intrusion. The

site-specific security policy which determines
Signature rule base is utilized by HIDS. HIDS
overcomes the problems associated with the N IDS by
alarming the security personnel who can identify the
source provided by site specific security policy. HIDS
can also validate if any attack was foiled, either
because of the immediate response to alarm or any
other reason. HIDS can also maintain user log off and
log in user action and all activities that evolve audit
records [6].
Network Based Intrusion Detection System (NIDS): A
NIDS is used to analyse and monitor the network
traffic to screen a system from the network based
threats where the data is traffic through the network. A
NIDS tries to find out malicious activities such as port
scans, Ping sweeps, denial-of-service (Dos) attacks,
and Packet sniffers attacks. NIDS includes one or
more than servers for management functions, a
number of sensors to oversee packet traffic, and one or
more management relieves for the human interface.
NIDS explores the traffic packet by packet in near real
time or real time, to detect intrusion patterns. The
analysis of traffic to detect intrusions is done by the
agents on the management servers. These network
based procedures are regarded as the active
component.
Hybrid Intrusion Detection: The network and
host-based Intrusion Detection System solutions have
their own unique benefits and strengths over one
another and that is why the next generation Intrusion
Detection System evolves to embrace a tightly fused
network and host components. Hybrid intrusion
detection system increases the security level and
promises better flexibility. It reports attacks that are
aimed at entire network or particular segments and
combines Intrusion Detection System agent locations.
Each technique has a unique methodology for checking and
securing information and every classification has qualities and
shortcomings that ought to be measured against the
prerequisites for each different target environment. The two
sorts of Intrusion Detection Systems vary fundamentally from
one another, however supplement each other well. But in the
case of a proper Intrusion Detection System implementation, it
would be better to completely integrate the network intrusion
detection system, such that it would channel alarms and
warnings in an indistinguishable way to the host-based part of
the system, controlled from the same central area. In doing so,
this gives a helpful means of overseeing and responding to
attack utilizing both sorts of intrusion detection.
There are some prevalent steps that Intrusion Detection
System pursue and are listed below, shown in figure 1:
Initially Intrusion Detection System captures data
which is generally in the form of IP packets.
Subsequently, decode that grabbed data and transform
it into a unique format. For this purpose extraction
technique can be used.

Now analyze and classify (whether it is valid or not)

that data in a way such that it is specific to the
individual Intrusion Detection System.
Further, create alerts if an unauthorized activity is
detected.

Fig: 1 intrusion detection system activities [7]

III. IDEAL INTRUSION DETECTION SYSTEM
Regardless of the mechanism used an ideal intrusion
detection system [8] should have the following features:
It must be difficult to fool.
The internal working of Intrusion Detection System
should be examinable from outside. That is it should
not be a black box.
It must be easily deployed in the system. The defence
mechanism in the system should adapt easily to the
usage patterns.
It must be able to run in the background of the system
that is being observed. The system must run
continually without human arbitration.
It must be fault tolerant in a sense that it must outlive a
system failure and knowledge-base should not be
rebuilt at restart.
It must observe deviations from normal behaviour.
It must force minimal overhead on the system.
It must deal with changing system conduct over time as
new applications are being added. The system profile
will also change over the time.

IV. INTRUSION DETECTION APPROACHES

The desirable elements of an Intrusion Detection System can
be achieved through variety of approaches. There are two
popular approaches to intrusion detection, Abuse detection and
Anomaly detection [9, 10].

CiiT International Journal of Networking and Communication Engineering, Vol 6, No 9 (2014)

 Abuse detection: tries to discover deviant behaviour by

analysing the given traffic. Intrusion Detection System
utilizes several rules based on comparison and
Analysis with the Rules that the system can notice any
attacks, such as matching signature pattern [11]. The
alarms are generated based on particular attack
signature and hence they are also termed as a signature
based detection. This kind of attack signatures enclose
particular activity or traffic that is based on known
intrusive activity. The advantage of abuse detection is
the talent to create accurate result and generate fewer
false alarms. The disadvantage of abuse detection
approach is that they will discover only known attacks
[12, 13].
Anomaly detection: In this approach, the system is
developed in such a way that it discovers unusual
patterns of behavior. Here, the system fixes a line of
the usual patterns of conduct. The behavior of the user
which differs broadly from that fixed line is notified as
a possible intrusion. Anomaly detection is a prominent
tool for network based intrusion, fraud detection, and
other unusual events that have great importance but
they are hard to find. The significance of anomaly
detection is due to the fact that inconsistency in data
can be translated into important actionable
information in a vast variety of application domains.
Since it is associated with variations from user
behavior, it can also be termed as behaviour based
detection [14, 15]. The advantage of the anomaly
detection approach is the capability to detect unknown
attacks based on audit data. The prime drawback of
the anomaly detection approach is that prominent
attacks may not be detected.

V. PARAMETERS OF INTRUSION DETECTION SYSTEM

The various factors listed beneath are used to estimate the
performance of the system [16, 5].
Accuracy: Intrusion Detection System must not identify
a valid action in a system environment as a misuse or
an anomaly.
Performance: This is the capability of the system to
process the events. The high performance of Intrusion
Detection System leads to real-time intrusion
detection.
Completeness: The ability of the system to discover all
attacks. Incompleteness arises when the system fails to
detect an attack. This is very hard to compute because
it is not feasible to have information about all the
possible attacks.
Fault tolerance. Intrusion Detection System must be
resistant to attacks and should be able to handle the
consequences.
Timeliness: The internal processing speed of Intrusion
Detection System must be achieved with high speed so
that countermeasures against an attack must be
fulfilled before the attack would do any damage to

Intrusion Detection System or system resource.

VI. CONCLUSION
Since the study of intrusion detection started to gain
momentum in the security community roughly a decade ago, a
number of divergent ideas have emerged for confronting this
problem. Intrusion Detection System vary in the sources they
used to attain data and the specific methods they make used to
analyse this data. Most systems today classify data either by
anomaly detection or abuse detection: each approach has its
own merits and have their own limitations too. It cannot be
expected that an id can correctly classifying every event that
occurs on a given system. In a rapidly evolving modern system
with complex components it will not be easy to attain the goal
of perfect security with perfect detection. An Intrusion
Detection System can, however, try to raise the bar for
attackers by reducing the efficacy of large classes of attacks and
increasing the work factor required to achieve a system
compromise. Speedy and plaint detection techniques are
necessary to identify the boundless variety of agile and
extraordinary attacks. The joint operation with other Intrusion
Detection System and also with other network security
components is a requisite for achieving a holistic network
security position for organizations of the future. Therefore, this
paper includes brief description about Intrusion Detection
System, its architecture, types of alerts provided by it, its
performance parameters.
REFERENCES
[1]

William, Stallings, and William Stallings. Cryptography and Network

Security, 4/E. Pearson Education India, 2006.
[2] Northcutt, Stephen, and Judy Novak. Network intrusion detection. Sams
Publishing, 2002.
[3] Bace, Rebecca, and Peter Mell. NIST special publication on intrusion
detection systems. BOOZ-ALLEN AND HAMILTON INC MCLEAN
VA, 2001.
[4] Puketza, Nicholas, Mandy Chung, Ronald A. Olsson, and Biswanath
Mukherjee. "A software platform for testing intrusion detection systems."
Software, IEEE 14, no. 5, 1997.
[5] Debar, Herv, Marc Dacier, and Andreas Wespi. "Towards taxonomy of
intrusion-detection systems." Computer Networks 31, no. 8, 1999.
[6] Asmaa Shaker Ashoor and Prof. Sharad Gore, Importance of Intrusion
Detection System (IDS),International journal of scientific and
Engineering Research, ISSN 2229-5518, Volume 2, Issue
1,January-2011.
[7] Kazienko, Przemyslaw, and Piotr Dorosz. "Intrusion Detection Systems
(IDS) Part I-(network intrusions; attack symptoms; IDS tasks; and IDS
architecture)." Retrieved April 20,2003 .
[8] http://www.cerias.purdue.edu/about/history/coast_resources/idcontent/de
tection.html
[9] J Anderson, An Introduction to Neural Networks MIT, Cambridge, 1995.
[10] B Rhodes, J Mahaffey, J Cannady, Multiple self-organizing maps for
intrusion detection, Paper presented at the Proceedings of the 23rd
National Information Systems Security Conference, Baltimore, 1619,
2000.
[11] Byun, Hyeran, and Seong-Whan Lee. "Applications of support vector
machines for pattern recognition: A survey." In Pattern recognition with
support vector machines, pp. 213-236. Springer Berlin Heidelberg, 2002.
[12] R. Jagannathan, Teresa Lunt, Debra Anderson, Chris Dodd, Fred Gilham,
Caveh Jalali, Hal Javitz,Peter Neumann, Ann Tamaru, and Alfonso
Valdes. System design document..Next-generation intrusion detection
expert
system
(NIDES).
Technical
Report
A007/A008/A009/A011/A012/A014,
SRI
International,
333
Ravenswood Avenue, Menlo Park, CA 94025, March 1993.

CiiT International Journal of Networking and Communication Engineering, Vol 6, No 9 (2014)

[13] Sandeep Kumar and Eugene Spa_ord. A pattern matching model for
misuse intrusion detection. In Proceedings of the 17th National
Computer Security Conference, pages 11{21, October 1994.
[14] Huang, Guang-Bin, Dian Hui Wang, and Yuan Lan. "Extreme learning
machines: a survey." International Journal of Machine Learning and
Cybernetics 2, no. 2 ,2011.
[15] Paul Spirakis, Sokratis Katsikas, Dimitris Gritzalis, Francois Allegre,
John Darzentas, Claude Gigante, Dimitris Karagiannis, P. Kess, Heiki
Putkonen, and Thomas Spyrou. SECURENET: A network-oriented
intelligent intrusion prevention and detection syste. Network Security
Journal, 1(1), November 1994.
[16] P. Porras and A. Valdes, Live Traffic Analysis of TCP/IP Gateways,
Proceedings of the 1998 ISOC Symposium on Network and Distributed
System Security (NDSS98), San Diego, CA, March 1998.

Authors Profile
Sreenath.M had completed his B.Tech Computer
Science and Engineering from College of
Engineering Munnar. Currently he is pursuing his
M.E in Computer Science and Engineering from
PPG Institute of Technology, Coimbatore. His
research interest includes information security,
internet of things, and data mining

CiiT International Journal of Networking and Communication Engineering, Vol 6, No 9 (2014)