Intrusion Detection Systems
The purpose of an intrusion detection system (IDS) is to protect the confidentiality, integrity, and availability of a system. Intrusion detection systems (IDS) are designed to detect specific issues, and are categorized as signature-based (SIDS) or anomaly-based (AIDS). IDS can be software or hardware. How do SIDS and AIDS detect malicious activity? What is the difference between the two? What are the four IDS evasion techniques discussed, and how do they evade an IDS?
Introduction
The evolution of malicious software (malware) poses a critical challenge to the design of intrusion detection systems (IDS). Malicious attacks have become more sophisticated and the foremost challenge is to identify unknown and obfuscated malware, as
the malware authors use different evasion techniques for information concealing to prevent detection by an IDS. In addition, there has been an increase in security threats such as zero-day attacks designed to target internet users. Therefore, computer
security has become essential as the use of information technology has become part of our daily lives. As a result, various countries such as Australia and the US have been significantly impacted by the zero-day attacks. According to the 2017 Symantec
Internet Security Threat Report, more than three billion zero-day attacks were reported in 2016, and the volume and intensity of the zero-day attacks were substantially greater than previously (Symantec, 2017). As highlighted in the Data Breach
Statistics in 2017, approximately nine billion data records were lost or stolen by hackers since 2013 (Breach_LeveL_Index, 2017). A Symantec report found that the number of security breach incidents is on the rise. In the past, cybercriminals
primarily focused on bank customers, robbing bank accounts, or stealing credit cards (Symantec, 2017). However, the new generation of malware has become more ambitious and is targeting the banks themselves, sometimes trying to take millions of
dollars in one attack (Symantec, 2017). For that reason, the detection of zero-day attacks has become the highest priority.
High profile incidents of cybercrime have demonstrated the ease with which cyber threats can spread internationally, as a simple compromise can disrupt a business' essential services or facilities. There are a large number of cybercriminals around the world motivated to steal information, illegitimately receive revenues, and find new targets. Malware is intentionally created to compromise computer systems and take advantage of any weakness in intrusion detection systems. In 2017, the Australian Cyber Security Centre (ACSC) critically examined the different levels of sophistication employed by the attackers (Australian, 2017). So there is a need to develop an efficient IDS to detect novel, sophisticated malware. The aim of an IDS is to identify different kinds of malware as early as possible, which cannot be achieved by a traditional firewall. With the increasing volume of computer malware, the development of improved IDSs has become extremely important.
In the last few decades, machine learning has been used to improve intrusion detection, and currently, there is a need for an up-to-date, thorough taxonomy and survey of this recent work. There are a large number of related studies using either the KDD-Cup 99 or DARPA 1999 dataset to validate the development of IDSs; however, there is no clear answer to the question of which data mining techniques are more effective. Secondly, the time taken for building IDS is not considered in the evaluation of some IDSs techniques, despite being a critical factor for the effectiveness of ‘on-line' IDSs.
This paper provides an up to date taxonomy, together with a review of the significant research works on IDSs up to the present time; and a classification of the proposed systems according to the taxonomy. It provides a structured and comprehensive overview of the existing IDSs so that a researcher can become quickly familiar with the key aspects of anomaly detection. This paper also provides a survey of data-mining techniques applied to design intrusion detection systems. The signature-based and anomaly-based methods (i.e., SIDS and AIDS) are described, along with several techniques used in each method. The complexity of different AIDS methods and their evaluation techniques are discussed, followed by a set of suggestions identifying the best methods, depending on the nature of the intrusion. Challenges for the current IDSs are also discussed. Compared to previous survey publications (Patel et al., 2013; Liao et al., 2013a), this paper presents a discussion on IDS dataset problems which are of main concern to the research community in the area of network intrusion detection systems (NIDS). Prior studies such as (Sadotra & Sharma, 2016; Buczak & Guven, 2016) have not completely reviewed IDSs in terms of the datasets, challenges, and techniques. In this paper, we provide a structured and contemporary, wide-ranging study on intrusion detection systems in terms of techniques and datasets; and also highlight challenges of the techniques, and then make recommendations.
During the last few years, a number of surveys on intrusion detection have been published. Table 1 shows the IDS techniques and datasets covered by this survey and previous survey papers. The survey on intrusion detection systems and taxonomy by Axelsson (Axelsson, 2000) classified intrusion detection systems based on the detection methods. The highly cited survey by Debar et al. (Debar et al., 2000) surveyed detection methods based on the behaviour and knowledge profiles of the attacks. A taxonomy of intrusion systems by Liao et al. (Liao et al., 2013a), has presented a classification of five subclasses with an in-depth perspective on their characteristics: Statistics-based, Pattern-based, Rule-based, State-based, and Heuristic-based. On the other hand, our work focuses on the signature detection principle, anomaly detection, taxonomy, and datasets.
Table 1 Comparison of this survey and similar surveys:
(✔: Topic is covered, ✖ the topic is not covered)
|
Survey |
# of citation (as of 6/1/2019) |
Intrusion Detection System Techniques |
Dataset issue |
|||||
|
SIDS |
AIDS |
Hybrid IDS |
||||||
|
Supervised learning |
Unsupervised |
Semi-supervised learning |
Ensemble methods |
|||||
|
Lunt (1988) |
219 |
✔ |
✖ |
✖ |
✖ |
✖ |
✖ |
✖ |
|
Axelsson (2000) |
1039 |
✔ |
✔ |
✖ |
✖ |
✖ |
✖ |
✖ |
|
Liao, et al. (2013b) |
505 |
✔ |
✔ |
✔ |
✖ |
✖ |
✔ |
✖ |
|
Agrawal and Agrawal (2015) |
108 |
✔ |
✔ |
✔ |
✔ |
✔ |
✔ |
✖ |
|
Buczak and Guven (2016) |
338 |
✔ |
✔ |
✔ |
✖ |
✔ |
✔ |
✔ |
|
Ahmed, et al. (2016) |
181 |
✖ |
✔ |
✔ |
✖ |
✖ |
✖ |
✔ |
|
This survey |
|
✔ |
✔ |
✔ |
✔ |
✔ |
✔ |
✔ |
Existing review articles (e.g., such as (Buczak & Guven, 2016; Axelsson, 2000; Ahmed et al., 2016; Lunt, 1988; Agrawal & Agrawal, 2015)) focus on intrusion detection techniques or dataset issue or type of computer attack and IDS evasion. No articles comprehensively reviewed intrusion detection, dataset problems, evasion techniques, and different kinds of attack altogether. In addition, the development of intrusion-detection systems has been such that several different systems have been proposed in the meantime, and so there is a need for an up-to-date. The updated survey of the taxonomy of intrusion-detection discipline is presented in this paper further enhances taxonomies given in (Liao et al., 2013a; Ahmed et al., 2016).
In view of the discussion on prior surveys, this article focuses on the following:
-
Classifying various kinds of IDS with the major types of attacks based on intrusion methods.
-
Presenting a classification of network anomaly IDS evaluation metrics and discussion on the importance of the feature selection.
-
Evaluation of available IDS datasets discussing the challenges of evasion techniques.