Intrusion Detection Systems

The purpose of an intrusion detection system (IDS) is to help protect the confidentiality, integrity, and availability of a system. Intrusion detection systems are designed to detect specific kinds of malicious activity, and are categorised by detection method as signature-based (SIDS) or anomaly-based (AIDS). An IDS can be implemented in software or hardware. How do SIDS and AIDS detect malicious activity? What is the difference between the two? What are the four IDS evasion techniques discussed, and how do they evade an IDS?

Introduction

Intrusion data sources

The previous two sections categorised IDS on the basis of the methods used to identify intrusions. IDS can also be classified by the input data sources used to detect abnormal activities. In terms of data sources, there are generally two types of IDS technology, namely host-based IDS (HIDS) and network-based IDS (NIDS). A HIDS inspects data that originates from the host system and its audit sources, such as operating system logs, Windows server logs, firewall logs, application audit trails, or database logs. A HIDS can therefore detect insider attacks that do not involve network traffic (Creech & Hu, 2014a).

A NIDS monitors network traffic extracted from a network through packet capture, NetFlow, and other network data sources. A network-based IDS can monitor many computers joined to a network, and can observe malicious activity initiated by an external threat at an early phase, before it spreads to other computer systems. On the other hand, NIDSs have limited ability to inspect all data on a high-bandwidth network because of the volume of data passing through modern high-speed communication networks (Bhuyan et al., 2014). NIDS deployed at several positions within a particular network topology, together with HIDS and firewalls, can provide concrete, resilient, multi-tier protection against both external and insider attacks.
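The questions at the top of this page ask how SIDS and AIDS detect malicious activity and how they differ. The following Python script is an added illustration written for this page (it is not code from the survey or from any of the cited systems): it runs a signature rule and a simple statistical anomaly profile over NetFlow-style records, the kind of network data source the paragraph above names. The flow records, the single signature rule, the field names and the z-score threshold are all constructed for the example.

```python
"""Signature-based (SIDS) versus anomaly-based (AIDS) detection over NetFlow-style records.

Added illustration for this survey text, not code from the cited papers. The flow
records, the single signature rule and the z-score threshold are all constructed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """A few fields of a NetFlow-style record (constructed, not captured)."""
    src: str
    dst: str
    dport: int
    proto: str
    packets: int
    octets: int


# Constructed training window: ordinary web and DNS traffic to two internal servers.
BASELINE = [
    Flow("10.0.0.5", "10.0.0.20", 443, "TCP", 30, 4200),
    Flow("10.0.0.6", "10.0.0.20", 443, "TCP", 28, 3900),
    Flow("10.0.0.7", "10.0.0.20", 80, "TCP", 25, 3600),
    Flow("10.0.0.5", "10.0.0.21", 53, "UDP", 2, 180),
    Flow("10.0.0.8", "10.0.0.20", 443, "TCP", 31, 4400),
    Flow("10.0.0.9", "10.0.0.20", 443, "TCP", 27, 3800),
]

# Constructed evaluation window: the baseline plus two flows worth noticing.
FLOWS = BASELINE + [
    Flow("10.0.0.9", "10.0.0.22", 22, "TCP", 1500, 96000),  # far larger than anything seen
    Flow("10.0.0.10", "10.0.0.20", 4444, "TCP", 12, 900),   # small, but matches a signature
]

# SIDS: each signature is an exact description of a known pattern. The single rule
# here is constructed for the example; real rule sets contain thousands of entries.
SIGNATURES = {
    "constructed-rule-tcp-4444": lambda f: f.proto == "TCP" and f.dport == 4444,
}


def signature_alerts(flows):
    """Return every flow that matches a known signature, with the rule that fired."""
    return [(name, f) for f in flows for name, match in SIGNATURES.items() if match(f)]


def anomaly_alerts(flows, baseline, threshold=3.0):
    """Statistical AIDS: flag flows whose byte count sits more than `threshold`
    standard deviations above the mean of the baseline window."""
    mu = mean(f.octets for f in baseline)
    sigma = pstdev(f.octets for f in baseline) or 1.0  # guard a constant baseline
    return [(round((f.octets - mu) / sigma, 1), f)
            for f in flows if (f.octets - mu) / sigma > threshold]


if __name__ == "__main__":
    for rule, f in signature_alerts(FLOWS):
        print(f"SIDS  {rule}: {f.src} -> {f.dst}:{f.dport}")
    for z, f in anomaly_alerts(FLOWS, BASELINE):
        print(f"AIDS  z={z}: {f.src} -> {f.dst}:{f.dport} ({f.octets} bytes)")
```

Run on the constructed data, the signature detector reports only the flow to port 4444 (the one its rule names) and is blind to the oversized transfer to port 22, while the statistical profile flags the oversized transfer and stays silent on the small signature-matched flow. Each method misses what the other catches, which is the complementarity that the SIDS + AIDS row of Table 5 refers to; it also shows why the baseline window must be free of attack traffic, since the profile defines "normal" purely from it.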

Table 4 shows a summary of comparisons between HIDS and NIDS.

Table 4 Comparison of IDS technology types based on their positioning within the computer system

HIDS
Advantages:
• HIDS can check end-to-end encrypted communications behaviour.
• No extra hardware required.
• Detects intrusions by checking the host's file system, system calls or network events.
• Every packet is reassembled.
• Looks at the entire item, not streams only.
Disadvantages:
• Delays in reporting attacks.
• Consumes host resources.
• Needs to be installed on each host.
• Can monitor attacks only on the machine where it is installed.
Data sources:
• Audit records, log files, Application Program Interface (API) calls, rule patterns, system calls.

NIDS
Advantages:
• Detects attacks by checking network packets.
• Not required to be installed on each host.
• Can check various hosts at the same time.
• Capable of detecting the broadest range of network protocols.
Disadvantages:
• Identifying attacks in encrypted traffic is a challenge.
• Dedicated hardware is required.
• Supports only identification of network attacks.
• Difficult to analyse high-speed networks.
• The most serious threat, the insider attack, is the one it is least able to detect.
Data sources:
• Simple Network Management Protocol (SNMP)
• Network packets (TCP/UDP/ICMP)
• Management Information Base (MIB)
• Router NetFlow records

Creech et al. proposed a HIDS methodology based on discontinuous system call patterns, with the aim of raising detection rates while decreasing false alarm rates (Creech, 2014). The main idea is to apply a semantic structure to kernel-level system calls in order to recognise anomalous program behaviour.
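To make the idea of system-call patterns concrete, here is a small Python illustration added for this page. It is a deliberately simplified toy, not the algorithm from Creech's or Creech and Hu's papers: it profiles "normal" behaviour as the set of contiguous and gapped (discontinuous, with a `*` wildcard in interior positions) system-call patterns seen in training traces, then scores a new trace by the fraction of its patterns that the profile never saw. The traces, the hypothetical file-serving program they describe, the window length and the alert threshold are all constructed.

```python
"""Toy host-based anomaly detection from system-call traces.

Added illustration, not the method of the cited papers. The traces below are
constructed for a hypothetical file-serving program; nothing here was recorded
from a real process.
"""
from itertools import combinations

# Constructed 'normal' traces of the hypothetical program (training data).
NORMAL_TRACES = [
    ["open", "fstat", "mmap", "read", "write", "close"],
    ["open", "fstat", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["stat", "open", "fstat", "mmap", "read", "close"],
]

# Constructed legitimate trace whose exact arrangement is new to the profile.
VARIANT_TRACE = ["open", "fstat", "read", "close"]

# Constructed trace of behaviour the profile never saw (redirecting output and
# replacing the process image), the kind of deviation a HIDS should flag.
SUSPECT_TRACE = ["open", "read", "dup2", "execve", "write", "close"]


def patterns(trace, max_len=3):
    """Return the set of patterns present in a trace.

    For every window of 2..max_len consecutive calls, emit the contiguous
    n-gram and every discontinuous variant obtained by replacing some interior
    positions with '*'. First and last positions are always kept, so a
    discontinuous pattern records 'a ... b' with gaps of known length.
    """
    found = set()
    for n in range(2, max_len + 1):
        for i in range(len(trace) - n + 1):
            window = tuple(trace[i:i + n])
            interior = range(1, n - 1)
            for k in range(len(interior) + 1):
                for gaps in combinations(interior, k):
                    found.add(tuple("*" if j in gaps else window[j] for j in range(n)))
    return found


def build_profile(traces, max_len=3):
    """Union of all patterns observed across the normal traces."""
    profile = set()
    for trace in traces:
        profile |= patterns(trace, max_len)
    return profile


def anomaly_score(trace, profile, max_len=3):
    """Fraction of the trace's patterns that never occurred in the normal profile."""
    seen = patterns(trace, max_len)
    if not seen:
        return 0.0
    unseen = [p for p in seen if p not in profile]
    return len(unseen) / len(seen)


def is_anomalous(trace, profile, threshold=0.5):
    """Alert when more than `threshold` of the trace's patterns are novel."""
    return anomaly_score(trace, profile) > threshold


PROFILE = build_profile(NORMAL_TRACES)

if __name__ == "__main__":
    for name, trace in [("normal", NORMAL_TRACES[0]), ("variant", VARIANT_TRACE),
                        ("suspect", SUSPECT_TRACE)]:
        score = anomaly_score(trace, PROFILE)
        print(f"{name:8s} score={score:.2f} anomalous={is_anomalous(trace, PROFILE)}")
```

The training trace scores 0, the suspect trace scores about 0.85 (11 of its 13 patterns are novel) and is flagged, while the legitimate variant scores about 0.29 because two of its seven patterns were never seen. That middle case is where the trade-off mentioned in the text lives: a threshold low enough to catch subtle misuse also raises false alarms on unusual but benign behaviour, and the gapped patterns help precisely because they let a benign reordering still match the profile partially instead of scoring as entirely new.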

As shown in Table 5, a number of AIDS approaches have also been applied in network intrusion detection systems (NIDS) and host intrusion detection systems (HIDS) to improve detection performance through machine learning, knowledge-based and statistical schemes. Table 5 also provides examples of current intrusion detection approaches, where the types of attacks handled are given in the capability column. Data sources comprise system calls, application programming interfaces, log files, and data packets obtained from well-known attacks. These data sources help to classify intrusive behaviour and distinguish it from normal actions.


Table 5 Comparisons of IDS technology types, using examples from the literature. "P" indicates pre-defined attacks and "Z" indicates zero-day attacks

| Detection method | Detection source: HIDS | Detection source: NIDS | Capability |
| --- | --- | --- | --- |
| SIDS | Wagner and Soto (2002) | Hubballi and Suryanarayanan (2014) | P |
| AIDS, statistics-based | Ara, Louzada & Diniz (2017) | Tan et al. (2014); Camacho et al. (2016) | Z |
| AIDS, knowledge-based | Mitchell and Chen (2015); Creech and Hu (2014b) | Hendry and Yang (2008); Shakshuki et al. (2013); Zargar et al. (2013) | Z |
| AIDS, machine learning | Du et al. (2014); Wang et al. (2010) | Elhag et al. (2015); Kim et al. (2014); Hu et al. (2014) | Z |
| SIDS + AIDS | Alazab et al. (2014); Stavroulakis and Stamp (2010); Liu et al. (2015) (listed across both sources) | | P + Z |