Combining Anomaly and Signature based Intrusion Detection Systems - Essay Example
Abstract

The study demonstrates the functionality of anomaly-based and signature-based IDS along with their advantages and disadvantages where applicable. The later parts of the body illustrate studies and research related to these two IDS types aimed at improving the detection methodology for intrusions. In order to combine both techniques, i.e. the anomaly-based intrusion detection system and the signature-based intrusion detection system, a Flexible Intrusion Detection and Response Framework for Active Networks (FIDRAN) is recommended to provide superior security.

Index Terms: Anomaly-based IDS, FIDRAN, Signature-based IDS

I. Introduction

The Internet continues to modernize the world's economy. It is visibly changing the way people live, study, work, participate, and consume. At the hub of this revolution is technology. Technology has moved from the "back office" to the leading edge. Namely, the interface between the customer and the organization has changed spectacularly. Increasingly, technology is shifting the organization's relationship with its customers from "face-to-face" to "screen-to-face" communication. The Internet is not an innovation that concerns only one or two sectors of the economy. Because it revolutionizes the way businesses should prudently organize their activities and go to market, the Internet affects all economic activity. Organizations maintain data communication networks for paperless business operations along with enhanced communication. On the other hand, threats and vulnerabilities related to data communication networks are significantly increasing. Firewalls are not considered the only solution, because intelligent viruses and malicious code tend to pass through them. In order to enable advanced security measures, Intrusion Detection Systems are recommended for corporate networks.
As per the Network Dictionary, IDS is defined as follows: "Intrusion detection system (IDS) is a type of security management system for computers and networks. An IDS gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions and misuse" (Network Dictionary 2007). IDS are of many types, and organizations choose the type that best suits their prioritized mission-critical systems. The types include network-based IDS, host-based IDS and software-based IDS. These types are further categorized into signature-based IDS, also referred to as misuse detection, and anomaly detection. The functionality of a signature-based IDS depends on known signatures. The word "known" is important because the threats detected so far are categorized as known threats, and their patterns are called signatures. A signature-based IDS only detects threats that match the defined available signatures and cannot cope with any new threat. An anomaly-based IDS, in contrast, detects unknown activities within the network and flags them as threats and vulnerabilities. These two IDS types rely on different methods, processes, and profiles, which are discussed in the next part of this coursework.

II. Signature-Based IDS

A signature-based IDS analyzes and identifies specific patterns of attacks that are recognized in raw data in terms of byte sequences called strings, port numbers, protocol types, etc. Likewise, apart from the normal operational pattern, a signature-based IDS detects any activity that deviates from the previously defined patterns. Moreover, the patterns are monitored with strict control algorithms. The signatures are stored in a signature repository. The prime objective of a signature-based IDS is to search for signatures in order to detect a threat or vulnerability, similar to antivirus software that detects viruses by their signatures.
The functionality of an IDS is to detect attacks that are initiated directly against the network. Moreover, an IDS tries to identify as many events as possible and therefore generates logs. The IDS is located behind the firewall so that it can analyze the packets that have passed through the firewall. The detection engine of the IDS compares packets against predetermined rules in order to deny or accept them. The rules are categorized into two domains, i.e. chain headers and chain options. The structure of a signature contains the following attributes: identification number, message and rule.

III. Related Work

Although the signature-based intrusion detection system is used extensively, some issues are associated with it. In a corporate network scenario where there are more than 500 network nodes, data traffic is too high, as the signature-based IDS matches each packet against the signature repository. Consequently, some data packets are skipped, allowing the injection of a malicious data packet or virus. To overcome this issue, Uddin, Khowaja et al. (2010) conducted a study in which they integrated a multi-layer signature-based intrusion detection system using mobile agents. The study introduced a new model to assure detection of threats and vulnerabilities without affecting the performance of the network. Moreover, the study highlighted a significant reduction in the packet drop rate, enabling a performance improvement in detecting threats to the network. Furthermore, the system can also be improved by integrating a more detailed and automated system that facilitates the distribution and modification of signatures across the databases of multiple IDS systems, based on the frequency of their appearance along with their threat level.

IV. Anomaly-Based IDS

An anomaly-based intrusion detection system is based on a data-driven methodology that relies on data mining techniques.
The functionality of an anomaly-based IDS involves the creation of profiles of normal behavior and activities within the network. Any unknown activity that does not resemble the normal profiles is considered an anomaly or attack. Moreover, the normal routines of the normal profiles are also monitored; if they exceed their given boundaries, they are also considered anomalies, and such cases are called false positives. An efficient anomaly-based IDS may produce results with a high detection success rate along with a low false positive rate. Moreover, these systems are categorized into various sub-categories including data mining, statistical methodologies, artificial neural networks, immune systems and genetic algorithms. Among all of these, statistical methods are most commonly used for detecting intrusions by finding any anomaly that has arisen within the network (Aydin, Zaim et al. 2009).

V. Improved Self-Adaptive Bayesian Algorithm

A vast amount of research is in progress related to incident detection, as various intelligent learning algorithms are deployed for the construction of massive, complex and dynamic datasets in order to improve IDS. However, although research and various studies have improved the process of intrusion detection, some challenges still need to be addressed, such as classifying huge intrusion detection datasets, accuracy in detecting intrusions in a high-speed network, and inconsistency in minimizing false positives. In order to address these issues, a study was conducted on Anomaly Network Intrusion Detection Based on Improved Self Adaptive Bayesian Algorithm. The research was applied to the security domain of anomaly-based intrusion detection. KDD99 datasets were used, achieving high classification rates in a small response time and eliminating false positives while utilizing limited computing resources.
The sole purpose of the proposed algorithm is to create a smaller set of rules for network intrusion detection in order to analyze threats and vulnerabilities on the network based on the previous history of activities. To improve detection accuracy and detection speed, the proposed algorithm analyzes a huge volume of network data to determine the difficult properties of attacks. The research concluded that the algorithm minimized false positives along with maximizing balanced detection (Farid, Rahman 2010).

VI. Intrusion Detection Based on Active Networks

Apart from the research on anomaly-based and signature-based intrusion detection systems, separate research has also been conducted on active networks, where the transmission of data packets passing through digital channels is evaluated. An overview of the system architecture of an active network is illustrated in Fig 1.2 below. Fig 1.1 demonstrates the architecture of active network IDS functionality.

[Fig 1.1: architecture of active network IDS functionality. Source: Journal of Information Science & Engineering, May 2009, Vol. 25 Issue 3, pp. 843-859; diagram found on p. 845]

A study was conducted including an agent and a service executed in the intrusion detection system to detect and respond to intrusions for the active network. Previously, passive networks did not have the functionality of programming nodes to exercise different active network traffic. In this study, by contrast, the active network provides the functionality for network nodes to become programmable. The core components of this technology consist of service update, service deployment and intrusion response. The proposed model, called an intrusion detection and response system (IDRS), analyzes active network traffic and responds at the initial stage in order to prevent the threat from spreading in the network. The core functionalities of responding, reporting and detecting are integrated within the proposed system.
Moreover, in order to use an advanced detection mechanism, the system is constructed by implementing a novel data mining technology. This technology supports the vector machine, which adds enhanced functionality to the detection process. The study also demonstrated in many results that intrusions were identified and responded to perfectly. Furthermore, the vector machine has advantages over the competitive neural networks that are used for intrusion identification. The conclusion of the research on detecting and responding to intrusions on active networks was that the system was efficient because it was integrated with mobile agent techniques. Fig 1.1 demonstrates the active network architecture of an agent-based intrusion detection and response system in three tiers, highlighting the node, the management center and the intrusion detection center. Fig 1.2 demonstrates the components of the mobile agent techniques.

[Fig 1.2: components of the mobile agent techniques. Source: Journal of Information Science & Engineering, May 2009, Vol. 25 Issue 3, pp. 843-859; diagram found on p. 845]

The techniques made the system expandable and flexible. Moreover, dynamic services were implemented on the IDS through the active service update architecture. Consequently, it was shown that the software components are highly updatable and do not impose any extra processing load on the IDS. Moreover, the automated response architecture can significantly improve the detection mechanism for eliminating evolving network attacks by integrating efficient service updates (Han-Pang Huang, Feng-Cheng Yang et al. 2009).

VII. Flexible Intrusion Detection and Response Framework based on Active Networking (FIDRAN)

Many approaches have already been highlighted, as organizations tend to implement only one type of IDS, either signature-based or anomaly-based. The previous study was based on active networks. This study is a more advanced form of the previous study, which was based on mobile agents.
The research illustrates the integration of both these technologies for superior protection against threats and vulnerabilities in an active network. The core component of this research is the Flexible Intrusion Detection and Response Framework for Active Networks (FIDRAN) (Hess, Jung and Schäfer 2003). FIDRAN is a flexible intrusion detection and response system that is based on active networking and enables security specialists to combine emerging security technologies to provide superior protection for the network (FIDRAN: A Flexible Intrusion Detection and Response Framework for Active Networks). The research demonstrates the features and capability of FIDRAN to combine strengths and eliminate weaknesses in order to provide superior protection. The architecture of FIDRAN allows functionality to be added dynamically and the IDS to be configured at runtime. The distribution of security operations among FIDRAN hosts enables FIDRAN to resist intrusions and to balance the load on a per-host basis. Anomaly-based and signature-based IDS can be integrated with the FIDRAN architecture to provide superior protection for the network, as the active networking mechanism helps to locate the op modules dynamically, keeping the load on each individual FIDRAN host within a definite upper limit.

VIII. Conclusion

Although many studies and much research have been conducted to overcome issues related to the detection techniques, there were still loopholes for threats and vulnerabilities to sneak in. A Bayesian algorithm with KDD99 was implemented for anomaly-based IDS, and an integrated multi-layer signature-based intrusion detection system using mobile agents was implemented. The results illustrated improvements, but not the accuracy needed to provide superior security for the networks.
FIDRAN, in contrast, being flexible and having the capability to add multiple emerging technologies to combine strengths and overcome weaknesses, is the best option. As it has the capability to combine both signature-based IDS and anomaly-based IDS for superior protection, it also manages the active network traffic efficiently.

References

Intrusion Detection System. 2007. Network Dictionary, pp. 258-258.
Uddin, M., Khowaja, K. and Rehman, A.A., 2010. Dynamic Multi-Layer Signature Based Intrusion Detection System Using Mobile Agents. International Journal of Network Security & Its Applications, 2(4), pp. 129-141.
Aydin, M.A., Zaim, A.H. and Ceylan, K.G., 2009. A hybrid intrusion detection system design for computer network security. Computers & Electrical Engineering, 35(3), pp. 517-526.
Farid, D.M. and Rahman, M.Z., 2010. Anomaly Network Intrusion Detection Based on Improved Self Adaptive Bayesian Algorithm. Journal of Computers, 5(1), pp. 23-31.
Han-Pang Huang, Feng-Cheng Yang, Ming-Tzong Wang and Chia-Ming Chang, 2009. Intrusion Detection Based on Active Networks. Journal of Information Science & Engineering, 25(3), pp. 843-859.
FIDRAN: A Flexible Intrusion Detection and Response Framework for Active Networks. Available: http://www.computer.org/portal/web/csdl/abs/proceedings/iscc/2003/1961/00/19611219abs.htm [accessed 4/25/2011].
Hess, A., Jung, M. and Schäfer, G., 2003. Combining multiple intrusion detection and response technologies in an active networking based architecture. Scientific Commons. Available: http://en.scientificcommons.org/43307876 [accessed 4/25/2011].
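As an added worked example that is not part of the original essay or of FIDRAN, the following Python sketch combines the two detection methods the essay describes: a signature repository whose entries carry the identification number, message and rule (with a header part and an option part) of Section II, and a statistical normal profile of per-host behavior with a deviation boundary in the sense of Section IV, so that a known pattern raises a definite alert while an unexplained deviation is only marked for review. The packets, rules and traffic history are constructed sample data, and the class and function names are the example's own.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dst_port: int
    payload: bytes

@dataclass(frozen=True)
class Signature:
    """Shape from the essay: identification number, message and rule; the rule
    has a header part (protocol, port) and an option part (payload content)."""
    sid: int
    msg: str
    proto: str
    dst_port: int
    content: bytes

# Constructed signature repository (hypothetical rules, not from any real IDS).
SIGNATURES = [
    Signature(1001, "known scanner user agent", "tcp", 80, b"BadScanner/1.0"),
    Signature(1002, "constructed bot beacon marker", "tcp", 8080, b"BEACON-XYZ"),
]

# Constructed training history: connections per interval for two known hosts.
HISTORY = {"10.0.0.5": [10, 12, 11, 9, 10, 11], "10.0.0.9": [3, 3, 3, 3, 3, 3]}

def match_signatures(pkt, repo=SIGNATURES):
    """Ids of every signature whose header part and option part both match."""
    return [s.sid for s in repo
            if s.proto == pkt.proto and s.dst_port == pkt.dst_port
            and s.content in pkt.payload]

def build_profile(history):
    """Normal profile: per-host mean and std dev of connections per interval."""
    return {host: (mean(c), pstdev(c)) for host, c in history.items()}

def is_anomalous(host, count, profile, k=3.0, floor=1.0):
    """True when the count exceeds the host's mean by more than k std devs;
    `floor` keeps a constant-rate host from getting a zero-width band. A host
    absent from the profile has no baseline, so it is flagged."""
    if host not in profile:
        return True
    mu, sigma = profile[host]
    return count > mu + k * max(sigma, floor)

def classify(pkt, count, profile):
    """Combine both engines: a signature hit is a known attack; an anomaly with
    no matching signature is only a candidate for review, since, as the essay
    notes, such flags may be false positives; everything else is normal."""
    hits = match_signatures(pkt)
    if hits:
        return f"alert: known attack, sids={hits}"
    if is_anomalous(pkt.src, count, profile):
        return "suspicious: anomaly without signature, review"
    return "normal"

if __name__ == "__main__":
    prof = build_profile(HISTORY)
    p = Packet("10.0.0.9", "tcp", 443, b"\x16\x03\x01")  # constructed bytes
    print(classify(p, 3, prof))   # normal
    print(classify(p, 7, prof))   # suspicious: anomaly without signature, review
```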