Intrusion Detection Systems



Intruder attacks on organizations are not new, whether physical (stealing files from a company cabinet) or network-based (an attacker sitting on an outside network breaking a computer's password in order to steal files). Other classes of attack, such as buffer overflow attacks, target the software itself. In 2010 the Cloud Security Alliance (CSA) listed the seven top threats to cloud computing (Cloud Security Alliance, 2010). To protect an organization against such attacks, policies and systems are put in place; one such system is the intrusion detection and prevention system (IDPS). There are several kinds, notably host-based (HIDPS) and network-based (NIDPS); the two differ considerably and each has its own strengths and limitations. An IDPS not only detects an attack but also acts to prevent it, much like a burglar alarm: when it detects an attack it can block the offending activity and notify the administrator by e-mail, text message or similar. The administrator is the person responsible for configuring the IDPS. In this paper we propose a new approach to IDPS, intended to be more effective than a traditional NIDPS: an algorithm that combines signature-based and anomaly-based detection (CISCO 2004).

Types of IDPS

1. Host-Based IDPS
2. Network-Based IDPS
3. Wireless IDPS
4. Network Behavior Analysis

1. Host-Based IDPS

In a host-based IDPS the host operating system or an application records audit information: events such as the use of identification and authentication mechanisms (logins and so on), file opens and program executions, administrator activity, and similar. This audit trail is then analyzed for traces of intrusion. A host-based IDPS agent sees only the host it runs on; to cover many computers an agent is installed on each, usually reporting to a central management console.

Strengths of Host-Based IDPS (HIDPS)

1. They are good at detecting insider attacks, because they see activity on the host itself.
2. They are good at verifying whether an attack actually succeeded.
3. Because they run on the endpoint, they see data after it has been decrypted, so encrypted incoming traffic does not blind them.
4. They need no additional hardware.

Limitations of Host-Based IDPS (HIDPS)-

1. HIDPS are harder to manage, because every monitored host must be configured and maintained.
2. They are vulnerable both to direct attack and to attacks against the host operating system: an attacker who compromises the host can tamper with or disable the agent.
3. They are vulnerable to denial-of-service attacks.
4. They add processing overhead to the monitored host.
5. Unselective logging can greatly increase the audit and analysis burden.

2. Network-Based IDPS

They reside on a computer or appliance connected to the organization's network and watch that network for signs of attack. They are installed at a point from which they can see the traffic entering and leaving the network; whenever a predefined condition occurs they take an action and notify the appropriate administrator. They tend to produce many more false positives than host-based IDPSs.

Strengths of Network-Based IDPSs (NIDPS)-

1. A few sensors placed at the right points can monitor a large network.
2. They are usually passive and can be deployed on an existing network with no disruption to normal network operations.
3. They are not easily detected by an attacker and are therefore less susceptible to direct attack.

Limitations of Network-Based IDPS (NIDPS)-

1. Under heavy traffic load they may drop packets and so fail to recognize attacks.
2. They cannot inspect the contents of encrypted traffic.
3. They cannot reliably tell whether an attack succeeded, since they see only the traffic and not its effect on the host.
4. Some attacks, in particular those using fragmented packets, are hard for an NIDPS to reassemble and recognize.

3. Wireless IDPS

A wireless IDPS monitors wireless traffic for attacks. WLANs (wireless local area networks) are now common in organizations of every size. In a WLAN, data is exchanged over radio between networking nodes located within a limited geographical area. While files are transferred between two nodes, an attacker within radio range may mount an attack such as a man-in-the-middle attack. A wireless IDPS is deployed to detect and mitigate such attacks.

Strengths of Wireless IDPS-

1. They are widely used in organizations that run a wireless networking infrastructure.
2. They detect attacks at the wireless protocol layer, which a wired NIDPS never sees.

Limitations of Wireless IDPS-

1. They do not identify attacks carried in higher-layer network protocols; the wireless IDPS inspects only the WLAN protocol itself.
2. An attacker need only come within radio range of the WLAN, and the IDPS can observe only what its own sensors can hear, so its coverage depends on sensor placement.

4. Network Behavior Analysis

Network behavior analysis (NBA) works much like a network-based IDPS. The difference is that an NIDPS is placed at the boundary between two networks and monitors particular network segments, whereas NBA watches the network's traffic flows for unusual patterns, and sometimes for policy or rule violations. NBA uses the anomaly-based methodology.

Strengths of NBA-

1. Detection adapts to the observed behavior of the network rather than to a fixed rule set.
2. Because they use the anomaly-based methodology they can detect previously unknown attacks.

Limitations of NBA-

1. Flow data is collected and analyzed in batches, so detection is delayed; a fast attack such as a denial of service may have done its damage before the NBA system reacts.
2. Because they use the anomaly-based methodology they can only detect attacks that visibly change the network's traffic; an attack that leaves the flows looking normal goes unnoticed.

Detection Methodologies

Most intrusion detection and prevention systems use one or more of the following detection methodologies:

1. Signature based Detection
2. Anomaly based Detection
3. Stateful Protocol Analysis

1. Signature-Based Detection

Signature-based detection stores predetermined attack patterns as signatures and compares network traffic against them to recognize known attacks. The signature database has to be updated as new attacks appear. An example of a signature-based intrusion detection system is Snort, an open-source network intrusion detection system first released in late 1998 as a packet sniffer with consistent output, unlike the protocol-dependent output of tcpdump. It is flexible, has a small footprint, is licensed under the GPL, and is portable to Linux, Solaris, *BSD, IRIX, HP-UX and other systems.

The life of a packet inside the Snort detection engine passes through the following stages:

1. Packet acquisition: packets are captured one at a time and handed to the decoder.
2. Packet decoding: each packet is decoded into its protocol layers before being handed to the preprocessors.
3. Preprocessing: packets are normalized and reassembled (for example, HTTP URIs are decoded and IP fragments reassembled) before being handed to the detection engine.
4. Detection: the detection engine compares each packet against the rule set, first the rule header (protocol, addresses, ports) and then the rule options such as content matches.
5. Output: if no rule fired, processing of the packet is finished; otherwise the packet is handed to the output plug-ins for logging or alerting.

Snort is a powerful tool and needs a trained operator to get the most out of it; becoming proficient at network intrusion detection takes at least 12 months. Snort is considered superior to most commercial NIDPS.
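The five stages above can be seen working together in a small Python model of the pipeline. This is an added example written for this page, not Snort's own code: it parses a handful of rules written in Snort's rule syntax (header plus the msg, content, nocase and sid options), percent-decodes HTTP payloads in the preprocessor the way Snort's http_inspect normalizes URIs, and runs the detection engine over constructed sample packets. The rules, addresses and payloads are all constructed for the example and are not taken from any real rule set or capture.

```python
import re
from collections import namedtuple
from urllib.parse import unquote_to_bytes

Packet = namedtuple("Packet", "proto src sport dst dport payload")
Rule = namedtuple("Rule", "action proto src sport dst dport msg content nocase sid")

# Rule header "action proto src sport -> dst dport (options)" and the option
# forms "name;", "name:value;" and 'name:"quoted value";' used by Snort.
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
OPTION_RE = re.compile(r'\s*(\w+)(?::\s*(?:"([^"]*)"|([^;]*)))?;')
HEX_RE = re.compile(r"\|([0-9A-Fa-f ]+)\|")


def content_bytes(text):
    """Turn a Snort content string, including |hex| escapes, into raw bytes."""
    out, pos = b"", 0
    for m in HEX_RE.finditer(text):
        out += text[pos:m.start()].encode() + bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    return out + text[pos:].encode()


def parse_rule(line):
    """Parse one rule; only the msg, content, nocase and sid options are understood."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("malformed rule: " + line)
    action, proto, src, sport, dst, dport, options = m.groups()
    msg, content, nocase, sid = "", b"", False, 0
    for name, quoted, bare in OPTION_RE.findall(options):
        value = quoted or bare.strip()
        if name == "msg":
            msg = value
        elif name == "content":
            content = content_bytes(value)
        elif name == "nocase":
            nocase = True
        elif name == "sid":
            sid = int(value)
    return Rule(action, proto.lower(), src, sport, dst, dport, msg, content, nocase, sid)


def decode(raw):
    """Stage 2, decoder: the captured (proto, src, sport, dst, dport, payload)
    tuple stands in for the raw frame a real decoder parses layer by layer."""
    proto, src, sport, dst, dport, payload = raw
    return Packet(proto.lower(), src, int(sport), dst, int(dport), payload)


def preprocess(pkt):
    """Stage 3, preprocessor: percent-decode HTTP payloads so an encoded '..%2f'
    cannot slip past a '../' content match (what Snort's http_inspect does)."""
    if pkt.proto == "tcp" and pkt.dport in (80, 8080):
        return pkt._replace(payload=unquote_to_bytes(pkt.payload))
    return pkt


def _matches(spec, value):
    return spec == "any" or spec == str(value)


def detect(pkt, rules):
    """Stage 4, detection engine: rule header first, then the content option."""
    hits = []
    for r in rules:
        if r.proto != pkt.proto or not (_matches(r.src, pkt.src) and _matches(r.sport, pkt.sport)
                                        and _matches(r.dst, pkt.dst) and _matches(r.dport, pkt.dport)):
            continue
        haystack, needle = (pkt.payload.lower(), r.content.lower()) if r.nocase else (pkt.payload, r.content)
        if needle in haystack:
            hits.append(r)
    return hits


def output(pkt, hits):
    """Stage 5, output: one alert line per rule that fired; nothing if none did."""
    return [f"[{r.sid}] {r.action.upper()} {r.msg} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
            for r in hits]


def run_pipeline(captured, rule_lines):
    rules = [parse_rule(line) for line in rule_lines]
    alerts = []
    for raw in captured:  # stage 1, acquisition: one packet at a time
        pkt = preprocess(decode(raw))
        alerts.extend(output(pkt, detect(pkt, rules)))
    return alerts


RULES = [  # constructed rules in Snort syntax, not taken from any real rule set
    'alert tcp any any -> any 80 (msg:"Directory traversal in URI"; content:"../../etc/passwd"; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"SQL UNION SELECT in request"; content:"UNION SELECT"; nocase; sid:1000002;)',
]
CAPTURED = [  # constructed sample traffic, not a real capture
    ("tcp", "10.0.0.7", 51000, "10.0.0.1", 80, b"GET /index.html HTTP/1.1\r\n"),
    ("tcp", "10.0.0.9", 51001, "10.0.0.1", 80, b"GET /view?f=..%2f..%2fetc%2fpasswd HTTP/1.1\r\n"),
    ("tcp", "10.0.0.9", 51002, "10.0.0.1", 80, b"GET /item?id=1%20union%20select%20user,pass HTTP/1.1\r\n"),
    ("tcp", "10.0.0.9", 51003, "10.0.0.1", 22, b"../../etc/passwd"),  # port 22: header test fails
]

if __name__ == "__main__":
    for alert in run_pipeline(CAPTURED, RULES):
        print(alert)
```

The fourth packet shows why the header test comes first: the traversal string arrives on port 22, the rule is scoped to port 80, so no content search is done at all. Calling detect() on the second packet without the preprocessor returns nothing, because the signature is written in decoded form and the attacker sent it percent-encoded; that is exactly the evasion that normalization preprocessors exist to close.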

Strengths of Signature-Based Detection

1. They are effective where attacks have a clear, well-defined pattern.
2. Signature-based detection is easy to use.

Limitations of Signature-Based Detection

1. An attacker who works slowly and in an organized way may go undetected, because some signatures depend on the timing of events (a burst of connection attempts, for instance) and a slow attack never matches them.
2. They cannot detect novel attacks.
3. They still produce false positives.
4. For every new attack pattern the signatures must be updated to maintain effectiveness and efficiency.

2. Anomaly-Based Detection

Anomaly-based detection is a behavior-based mechanism. It establishes a baseline from data collected during normal traffic, then takes periodic samples of network activity and compares them to the baseline. Activity that falls outside the baseline parameters is assumed to be an intrusion and is reported to the administrator. An example is a host being flooded with a large number of packets.

Strengths of Anomaly-Based Detection-

1. Its primary strength is the ability to recognize novel attacks.
2. Because it looks for abnormal activity rather than for specific patterns, it needs no signature for each new type of attack.

Limitations of Anomaly-Based Detection-

1. Building and maintaining the baseline and scoring traffic against it requires considerable processing overhead.
2. It may generate many more false alarms than signature-based detection, which undermines the effectiveness of the IDS.
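As an added illustration of the baseline-and-sample mechanism (example code written for this page, not code from the original paper), the Python below learns a packet-rate baseline from traffic assumed to be normal and then flags a host whose rate in one second lies far outside it, the flooding case mentioned above. The traffic is constructed inline as (second, source address) events; the z-score threshold of 3 and the floor on the standard deviation are choices made for this example.

```python
from collections import defaultdict
import statistics


def per_source_rates(events):
    """Bucket (second, src) events into {src: [packets in second 0, 1, ...]}."""
    if not events:
        return {}
    window = max(t for t, _ in events) + 1
    series = defaultdict(lambda: [0] * window)
    for t, src in events:
        series[src][t] += 1
    return dict(series)


def build_baseline(training):
    """Baseline = mean and standard deviation of per-source packets/second
    over traffic believed to be normal."""
    rates = [r for s in per_source_rates(training).values() for r in s]
    return statistics.mean(rates), statistics.pstdev(rates)


def detect_anomalies(baseline, sample, z=3.0, min_std=1.0):
    """Flag every (src, second) whose rate lies more than z standard deviations
    above the baseline mean. min_std stops a near-constant baseline from
    turning every small fluctuation into an alert."""
    mean, std = baseline
    std = max(std, min_std)
    alerts = []
    for src, series in per_source_rates(sample).items():
        for second, rate in enumerate(series):
            score = (rate - mean) / std
            if score > z:
                alerts.append((src, second, rate, round(score, 1)))
    return alerts


# Constructed traffic: three hosts with steady rates make up the "normal" baseline.
HOSTS = {"10.0.0.2": 3, "10.0.0.3": 4, "10.0.0.4": 5}  # packets per second
TRAINING = [(t, src) for t in range(10) for src, n in HOSTS.items() for _ in range(n)]

# Constructed sample: the same hosts, plus one host flooding 60 packets in second 3
# and one slow scanner sending a single packet per second.
SAMPLE = TRAINING + [(3, "10.0.0.99")] * 60 + [(t, "10.0.0.50") for t in range(10)]

if __name__ == "__main__":
    base = build_baseline(TRAINING)
    print("baseline mean=%.2f std=%.2f" % base)
    for a in detect_anomalies(base, SAMPLE):
        print("anomaly: src=%s second=%d rate=%d z=%.1f" % a)
```

Only the flooding host is reported. The slow host sending one packet per second is never flagged: it sits inside the baseline, which is the blind spot of any rate-based anomaly detector and one reason signatures remain useful for low-and-slow attacks.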

3. Stateful Protocol Analysis

Stateful protocol analysis resembles anomaly-based detection, but it works from predetermined profiles of how each protocol should behave rather than from a learned baseline. It tracks the state of network-, transport- and application-layer protocols (for example, which commands of a session have already been exchanged) and compares the observed activity with the profile; when the activity violates the profile it takes an appropriate step to mitigate the risk.

Strengths of Stateful Protocol Analysis-

1. It is widely used where the behavior of a protocol, not just its individual packets, has to be examined.
2. It can identify unusual command sequences, for example a command that is repeated, or a command sent before the command that must precede it.

Limitations of Stateful Protocol Analysis-

1. The analysis and state tracking are complex, so it is very resource intensive.
2. Because the profiles are predetermined, it cannot detect attacks that stay within the protocol's expected behavior.
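Added example, not from the original paper: a stateful analysis of a single SMTP client session in Python. The allowed command order (EHLO or HELO, then MAIL, then one or more RCPT, then DATA terminated by a lone '.') is an assumption of the example, a simplified version of the RFC 5321 grammar; both sessions are constructed. Commands arriving in a state where they are not allowed, repeated MAIL commands, and an excessive number of recipients are reported as violations.

```python
# Assumption: a simplified SMTP command grammar (the RFC 5321 order
# EHLO/HELO -> MAIL -> RCPT... -> DATA -> '.') reduced to the transitions below.
TRANSITIONS = {
    "CONNECTED": {"EHLO": "GREETED", "HELO": "GREETED", "QUIT": "CLOSED"},
    "GREETED":   {"MAIL": "MAIL", "RSET": "GREETED", "NOOP": "GREETED", "QUIT": "CLOSED"},
    "MAIL":      {"RCPT": "RCPT", "RSET": "GREETED", "QUIT": "CLOSED"},
    "RCPT":      {"RCPT": "RCPT", "DATA": "DATA", "RSET": "GREETED", "QUIT": "CLOSED"},
    "DATA":      {".": "GREETED"},  # a lone '.' terminates the message body
}


def analyze_session(lines, max_rcpt=50):
    """Walk one client->server SMTP session and return (final_state, violations).
    Each violation is (line_no, state, verb, reason)."""
    state, rcpt_count, violations = "CONNECTED", 0, []
    for n, line in enumerate(lines, 1):
        if state == "DATA" and line != ".":
            continue  # message body, not a command (dot-stuffing ignored here)
        verb = line.split(" ", 1)[0].upper()
        nxt = TRANSITIONS[state].get(verb)
        if nxt is None:
            violations.append((n, state, verb, "not allowed in this state"))
            continue  # state unchanged: the server would answer 503 bad sequence
        if verb == "RCPT":
            rcpt_count += 1
            if rcpt_count > max_rcpt:
                violations.append((n, state, verb, "recipient limit exceeded"))
        if nxt == "GREETED":
            rcpt_count = 0  # RSET or end of message starts a fresh transaction
        state = nxt
        if state == "CLOSED":
            break
    return state, violations


NORMAL_SESSION = [  # constructed
    "EHLO client.example.test",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "DATA",
    "Subject: status",
    "",
    "all good",
    ".",
    "QUIT",
]
ABUSIVE_SESSION = [  # constructed: DATA before MAIL, MAIL repeated, recipients harvested
    "EHLO scanner.example.test",
    "DATA",
    "MAIL FROM:<x@example.test>",
    "MAIL FROM:<y@example.test>",
] + [f"RCPT TO:<user{i}@example.test>" for i in range(52)] + ["DATA", "spam", ".", "QUIT"]

if __name__ == "__main__":
    for name, session in (("normal", NORMAL_SESSION), ("abusive", ABUSIVE_SESSION)):
        state, violations = analyze_session(session)
        print(name, "->", state, violations)
```

The normal session ends in state CLOSED with no violations. The abusive session is flagged four times even though every individual command is well formed, which is what packet-by-packet signature matching cannot see; conversely, a session that respects the grammar but carries a malicious message body passes this analysis untouched, which is the second limitation listed above.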

Proposed Work -Improved IDS

We have reviewed the strengths and limitations of both signature-based and anomaly-based detection. Combining the two into one algorithm and implementing it gives an IDS that is more effective than either used alone.

Scenario Example:

The chairperson of an organization (say ABC) has deployed an NIDS (say XYZ) to protect the organization's network, and an intruder sitting on some other network is trying to gain access to it.

If XYZ is only a signature-based IDS-

A signature-based IDS works much like antivirus software. It maintains a database of all previously known attacks, with a signature for each, examines the network, and whenever it finds activity matching a signature in its database it raises an alarm and blocks the activity. The limitation is that an unknown attack has no signature, and an attack launched while the database is being updated is missed as well. Hence a signature-based IDS fails to detect unknown attacks.

If XYZ is only an anomaly-based IDS-

To overcome this, an anomaly-based IDS is used, which can detect unknown attacks and new types of attack. It builds patterns from data collected during normal network behavior, takes periodic samples of network activity, compares the samples with the patterns, and marks any significant difference as an anomaly. Anomaly-based IDSs are therefore better at detecting abnormal activity, yet on their own they are not widely accepted, because they do not meet usability requirements, whereas signature-based IDSs are much simpler to implement and configure, and easier and cheaper to maintain.

If XYZ combines a signature-based IDS and an anomaly-based IDS, the process can be improved-

Combining the two gives better results: the signature-based IDS handles well-known attacks well, and the anomaly-based IDS handles unknown attacks, anomalies and new types of attack. Combining both systems hardens the IDS.

Solution of the problem

To implement such a system, a flowchart is presented that shows the working of the whole system in an organization: the types of events that take place during network intrusion detection and prevention and the order in which they occur. From the flowchart an algorithm for the system can be derived.

Figure 2 shows that the algorithm starts by scanning the network for an attack. If an attack is detected, it checks whether the attack is known or unknown. For a known attack it runs the signature-based IDS; for an unknown attack it runs the anomaly-based IDS, which looks for differences between normal network behavior and the current samples of the network and, if the difference is large, raises an alarm and blocks the activity. In the flowchart the anomaly-based IDS is invoked at two points: when the network scan finds no attack (so that unknown attacks are still looked for), and when an abnormal or unknown attack is found. Whenever the anomaly-based IDS runs, a signature is generated for the unknown attack and added to the database, so that the next occurrence of that attack can be detected easily by the signature-based path and the organization's confidentiality protected in a simpler way. After the database is updated the system checks for attacks again; if there is one it goes back to the network scan, otherwise the algorithm stops.

Fig. 2 Flow Chart


IDS (combination of signature-based and anomaly-based IDS)

1.  if (attack)
2.      if (known attack)
3.          run (Signature-Based NIDS);
4.      else  /* unknown attack */
5.          run (Anomaly-Based NIDS);
6.          make signature;
7.          update database;
8.  else
9.      goto 5;
10. if (check for attacks)
11.     goto 1;
12. else
13.     stop execution;

The algorithm is described as follows:

Step 1: Scan the network for any attack.
Step 2: If there is an attack, determine its type: it is either a known attack or an unknown attack.
Step 3: If it is a known attack, run the signature-based IDS and update the database; otherwise run the anomaly-based IDS, make a signature for the new attack and update the database.
Step 4: The whole process repeats until the operator terminates it.
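The following Python is an added example of the combined algorithm, written for this page rather than taken from the paper's implementation. It keeps a signature database and a baseline of tokens seen in normal requests: a request that matches a signature takes the signature path; a request whose share of never-seen tokens exceeds a threshold takes the anomaly path, and in that case a signature is generated and written back to the database so that the next occurrence is caught by the cheaper signature check. The tokenizer, the 0.5 threshold, the rule of taking the longest unseen token as the new signature, and all of the requests are assumptions made for the example.

```python
import re

TOKEN_RE = re.compile(r"[A-Za-z0-9_./-]+")  # assumption: request tokens are these runs


class HybridIDS:
    """Signature path for known attacks, anomaly path for unknown ones, and a
    signature written back to the database whenever the anomaly path fires."""

    def __init__(self, signatures, normal_requests, unknown_ratio=0.5):
        self.signatures = set(signatures)  # database of known-attack content
        self.vocab = set()  # baseline: every token seen in normal traffic
        for req in normal_requests:
            self.vocab.update(TOKEN_RE.findall(req))
        self.unknown_ratio = unknown_ratio  # share of unseen tokens that counts as an anomaly
        self.alerts = []

    def matched_signature(self, req):
        """Known attack? Return the first signature found in the request, else None."""
        return next((s for s in self.signatures if s in req), None)

    def unknown_tokens(self, req):
        return [t for t in TOKEN_RE.findall(req) if t not in self.vocab]

    def anomaly_score(self, req):
        """Fraction of the request's tokens never seen in the baseline."""
        tokens = TOKEN_RE.findall(req)
        return len(self.unknown_tokens(req)) / len(tokens) if tokens else 0.0

    def make_signature(self, req):
        """Assumption for this example: the longest never-seen token becomes the
        new signature. Auto-generated signatures should be reviewed, since a
        rare but legitimate token would become a permanent false positive."""
        return max(self.unknown_tokens(req), key=len)

    def inspect(self, src, req):
        sig = self.matched_signature(req)
        if sig is not None:  # known attack: signature-based path
            self.alerts.append((src, "signature", sig))
            return "signature"
        if self.anomaly_score(req) >= self.unknown_ratio:  # unknown attack: anomaly path
            new_sig = self.make_signature(req)
            self.signatures.add(new_sig)  # make signature; update database
            self.alerts.append((src, "anomaly", new_sig))
            return "anomaly"
        return "normal"


def run(ids, observed):
    """Feed observed (src, request) pairs through the IDS and return the verdicts."""
    return [ids.inspect(src, req) for src, req in observed]


NORMAL_TRAFFIC = [  # constructed baseline of normal requests
    "GET /index.html HTTP/1.1",
    "GET /images/logo.png HTTP/1.1",
    "POST /login HTTP/1.1",
    "GET /products?id=42 HTTP/1.1",
]
OBSERVED = [  # constructed requests seen after the baseline was built
    ("10.0.0.5", "GET /about.html HTTP/1.1"),                            # new page, mostly familiar tokens
    ("10.0.0.8", "GET /view?f=../../etc/passwd HTTP/1.1"),               # matches a known signature
    ("10.0.0.9", "GET /cgi-bin/test.cgi?cmd=cat+/etc/shadow HTTP/1.1"),  # unknown: anomaly path
    ("10.0.0.12", "GET /cgi-bin/test.cgi?cmd=id HTTP/1.1"),              # now caught by the new signature
]


def demo():
    """Run the constructed traffic through a fresh IDS;
    return (verdicts, final signature database, alerts)."""
    ids = HybridIDS(["../../etc/passwd"], NORMAL_TRAFFIC)
    return run(ids, OBSERVED), sorted(ids.signatures), ids.alerts


if __name__ == "__main__":
    verdicts, database, alerts = demo()
    for (src, req), verdict in zip(OBSERVED, verdicts):
        print(f"{src:10} {verdict:9} {req}")
    print("signature database:", database)
```

The verdicts come out as normal, signature, anomaly, signature: the first request to /cgi-bin/test.cgi is caught by the anomaly path, and the second, from a different host, by the signature that the first one produced. Automatically generated signatures inherit the anomaly detector's false positives, so in practice they should be reviewed before they are trusted; here a legitimate new page would also become a signature if enough of its tokens were unfamiliar.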


Intruders use ever more advanced techniques and attack more frequently and more destructively, so the security of an organization's network and information is of increasing concern; it has become a matter of national concern. A range of tools exists to detect and mitigate intrusion attacks from both inside and outside the network. We have introduced four types of intrusion detection and prevention system (host-based, network-based, wireless and network behavior analysis) and three detection methodologies (signature-based detection, anomaly-based detection and stateful protocol analysis), each with its own strengths and limitations. Based on the two methodologies of signature-based and anomaly-based detection, we have proposed a new algorithm that combines them and is intended to be more effective than either used alone.

