Intrusion Detection System: A Review

DOI : 10.17577/IJERTV2IS110067


Vikrant H. Modi, Department of Electronics and Communication, L.J Institute of Engineering and Technology

Ami A. Patel, Department of Electronics and Communication, L.J Institute of Engineering and Technology

Abstract- In the 21st century, because the Internet is so easily available, virtually anybody can access it and from it reach any network. To avoid unauthorized access, network security is one of the most important requirements of a system. Over the last years many software solutions have been developed to enhance network security, and this paper reviews one that has become prominent in the last decade: the Intrusion Detection System (IDS). We provide an overview of the different types of Intrusion Detection Systems and their advantages and disadvantages. Finally, the details of examples of Intrusion Detection System evaluation proposed by other authors are elaborated. The examples are: (1) Usefulness of the DARPA Dataset for Intrusion Detection System Evaluation, (2) Performance Enhancement of Intrusion Detection Systems using Advanced Sensor Fusion, and (3) Analysis and Evaluation of Network Intrusion Detection Methods to Uncover Data Theft.

    Index Terms- Anomaly IDS, DARPA Dataset, Misuse IDS, False Positive, False Negative, SNORT


    The INTERNET is a global public network [1]. It has changed the face of communication and computation, and the connectivity it provides allows corporations to extend their activity and increase productivity [2]. The same ease of access introduced a new kind of criminality: cyber-crime [4]. This type of crime grew exponentially during the past decade, mainly due to the democratization of the Internet [5]. It is reported in [6] that during 1991-1996 information theft rose by 250%, 99% of all major companies reported at least one major security breach, and 10 billion dollars were lost in the US to telecom and computer related fraud. Data is the most important asset of an organization [7], which highlights the crucial need for network security to keep data secure. Hackers and intruders have made many successful attempts to bring down high-profile company networks and web services. Computer network security is usually deployed in two ways. The first kind of security application tries to establish a strong outside barrier that prevents unauthorized users from gaining access to a network. Since internal users still need to access resources outside the local network, this barrier has to let some communications through, and intruders usually take advantage of this to carry out exploits. The second kind of security application addresses this issue by watching the traffic the barrier lets through and detecting such exploits. Many methods have been developed to secure the network infrastructure and communication over the Internet, among them firewalls, encryption and virtual private networks.

    Firewalls can be found in almost all corporate networks and form the first barrier against intrusion. Without good configuration a firewall is useless; unfortunately, as well as being very popular, firewalls are often misconfigured, allowing any traffic by default rather than denying all of it [3]. That is the main disadvantage of a firewall. Compared to a firewall, an Intrusion Detection System (IDS) is a renowned and widely deployed security tool for detecting attacks and malicious activity in an information system. It is generally deployed as a second line of defence alongside vulnerability monitoring, access control and authentication [8]. It searches for security violation incidents, recognizes unauthorized accesses, and identifies information leakage and the intervention of malicious programs. Because preventive mechanisms (e.g., firewalls, access control and authentication) may not be as effective as expected, intrusion detection provides a way to identify, and thus respond to, attacks against these systems. In the security landscape of a system an IDS plays the role of a reactive rather than a proactive agent [6], whose primary job is to inform the system administrator in the event of an intrusion.


    Figure 1. Taxonomy of IDS

    Intrusion detection systems can be broadly classified by two parameters, as shown in Figure 1:

    1. The analysis method used to identify intrusions, which is classified into misuse IDS and anomaly IDS.

    2. The source of the data used by the analysis method, which is classified into host-based IDS and network-based IDS.


    Misuse (signature-based) detection is normally used for detecting known attacks. It requires that all known threats be defined first and that the information describing them be loaded into the IDS. The IDS then compares all incoming and outgoing activity against the known threats in its knowledge base and raises an alarm when an activity matches an entry. The information stored in this knowledge base is known as signatures [9]. The methods for comparing a signature with an attack range from simple string matching, which looks for unique key words in network traffic to identify attacks, to more complex approaches such as rule-based matching, which defines the behaviour of an attack as a signature [9]. The advantages and disadvantages of the misuse detection technique are as follows [10, 11]:

    Advantages: (1) Misuse detectors are very efficient at detecting known attacks and raise few false alarms (FA). (2) Misuse detectors can quickly detect specially designed intrusion tools and techniques. (3) Misuse detectors provide system administrators with an easy-to-use tool to monitor their systems even if they are not security experts.

    Disadvantages: (1) Misuse detectors can only detect attacks known beforehand, so the system must be kept updated with newly discovered attack signatures. (2) Misuse detectors detect only attacks whose signatures have been loaded into the system. When a well-known attack is changed slightly so that a variant of it is obtained, the detector is unable to detect the variant of the same attack.
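    The difference between plain string matching and rule-based matching, and the evasion described in disadvantage (2), as an added example that is not code from the paper or from Snort: the script below parses a small, assumed subset of Snort-like rule syntax (the rule format of the Snort IDS discussed later in this paper), runs two illustrative rules over constructed packets, and contrasts a matcher that checks protocol and port before inspecting the payload with one that only searches for the byte string. The rules, the packets and the phf request payloads are constructed for the example.

```python
"""Minimal signature (misuse) matcher.

Added example, not code from the paper and not Snort's implementation.
It parses a small, assumed subset of Snort's rule syntax
    action proto src_ip src_port -> dst_ip dst_port (msg:"..."; content:"..."; nocase; sid:N;)
and runs the rules over constructed packets.
"""
import re
from dataclasses import dataclass

# Rule header: action proto src_ip src_port -> dst_ip dst_port ( options )
RULE_HEAD = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s*->\s*(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    dst_port: str          # "any" or a port number as text
    contents: list         # [(needle_bytes, nocase_flag), ...]
    msg: str
    sid: int


def parse_rule(text):
    """Parse one rule line. Only the msg, content, nocase and sid options are understood."""
    m = RULE_HEAD.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: " + text)
    action, proto, _src, _sport, _dst, dport, opts = m.groups()
    msg, sid, contents = "", 0, []
    for opt in (o.strip() for o in opts.split(";")):
        if not opt:
            continue
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "msg":
            msg = val
        elif key == "content":
            contents.append([val.encode(), False])
        elif key == "nocase" and contents:
            contents[-1][1] = True          # nocase modifies the preceding content
        elif key == "sid":
            sid = int(val)
    return Rule(action, proto.lower(), dport, [tuple(c) for c in contents], msg, sid)


def packet_matches(rule, pkt):
    """Rule-based matching: header fields must agree before the payload is inspected."""
    if rule.proto != "any" and rule.proto != pkt["proto"]:
        return False
    if rule.dst_port != "any" and int(rule.dst_port) != pkt["dst_port"]:
        return False
    for needle, nocase in rule.contents:
        hay, n = (pkt["payload"].lower(), needle.lower()) if nocase else (pkt["payload"], needle)
        if n not in hay:
            return False
    return True


def scan_traffic(rule_texts, packets):
    """Return (packet id, sid, msg) for every rule that fires on every packet."""
    rules = [parse_rule(r) for r in rule_texts]
    return [(pkt["id"], rule.sid, rule.msg)
            for pkt in packets for rule in rules if packet_matches(rule, pkt)]


def string_only_hits(rule_texts, packets):
    """Plain string matching: ignores protocol and port, looks only at the bytes."""
    rules = [parse_rule(r) for r in rule_texts]
    return [(pkt["id"], r.sid) for pkt in packets for r in rules
            if all((n.lower() in pkt["payload"].lower()) if nc else (n in pkt["payload"])
                   for n, nc in r.contents)]


# Assumed rules in Snort-like syntax, written for this example (not from any shipped rule set).
RULES = [
    'alert tcp any any -> any 80 (msg:"WEB-CGI phf access"; content:"/cgi-bin/phf"; sid:1;)',
    'alert tcp any any -> any 80 (msg:"WEB-MISC /etc/passwd"; content:"/etc/passwd"; nocase; sid:2;)',
]

# Constructed sample packets, not a real capture.
PACKETS = [
    {"id": 1, "proto": "tcp", "dst_port": 80,   # textbook phf request: both rules fire
     "payload": b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n"},
    {"id": 2, "proto": "tcp", "dst_port": 80,   # benign request: nothing fires
     "payload": b"GET /index.html HTTP/1.0\r\n"},
    {"id": 3, "proto": "tcp", "dst_port": 80,   # same attack, path and target lightly altered: evades both
     "payload": b"GET /cgi-bin/./phf?Qalias=x%0a/bin/cat%20%2Fetc%2Fpasswd HTTP/1.0\r\n"},
    {"id": 4, "proto": "udp", "dst_port": 53,   # string present, header wrong: only a string matcher fires
     "payload": b"/cgi-bin/phf"},
]

if __name__ == "__main__":
    for alert in scan_traffic(RULES, PACKETS):
        print("rule-based:", alert)
    print("string-only:", string_only_hits(RULES, PACKETS))
```

    Running it reports both signatures on packet 1 only: packet 3 carries the same attack with "./" inserted in the path and the target URL-encoded, so neither signature fires, which is the variant problem of disadvantage (2); packet 4 shows why header conditions matter, since a pure string matcher reports it although it is a UDP datagram to port 53.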


    Anomaly detectors detect behaviours on a computer or computer network that are not normal. Under this approach, behaviours deviating from those assumed to be normal are taken to be attacks, and the anomaly detector computes the deviation in order to detect them. Anomaly detectors construct profiles of users, servers and network connections from their normal behaviour; these profiles are produced from data accepted as normal. After the profile has been built, the detector monitors new event data, compares it with the profile and tries to detect deviations [10, 11].

    An anomaly detection technique learns what is considered normal behaviour by one of two main approaches: self-learning or programmed anomaly detection. In the self-learning approach the anomaly detection system automatically monitors events, such as live network traffic, in the environment it has been deployed on and builds up information on what is considered normal behaviour [9]. In the programmed approach, otherwise known as offline learning, the system is instead fed a network traffic data set that contains only normal traffic [12]. The advantages and disadvantages of the anomaly detection technique are as follows:

    Advantages: (1) Anomaly-based IDSs are superior to signature-based ones in that they can detect attacks even when no detailed information about the attack exists. (2) Anomaly-based detectors can be used to obtain signature information for use by misuse-based IDSs.

    Disadvantages: (1) There is a higher rate of false alarms, which means lower precision [13]. (2) The behaviour profile needs periodic online retraining. (3) The anomaly-based approach requires a large set of learning data, consisting of system event logs, in order to construct the normal behaviour profile.
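    The profile-building, deviation-scoring and retraining cycle described above, as an added example (not code from the paper): a statistical profile of one feature, the number of distinct destination ports a workstation contacts per minute, is learned from constructed training data accepted as normal, new observations are scored by z-score, and the profile is rebuilt after an analyst confirms a flagged observation as normal. The feature, the training values, the 3-sigma threshold and the observations are assumptions made for the example.

```python
"""Statistical anomaly detector built from a learned normal profile.

Added example, not from the paper. The profile is the mean and standard
deviation of one feature (distinct destination ports contacted per minute)
learned from constructed training data. The feature, values and threshold
are assumptions for the example.
"""
from statistics import mean, pstdev

# Constructed training data: distinct destination ports per minute over 20 normal minutes.
TRAINING = [2, 3, 3, 4, 2, 3, 5, 3, 4, 2, 3, 3, 4, 3, 2, 3, 4, 3, 3, 2]

# Constructed observations: (minute, distinct ports). 09:02 is a legitimate
# backup job never seen during training; 09:03 is a port sweep.
OBSERVATIONS = [("09:00", 3), ("09:01", 5), ("09:02", 9), ("09:03", 60)]


def build_profile(samples):
    """Normal-behaviour profile: mean and (population) standard deviation."""
    sigma = pstdev(samples)
    # A zero-variance profile would flag every deviation; keep the division finite.
    return {"mean": mean(samples), "std": sigma if sigma > 0 else 1e-9, "n": len(samples)}


def zscore(profile, value):
    """Deviation of one observation from the profile, in standard deviations."""
    return (value - profile["mean"]) / profile["std"]


def detect(profile, observations, threshold=3.0):
    """Flag observations lying more than `threshold` standard deviations above normal."""
    alerts = []
    for minute, value in observations:
        z = zscore(profile, value)
        if z > threshold:
            alerts.append((minute, value, round(z, 2)))
    return alerts


def retrain(samples, confirmed_normal):
    """Periodic retraining: fold analyst-confirmed normal observations into the profile."""
    return build_profile(list(samples) + list(confirmed_normal))


def run_demo():
    """Detect with the initial profile, then again after retraining on the backup job."""
    before = build_profile(TRAINING)
    alerts_before = detect(before, OBSERVATIONS)
    # The 09:02 alert was a false alarm: the backup job is legitimate. Assume a
    # week of its observed values is confirmed as normal and re-profile.
    after = retrain(TRAINING, [9, 9, 9, 9, 9])
    alerts_after = detect(after, OBSERVATIONS)
    return alerts_before, alerts_after


if __name__ == "__main__":
    b, a = run_demo()
    print("alerts before retraining:", b)
    print("alerts after retraining: ", a)
```

    Before retraining the unseen backup job (9 ports) is reported alongside the port sweep (60 ports), which is disadvantage (1) in action; folding confirmed-normal values back into the training set, which is what the periodic retraining of disadvantage (2) amounts to, widens the profile so that only the sweep remains flagged.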


    Intrusion detection can be implemented either on the hosts that need to be protected or on a network device that can sniff the traffic of all the hosts on the network. Based on the implementation location there are two common types of IDS: (I) host-based IDS and (II) network-based IDS.

    A host-based IDS (HIDS) examines information on the local host or operating system on which it is installed: it examines actual system calls and system log files.

    A network-based IDS (NIDS) examines the actual packets travelling across the network, looking for known signs of intrusive activity. Because a NIDS only watches network traffic, an attack whose signature it detects may have succeeded or failed; it is usually difficult, if not impossible, for a NIDS to assess the success or failure of the actual attack. It only indicates the presence of intrusive activity.
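    A small host-based check of the kind a HIDS performs over system log files, added here as an example and not code from the paper: it parses constructed sshd authentication log lines, keeps a sliding window of failed logins per source address, reports sources that cross a threshold, and flags a successful login that follows such a burst (the host-side view of a password-guessing attack). The log lines, the threshold of 5 failures within 60 seconds and the year assumed for the timestamps are all assumptions for the example.

```python
"""Host-based detection over authentication log lines.

Added example, not from the paper. Constructed sshd lines in syslog format
are parsed; a source that fails to log in `threshold` times inside a sliding
window of `window_seconds` is reported, and a later successful login from a
reported source is flagged as a probable compromise.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)

# Constructed sample log (year assumed to be 2024, since syslog omits it).
AUTH_LOG = """\
Mar  3 10:00:01 host sshd[811]: Accepted password for alice from 10.0.0.5 port 50222 ssh2
Mar  3 10:00:07 host sshd[812]: Failed password for root from 203.0.113.9 port 4411 ssh2
Mar  3 10:00:09 host sshd[813]: Failed password for root from 203.0.113.9 port 4412 ssh2
Mar  3 10:00:10 host sshd[814]: Failed password for invalid user admin from 203.0.113.9 port 4413 ssh2
Mar  3 10:00:12 host sshd[815]: Failed password for invalid user guest from 203.0.113.9 port 4414 ssh2
Mar  3 10:00:14 host sshd[816]: Failed password for root from 203.0.113.9 port 4415 ssh2
Mar  3 10:00:20 host sshd[817]: Accepted password for root from 203.0.113.9 port 4416 ssh2
Mar  3 10:01:30 host sshd[820]: Failed password for bob from 10.0.0.7 port 51000 ssh2
Mar  3 10:01:45 host sshd[821]: Accepted password for bob from 10.0.0.7 port 51001 ssh2
Mar  3 10:05:00 host sshd[830]: Failed password for bob from 10.0.0.7 port 51002 ssh2
"""


def parse_line(line, year=2024):
    """Return (timestamp, result, user, src) for an sshd password line, else None."""
    m = LINE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())          # collapse the padded day field
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def analyze(log_text, threshold=5, window_seconds=60):
    """Sliding-window count of failed logins per source.

    Returns (flagged, compromised): flagged maps src -> (count, first, last)
    at the moment the threshold was crossed; compromised lists (src, user, ts)
    for successful logins from an already flagged source.
    """
    recent = defaultdict(deque)
    flagged, compromised = {}, []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        if result == "Accepted":
            if src in flagged:
                compromised.append((src, user, ts))
            continue
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = (len(q), q[0], q[-1])
    return flagged, compromised


if __name__ == "__main__":
    flagged, compromised = analyze(AUTH_LOG)
    for src, (n, first, last) in flagged.items():
        print(f"{src}: {n} failed logins between {first:%H:%M:%S} and {last:%H:%M:%S}")
    for src, user, ts in compromised:
        print(f"{src}: successful login as {user} at {ts:%H:%M:%S} after failed-login burst")
```

    The two failures from 10.0.0.7 are more than a minute apart, so the window never fills and the user is not reported; the single source with five failures in seven seconds is, and the root login that follows it is the event worth paging on.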

  4. CLASSIFICATION OF ATTACKS

    The classification of the various attacks found in the network traffic is explained in detail in the thesis work of Kendall [27] with respect to the DARPA intrusion detection evaluation data set, and is summarized here.

    The attacks fall into five main classes: Probe, Denial of Service (DoS), Remote to Local (R2L), User to Root (U2R) and Data attacks.

    Probe or scan attacks automatically scan a network of computers or a DNS server to find valid IP addresses (ipsweep, lsdomain, mscan), active ports (portsweep, mscan), host operating system types (queso, mscan) and known vulnerabilities (satan).

    DoS attacks are designed to disrupt a host or network service. These include crashing the Solaris operating system (selfping), actively terminating all TCP connections to a specific host (tcpreset), corrupting ARP cache entries for a victim not in other hosts' caches (arppoison), crashing the Microsoft Windows NT web server (crashiis) and crashing Windows NT itself (dosnuke).

    In R2L attacks an attacker who does not have an account on the victim machine gains local access to it (guestdict), extracts files from it (ppmacro) or modifies data in transit to it (framespoof).

    In U2R attacks a local user of a machine obtains privileges normally reserved for the UNIX superuser or the Windows NT administrator. Data attacks exfiltrate special files which the security policy specifies should remain on the victim host. These include secret attacks, where a user who is allowed to access the files exfiltrates the data (ntfsdos, sqlattack).

  5. LATEST INTRUSION DETECTION SOFTWARE

    Anomaly detection based intrusion detection systems are separated into many sub-categories in the literature, including statistical methodologies [14-17], data mining [18, 19], artificial neural networks [20], genetic algorithms [21] and immune systems [22]. Among these sub-categories, statistical methods are the most commonly used for detecting intrusions by analysing abnormal activities occurring in the network. Examples of anomaly-based IDS software are PHAD [23], NETAD [24] and ALAD [25]. Examples of misuse-based IDS software are Bro, Suricata, Cisco IDS and Snort [26].


      The main challenge in IDS deployment is assessing the performance of a system and comparing it with other IDSs [30]. Such evaluations are needed because security systems have to prove what they are capable of detecting and how well they operate compared to each other. [3] mentions detection rate and false alarm rate as the best suited evaluation metrics for IDSs. The detection rate is the fraction of the intrusions injected into the traffic that the IDS detects. The false alarm rate is equivalent to the false-positive rate of the IDS. There are four alarm types, described in the table below.


      Performance evaluation of an IDS is done either offline or online.

      Offline evaluation consists of recreating data sets of network traffic, including attacks, without recreating the whole network topology. The use of tcpdump captures and replay tools allows this type of evaluation [31]. The most commonly used data sets were created by the Defense Advanced Research Projects Agency (DARPA) and the Massachusetts Institute of Technology (MIT) Lincoln Laboratory in 1998 and 1999, called the 1998 and 1999 DARPA sets and sometimes also the Intrusion Detection Evaluation (IDEVAL) data sets [28, 32]. The DARPA sets are simulations of network traffic based on observation of real network traffic, including common attacks, and aim at providing blind evaluation material for researchers [32]. These data sets were captured at the edge of the network, at the border routers.

      Table I. Alarm types

      Alarm type        Meaning
      True positive     IDS rightfully flags an attack as such
      False positive    IDS triggers an alarm although no attack is actually happening
      False negative    Real attack that the IDS does not flag as an intrusion
      True negative     IDS does not flag legitimate events as attacks (most common situation)
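      How the four alarm types, the detection rate and the false alarm rate are computed from an IDS run against labelled traffic, as an added example rather than the DARPA evaluation's own scoring code: attacks are ground-truth time windows, alerts are timestamps, and the script matches them by timestamp. All windows, alerts and the capture interval are constructed, and the minute-level definition of a true negative is an assumption of the example.

```python
"""Scoring an IDS run against labelled attack windows.

Added example, not from the paper or from any evaluation tool. Ground truth
is a list of attack instances as half-open time windows [start, end); alerts
are timestamps from the IDS under test. An attack counts as detected when at
least one alert falls inside its window; alerts outside every window are
false alarms; a true negative is a normal minute of the capture with no
alert (an assumed, minute-granularity definition).
"""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"


def ts(text):
    return datetime.strptime(text, FMT)


# Constructed ground truth: (attack name, start, end), end exclusive.
ATTACKS = [
    ("portsweep", ts("1999-04-05 09:10"), ts("1999-04-05 09:15")),
    ("phf",       ts("1999-04-05 10:02"), ts("1999-04-05 10:03")),
    ("ppmacro",   ts("1999-04-05 11:30"), ts("1999-04-05 11:31")),
]
# Constructed alert timestamps from the IDS under test.
ALERTS = [ts("1999-04-05 09:11"), ts("1999-04-05 09:12"), ts("1999-04-05 09:15"),
          ts("1999-04-05 10:02"), ts("1999-04-05 12:05"), ts("1999-04-05 12:06")]
# Constructed capture interval, end exclusive.
CAPTURE = (ts("1999-04-05 09:00"), ts("1999-04-05 13:00"))


def score(attacks, alerts, capture, slot=timedelta(minutes=1)):
    """Match alerts to attack windows by timestamp and derive the four counts."""
    detected, false_alarm_minutes, false_alerts = set(), set(), 0
    for when in alerts:
        hits = [name for name, start, end in attacks if start <= when < end]
        if hits:
            detected.update(hits)
        else:
            false_alerts += 1
            false_alarm_minutes.add(when.replace(second=0, microsecond=0))
    tp = len(detected)                       # attack instances with at least one alert
    fn = len(attacks) - tp                   # attack instances with no alert at all
    fp = len(false_alarm_minutes)            # normal minutes carrying an alert
    total_minutes = int((capture[1] - capture[0]) / slot)
    attack_minutes = sum(int((end - start) / slot) for _, start, end in attacks)
    tn = total_minutes - attack_minutes - fp  # normal minutes left unflagged
    duration_days = (capture[1] - capture[0]) / timedelta(days=1)
    return {
        "tp": tp, "fp": fp, "fn": fn, "tn": tn,
        "false_alerts": false_alerts,
        "missed": sorted(name for name, _, _ in attacks if name not in detected),
        "detection_rate": tp / (tp + fn) if attacks else 0.0,
        "false_alarm_rate": fp / (fp + tn) if (fp + tn) else 0.0,
        "false_alarms_per_day": false_alerts / duration_days,
    }


if __name__ == "__main__":
    for key, value in score(ATTACKS, ALERTS, CAPTURE).items():
        print(f"{key:>20}: {value}")
```

      One detail the example makes explicit: windows are half-open, so the alert at 09:15 lands just after the portsweep window closes and is scored as a false alarm. An evaluator has to fix this boundary convention, and the granularity at which true negatives are counted, before any two IDSs can be compared on the same data.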


      The 1998 DARPA set includes 7 weeks of labelled training data and 2 weeks of unlabelled test data [32]. During the first test competition, 8 IDSs were tested. The data set also includes over 300 instances of 38 attacks. The 1999 DARPA set presents over 5 billion connections over 5 weeks: 2 weeks were attack-free and 3 weeks included attacks. Another data set was created in 1999, based on the 1998 DARPA set: the 1999 Knowledge Discovery and Data Mining (KDD) Cup set, created for a machine learning evaluation competition. The DARPA 1999 test data consisted of 190 instances of 57 attacks: 37 probes, 63 DoS attacks, 53 R2L attacks and 37 U2R/Data attacks.

      The main advantage of the DARPA sets is that they allow fast, identical trial runs for IDS evaluation. The fact that the sets are free to use allows many researchers to carry out the same experiments and thus compare IDSs with each other [31]. Many critical papers have shown that these sets are flawed [3], the main shortcomings being:

      1. Simple, limited network topology

      2. Low background traffic and linear attack distribution

      3. Limited number of victim target systems

      4. Simulated traffic includes unlikely IP header attribute values.

      Given these shortcomings of offline evaluation, there is a critical need for realistic traffic and attack generators, as well as for data sets mixing both types of traffic in a realistic manner [34].

      Current researchers focus their work on simulation test-beds and attack generators [3]. Lincoln Laboratory's work on creating an online test-bed resulted in the Lincoln Adaptable Real-time Information Assurance Test-bed (LARIAT) tool [35]. LARIAT is capable of generating realistic background user traffic and real network attacks. It was created to overcome the issues inherent in the DARPA sets and to create a next generation of test-bed. The two main goals of LARIAT are supporting real-time evaluation and providing an easily deployable and configurable test-bed [35]. It simulates an internal and an external network, so it is possible to evaluate an IDS plugged in between the two simulated networks. The main issue with LARIAT is that its use is limited to the US military and to some academic organizations under special circumstances.

      Two main advantages of a real-time, online evaluation are that intrusion detection systems can perform active rather than passive monitoring during the evaluation and can take action in response to a particular attack or a possible detection. In theory these systems could query hosts to determine their status and use data sources not provided in the corpora used for offline evaluations. Another advantage is that other characteristics of an intrusion detection system, such as CPU and memory usage and ease of installation and configuration, can be measured.

      The main disadvantage of real-time evaluation is that in many cases only one intrusion detection system can be evaluated at a time, and attacks and background traffic must be regenerated for each system evaluated. It is therefore a very time-consuming process and is not well suited to training (as opposed to testing) intrusion detection systems.

      In contrast, offline evaluations are produced once and can be used by any number of systems at any time for evaluation or training. In an offline evaluation, systems are tested using network traffic, audit logs, system logs, file system information and other host information collected on a test-bed network and distributed to the evaluation participants. Systems process this data in batch mode and attempt to identify attack actions in the midst of normal activity.

      The offline approach was well suited to the research systems that participated in the 1999 evaluation, as support for active monitoring was not required for those systems. Eventually it will be necessary to support future research systems and existing commercial systems that perform dynamic querying of the network or hosts. Although parts of these systems might be evaluated in the existing offline style, real-time evaluation components will be required.


      Snort is free, extremely powerful and widely used by researchers. Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) created by Martin Roesch in 1998. Snort is now developed by Sourcefire, of which Roesch is the founder and CTO. In 2009, Snort entered the InfoWorld Open Source Hall of Fame as one of the greatest [pieces of] open source software of all time [35].

      Snort is a network intrusion detection system used to detect malicious activity in network traffic. It is a widely used NIDS, which motivated us to study its architecture and analyse the different components of an IDS. Snort can be configured to run in four different modes: packet sniffer, packet logger, network intrusion detection system and inline mode (IPS).

      Sniffer mode: Snort uses a packet capturing library to sniff packets from the network and display them on the console. No logging is done in sniffer mode.

      Packet logger mode: Snort records the captured packets to disk instead of only displaying them, so that the traffic can be examined later.

      NIDS mode: Snort analyses the contents of each packet, compares them with its set of predefined rules and generates an alert if a match is found (i.e., if a packet is found to be malicious).

      Inline mode: this mode is known as intrusion prevention mode. Snort receives the raw packets from iptables and checks them against its rule set; a packet that matches a rule with a drop action is discarded rather than forwarded, which prevents the malicious activity from reaching its target.

      A paper by Ciza Thomas et al. [36] analysed the DARPA 1998 data set using Snort and concluded that any sufficiently advanced IDS should be able to achieve good false positive performance on the DARPA IDS evaluation data set.

      The major benefit of Snort is that it can detect a large number of different attacks, such as viruses, denial of service and malware.

      The major drawback of Snort is that it uses only the signature-based technique to detect intrusions; if anomalous behaviour occurs, Snort will not be able to detect that anomalous attack.

      EXPERIMENTAL EVALUATION

      The IDS Snort was evaluated with the DARPA 1999 data set [36] and the results are shown in Table II. It can be noted in Table II that some of the attacks of a certain attack type get detected whereas other attacks of the same attack type do not. Hence some of the attack types appear in both rows of Table II.

        TABLE II

        Attacks detected by Snort: teardrop, dosnuke, portsweep, sshtrojan, sechole, ftpwrite, yaga, phf, netcat, land, satan, no-setup, imap, nc-breakin, ncftp, guessftp, tcpreset, sqlattack, ntinfoscan, neptune, httptunnel, udpstorm, ls, xlock, xsnoop, named, loadmodule, ppmacro

        Attacks not detected by Snort:

        Snort is designed as a network IDS and is extremely good at detecting distributed port scans and also fragmented attacks, which hide malicious packets by fragmentation; Snort's preprocessor is highly capable of defragmenting packets. Matching the alerts produced by Snort with the packets in the data set by means of timestamps identifies which packets triggered those signatures.

        In a study by Sommers et al. [37] comparing the two IDSs Snort and Bro, the authors comment that Snort's drop rate seems to degrade less severely with traffic volume on the DARPA data set. They also conclude that Snort's signature set has been tuned to detect the DARPA attacks. Even so, if not all the attacks of this nine-year-old data set can be detected, this clearly shows that a signature-based IDS cannot reproduce signatures for all the attacks available in the data set. This shows the inability of the IDSs rather than a deficiency of the data set.


      In the most widely used open source network intrusion prevention and detection system, Snort, attack classification is based on the impact on the computer system: attacks with the most critical effects have the highest priority. The priority levels are high, medium and low. High priority attacks include attempted administrator privilege gain, network Trojans and web application attacks. Medium priority attacks include Denial of Service (DoS) attacks, nonstandard protocols or events, potentially bad traffic and attempted log-in using a suspicious username. Low priority events include ICMP events, network scans and generic protocol commands [38].


      CONCLUSION

      For misuse detection (signature detection), mostly performed with the Snort IDS, a signature-based IDS accurately detects and generates correct alarms for attacks with known signatures. For anomaly detection, an anomaly-based IDS accurately detects and generates correct alarms for novel attacks.


REFERENCES

[1] Intrusion Detection Systems: Definition, Need and Challenges, SANS Institute, 2008.

[2] S. S. Rajan, An Overview of Intrusion Detection Systems, Ph.D. dissertation.

[3] J. Corsini, Analysis and Evaluation of Network Intrusion Detection Methods to Uncover Data Theft, Ph.D. dissertation, 2009.

[4] National Institute of Standards and Technology, An Introduction to Computer Security: The NIST Handbook, U.S. Department of Commerce, 2006.

[5] J. Grossklags, N. Christin and J. Chuang, Security and insurance management in networks with heterogeneous agents, in Proc. 9th ACM Conference on Electronic Commerce, New York, NY, USA: ACM, 2008, pp. 169-169.

[6] A. Sundaram, An introduction to intrusion detection, Crossroads, vol. 2, no. 4, pp. 3-7, 1996.

[7] K. Labib, Computer security and intrusion detection, Crossroads, vol. 11, no. 1, pp. 2-2, 2004.

[8] K. K. Patel, An architecture of hybrid intrusion detection system, vol. 2, no. 2, pp. 197-202.

[9] S. Axelsson, Intrusion-detection systems: A taxonomy and survey, Tech. Rep. 99-15, Department of Computer Engineering, Chalmers University of Technology, Goteborg, Sweden, 2000.

[10] R. Bace, Intrusion Detection, Indianapolis, USA: Macmillan Technical Publishing, 2000.

[11] B. Mukherjee, L. T. Heberlein and K. N. Levitt, Network intrusion detection, IEEE Network, vol. 8, no. 3, pp. 26-41, 1994.

[12] F. Gong, Deciphering Detection Techniques, Part II: Anomaly-Based Intrusion Detection, McAfee Security white paper, 2003, retrieved October 10, 2012.

[13] M. Stillerman, C. Marceau and M. Stillman, Intrusion detection for distributed applications, Communications of the ACM, vol. 42, no. 7, July 1999.

[14] D. E. Denning, An intrusion-detection model, IEEE Transactions on Software Engineering, vol. 13, no. 2, pp. 222-232, 1987.

[15] H. S. Javitz and A. Valdes, The SRI IDES statistical anomaly detector, in Proc. IEEE Symposium on Security and Privacy, Oakland, CA, May 1991, pp. 316-326.

[16] P. G. Neumann and P. A. Porras, Experience with EMERALD to date, in Proc. First USENIX Workshop on Intrusion Detection and Network Monitoring, Santa Clara, CA, 11-15 April 1999, pp. 73-80.

[17] L. Lankewicz and M. Benard, Real-time anomaly detection using a nonparametric pattern recognition approach, in Proc. Seventh Annual Computer Security Applications Conference, San Antonio, TX, 2-6 December 1991, pp. 80-89.

[18] S. Noel, D. Wijesekera and C. Youman, Modern intrusion detection, data mining, and degrees of attack guilt, in Applications of Data Mining in Computer Security, Kluwer Academic Publishers, 2002.

[19] W. Lee and S. J. Stolfo, Data mining approaches for intrusion detection, in Proc. Seventh USENIX Security Symposium (Security 1998), San Antonio, TX, 26-29 January 1998.

[20] H. Debar, M. Becker and D. Siboni, A neural network component for an intrusion detection system, in Proc. 1992 IEEE Symposium on Security and Privacy, Oakland, CA, 4-6 May 1992, pp. 240-250.

[21] L. Mé, GASSATA, a genetic algorithm as an alternative tool for security audit trails analysis, in Proc. First International Workshop on Recent Advances in Intrusion Detection, Louvain-la-Neuve, Belgium, 14-16 September 1998.

[22] J. Kim and P. Bentley, The artificial immune model for network intrusion detection, in Proc. Seventh European Congress on Intelligent Techniques and Soft Computing (EUFIT 99), Aachen, Germany, 13-19 September 1999.

[23] M. V. Mahoney and P. K. Chan, PHAD: Packet header anomaly detection for identifying hostile network traffic, Florida Institute of Technology, Technical Report CS-2001-04.

[24] M. V. Mahoney, Network traffic anomaly detection based on packet bytes, in Proc. ACM Symposium on Applied Computing (SAC), 2003.

[25] M. V. Mahoney and P. K. Chan, Learning nonstationary models of normal network traffic for detecting novel attacks, in Proc. Eighth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, 2002, pp. 376-385.

[26] M. Roesch, Snort: Lightweight intrusion detection for networks, in Proc. 13th USENIX Systems Administration Conference (LISA), 1999.

[27] K. Kendall, A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems, thesis, MIT, 1999.

[28] MIT Lincoln Laboratory, DARPA Intrusion Detection Data Sets, 1999. [Online].

[29] Snort Manual.

[30] H. Bidgoli (ed.), Handbook of Information Security, Wiley, 2006.

[31] R. P. Lippmann, D. J. Fried, I. Graf, J. W. Haines, K. R. Kendall, D. McClung, D. Weber, S. E. Webster, D. Wyschogrod, R. K. Cunningham and M. A. Zissman, Evaluating intrusion detection systems: The 1998 DARPA off-line intrusion detection evaluation, in Proc. 2000 DARPA Information Survivability Conference and Exposition (DISCEX), 2000, pp. 12-26.

[32] M. V. Mahoney and P. K. Chan, An analysis of the 1999 DARPA/Lincoln Laboratory evaluation data for network anomaly detection, in Proc. Sixth International Symposium on Recent Advances in Intrusion Detection (RAID), Springer-Verlag, 2003, pp. 220-237.

[33] R. Braden (ed.), Requirements for Internet Hosts - Communication Layers, RFC 1122, 1989.

[34] A. Patcha and J.-M. Park, An overview of anomaly detection techniques: Existing solutions and latest technological trends, Computer Networks, vol. 51, pp. 3448-3470, 2007.

[35] P. Fogla and W. Lee, Evading network anomaly detection systems: Formal reasoning and practical techniques, in Proc. 13th ACM Conference on Computer and Communications Security (CCS '06), New York, NY, USA: ACM, 2006.

[36] C. Thomas, V. Sharma and N. Balakrishnan, Usefulness of DARPA dataset for intrusion detection system evaluation, in Proceedings of SPIE, vol. 6973, 2008.

[37] J. Sommers, V. Yegneswaran and P. Barford, Toward comprehensive traffic generation for online IDS evaluation, Technical Report, University of Wisconsin.

[38] A. R. Baker and J. Beale, Snort 2.1 Intrusion Detection, 2nd ed., 2004, pp. 751.