Abstract
Data breaches pose one of the most significant threats to many companies, especially those doing business in the digital space. Intrusion Detection Systems (IDSs) therefore draw special attention from scholars, IT experts, and business leaders, since their function is to monitor network traffic and host activity and to identify malicious activity or policy violations. This paper analyzes the methods, features, and techniques associated with contemporary IDSs and provides an example of a deployment on a consumer mobile device. In particular, the paper discusses network-based and host-based intrusion detection systems, and signature-based and anomaly-based IDSs. It also covers the machine-learning, knowledge-based, and statistical methods used to build the normal-behavior model of an anomaly-based IDS (AIDS), and gives a taxonomy of AIDS based on their features: pattern-based, statistics-based, rule-based, heuristic-based, and state-based.
Introduction
Nowadays, the risk of a data breach is among the most significant concerns for business leaders, because a breach can expose millions of customers' sensitive information, ruin a business's reputation, and cause the loss of trade secrets. To prevent such incidents, organizations deploy layered security controls: intrusion detection and prevention systems, network access control, web application firewalls, and antivirus software. This paper focuses on the implementation, methods, features, and techniques of contemporary Intrusion Detection Systems (IDSs) and provides an example of a deployment on a consumer mobile device.
Description and Analysis
Protection on the Internet is becoming a critical necessity as online services, especially digital banking and e-commerce, grow rapidly. An intrusion detection system is software or hardware designed to monitor network traffic or host activity and identify malicious activity or policy violations, including unauthorized access to, or control of, a computer system or network. Detected breaches and suspicious events are generally reported to and stored in a Security Information and Event Management (SIEM) system, which applies alarm filtering to separate genuine malicious activity from noise (Elrawy et al., 2018). A broad array of IDS products exists, ranging from single-host agents to complex, multilevel monitoring systems that inspect the total network traffic. The most common classification, based on the input data source used to identify unauthorized activity, distinguishes network-based intrusion detection systems (NIDS) from host-based intrusion detection systems (HIDS) (Khraisat et al., 2019). The former analyze inbound and outbound network traffic, whereas the latter monitor critical operating system files, logs, and processes to find malicious activity on a particular host.
In addition, IDSs can be distinguished by detection method, the two primary variants being signature detection and anomaly detection. A signature-based IDS (SIDS) reveals known threats by comparing every packet passing through the network (or every event on a host) against a database of specific patterns that characterize the malicious instruction sequences of known malware and attacks (Khraisat et al., 2019). In other words, SIDS relies on pattern matching: an alarm is raised when the observed traffic matches the signature of a previously seen intrusion already held in the signature database. Although SIDS usually provides superior detection accuracy for known attacks, it fails to detect new intrusions, for which no matching signature exists (Khraisat et al., 2019). SIDS is implemented in many software tools, the best known of which are Snort and NetSTAT. The term "signature" is borrowed from antivirus software, which uses the same word for the patterns it matches.
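The following is an added example, written for this page rather than taken from Snort, NetSTAT, or any of the cited papers, that shows the signature-matching logic described above on a constructed packet stream. The signature database, the signature ids, and the packets are all constructed for the example; the point it adds is the last packet pair, where an attack with a known signature is caught while the same attack in a different encoding is not.

```python
"""Added example: a minimal signature-based matcher in the style of a SIDS.

Illustrative code written for this page, not Snort or NetSTAT code. The
signature database and the packets below are constructed for the example;
the signature ids (sids) are hypothetical.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    sid: int                  # hypothetical signature id
    name: str
    proto: str                # transport protocol the rule applies to
    dst_port: Optional[int]   # None matches any destination port
    content: bytes            # byte pattern that must occur in the payload


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int
    payload: bytes


# Constructed signature database. The patterns mimic the style of classic
# web-attack signatures but are not copied from any real ruleset.
SIGNATURES: List[Signature] = [
    Signature(1001, "directory traversal", "tcp", 80, b"../../"),
    Signature(1002, "sql tautology", "tcp", 80, b"' OR '1'='1"),
    Signature(1003, "shell invocation in request", "tcp", 80, b"/bin/sh"),
    Signature(1004, "known malware beacon", "tcp", None, b"BEACON-v1"),
]


def match_packet(pkt: Packet, sigs: List[Signature]) -> List[int]:
    """Return the sids of every signature whose header constraints and content
    pattern match the packet. This is plain substring matching, which is exactly
    what makes a SIDS precise on known attacks and blind to unknown ones."""
    hits = []
    for sig in sigs:
        if sig.proto != pkt.proto:
            continue
        if sig.dst_port is not None and sig.dst_port != pkt.dst_port:
            continue
        if sig.content in pkt.payload:
            hits.append(sig.sid)
    return hits


def scan(packets: List[Packet], sigs: List[Signature]) -> List[Tuple[int, int, str]]:
    """Run the matcher over a packet stream and return (packet index, sid, name)
    alerts, which a real deployment would forward to a SIEM."""
    by_sid = {s.sid: s.name for s in sigs}
    alerts = []
    for i, pkt in enumerate(packets):
        for sid in match_packet(pkt, sigs):
            alerts.append((i, sid, by_sid[sid]))
    return alerts


# Constructed packet stream: a benign request, a known traversal attack, the
# same traversal URL-encoded (no signature for that form), and a beacon on a
# non-standard port.
SAMPLE_PACKETS: List[Packet] = [
    Packet("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n"),
    Packet("tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("tcp", 80, b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\n"),
    Packet("tcp", 4444, b"BEACON-v1 id=7f3a\n"),
]


def run_demo() -> List[Tuple[int, int, str]]:
    """Scan the constructed stream; packet 2 (encoded traversal) produces no alert."""
    return scan(SAMPLE_PACKETS, SIGNATURES)


if __name__ == "__main__":
    for idx, sid, name in run_demo():
        print(f"ALERT packet={idx} sid={sid} {name}")
```

Packet 1 and packet 3 raise alerts; packet 2 carries the same traversal with URL-encoded dots and passes silently because no signature describes that byte sequence. Production engines such as Snort add protocol decoders that normalize such encodings before matching, which closes this particular gap, but an attack for which no signature exists at all is still missed, which is the limitation the next paragraphs address.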
An anomaly-based IDS (AIDS) aims to detect and adapt to unfamiliar attacks by first building a model of normal, trusted activity and then comparing observed behavior against it. Any considerable deviation of the observed behavior from the model is an anomaly that the system may treat as an intrusion. In AIDS, the model of normal system behavior is built using machine learning, a knowledge-based method, or a statistical method (Khraisat et al., 2019). For example, the statistics-based method gathers and analyzes all data records in an item set and derives a statistical profile of normal user behavior. Khraisat et al. (2019) further distinguish five subclasses of AIDS according to their features: pattern-based, statistics-based, rule-based, heuristic-based, and state-based. For instance, a state-based AIDS examines the sequence of events as a flow of state transitions in order to detect a potential attack; it is also self-training and has a low false-positive rate.
AIDS therefore overcomes the main limitation of SIDS, the inability to detect novel threats, by employing a broad behavioral model instead of specific patterns and signatures. First, the system can discover insider and account-takeover activity: it triggers an alarm when an intruder begins conducting transactions in a stolen account that do not fit the usual activity of the legitimate user (Khraisat et al., 2019). Second, because AIDS is built on customized per-user or per-system profiles, an attacker cannot easily learn what counts as normal behavior without generating alerts in the process (Khraisat et al., 2019). However, although this technique allows previously unknown attacks to be detected, it is prone to false positives: previously unseen but legitimate activity can be mistakenly classified as malicious.
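As an added example (not code from Khraisat et al., 2019 or from any product), the following implements the statistics-based AIDS described in the two paragraphs above for a single user account: a training stage that learns a per-feature mean and standard deviation from constructed "normal" daily activity, and a detection stage that flags any record whose features deviate by more than an assumed 3-sigma threshold. The feature set, the ten days of training data, and the three test records (an ordinary day, a stolen-account session, and a legitimate but unusual purchase) are all constructed assumptions; the last record reproduces the false-positive case the paragraph warns about.

```python
"""Added example: a statistics-based AIDS profile for one user account.

Illustrative code written for this page, not from Khraisat et al. (2019) or
any product. The features, the daily activity records and the 3-sigma
threshold are constructed assumptions for the example.
"""
import statistics
from dataclasses import dataclass
from typing import Dict, List, Tuple

FEATURES = ("login_hour", "tx_count", "total_amount")  # assumed feature set


@dataclass(frozen=True)
class Profile:
    """Per-feature mean and standard deviation learned from normal activity."""
    mean: Dict[str, float]
    stdev: Dict[str, float]


def build_profile(records: List[Dict[str, float]]) -> Profile:
    """Training stage: learn what 'normal' looks like from historical records
    that are assumed to contain no intrusions."""
    mean, stdev = {}, {}
    for f in FEATURES:
        values = [r[f] for r in records]
        mean[f] = statistics.fmean(values)
        # A constant feature would give stdev 0; floor it so z-scores stay finite.
        stdev[f] = max(statistics.stdev(values), 1e-6)
    return Profile(mean, stdev)


def z_scores(profile: Profile, record: Dict[str, float]) -> Dict[str, float]:
    """How many standard deviations each feature of the record lies from normal."""
    return {f: (record[f] - profile.mean[f]) / profile.stdev[f] for f in FEATURES}


def is_anomalous(profile: Profile, record: Dict[str, float],
                 threshold: float = 3.0) -> Tuple[bool, str, float]:
    """Detection stage: flag the record if any feature deviates by more than
    `threshold` standard deviations. Returns (flag, worst feature, its |z|)."""
    z = z_scores(profile, record)
    worst = max(z, key=lambda f: abs(z[f]))
    return abs(z[worst]) > threshold, worst, abs(z[worst])


# Constructed training data: ten days of a legitimate user's daily activity
# (usual login hour, number of transactions, total amount spent).
NORMAL_DAYS = [
    {"login_hour": h, "tx_count": c, "total_amount": a}
    for h, c, a in [(9, 2, 40), (10, 3, 55), (9, 2, 35), (11, 1, 20), (10, 3, 60),
                    (9, 2, 45), (10, 2, 50), (11, 3, 65), (9, 1, 25), (10, 2, 40)]
]

# Constructed test records.
ORDINARY_DAY = {"login_hour": 10, "tx_count": 2, "total_amount": 45}
STOLEN_ACCOUNT = {"login_hour": 3, "tx_count": 12, "total_amount": 900}     # intruder
LEGIT_BUT_UNUSUAL = {"login_hour": 22, "tx_count": 1, "total_amount": 400}  # one-off purchase


if __name__ == "__main__":
    profile = build_profile(NORMAL_DAYS)
    for label, rec in [("ordinary day", ORDINARY_DAY),
                       ("stolen account", STOLEN_ACCOUNT),
                       ("legit but unusual", LEGIT_BUT_UNUSUAL)]:
        flag, feat, z = is_anomalous(profile, rec)
        print(f"{label:18s} anomalous={flag} worst={feat} |z|={z:.1f}")
```

The stolen-account session is flagged on every feature, the ordinary day is not, and the legitimate one-off late-night purchase is flagged as well: that third result is the false positive inherent in profile-based detection. Raising the threshold reduces such alerts at the cost of letting smaller deviations through, so the threshold is a tuning decision rather than a fixed constant.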
Finally, the machine learning methods used in IDSs can be divided into supervised, unsupervised, semi-supervised, ensemble, and hybrid types. A supervised-learning IDS learns to recognize attacks from labeled training data and consists of a training stage and a testing stage (Khraisat et al., 2019). Unsupervised learning extracts useful structure from input datasets that carry no class labels (Khraisat et al., 2019). It is also worth noting that IDSs with machine learning algorithms are used on Android, Google's mobile operating system and the most popular one, with over 85% market share (Ribeiro et al., 2020). In particular, a HIDS combining statistical and semi-supervised ML algorithms was implemented on a Samsung Galaxy J1 smartphone (model SM-J100H) as a regular Android application (Ribeiro et al., 2020). This IDS is entirely autonomous and runs on the device without any connection to a server.
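To make the training and testing stages of a supervised-learning IDS concrete, the following added example (written for this page, not taken from Khraisat et al., 2019 or Ribeiro et al., 2020) trains a Gaussian naive Bayes classifier from scratch on constructed, labeled network-flow records and then evaluates it on a held-out test set. The flow features (duration, packets, bytes), the class names, and every record are constructed assumptions. The test set deliberately includes a "low-and-slow" attack that resembles normal traffic and has no counterpart in the labeled data, to show what supervised detection cannot learn.

```python
"""Added example: a supervised-learning IDS with explicit training and testing
stages, using a Gaussian naive Bayes classifier written from scratch.

Illustrative code for this page, not from Khraisat et al. (2019) or Ribeiro
et al. (2020). The flow features (duration_s, packets, bytes), the labeled
records and the class names are constructed assumptions.
"""
import math
from typing import Dict, List, Tuple

Record = Tuple[Tuple[float, ...], str]   # (feature vector, label)

# Constructed labeled training flows: (duration_s, packets, bytes), label.
TRAIN: List[Record] = [
    ((0.5, 10, 1500), "normal"), ((0.8, 12, 2000), "normal"), ((0.3, 8, 900), "normal"),
    ((1.2, 15, 3000), "normal"), ((0.6, 9, 1100), "normal"), ((0.9, 11, 1800), "normal"),
    ((0.1, 150, 9000), "attack"), ((0.2, 220, 13000), "attack"), ((0.05, 180, 11000), "attack"),
    ((0.15, 260, 15000), "attack"), ((0.1, 200, 12000), "attack"), ((0.2, 240, 14000), "attack"),
]

# Constructed held-out test flows. The last one is a "low-and-slow" attack whose
# features look like normal traffic; nothing like it appeared in the labels.
TEST: List[Record] = [
    ((0.7, 10, 1600), "normal"), ((0.4, 9, 1200), "normal"),
    ((0.1, 210, 12500), "attack"), ((0.2, 230, 13500), "attack"),
    ((0.6, 11, 1700), "attack"),
]

# label -> (log prior, per-feature means, per-feature variances)
Model = Dict[str, Tuple[float, List[float], List[float]]]


def train(records: List[Record], var_floor: float = 1e-9) -> Model:
    """Training stage: for each class, estimate the prior and a per-feature
    Gaussian (mean, variance) from the labeled records."""
    by_label: Dict[str, List[Tuple[float, ...]]] = {}
    for x, y in records:
        by_label.setdefault(y, []).append(x)
    model: Model = {}
    for label, xs in by_label.items():
        n, d = len(xs), len(xs[0])
        means = [sum(x[j] for x in xs) / n for j in range(d)]
        variances = [max(sum((x[j] - means[j]) ** 2 for x in xs) / max(n - 1, 1), var_floor)
                     for j in range(d)]
        model[label] = (math.log(n / len(records)), means, variances)
    return model


def predict(model: Model, x: Tuple[float, ...]) -> str:
    """Pick the class with the highest log posterior under the naive
    (feature-independence) assumption."""
    best_label, best_score = "", -math.inf
    for label, (log_prior, means, variances) in model.items():
        score = log_prior
        for xj, mu, var in zip(x, means, variances):
            score += -0.5 * math.log(2 * math.pi * var) - (xj - mu) ** 2 / (2 * var)
        if score > best_score:
            best_label, best_score = label, score
    return best_label


def evaluate(model: Model, records: List[Record]) -> Dict[str, float]:
    """Testing stage: accuracy, detection rate (attack recall) and
    false-positive rate (normal flows flagged as attack) on held-out data."""
    correct = tp = fn = fp = tn = 0
    for x, y in records:
        p = predict(model, x)
        correct += int(p == y)
        if y == "attack":
            if p == "attack":
                tp += 1
            else:
                fn += 1
        elif p == "attack":
            fp += 1
        else:
            tn += 1
    return {"accuracy": correct / len(records),
            "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
            "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0}


if __name__ == "__main__":
    m = train(TRAIN)
    for x, y in TEST:
        print(x, "label:", y, "predicted:", predict(m, x))
    print(evaluate(m, TEST))
```

On the constructed data the classifier separates the flood-style attacks from normal flows cleanly (no false positives), but it labels the low-and-slow attack as normal, giving a detection rate of two out of three. Supervised detection is bounded by what the labeled data covers, which is one reason deployments such as the Android HIDS cited above pair supervised or semi-supervised models with statistical anomaly detection.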
Conclusion
In summary, this paper has examined the implementation, methods, features, and techniques of contemporary Intrusion Detection Systems (IDSs) and provided an example of a deployment on a consumer mobile device. The most common classification, based on the input data source used to identify unauthorized activity, distinguishes network-based intrusion detection systems (NIDS) from host-based intrusion detection systems (HIDS). By detection method, an IDS can be signature-based or anomaly-based. SIDS reveals known threats by comparing every packet passing through the network against a database of specific patterns that characterize malicious instruction sequences. AIDS aims to detect and adapt to unfamiliar attacks by building a model of normal, trusted activity and comparing observed behavior against it. Android, the most popular mobile OS, has served as the platform for an autonomous, machine-learning-based HIDS.
References
Elrawy, M. F., Awad, A. I., & Hamed, H. F. (2018). Intrusion detection systems for IoT-based smart environments: A survey. Journal of Cloud Computing, 7(1), 21.
Khraisat, A., Gondal, I., Vamplew, P., & Kamruzzaman, J. (2019). Survey of intrusion detection systems: Techniques, datasets, and challenges. Cybersecurity, 2(1), 20.
Ribeiro, J., Saghezchi, F. B., Mantas, G., Rodriguez, J., Shepherd, S. J., & Abd-Alhameed, R. A. (2020). An autonomous host-based intrusion detection system for Android mobile devices. Mobile Networks and Applications, 25(1), 164-172.