
Analysis of Intrusion Detection Approaches

Intrusion detection systems (IDSs) are software or hardware systems that automate the
process of monitoring the events occurring in a computer system or network, analyzing
them for signs of security problems. As network attacks have increased in number and
severity over the past few years, intrusion detection systems have become a necessary
addition to the security infrastructure of most organizations. Building effective IDSs,
unfortunately, has remained an elusive goal owing to the great technical challenges
involved; and various techniques are increasingly being utilized in attempts to overcome
the difficulties. This paper presents a comparative study of intrusion detection approaches,
which are the building blocks of any intrusion detection system.

Statistical approach

This approach involves a statistical comparison of specific events based on a
predetermined set of criteria. Data is collected from the system and the network, and
the collected data is tested for attack analysis by statistical models. The models which have
been used most frequently are the Operational Model, the Average and Standard Deviation Model, the
Multivariate Model, the Markovian Model, and the Time Series Model. The analysis of
threats is laborious and time consuming because data is first collected and then
different models are applied. These models often analyze properties such as the overall system
load and the statistical distribution of events, which represent a summary measure. When the
deviation exceeds a predefined threshold, the system triggers an alarm. Determining this
threshold accurately is a critical issue: when the threshold is low, the system raises a
large number of (false) alarms, and when the threshold is high, the system may not detect
attacks reliably. Though these methods can handle multiple features in the audit patterns,
very often, in order to reduce complexity and improve system performance, only a single
feature is considered, as in the Intrusion Detection Expert System (IDES), or the features
are assumed to be independent, as in the Haystack system. This, however, affects the
attack detection accuracy. Statistical methods can operate either in batch mode (Haystack
system) or in real-time mode (IDES). A statistical system must “learn” what is
“normal” traffic for a particular network, so the effectiveness of the system depends on
the learning process. Another concern with the statistical approach is that it will not
pinpoint the attack or the problem. It will only flag the packet as anomalous and
either drop the packet or trigger an alert. The administrator will then have to perform
the necessary analysis, which requires a reasonable amount of expertise.
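As an added illustration (not from the paper), the Average and Standard Deviation Model and the threshold trade-off described above, run on constructed connection-rate samples; the feature, the baseline and test values and the thresholds are assumptions:

```python
import statistics

# Constructed baseline: connections per minute seen from one host during a
# "learning" period of normal activity (assumed sample values, not real data).
BASELINE_CONN_PER_MIN = [40, 42, 38, 45, 41, 39, 44, 43, 40, 42, 37, 46]

# Constructed test window: normal rates plus one burst at index 5 (assumed).
TEST_CONN_PER_MIN = [41, 48, 39, 52, 43, 180, 44, 38]


def learn_profile(samples):
    """Learn the 'normal' profile of the Average and Standard Deviation Model:
    the mean and the sample standard deviation of the training samples."""
    return statistics.mean(samples), statistics.stdev(samples)


def detect_deviations(observations, profile, k):
    """Flag observations that deviate from the mean by more than k standard
    deviations. Returns (index, value, z-score) for each flagged observation."""
    mean, stdev = profile
    flagged = []
    for i, value in enumerate(observations):
        z = (value - mean) / stdev
        if abs(z) > k:
            flagged.append((i, value, round(z, 2)))
    return flagged


def alarm_counts(observations, profile, thresholds=(1.0, 2.0, 3.0, 60.0)):
    """Number of alarms raised for several thresholds k: a low threshold raises
    many (false) alarms, while a very high one misses even the burst."""
    return {k: len(detect_deviations(observations, profile, k)) for k in thresholds}


if __name__ == "__main__":
    profile = learn_profile(BASELINE_CONN_PER_MIN)
    print("learned profile: mean=%.2f stdev=%.2f" % profile)
    print("alarms per threshold:", alarm_counts(TEST_CONN_PER_MIN, profile))
    print("flagged at k=3:", detect_deviations(TEST_CONN_PER_MIN, profile, 3.0))
```

Note that the model only reports that an observation is anomalous; which packets or sessions caused the burst is left to the administrator, as the text says.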

Rule based approach

This approach relies on sets of predefined rules which are provided by an administrator,
automatically created by the system, or both. Each rule is mapped to a specific operation
in the system. The rules serve as operational preconditions which are continuously
checked against the audit record by the intrusion detection mechanism. If the required
conditions of a rule are satisfied by user activity, the specified operation is executed.
Frequent updating of the rules is required in this approach, which is time consuming. Moreover,
this approach is unable to detect new attacks.

Expert System approach

This approach consists of a set of rules which encode the knowledge of a human
"expert". Unfortunately, expert systems require frequent updates by a system
administrator to remain up to date [17]. The lack of maintenance or updating is the
weakness of this approach. Further, accurate knowledge acquisition and its encoding
are also complex tasks.

Pattern recognition approach

In this approach, a series of penetration scenarios are coded into the system. This
approach is effective in reducing the need to review a large amount of audit data [17, 19].
It is also unable to detect new attacks. Therefore, frequent updating of the penetration
scenarios is required. Further, creating accurate penetration scenarios and coding them
into the system is a serious and complex issue.

Graph-based approach

In this approach, data is collected about activity on computers and network traffic,
and this information is used to build activity graphs that reveal the fundamental structure of
network activity. By analyzing the characteristics of the activity graphs, different reports
are generated. This analysis is generally done by searching the graphs built for
known bad patterns. A policy language to express acceptable and unacceptable behavior
on the network is included with this approach so that administrators can define policies
for their departments. A drawback of this approach is that an administrator must continuously
monitor the activities on the screen. Further, it faces other issues such as frequent updating,
false positives and false negatives.

Hybrid approach

This approach is a combination of two of the above approaches, such as the graph-based approach
and the statistical approach, or any others. In this approach, administrators continuously watch
the screen and observe anomalous behavior. Once an anomaly has occurred, it is analyzed
by different statistical models, which is time consuming. Therefore, an accurate and timely
detection of intrusion is very necessary.

Clustering

Clustering of data has been applied extensively for intrusion detection using a number of
methods such as k-means, fuzzy c-means and others [56], [57]. Clustering methods are
based upon calculating the numeric distance of a test point from the different cluster centres
and then adding the point to the closest cluster. One of the main drawbacks of the clustering
technique is that, since a numeric distance measure is used, the observations must be
numeric. Observations with symbolic features cannot be readily used for clustering, which
results in inaccuracy. In addition, clustering methods consider the features independently
and are unable to capture the relationship between different features of a single record,
which results in lower accuracy. Another issue when applying any clustering method is the
selection of the distance measure, as different distance measures result in clusters with different
shapes and sizes. Frequently used distance measures are the Euclidean distance and the
Mahalanobis distance [9]. Clustering can, however, also be performed when only the normal
audit patterns are available. In such cases, density-based clustering methods can be used,
which are based on the assumption that intrusions are rare and dissimilar to the normal
events. This is similar to identifying outlier points, which can be considered as intrusions.
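An added example, not part of the paper, of the density-based variant described above for the case where only normal audit patterns are available: each test record is scored by its mean distance to its nearest normal records, and the alarm threshold is derived from the normal data itself. The feature vectors, the Euclidean measure, k and the margin are assumptions.

```python
import math

# Constructed "normal" audit records as (bytes sent in kB, duration in s),
# forming two dense groups of benign behaviour (assumed sample values).
NORMAL = [
    (10.0, 1.0), (11.0, 1.2), (9.5, 0.9), (10.5, 1.1),            # short, small transfers
    (200.0, 30.0), (210.0, 32.0), (195.0, 29.0), (205.0, 31.0),   # long, bulk transfers
]

# Constructed test records: two benign-looking, one unlike anything seen (assumed).
TEST = [(10.2, 1.0), (198.0, 30.5), (150.0, 2.0)]


def euclidean(a, b):
    """Euclidean distance; features are assumed to be on comparable scales."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def density_score(point, normal, k):
    """Mean distance from `point` to its k nearest normal records. A small
    score means the point lies in a dense region of normal activity; a large
    score means it is rare and dissimilar to everything seen as normal."""
    dists = sorted(euclidean(point, n) for n in normal)
    return sum(dists[:k]) / k


def normal_threshold(normal, k):
    """Derive the threshold from the normal data alone: the largest score any
    normal record gets against the other normal records (leave-one-out)."""
    scores = [density_score(p, normal[:i] + normal[i + 1:], k)
              for i, p in enumerate(normal)]
    return max(scores)


def detect_outliers(test, normal, k=3, margin=1.5):
    """Flag test records whose score exceeds margin x the normal threshold;
    these outliers are the candidate intrusions."""
    limit = normal_threshold(normal, k) * margin
    return [(p, round(density_score(p, normal, k), 2))
            for p in test if density_score(p, normal, k) > limit]


if __name__ == "__main__":
    print("normal threshold:", round(normal_threshold(NORMAL, 3), 2))
    print("outliers:", detect_outliers(TEST, NORMAL))
```

Features on very different scales should be standardized before a Euclidean measure is used; otherwise the larger-valued feature dominates the clusters, which is the distance-measure choice the text warns about.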

Bayesian Classifiers

Naive Bayes classifiers have also been proposed for intrusion detection. However, they make
a strict independence assumption between the features in an observation, resulting in lower
attack detection accuracy when the features are correlated, which is often the case.
Bayesian networks can also be used for intrusion detection. However, they tend to be
attack specific and build a decision network based on the special characteristics of individual
attacks. As a result, the size of a Bayesian network increases rapidly as the number of
features and the types of attacks modeled by the network increase.
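An added example (not from the paper) of why the independence assumption costs accuracy on correlated features: on constructed audit records in which two features always agree, the naive posterior counts the same evidence twice and flips the verdict that a model treating the pair jointly gives. The records and feature names are assumptions.

```python
# Constructed audit records: (many_failed_logins, login_from_new_ip, off_hours, label).
# The first two features are identical in every record, i.e. perfectly correlated,
# which is the situation the independence assumption handles badly (assumed data).
RECORDS = [
    (1, 1, 1, "attack"), (1, 1, 0, "attack"), (1, 1, 1, "attack"), (0, 0, 1, "attack"),
    (0, 0, 0, "normal"), (0, 0, 0, "normal"), (0, 0, 1, "normal"),
    (1, 1, 0, "normal"), (0, 0, 0, "normal"), (1, 1, 1, "normal"),
]
LABELS = ("attack", "normal")


def rows_with(label):
    return [r for r in RECORDS if r[3] == label]


def prior(label):
    return len(rows_with(label)) / len(RECORDS)


def cond_prob(feature_idx, value, label):
    """P(feature = value | label) from counts; every count in the constructed
    data is non-zero, so no smoothing is needed."""
    rows = rows_with(label)
    return sum(r[feature_idx] == value for r in rows) / len(rows)


def naive_bayes_posterior(x):
    """P(attack | x) under the naive assumption: the likelihood is the product
    of per-feature probabilities, so correlated features are counted twice."""
    score = {}
    for label in LABELS:
        p = prior(label)
        for i, v in enumerate(x):
            p *= cond_prob(i, v, label)
        score[label] = p
    return score["attack"] / sum(score.values())


def joint_posterior(x):
    """P(attack | x) treating the two correlated features as one joint feature,
    so the shared evidence is counted once."""
    score = {}
    for label in LABELS:
        rows = rows_with(label)
        p_joint = sum(r[0] == x[0] and r[1] == x[1] for r in rows) / len(rows)
        score[label] = prior(label) * p_joint * cond_prob(2, x[2], label)
    return score["attack"] / sum(score.values())


if __name__ == "__main__":
    for x in [(1, 1, 1), (1, 1, 0)]:
        print(x, "naive=%.3f joint=%.3f" % (naive_bayes_posterior(x), joint_posterior(x)))
```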

Decision Trees

Decision trees have also been used for intrusion detection. Decision trees select the best
feature for each decision node during tree construction based on some well-defined
criteria. Decision trees generally have a very high speed of operation and high attack
detection accuracy, and have been successfully used to build effective intrusion detection
systems.

Artificial neural network approach

This approach is an alternative to the other approaches. It can learn from
examples: after training or learning, the system is able to detect intrusions. This approach
offers the potential to resolve a number of the problems encountered by the other present
approaches, such as the varying nature of attacks. The first advantage in the use of a neural
network in intrusion detection would be the flexibility that the network would
provide. A neural network would be able to analyze the data from the network, even if
the data is incomplete or partial. In the same way, the network would have the ability to
conduct an analysis of the data in a non-linear fashion. Further, because some attacks may
be conducted against the network in a coordinated manner by multiple attackers, the
capability to process data from a number of sources in a non-linear fashion is particularly
important. The problem of regularly updating traditional intrusion detection systems is
also reduced by an ANN. It has a generalization property and hence is able to detect unknown
attacks and even variations of known attacks. Another reason to employ an ANN in intrusion
detection is that an ANN can cluster patterns which share similar features, so the
classification problem in intrusion detection can be solved by this approach. The natural
speed of neural networks is another advantage. Though neural networks can work
effectively with noisy data, like other methods they require a large amount of data for
training, and it is often hard to select the best possible architecture for the neural network.

Support Vector Machines

Support vector machines map real-valued input feature vectors to a higher dimensional
feature space through a nonlinear mapping and have been used for detecting intrusions.
They can provide real-time attack detection capability, deal with the large dimensionality of
the data and perform multi-class classification.

Genetic Algorithm

The genetic algorithm (GA) is one of the upcoming fields in intrusion detection,
especially in intrusion detection systems (IDS). A GA operates on a population of potential
solutions, applying the principle of survival of the fittest to produce better and better
approximations to the solution of the problem that the GA is trying to solve. At each
generation, a new set of approximations is created by selecting individuals
according to their fitness value in the problem domain and breeding them
together using operators borrowed from the genetic process performed in nature, i.e.
crossover and mutation. This process leads to the evolution of populations of individuals
that are better adapted to their environment than the individuals they were created
from, just as happens in natural adaptation. A high attack detection rate and a low
false positive rate are the advantages of applying the GA technique to
intrusion detection.
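An added example, not the paper's own code, of the GA cycle just described applied to intrusion detection: each individual is a pair of thresholds over constructed audit records, fitness rewards the detection rate and penalises false positives, and selection, crossover and mutation breed each new generation. The records, gene ranges and GA parameters are assumptions.

```python
import random

# Constructed, labelled audit records (failed_logins, connections_per_min, label); assumed values.
RECORDS = [
    (8, 60, "attack"), (12, 80, "attack"), (6, 55, "attack"), (15, 90, "attack"),
    (0, 10, "normal"), (1, 20, "normal"), (2, 15, "normal"),
    (0, 40, "normal"), (3, 12, "normal"), (1, 30, "normal"),
]
GENE_RANGES = [(0, 20), (0, 100)]  # integer range of each threshold gene

def rule_matches(rule, record):
    """An individual is a pair of thresholds; it flags a record reaching both."""
    return record[0] >= rule[0] and record[1] >= rule[1]

def fitness(rule):
    """Detection rate minus false positive rate: the two properties the GA optimises."""
    attacks = [r for r in RECORDS if r[2] == "attack"]
    normals = [r for r in RECORDS if r[2] == "normal"]
    detection_rate = sum(rule_matches(rule, r) for r in attacks) / len(attacks)
    false_positive_rate = sum(rule_matches(rule, r) for r in normals) / len(normals)
    return detection_rate - false_positive_rate

def random_rule(rng):
    return tuple(rng.randint(lo, hi) for lo, hi in GENE_RANGES)

def select(population, rng, k=3):
    """Tournament selection: the fittest of k randomly drawn individuals breeds."""
    return max(rng.sample(population, k), key=fitness)

def crossover(a, b, rng):
    """Uniform crossover: each gene of the child comes from either parent."""
    return tuple(rng.choice(pair) for pair in zip(a, b))

def mutate(rule, rng, rate=0.2):
    """Mutation: each gene is replaced by a random value with probability rate."""
    return tuple(rng.randint(lo, hi) if rng.random() < rate else g
                 for g, (lo, hi) in zip(rule, GENE_RANGES))

def evolve(generations=50, size=40, seed=1):
    """Run the GA and return (best_rule, best_fitness). Elitism carries the best
    individual into the next generation, so the best fitness never decreases."""
    rng = random.Random(seed)
    population = [random_rule(rng) for _ in range(size)]
    for _ in range(generations):
        elite = max(population, key=fitness)
        children = [mutate(crossover(select(population, rng), select(population, rng), rng), rng)
                    for _ in range(size - 1)]
        population = [elite] + children
    best = max(population, key=fitness)
    return best, fitness(best)
```

A rule such as (5, 50) already separates the constructed records perfectly, so the run shows the population climbing towards that region rather than a hard search; on real audit data the fitness function is where the false positive penalty has to be tuned.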

Conclusion

According to the research results, the genetic algorithm is able to generate an
intrusion detection model with the desired characteristics of a low false positive rate and a
high correct detection rate. The rule-based approach is more mature for
intrusion detection. However, it is not good in other respects such as time saving,
economy, less updating, detection rate, minimum false positives, minimum false
negatives, and handling varied and coordinated intrusions. The artificial neural network is more
suitable in those respects: time saving, economy, less updating, detection rate,
minimum false positives, minimum false negatives, and handling varied and coordinated
intrusions.
