Intrusion Detection Systems in Network Security

1. Introduction

With the evolution of Internet and networking of computers, security of each has always been a major concern over the years. There have been protections against security concerns such as firewalls that protect a network by preventing intrusions from the Internet and control the flow of data going into or out of the network. Firewalls have the ability to protect the network to a certain extent, but it may not be an effective solution for preventing attacks that originate within the network of an organization.

In this scenario, Intrusion Detection Systems (IDS) come into play that monitor, detect and initiate a quick response when an unauthorized activity takes place within and outside the networked system [1]. IDS proves to be an integral part of the system and when used with “security policy, vulnerability assessments, data encryption, user authentication, access control, and firewalls, they can greatly enhance network safety” [1].

Suspicious and malicious activities may be detected by the IDS and in some cases the network administrators are also notified of a security threat via email, SNMP trap or in a form of a page, that are generated automatically in case of security concerns [1]. Advanced and updated IDS respond in a manner such that scripts are launched, the user’s computer is logged off or the user account is disabled, in order to protect the user’s system from any malicious activity.

2. Security Issues addressed in the Paper

2.1 Types of Intrusions

Security is compromised by the intrusions made in the system. Such intrusions or threats can be categorized as Misuse intrusions and Anomaly intrusions.

    • Misuse intrusions are those in which the attacks are well defined and are targeted in the weak links of the network [1]. These intrusions can be detected by observing actions performed on certain objects which may help to make the detection process more accurate in the future [1].

      • Anomaly intrusions are those in which the normal system behaves in a different manner deviating from the normal operation. Such an intrusion is detected by keeping a check and monitoring the deviation from the normal working profile by creating a profile for the system under concern [1].

2.2 Challenging errors for the IDS

The rule of thumb is that no attack is ever a mild attack. All kinds of attacks or malicious activities must be taken seriously and should be detected by the system with the best of its ability. Sometimes, IDS may incorrectly indentify an attack such that it may go through the detection process. The challenging errors for the Intrusion Detection Systems are false positive, false negative and subversion errors [1].

    • False positive errors: “When the system classifies an action as anomalous (a possible intrusion) when it is legitimate” [1]. Legitimate actions are classified as intrusions by this error [1].

    • False negative errors: If an intrusion takes place and the system allows the intrusion stating it as non-intrusive is termed as false negative [1]. These errors are more complex than false positive errors as security is compromised much more in false negative errors.

    • Subversion errors: These occur if modifications are made in the system such that false negative errors are forced to occur. This modification is a major security threat to the network and therefore these errors get more complicated and serious since they are collaborated with the false negative errors to result in inappropriate activities.

2.3 Categorization of Intrusion Detection Systems

Two types of IDS exist, namely, Host-based IDS (HIDS) and Network-based IDS (NIDS). Each of these IDS, identify and monitor attacks in a way best designated by them. HIDS deals with malicious data or information on the hosts themselves, whereas, NIDS is concerned with inappropriate information transmitted from one host to another within the specifications of the network.

3. Core Ideas of the Paper

3.1 Components of Intrusion Detection Systems

“An IDS comprises of Management Console and Sensors” [1]. The Management Console is responsible to manage and report in case of any malicious activity. Sensors are agents which monitor hosts or networks such that in an event where a malicious activity is detected, the information must be passed over in real-time.

The IDS also has a database where various patterns of previous attacks signatures are stored, so that if an inappropriate event is identified, the signature is matched with the database so as to confirm the attack and the type of attack including errors and other minor details.

Figure 1 as shown above consists of all the components mentioned in the earlier description. A network-based IDS sensor has two interfaces, namely monitoring and management interfaces. The IDS Management console is connected to the sensor via the management interface and the communication takes place through the management interface only. The monitoring interface communicates with the NIDS, i.e., the network under the monitoring process. Pre-defined signatures in the database are checked during the continuous monitoring process, and an alert is sent if any malicious activity or attack is detected after matching the signature present in the database.

3.2 IDS models based upon the nature of intrusion

3.2.1 Misuse Detection Model

The incoming data or information is analyzed, compared with the existing pre-defined signatures for rule matching in the database and only then a response is generated. If a false positive error occurs, then the profile is updated and the process is started once again. It is assumed that false negative errors do not take place and all the activities taking place are purely in the suspicious state [1].

3.2.2 Anomaly Detection Model

The incoming data is analyzed, checked for significant deviations and then a response is generated. In case of a false positive error, the profile undergoes an upgrade and is monitored again to check for the changes made within the system or network. False negative errors are assumed not to take place and all activities occurring are in all suspicious state.

3.3.3 Hybrid Anomaly/Misuse Detection Model

In this model, both the models discussed previously are mapped together such that the analysis of incoming data is determined with matching the database for pre-defined signatures and the deviation of the profiles. In this way, the network can be protected against malicious data.

4. Potential Applications of Intrusion Detection Systems

    • May be used in large, medium or small organizations where critical data exists

    • Used in Defensive IT operations to protect data from intruders

    • Private Internet security

    • Businesses based on e-commerce

5. Future Opportunities of IDS in Network Security

At present large firms such as Cisco Systems sell the IDS in the market, which itself shows that IDS is an integral part of the system and it needs to be used on a larger scale so as to keep the data safe, both within and out of the organizational network.

Since the number of attacks in the e-business sectors and Government Defense databases has increased significantly, the use of powerful Intrusion Detection Systems is the best solution in order to protect valuable information that may be of national interest as well.

6. Conclusion

Working together with Firewalls, make the IDS an incomparable solution to prevent malicious attacks or events that may either damage the system or deprive of important information on the database. The IDS may also be selected depending upon the type of application that is to be used for, such as host-based, network-based or hybrid model IDS.

Attacks such as DoS, Distributed DoS and similar unauthorized attacks can be prevented with the use of IDS.

Summary of contents

    • Intrusion Detection Systems (IDS) work in conjunction with Firewalls to provide a powerful security interface solution

    • IDS monitors, detects and responds to any malicious activity, either inside or from outside an organization, and can also alert the network administrator in case of any such events

    • IDS comprises of Management Console and Sensors

    • The challenging errors for the Intrusion Detection Systems are false positive, false negative and subversion errors

    • Misuse intrusions and anomaly intrusions are 2 types of intrusions that needs to be prevented

    • These intrusions are detected by the use of models as discussed in this report, based upon each type and a hybrid solution combining the two

    • IDS may be used in large, medium and/or small scale organizations. Defense IT operations tend to use IDS in order to protect data concerning national interests

    • IDS may be selected based upon the type of applications, i.e., either host-based, network-based or hybrid IDS


[1] “Study of Intrusion Detection Systems (IDSs) in Network Security”, Wu Junqi; Hu Zhengbing; Wireless Communications, Networking and Mobile Computing, 2008. WiCOM '08. 4th International Conference on

Digital Object Identifier: 10.1109/WiCom.2008.1085

Publication Year: 2008