7 A Comprehensive Study of Intrusion Detection and Prevention Systems

Bhoopesh Singh Bhati1, Dikshita2, Nitesh Singh Bhati3* and Garvit Chugh4

1Department of Computer Science and Engineering, Chandigarh University, Mohali, India

2Department of Computer Science and Engineering, Ambedkar Institute of Advanced Communication Technologies and Research, Govt. of NCT of Delhi, India

3Department of Computer Science and Engineering, Delhi Technical Campus, Greater Noida, India

4Department of Computer Science and Engineering, Indian Institute of Technology, Jodhpur, India

Abstract

A computer network is simply an interconnection of several computers that follow common communication protocols. As network intrusion has been increasingly affecting organizational systems and crucial data, it is imperative that an effective network security system exists. This is where the role of a sound intrusion detection system becomes important in an era where attempts at unauthorized access have become the norm rather than the exception. Such a system helps to keep malicious traffic at a distance and protects the computer network from a variety of threats. In this chapter, a study has been done in order to understand the Intrusion Detection and Prevention System (IDPS), which not only helps detect an ongoing intrusion but also helps prevent it in future cases, along with its functioning and a comparison between its two divisions. Towards the end, an attempt has been made to enlist the administrator's functions towards ensuring the security of the computer network and to understand what current challenges are being faced by the researchers and how they have tried to solve them.

Keywords: Intrusion detection, host-based, network-based, IDS, IDPS, network security

7.1 Introduction

7.1.1 Intrusion and Detection

An intrusion can be defined as an attempt to compromise the computer security policies, i.e., Confidentiality, Integrity and Availability (CIA), or an effort at bypassing the mechanisms enforced in a network for security [1].

In 1980, the concept of Intrusion Detection was introduced by James Anderson, who proposed that a threat has the potential to access or manipulate information in an unauthorized manner. Intrusion Detection is the process that combines both the monitoring as well as the analysis of events in a computer network or system. Therefore, an Intrusion Detection System acts as a detector placed before information systems, deciding whether the events it monitors are legitimate or symptomatic of an attack [2]. This is especially important for wireless networks, which, as opposed to wired networks, are even more susceptible to attacks [3]. The model is presented below in Figure 7.1.

7.1.2 Some Basic Definitions

  1. Threat: The potential likelihood of an intentional and unauthorized attempt towards:
    1. Acquiring details
    2. Modifying and manipulating information
    3. Making a system vulnerable and unworkable [4]
  2. Risk: When the information is exposed accidentally or impairment of hardware occurs or the software design is faulty, the system is said to be at risk.
  3. Attack: When the attacker executes his plan of working out the threat, it is called an attack.
  4. Penetration: An attack that succeeds in the unauthorized acquisition of files and programs of a computer system is called penetration.

Figure 7.1 Intrusion detection working.
7.1.3 Intrusion Detection and Prevention System

An Intrusion Detection System (IDS) is a method for monitoring any activity carried out by persons or computers which is deemed to be unauthorized in nature [5]. These attempts could be intended to enter the computer system or might have secured actual access, sometime in the process. Possible incidents are identified and information about them is logged. An IPS or Intrusion Prevention System, on the other hand, is entrusted with preventing threats. Figures 7.2 (i) and 7.2 (ii) compare IDS and IPS, respectively.

The Intrusion Detection and Prevention System (IDPS), being vested with an added prevention element, focuses on the attempts at stopping intrusions and reporting them to the system administrators. Thus, IDPS has the best of both worlds, IDS as well as IPS. Besides the usual functioning, organizations are known to utilize IDPSs for checking the effectiveness of their security policies and documenting the threats at hand.

The IDPS differs from the IDS in that it also attempts to prevent the attack or detected threat from succeeding. Thus, the IDPS picks off from where the IDS has left off. As network and security threats continue to show an alarming rise, the interest of researchers in this field has increased manifold. Almost every organization, irrespective of its sector, needs to have such a system in place to strengthen its security infrastructure. Throughout this chapter, both these terms have been used according to the context.

Figure 7.2 (i) IDS, and (ii) IPS.

7.1.4 Need for IDPS: More Than Ever

The dependence of organizations big and small, civil and corporate societies, public and private agencies, and countries on computer networks has reached great heights. The threat to those networks comes not just from external breaches; even insiders are known to abuse their privileges. Any such violation causing intended or unintended access, if left unchecked, can lead to disastrous consequences for the network as a whole. If that is the case, the security of computer networks, and therefore the security of the enormous quantities of data stored on them, will be compromised. Therefore, risk management measures are of immense importance since they secure the IT systems and data that support the organizations’ missions.

Statistics from the Computer Emergency Response Team (CERT) show that the number of such intrusions has been increasing dramatically with each passing year. As such, an efficient system to counter the challenges and reduce the vulnerability of network systems is indispensable. A strong security system enhances operational effectiveness and minimizes strategic and legal risks [6]. The term Intrusion Detection and Prevention Systems, therefore, refers to both the hardware as well as the software that have automated the process of intrusion detection.

7.1.5 Introduction to Alarms

When an attack on a system has been identified, one of the first responses of an IDPS is to generate a signal as a form of an alert. Such a signal, when generated, is said to be an alarm. This signal is significant in acquainting the administrator with the new event. There are four types of signals or alarms, one for each possible outcome of monitoring an event. In any event, one of the following would result [7]:

  1. True Positive: Whenever there is an attack and the Intrusion Detection System is able to identify it and trigger an alarm, it is called the case of True Positive.
  2. False Positive: Whenever the Intrusion Detection System produces an alarm but there is no attack, this is known as the case of False Positive. The anomaly-based methodology is particularly prone to false positive alarms.
  3. True Negative: This is the case when no attack happens and, correspondingly, no alarm is generated by the system.
  4. False Negative: This case is said to have occurred when the attack has taken place, but no alarm was generated. The anomaly-based methodology displays the highest number of false negatives when compared to the signature-based method.

There is a massive quantity of alarms that are generated from the intrusion detection systems. It becomes truly a cumbersome task to analyse all of them. The onus is on the network system administrators. This certainly means that there is always a possibility of overlooking some important alerts, which could cost the system dearly [8]. Often it becomes difficult to analyse what is happening to the system as a whole. New technologies in the field are aimed to provide a working solution to effectively tackle the huge quantity of signals generated.
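The four alarm outcomes can be tallied from a labelled set of monitored events, as in the following Python example, which is added here and is not code from the chapter. It takes constructed sample events (each carrying its ground truth and whether an alarm was raised), classifies each into one of the four cases, and derives the detection rate, false alarm rate and precision that an administrator would track when judging how much of the alarm volume is noise. The event identifiers and outcomes are assumptions made for the example.

```python
from collections import Counter

OUTCOMES = ("true_positive", "false_positive", "true_negative", "false_negative")

# Constructed sample: (event id, ground truth "was this an attack?", "did the IDS raise an alarm?").
# These are illustrative values, not data from any real deployment.
SAMPLE_EVENTS = [
    ("c1", True, True),
    ("c2", False, False),
    ("c3", False, True),
    ("c4", True, False),
    ("c5", True, True),
    ("c6", False, False),
    ("c7", False, False),
    ("c8", False, True),
]


def classify_alarm(is_attack, alarm_raised):
    """Map one monitored event to one of the four alarm outcomes of Section 7.1.5."""
    if is_attack and alarm_raised:
        return "true_positive"
    if is_attack and not alarm_raised:
        return "false_negative"
    if not is_attack and alarm_raised:
        return "false_positive"
    return "true_negative"


def tally_alarms(events):
    """Count how many events fall into each outcome."""
    counts = Counter(classify_alarm(is_attack, raised) for _, is_attack, raised in events)
    return {outcome: counts.get(outcome, 0) for outcome in OUTCOMES}


def alarm_rates(counts):
    """Derive the rates an administrator would track from the four counts.

    detection_rate:   share of real attacks that raised an alarm, TP / (TP + FN)
    false_alarm_rate: share of benign events that raised an alarm, FP / (FP + TN)
    precision:        share of raised alarms that were real attacks, TP / (TP + FP)
    """
    tp, fp = counts["true_positive"], counts["false_positive"]
    tn, fn = counts["true_negative"], counts["false_negative"]

    def ratio(numerator, denominator):
        return numerator / denominator if denominator else 0.0

    return {
        "detection_rate": ratio(tp, tp + fn),
        "false_alarm_rate": ratio(fp, fp + tn),
        "precision": ratio(tp, tp + fp),
    }


if __name__ == "__main__":
    counts = tally_alarms(SAMPLE_EVENTS)
    print(counts)
    print(alarm_rates(counts))
```

With the sample events, half of the alarms raised are false positives (precision 0.5) while one attack goes unnoticed, which is the kind of summary that makes the alarm-volume problem discussed above measurable.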

7.1.6 Components of an IDPS

  1. Sensor: The sensor in an IDPS can sense threats by efficiently monitoring the networks. The range of operation of these sensors covers not just network-based technologies but also the wireless and NBA-based technologies. In the case of host-based intrusion detection technologies, there is an “agent”, which is the functional equivalent of a sensor.
  2. Console: There is a need for an interface that provides the necessary link between the administrators and the intrusion detection system. The console serves this purpose. Consoles are most suited to configuring the sensors. The console is the user interface that allows the user to interact with the intrusion detection system [9]. Many of these sensors also perform software update activities in addition to their tracking and monitoring jobs.
  3. Management server: These are mostly used in large-scale firms. Available in software and appliance formats, the server is the device to which the alerts and information are sent. This central device acts as the platform where the information deposited through alarms and alerts is stored. Therefore, attacks against the management server can be the most troublesome issues [10].
  4. Database server: The database server provides a repository of the alerts. The information herein can be periodically fed by the alarms as well as by the management server. A huge compilation of records about network intrusion and allied events is kept here.

Figure 7.3 A typical IDPS Architecture.

The block diagram in Figure 7.3 gives the architecture of a typical IDPS.

7.2 Configuring IDPS

7.2.1 Network Architecture of IDPS

The components of an IDPS can be connected through a common network that is the standard network of the organization. Such a network is called by different names, one of which is the production network. Alternatively, a totally different network can also be used. This second type of network is separately carved out for the management of various security and monitoring applications that are running all the time. If the latter is the case, it is said to be a management network [11].

This establishment means that the production and management networks have been separated from each other, aiming towards no interference of any sort. To a management network, the management servers, database servers, and consoles are linked. This is very effective as it provides a mechanism of concealment such that the underlying Intrusion Detection and Prevention System remains safe and secure to the extent possible.

Now that the rosy side, with the multiple advantages of this architecture, has been discussed, there is a need to know the challenges as well. First and foremost is the cost factor. As a totally different network is placed as a separate entity, the cost of procuring networking equipment and other hardware increases, for instance, personal computers for the consoles [12]. A look at the effectiveness of the system and the cost of its positioning is important to assess the cost-benefit trade-off of employing the system. On top of this, there are added challenges for the network administrators, who are now required to work with separate computers earmarked for monitoring and management of the IDPS.

7.2.2 A Glance at Common Types

The range or scope of their monitoring and their deployment determines the types of Intrusion Detection and Prevention Systems. Though there are roughly two divisions of IDS, viz., the Network-based (NIDS) and Host-based (HIDS), there remain quite a number of ways to classify and include some other divisions. In this chapter, they are divided into the following four types on the basis of their deployment and the types of events they detect:

  1. Network-based: The network-based intrusion detection and prevention systems monitor traffic in the network for some specific network segments and devices. This type of technology keeps track of suspicious activities by analysing the network and application protocol activity [13].
  2. NBA: The Network Behaviour Analysis is that type that keeps a tab on the unusual flow of traffic. Such detection technologies are capable of examining not just malware but policy violations as well. These are very effective in monitoring the DDoS type attacks. DDoS refers to Distributed Denial of Service. An NBA system typically works with sensors and consoles and less frequently, the management servers in addition.
  3. Wireless: The wireless systems are those systems that examine and monitor unusual instances in the wireless protocols. Sometimes it is argued that the building of an IDPS in a wireless environment can be more challenging than in wired ones owing to certain practical connectivity issues [14]. The components are similar to a network-based IDPS.
  4. Host-based: These IDPSs are different in the sense that a single host is monitored thoroughly. Any suspicious activity that takes place within that host comes under the purview of a host-based IDPS. This can keep an eye on system logs, network traffic- both wireless and wired confined to that particular host, file access, and a range of other domains.

Figure 7.4 NIDS.

Figure 7.5 HIDS.

A detailed insight into Network-based IDS and Host-based IDS is discussed in the following section. Figure 7.4 and Figure 7.5 give a basic structure of NIDS and HIDS, respectively.

7.2.2.1 Network-Based IDS

7.2.2.1.1 Network Architecture

The network communications are provided by the TCP/IP layers. The data across the network is passed through these layers beginning from the highest layer to the lowest layer. Afterward, the lowest layer passes the data to the physical network. These are the four layers:

  1. Application layer: In this layer, application data is generated through hundreds of application layer protocols. Some of these protocols are Hypertext Transfer Protocol or HTTP, Simple Mail Transfer Protocol or SMTP, File Transfer Protocol or FTP, Domain Name System or DNS, and Simple Network Management Protocol or SNMP. The data at this stage is sent to the transport layer.
  2. Transport layer: This layer helps in the reliable delivery of the application layer services to networks by either TCP or UDP protocols. Transmission Control Protocol or TCP and User Datagram Protocol or UDP are the generally employed protocols at the transport layer.
  3. Network layer: The data received from the Transport layer is managed and routed here. Data is transported in units known as “packets” which have information about the IP Version, IP protocol number, and IP addresses of source and destination. This layer is also known as the Internet Protocol layer.
  4. Hardware layer: This layer is responsible for linking the hardware components of the network. Thus, it is here that switches, cables, and routers are involved. The common protocol used is Ethernet.

7.2.2.1.2 Data Collection and Detection Capabilities

Some network-based IDSs first go for information gathering. As part of this, they collect information on hosts, operating systems, and applications. This helps them to identify potentially vulnerable hosts and applications. Machine learning and data mining in NIDS are being applied extensively to decode behaviour patterns [15].

Data fields like transport, network and application layer protocols, source and destination ports, a timestamp containing date and time, the type of alert, and source and destination IP addresses are logged on a large scale.

This massive logging helps the network-based IDS to check the authenticity of alerts and correlate the events when they occur the very next time. Network-based IDSs provide a wide range of detections. Signature and anomaly-based methods and their combinations are employed. The detections are carried out based on already observed behaviours in real-time. Application layer attacks like malware intrusion, password cracking, and DoS attacks are detected through the analysis of numerous protocols like DNS, FTP, HTTP, SMTP, etc. Attacks with spoofed IP addresses are recognized by analyzing network layer protocols like IPv4 and ICMP. These IDSs can detect policy violations too.
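As an added illustration of the four layers listed in Section 7.2.2.1.1 and of the fields that a network-based IDS logs, the following Python script (written for this summary, not taken from the chapter or from any NIDS product) hand-builds an Ethernet/IPv4/TCP frame carrying an HTTP request and then parses it layer by layer, extracting the IP version, IP protocol number, source and destination addresses and ports, an application-protocol hint derived from the well-known port, and the timestamp supplied by the sensor. The MAC addresses, IP addresses and ports are constructed values, and the port-to-protocol table is a simplification: a real NIDS also inspects the payload before deciding which application protocol it is looking at.

```python
import struct
import socket

ETHERTYPE_IPV4 = 0x0800
IP_PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# Port-to-application mapping used only as a hint; a real NIDS inspects the payload as well.
WELL_KNOWN_PORTS = {21: "FTP", 25: "SMTP", 53: "DNS", 80: "HTTP", 161: "SNMP"}


def build_sample_frame():
    """Construct an Ethernet/IPv4/TCP frame carrying an HTTP request.

    This is sample data built by hand for the example, not a capture from any network.
    """
    payload = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    # TCP header: src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK,
    # window, checksum (left zero in this constructed frame), urgent pointer.
    tcp_header = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    total_length = 20 + len(tcp_header) + len(payload)
    # IPv4 header: version 4 / IHL 5, TOS, total length, id, flags+fragment offset,
    # TTL, protocol 6 (TCP), checksum (zero), source address, destination address.
    ip_header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, total_length, 1, 0, 64, 6, 0,
        socket.inet_aton("10.0.0.5"), socket.inet_aton("192.168.1.10"),
    )
    # Ethernet header: destination MAC, source MAC (both constructed), EtherType.
    eth_header = struct.pack("!6s6sH", b"\xaa" * 6, b"\xbb" * 6, ETHERTYPE_IPV4)
    return eth_header + ip_header + tcp_header + payload


def parse_frame(frame, observed_at):
    """Walk the hardware, network and transport layers and return the fields a NIDS logs.

    observed_at is the timestamp the sensor attaches to the record (passed in so the
    function stays deterministic). Returns None for frames that are not IPv4.
    """
    if len(frame) < 14:
        return None
    eth_type = struct.unpack("!H", frame[12:14])[0]   # hardware layer: EtherType
    if eth_type != ETHERTYPE_IPV4:
        return None

    ip = frame[14:]                                    # network layer: IPv4 header
    if len(ip) < 20:
        return None
    version = ip[0] >> 4
    header_len = (ip[0] & 0x0F) * 4
    protocol = ip[9]
    record = {
        "timestamp": observed_at,
        "ip_version": version,
        "ip_protocol": protocol,
        "ip_protocol_name": IP_PROTOCOL_NAMES.get(protocol, "other"),
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "dst_ip": socket.inet_ntoa(ip[16:20]),
        "src_port": None,
        "dst_port": None,
        "app_protocol": None,
        "payload_len": 0,
    }

    transport = ip[header_len:]                        # transport layer: TCP or UDP
    if protocol in (6, 17) and len(transport) >= 8:
        src_port, dst_port = struct.unpack("!HH", transport[:4])
        # TCP carries its header length in the data offset field; UDP headers are fixed at 8 bytes.
        if protocol == 6 and len(transport) >= 20:
            data_offset = (transport[12] >> 4) * 4
        else:
            data_offset = 8
        record.update({
            "src_port": src_port,
            "dst_port": dst_port,
            "app_protocol": WELL_KNOWN_PORTS.get(dst_port) or WELL_KNOWN_PORTS.get(src_port),
            "payload_len": max(len(transport) - data_offset, 0),  # application layer data
        })
    return record


if __name__ == "__main__":
    print(parse_frame(build_sample_frame(), "2024-01-01T10:00:00Z"))
```

The record returned is exactly the set of fields listed in the paragraph above; a sensor would emit one such record per packet or per flow and hand it to the logging and correlation stages.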

7.2.2.1.3 Limitations

Inside the host machines, a NIDS has very limited visibility. Ideally, the NIDS should be installed where detection can be done before encryption or after decryption, because Network-based IDSs are not able to detect threats where the network traffic is encrypted. Another drawback is that under heavy load and large traffic volumes these IDSs are not as effective; under such loads they themselves become vulnerable to many attacks.

7.2.2.2 Host-Based IDS

7.2.2.2.1 Network Architecture

Compared to the Network-based IDSs, the Host-based ones have fairly easy deployments. Usually, there is no requirement for a separate management network, as the detection software of these IDSs (also called Agents) is deployed alongside the hosts on exactly the same network. These agents are installed in line with the host that is to be protected. For example, in the case of appliance-based agents, the IDS consoles could be placed in line with the router, switch, and firewall.

7.2.2.2.2 Data Collection and Detection Capabilities

Each agent monitors a single host, which could be a desktop or an application like a database program or a server’s operating system. For example, some HIDSs like Snort and Dragon Squire monitor a specific computer system [16]. The HIDS is usually deployed in the case of critical and sensitive servers. Just like NIDS, these also operate with a wide range of logging of data. Some data fields that are logged are the type of alert, IP addresses, source and destination ports, a timestamp containing date and time, etc.

The Host-based systems are able to observe unencrypted activity if placed at the endpoints, something which other detection technologies like the NIDS are not able to offer. They function with an efficient combination of signature as well as anomaly-based techniques. They can analyze and filter both wireless and wired network traffic and code. HIDS monitors changes in the host kernel, host file system, and the program behaviour [17]. Files shared over the web and emails too can be examined. Some HIDS agents can also clean the network traffic that they encounter. Some can even monitor audio-video devices like cameras or microphones to detect an attack.

7.2.2.2.3 Limitations

Since alerts are not reported on a real-time basis to a centralized management server, delays are frequent. Such delays mean that any event involving rapidly spreading malware could pose a daunting situation. This, however, is not the case with smaller networks. Another drawback is the significant consumption of the host’s resources by the agent deployed to protect it. This consumption is manifested in the form of processor use, memory, and storage. Again, as some detection techniques are run only periodically, there is a possibility for an attack to creep in between two successive detections.

7.2.3 Intrusion Detection Techniques

7.2.3.1 Conventional Techniques

The techniques that have been conventionally employed in intrusion detection are known as conventional techniques. These detection techniques are reliable to their users but are lacking in one critical aspect: they cannot detect new or foreign threats. Thus, new attacks are liable to penetrate despite these techniques being in place. But a significant advantage is that they are extremely capable of detecting known threats. The techniques can be divided into three broad divisions:

  1. Rule-based: Certain rules are decided beforehand and the data is checked against this set of rules, each performing certain specific functions. Data that fail to satisfy the rules are restrained by the intrusion detection system. These rules need to be updated by the administrator regularly. Though it efficiently detects known attacks, rule-based intrusion detection cannot shield against foreign and new attacks. An important advantage is that the number of false alarms is lower. An efficient approach to go with is State Transition Analysis, where an initial secure state and the later compromised states are represented.
  2. Signature-based: This intrusion detection is also known as a misuse detection system. Within the analysed data, the signature-based detection system looks for patterns or signatures. It has a lot of signatures that are significant for catching the threat at the outset. These are already collected in a repository of known data. This repository acts as a database of malicious threats. Thus, the unacceptable patterns are compared with network traffic and alerts are raised. Unlike the anomaly-based methodology, this does not need to learn the environment and hence is easy to deploy [18].
  3. Anomaly-based: This is also called profile-based intrusion detection. In anomaly-based detection, just as the name suggests, the IDS looks for anomalies and works against a baseline profile depicting known normal behaviour. An anomaly could be any pattern of activity that reflects a significant deviation from the behaviour otherwise considered normal. Anomaly-based detection can shield against novel attacks. Thus, unforeseen vulnerabilities can be effectively tackled by this technique. For example, it can spot a malformed Internet Protocol (IP) packet and new automated worms [19]. For comparison with existing data sets, a lot of information needs to be fed in. It has acceptable accuracy, but a crucial downside is that the number of false alarms is very large.

Figures 7.6 and 7.7 below represent the Signature-based and Anomaly-based techniques, respectively.

Figure 7.6 Signature-based technique.

Figure 7.7 Anomaly-based technique.
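To make the contrast between the signature-based and anomaly-based techniques concrete, the following Python script is an added example written for this summary and is not code from the chapter or from any IDS product. It runs both techniques over a constructed web-server access log: the signature engine matches request paths against two illustrative patterns from a small repository, while the anomaly engine learns a per-source request-rate profile (mean plus three standard deviations) from a constructed baseline and flags any source above it. The log lines, baseline counts, IP addresses and rule names are all assumptions made for the example. The burst from 10.0.0.5 is benign browsing that the anomaly engine still reports, which is the false-alarm cost listed for that technique in Table 7.1, whereas the signature engine catches only the two requests matching its repository and would miss anything not in it.

```python
import re
import statistics
from collections import Counter

# Constructed web-server access log in a simplified "time src -> dst:port method path status"
# layout. These lines were written for this example; they are not from a real server.
SAMPLE_LOG_LINES = [
    "10:00:01 10.0.0.5 -> 192.168.1.10:80 GET /index.html 200",
    "10:00:02 10.0.0.7 -> 192.168.1.10:80 GET /login 200",
    "10:00:03 10.0.0.5 -> 192.168.1.10:80 GET /images/logo.png 200",
    "10:00:04 10.0.0.9 -> 192.168.1.10:80 GET /../../etc/passwd 404",
    "10:00:05 10.0.0.7 -> 192.168.1.10:80 POST /login 302",
    "10:00:06 10.0.0.11 -> 192.168.1.10:80 GET /search?q=' OR 1=1 -- 500",
    "10:00:07 10.0.0.5 -> 192.168.1.10:80 GET /about.html 200",
    "10:00:08 10.0.0.5 -> 192.168.1.10:80 GET /contact.html 200",
    "10:00:09 10.0.0.5 -> 192.168.1.10:80 GET /news.html 200",
] + [
    # One source requesting a dozen non-existent pages in a burst (constructed).
    f"10:00:{10 + i:02d} 10.0.0.23 -> 192.168.1.10:80 GET /page{i} 404" for i in range(12)
]

# Constructed baseline: requests per source observed in earlier windows known to be normal.
BASELINE_REQUESTS_PER_SOURCE = [2, 3, 2, 4, 3, 2, 3, 2, 3, 3]

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+) (.+?) (\d{3})$")

# Signature repository: named patterns for known bad requests (two illustrative entries).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
}


def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match the layout."""
    match = LINE_RE.match(line)
    if not match:
        return None
    time, src, dst, port, method, path, status = match.groups()
    return {"time": time, "src": src, "dst": dst, "port": int(port),
            "method": method, "path": path, "status": int(status)}


def signature_alerts(events):
    """Signature-based detection: flag any request whose path matches a known pattern."""
    alerts = []
    for event in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(event["path"]):
                alerts.append({"technique": "signature", "rule": name,
                               "src": event["src"], "path": event["path"]})
    return alerts


def anomaly_alerts(events, baseline, k=3.0):
    """Anomaly-based detection: flag sources whose request count deviates from the profile.

    The profile is the mean and standard deviation of requests per source seen in normal
    windows; anything above mean + k * stdev is reported, whatever its content.
    """
    mean = statistics.mean(baseline)
    threshold = mean + k * statistics.stdev(baseline)
    per_source = Counter(event["src"] for event in events)
    return [{"technique": "anomaly", "src": src, "count": count, "threshold": round(threshold, 2)}
            for src, count in sorted(per_source.items()) if count > threshold]


def run_detectors(lines, baseline=BASELINE_REQUESTS_PER_SOURCE):
    """Run both engines over the same log and return their alerts side by side."""
    events = [event for event in (parse_line(line) for line in lines) if event]
    return {"signature": signature_alerts(events), "anomaly": anomaly_alerts(events, baseline)}


if __name__ == "__main__":
    for technique, alerts in run_detectors(SAMPLE_LOG_LINES).items():
        print(technique, alerts)
```

Raising k lowers the anomaly engine's false alarms at the price of missing smaller deviations, which is the tuning trade-off the next sections return to; adding an entry to SIGNATURES is the signature engine's only way to learn a new attack.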

Table 7.1 Comparison of conventional intrusion detection techniques.

| Technique | Basis | Advantages | Disadvantages |
| --- | --- | --- | --- |
| Rule-based | Based on predefined rules and those stored in a database. | The number of false alarms produced is less; familiar attacks are detected better. | Only previously known attacks are detected; rules must be updated regularly. |
| Signature-based | Based on signatures that are pre-existing in a database. | The rate of false positives is low. | Previously unknown attacks cannot be detected. |
| Anomaly-based | Based on deviation from normal behaviour. | Unknown attacks are detected better; it is easily configured. | A lot of false alarms are generated. |

Table 7.1 gives a comparison of the above three techniques.

7.2.3.2 Machine Learning-Based and Hybrid Techniques

In Machine Learning models, the aim is to establish an implicit or explicit model. Although they are resource-intensive in nature, such schemes can modify their execution strategy as new details are acquired. The hybrid methodology (as shown in Figure 7.8) works with a combination of two or more methodologies. This means that the strengths of each of the individual methodologies are incorporated into one. For example, when an Anomaly-based engine that filters the data is combined with a Signature-based engine that detects the intrusions, the outcome is a hybrid detection system. Interestingly, the general architecture of many Hybrid IDPSs imitates the human immune system [20]. This gives us a better system that has a high accuracy rate and can give very sound protection against new attacks.

  1. Bayesian Network

    Bayesian Theory has been named after Thomas Bayes. When the Bayesian Probability model is heavily simplified, the outcome is a naive Bayes model that performs well. For a given situation, Bayesian networks can obtain a coherent result from probabilistic relationships. The Bayesian IDS is made of a naive Anomaly-based Bayesian classifier. The Bayesian filter contains a training engine and a testing engine [21].

    For a series of n attributes, the classifier makes 2n! assumptions. Since these assumptions are independent, the probability of one does not impact that of another attribute [22]. Once the filter is trained, it can classify a TCP connection as either an attack or regular traffic. A drawback is that results depend heavily on these assumptions which can sometimes deviate and cause error [23].

    Figure 7.8 Architecture of hybrid-based methodology.
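The training and testing engines of the naive Bayesian filter described above can be written in a few dozen lines, as in the following added Python example (not code from the chapter or from reference [21]). Training records are constructed tuples of connection attributes (protocol, service, connection flag, duration bucket) with a normal/attack label; the classifier assumes the attributes are conditionally independent given the class, multiplies the class prior by the per-attribute likelihoods, and uses add-one smoothing so that an attribute value never seen in training does not zero out a class. The attribute values, the KDD-style flag names and the labels are assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

ATTRIBUTES = ("protocol", "service", "flag", "duration")

# Constructed training records (protocol, service, connection flag, duration bucket) with a
# label. Written for this example; not drawn from any dataset.
TRAINING_RECORDS = [
    (("tcp", "http", "SF", "short"), "normal"),
    (("tcp", "http", "SF", "short"), "normal"),
    (("udp", "dns", "SF", "short"), "normal"),
    (("tcp", "smtp", "SF", "medium"), "normal"),
    (("tcp", "http", "SF", "medium"), "normal"),
    (("tcp", "ftp", "SF", "long"), "normal"),
    (("tcp", "private", "S0", "short"), "attack"),
    (("tcp", "private", "S0", "short"), "attack"),
    (("tcp", "http", "S0", "short"), "attack"),
    (("tcp", "private", "REJ", "short"), "attack"),
    (("icmp", "ecr_i", "SF", "short"), "attack"),
]


class NaiveBayesFilter:
    """Training and testing engine of a naive Bayes connection classifier.

    Each attribute is assumed conditionally independent given the class, so the class
    score is the prior times the product of per-attribute likelihoods. Laplace (add-one)
    smoothing keeps an unseen attribute value from driving a class probability to zero.
    """

    def __init__(self):
        self.class_counts = Counter()
        # value_counts[label][attribute][value] -> number of training records
        self.value_counts = defaultdict(lambda: defaultdict(Counter))
        self.vocab = defaultdict(set)  # attribute -> set of values seen in training

    def train(self, records):
        """Training engine: count classes and attribute values per class."""
        for values, label in records:
            self.class_counts[label] += 1
            for attr, value in zip(ATTRIBUTES, values):
                self.value_counts[label][attr][value] += 1
                self.vocab[attr].add(value)
        return self

    def log_posteriors(self, values):
        """Unnormalised log P(label | values) for every trained label."""
        total = sum(self.class_counts.values())
        scores = {}
        for label, n_label in self.class_counts.items():
            score = math.log(n_label / total)  # class prior
            for attr, value in zip(ATTRIBUTES, values):
                seen = self.value_counts[label][attr][value]
                # add-one smoothed likelihood P(value | label)
                score += math.log((seen + 1) / (n_label + len(self.vocab[attr])))
            scores[label] = score
        return scores

    def classify(self, values):
        """Testing engine: pick the label with the highest posterior score."""
        scores = self.log_posteriors(values)
        return max(scores, key=scores.get)


def build_filter():
    """Train the filter on the constructed records."""
    return NaiveBayesFilter().train(TRAINING_RECORDS)


if __name__ == "__main__":
    nb = build_filter()
    for conn in [("tcp", "private", "S0", "short"), ("tcp", "http", "SF", "medium")]:
        print(conn, "->", nb.classify(conn), nb.log_posteriors(conn))
```

The third assertion in the accompanying check uses a protocol value absent from training; it still classifies sensibly only because of the smoothing, which is the practical face of the drawback noted above that results depend heavily on the independence assumptions and on what the training data happened to contain.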

  2. Markov Models

    Within the Markov models, there are two varieties. The first one is Markov Chains and the next one is Hidden Markov Models (HMMs). Both these techniques find wide application in Host-based intrusion detection systems. A classifier first segregates normal and abnormal traces, and then the Markov Chain is built upon the set of normal traces [24]. A set of states that are connected through some transition probabilities is known as a Markov Chain. Afterward, the anomaly score for the observations is computed and compared with some fixed threshold. In the Hidden Markov Model, only the emitted outputs are visible, while the states and transitions are hidden. IoT services in smart cities are of great interest; they are implemented not only for human welfare but also to reduce the operational costs in administration.
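The Markov Chain variant for host-based detection, as an added Python example that is not code from the chapter or from reference [24]: transition probabilities are estimated from constructed system-call traces of a hypothetical program's normal runs, the anomaly score of a new trace is its mean negative log-probability per transition, and the score is compared with a fixed threshold. Calls not seen in training map to a catch-all unknown state, and add-one smoothing gives never-seen transitions a small probability instead of an infinite score. The traces, the call names and the threshold value of 1.8 are assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

UNKNOWN = "<unk>"

# Constructed system-call traces from normal runs of a hypothetical program; the anomaly
# profile is learned from these. Written for this example, not recorded from a host.
NORMAL_TRACES = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["socket", "connect", "write", "read", "close"],
    ["open", "read", "close"],
]


class MarkovChainProfile:
    """First-order Markov chain over system calls, used as a host-based anomaly profile.

    States are the calls seen in normal traces plus a catch-all UNKNOWN state; transition
    probabilities are estimated from bigram counts with add-one smoothing so that a
    never-seen transition gets a small, non-zero probability instead of breaking the score.
    """

    def __init__(self, traces):
        self.transitions = defaultdict(Counter)  # transitions[a][b] -> count of a followed by b
        self.outgoing = Counter()                # outgoing[a] -> count of transitions leaving a
        states = {UNKNOWN}
        for trace in traces:
            states.update(trace)
            for current, following in zip(trace, trace[1:]):
                self.transitions[current][following] += 1
                self.outgoing[current] += 1
        self.states = states

    def _state(self, call):
        return call if call in self.states else UNKNOWN

    def transition_probability(self, current, following):
        """Smoothed estimate of P(following | current)."""
        current, following = self._state(current), self._state(following)
        seen = self.transitions[current][following]
        return (seen + 1) / (self.outgoing[current] + len(self.states))

    def anomaly_score(self, trace):
        """Mean negative log-probability per transition; higher means less like normal."""
        pairs = list(zip(trace, trace[1:]))
        if not pairs:
            return 0.0
        return sum(-math.log(self.transition_probability(a, b)) for a, b in pairs) / len(pairs)

    def is_anomalous(self, trace, threshold=1.8):
        """Compare the score with a fixed threshold (1.8 is an assumed value for this example)."""
        return self.anomaly_score(trace) > threshold


def build_profile():
    """Build the profile from the constructed normal traces."""
    return MarkovChainProfile(NORMAL_TRACES)


if __name__ == "__main__":
    profile = build_profile()
    for trace in (["open", "read", "write", "close"],
                  ["open", "write", "execve", "execve", "socket"]):
        print(trace, round(profile.anomaly_score(trace), 3), profile.is_anomalous(trace))
```

The threshold is what separates the two detection outcomes: set it too low and rare but legitimate sequences (the socket trace scores about 1.4 here) become false positives; set it too high and short deviations hide inside an otherwise normal trace.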

  3. Genetic Algorithms

    While no previous knowledge about the system behaviour is taken up, this machine learning-based detection technique is able to select the optimal features for the detection process [25]. The genetic algorithms, as the name suggests, are conceptually inspired by the principles of evolutionary biology. Thus, the naturally observed processes of inheritance, natural selection, mutation, and recombination form the underlying core of the intrusion detections in this methodology. The biggest advantage of this technique is that it solves in a multi-directional manner, making efficient use of its strong global search method.

  4. Artificial Neural Network

    The neural network derives its fundamental footing from the human brain and nervous system. Somewhat like our nervous system, which consists of billions of neurons and trillions of synapses to keep us functioning every second, neural networks simulate a similar approach in the field of intrusion detection. An artificial neural network works upon the disadvantages of conventional IDSs, like their time-consuming analysis, non-adaptability, need for regular updates, etc. It can recognize the intrusive nature of traffic patterns as well as create user profiles [26, 27].

  5. Fuzzy Logic

    The fuzzy logic approach is used by a Fuzzy Intrusion Recognition Engine (FIRE) which is an anomaly-based intrusion detection system. It has a Network Data Collection system that is capable of collecting data from the data input for a given interval in order to detect any intrusions. It has been effectively utilized in port scans and probes. In the main IDS program, the fuzzy logic section is usually employed to manage the vast inaccuracies of the input data. The Fuzzy technique makes use of fuzzy variables under the Fuzzy set theory where the reasoning is approximate and not precise in nature. A fixed interval is demarcated in the processing scheme beforehand which would identify an observation as being either normal or abnormal [28]. A significant drawback is its huge resource consumption.

7.2.4 Three Considerations

Years of cumulative research and experience have shown that even the safest systems are vulnerable to computerized thefts, break-ins, and viruses [29]. An Intrusion Detection System, as opposed to firewalls and traditional access control methods, allows detection and assessment of the damage caused on a real-time basis [30]. Improvements in technology and the administrative acumen to utilise them have certainly impacted the process enormously. In this section, three such considerations are discussed: location of sensors, security capabilities, and management capabilities.

7.2.4.1 Location of Sensors

This is a most crucial decision. As administrators decide on having the most suitable network to set the components right, they have an additional task to determine a suitable location for sensors. It is always desired and acceptable to have passive sensors in place, for instance in the case of NBAs. These passive sensors effectively perform meticulous monitoring of the direct network.

7.2.4.2 Security Capabilities

The security capabilities offered by an Intrusion Detection and Prevention System are truly vast and extensive. Gathering of information, logging, prevention, and detection capabilities are the four most crucial functions that an IDPS performs. These functions are as described below.

7.2.4.2.1 Gathering of Data

The first and most fundamental step is the collection of information. A huge quantity of data is generated and gathered from sources, networks, operating systems and hosts once they are identified as potential mischief-mongers. Large volumes of data that are fuzzy, noisy, and dynamic are analysed. The involvement of Data Mining has added a new dimension to the analysis of large quantities of data [31]. Information is collected and then pre-processed to remove the noise. First, the irrelevant material is removed, while the rest of the data is analysed and bundled.

7.2.4.2.2 Logging

After collection, extensive logging of data is performed and the logs are stored either locally or centrally. These logs are crucial in the sense that they allow the administrator to validate the authenticity of alerts and establish a correlation among detected threats. This serves as a massive database in which the data fields are equally important. The data fields generally logged in Network Behaviour Analysis include date and time, an estimate of the severity of threats, the prevention action taken and the impact of threats, and the network, transport and application layer protocols. It is preferable to store them locally as well as centrally. When stored on local servers, copies of the logs are usually forwarded to the centralized security servers as well.

7.2.4.2.3 Threat Detection

A combination of techniques is generally used by a typical Intrusion Detection and Prevention system. Mostly anomaly-based detection is used as opposed to the signature-based detection. This is especially true for the NBAs. It is the tuning and customization capabilities that greatly determine and largely differentiate one detection technology from the other. Using a combination of techniques facilitates greater flexibility in the tuning and customization domain.

There are two types of detection methodologies. These are Knowledge-based detection and Behaviour-based detection. For it to be Knowledge-based detection, the IDS should be utilizing some sort of misuse detection, while Behaviour-based detection implies that Intrusion Detection follows the path of anomaly detection [32]. Following are the most common detections that are usually observed.

  1. Alerts: Alerts are the signals an IDS generates whenever it detects a potential threat. They can be configured to suit the administrator and the network, so defaults for severity and for the information each alert carries can be set, and each alert type can be switched on or off.
  2. Blacklists: A blacklist lets the detection system recognise entities that have previously been flagged as malicious, so known-bad activity can be identified quickly. URLs, filenames, applications, ICMP types and codes, and TCP or UDP port numbers are typical entries; an observed event is compared against the list to tie it to already recognised malicious activity. The approach depends heavily on recognising characteristics of known malware [33]. Blacklists are usually found alongside signature-based detection.
  3. Whitelists: In contrast, a whitelist holds known-good entities, for example discrete entities from verified hosts. Whitelists usually accompany signature-based detection together with blacklists, and they are important because they reduce the number of false positives. The administrator should review and update them regularly.

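
The interplay of blacklist, whitelist and per-alert policy described above, as an added example in Python (not code from the chapter or from any product). The lists, the alert policy and the sample events are constructed for illustration; the design choice that a whitelisted host suppresses only connection-level matches (ports, ICMP) and never a blacklisted URL or filename is an assumption made here to keep the whitelist from hiding malware on a trusted host.

```python
"""Blacklist/whitelist matching with a per-alert policy, run over constructed
sample events. Added illustration; the lists and events are made up."""

# Constructed blacklist: entities previously flagged as malicious.
BLACKLIST = {
    "url": {"http://dl.example.invalid/payload.bin"},
    "filename": {"mimikatz.exe", "nc.exe"},
    "port": {("tcp", 4444), ("tcp", 31337), ("udp", 69)},   # (protocol, port)
    "icmp": {(13, 0), (17, 0)},   # (type, code): timestamp / address-mask requests
}

# Constructed whitelist: known-good entities that should not raise alerts.
WHITELIST = {
    "host": {"10.0.0.5"},                                   # authorised vulnerability scanner
    "url": {"http://updates.corp.invalid/agent.msi"},
}

# Per-category alert policy: (severity, enabled). ICMP alerts are switched OFF.
ALERT_POLICY = {
    "url": ("high", True),
    "filename": ("high", True),
    "port": ("medium", True),
    "icmp": ("low", False),
}

# A whitelisted host only suppresses connection-level matches (ports, ICMP);
# a blacklisted URL or filename still alerts even when seen from a trusted host.
HOST_SUPPRESSIBLE = {"port", "icmp"}


def match_blacklist(event):
    """Return (category, entity) pairs of the event that appear in BLACKLIST."""
    hits = []
    if event.get("url") in BLACKLIST["url"]:
        hits.append(("url", event["url"]))
    if event.get("filename") in BLACKLIST["filename"]:
        hits.append(("filename", event["filename"]))
    if "dport" in event and (event.get("proto"), event["dport"]) in BLACKLIST["port"]:
        hits.append(("port", (event["proto"], event["dport"])))
    if event.get("proto") == "icmp" and \
            (event.get("icmp_type"), event.get("icmp_code")) in BLACKLIST["icmp"]:
        hits.append(("icmp", (event["icmp_type"], event["icmp_code"])))
    return hits


def evaluate(event):
    """Produce the alerts for one event after applying whitelist and policy."""
    alerts = []
    for category, entity in match_blacklist(event):
        if category == "url" and entity in WHITELIST["url"]:
            continue                      # explicitly trusted URL
        if category in HOST_SUPPRESSIBLE and event.get("src") in WHITELIST["host"]:
            continue                      # trusted scanner hitting a flagged port is expected
        severity, enabled = ALERT_POLICY[category]
        if not enabled:
            continue                      # alert type switched off by the administrator
        alerts.append({"src": event.get("src"), "category": category,
                       "entity": entity, "severity": severity})
    return alerts


def run(events):
    """Evaluate a batch of events and return all alerts in order."""
    out = []
    for e in events:
        out.extend(evaluate(e))
    return out


# Constructed sample events (not captured traffic).
SAMPLE_EVENTS = [
    {"src": "10.0.0.20", "proto": "tcp", "dport": 4444},                      # reverse-shell port
    {"src": "10.0.0.5",  "proto": "tcp", "dport": 4444},                      # same port, from the scanner
    {"src": "10.0.0.20", "proto": "tcp", "dport": 80,
     "url": "http://dl.example.invalid/payload.bin"},                        # known-bad URL
    {"src": "10.0.0.5",  "proto": "smb", "filename": "mimikatz.exe"},         # trusted host, bad file
    {"src": "10.0.0.31", "proto": "icmp", "icmp_type": 13, "icmp_code": 0},   # flagged, but alerts OFF
    {"src": "10.0.0.31", "proto": "tcp", "dport": 443},                       # benign
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Running the block yields three alerts: the reverse-shell port from 10.0.0.20, the known-bad URL, and mimikatz.exe on the trusted host. The scanner's probe of port 4444 and the ICMP timestamp request produce nothing, the first because of the host whitelist and the second because the administrator has switched that alert type off.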
7.2.4.2.4 Prevention of Threats

An IDPS usually offers a variety of prevention capabilities, and the administrator decides which of them, if any, is applied for each type of alert. Prevention actions are triggered when the system detects a threat, and IDPSs let the administrator specify the configuration separately for each form of alert. Some of the general prevention capabilities are [34]:

  1. Ending a TCP session: This is a passive-only capability. The sensor ends the TCP session currently in progress by sending TCP reset packets to its endpoints [35].
  2. Inline firewall: This is an active capability in which an inline sensor drops or rejects packets that appear malicious in intent.
  3. Administrator's program: The administrator can supply a script or program that the sensor runs when particular conditions are met.
  4. Both passive and inline approaches: Network Behaviour Analysis sensors can reconfigure other network security devices, such as routers and firewalls, so that those devices block the suspicious activity.
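
What the passive "ending a TCP session" capability actually puts on the wire, as an added example in Python (not code from the chapter or from any IDPS product). The block builds an IPv4/TCP reset segment with correct Internet checksums and parses it back to verify them; addresses, ports and sequence numbers are constructed. Nothing is transmitted: sending the segment needs a raw socket and privileges and is left to the deploying sensor. The caveat a practitioner needs is that a reset is only honoured if its sequence number falls inside the receiver's window, so the sensor must take the sequence number from the acknowledgement it last saw that endpoint send, and it builds one reset per endpoint with the roles swapped.

```python
"""Build and verify the TCP reset a passive sensor injects to end a session
('session sniping'). Added illustration; addresses and sequence numbers are
constructed and nothing is sent on the network."""
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: ones' complement of the ones'-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def build_tcp_rst(src_ip, dst_ip, sport, dport, seq, ack=0, ttl=64):
    """Return an IPv4 packet carrying a TCP RST/ACK from src -> dst.

    `seq` must lie inside the receiver's window to be accepted; a sensor uses
    the acknowledgement number it last saw the receiver send.
    """
    src = socket.inet_aton(src_ip)
    dst = socket.inet_aton(dst_ip)
    tcp_len = 20
    flags = 0x14                                    # RST (0x04) | ACK (0x10)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq & 0xFFFFFFFF,
                      ack & 0xFFFFFFFF, 5 << 4, flags, 0, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000,
                     ttl, socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def verify(packet: bytes) -> dict:
    """Parse the packet back and check both checksums; returns the fields."""
    ihl = (packet[0] & 0x0F) * 4
    ip_ok = checksum(packet[:ihl]) == 0             # valid header sums to zero
    src, dst = packet[12:16], packet[16:20]
    tcp = packet[ihl:]
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp_ok = checksum(pseudo + tcp) == 0
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    return {"ip_ok": ip_ok, "tcp_ok": tcp_ok,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "seq": seq, "ack_num": ack,
            "rst": bool(tcp[13] & 0x04), "ack": bool(tcp[13] & 0x10)}


def rst_pair(client, cport, server, sport, client_next_seq, server_next_seq):
    """Build one reset per endpoint of an observed client<->server session.

    client_next_seq / server_next_seq are the sequence numbers each side is
    expected to send next (the other side's last acknowledgement number).
    """
    to_client = build_tcp_rst(server, client, sport, cport, seq=server_next_seq)
    to_server = build_tcp_rst(client, server, cport, sport, seq=client_next_seq)
    return to_client, to_server


if __name__ == "__main__":
    for pkt in rst_pair("10.0.0.5", 51234, "10.0.0.9", 443, 1000, 2000):
        print(verify(pkt))
```

The `verify` check is the same test a receiving stack performs: the checksum field is included in the sum, so a correct header sums to zero. Flipping any byte of the built segment makes the TCP checksum fail, which is also why a sensor that snipes sessions must compute the checksum over the pseudo-header rather than reuse one from a captured packet.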

7.2.4.3 Management Capabilities

After security capabilities have been assessed and the location of sensors determined, management comes into the picture. Implementation as well as operation and maintenance are the prime aspects of management. We briefly look at these below.

7.2.4.3.1 Implementation

The first step is to choose the IDPS product wisely. The administrator then designs an efficient network architecture, and the components are tested for correct operation and security before the organisation deploys the product. Sensors should be deployed within as short a time window as possible, so that they do not build differing host inventories and the initial baseline stays consistent across sensors.

7.2.4.3.2 Operation, Updates, and Maintenance

A console is the graphical user interface (GUI) or command-line interface (CLI) used to operate and maintain the IDPS components, such as sensors and management servers. Sensors are updated and configured from the console, and it is also where the reports and data generated by the detection system are analysed.

Sensors, consoles and management servers need regular software updates. Appliance-based IDPSs such as NBA sensors are updated fairly simply by loading the new software (for example from a CD) and rebooting the sensor.

7.2.5 Administrators’ Functions

7.2.5.1 Deployment

The administrator has a role at every stage of putting the methodology into practice. First, an IDPS product is chosen; then the network architecture is designed; then the IDPS is deployed once a secure environment has been ensured. In the large majority of corporate networks the deployment has to be scalable.

7.2.5.2 Testing

The product's operation should be examined in a test environment, which substantially reduces problems during implementation. Bringing too many sensors online at once can overwhelm the servers with a flood of false positives, so care is needed here as well and sensors are better enabled in stages.

7.2.5.3 Security Consideration of IDPS

Securing the IDPS itself should be the topmost priority: it holds sensitive data and is often on the attackers' radar, and a compromised IDPS leaves the whole underlying system exposed. Direct access to the IDPS should be limited and protected by strong authentication, with separate accounts for users and administrators. Management traffic can additionally be protected by carrying it over a virtual private network (VPN).

7.2.5.4 Regular Backups and Monitoring

Administrators are also required to back up the configurations periodically. They have a continuous job of monitoring security issues and vulnerabilities. They need to be supportive yet cautious of updates in the IDPS. Starting from the decision of employing the sensors at just the right place to further performing tuning and customization, the administrator has a binding influence throughout.

7.2.6 Types of Events Detected

  1. DOS and DDoS Attacks

    Denial of service (DoS) and distributed denial of service (DDoS) attacks are among the most commonly detected events and show up as a sharp rise in bandwidth use towards the target. A DDoS attack is rarely prevented outright; the usual mitigation is to separate legitimate traffic from attack traffic as far as possible and then throttle or drop the attack traffic, so that legitimate users see degraded rather than lost service.

  2. Worms

    Worms are also common detections and are comparatively easy to spot, because they make hosts communicate with hosts they normally do not talk to. They multiply and spread quickly, consume large amounts of bandwidth, and some start scanning for further victims, all of which helps the IDPS catch them.

  3. Scanning

    Scanning is distinguished by its characteristic flow patterns at the application, transport and network layers [36]: banner grabbing at the application layer, TCP and UDP port scanning at the transport layer, and Internet Control Message Protocol (ICMP) scanning at the network layer are common examples.

  4. Policy violations

    Administrators lay down firm and detailed policies specifying what is permitted: the times of activity, the types of host and the forms of interaction allowed. If any of these is violated, for instance when an unauthorised host appears on the network, the IDPS reports a policy violation.

  5. Bots

    Botnets have recently become one of the primary threats to computer networks. Bots are self-propagating malware that infects vulnerable hosts [37], either through trojans or by direct exploitation. What distinguishes them from other malware is that they operate under command and control [38].

  6. Forbidden applications

    This category covers application services and protocols, backdoors and tunnelling protocols that the policy does not permit. Traffic is checked against the protocols expected on each port, so that a forbidden protocol carried over an otherwise permitted port is detected.
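
The behaviour-based (anomaly) side of detection from 7.2.4.2.3 applied to the events listed above, as an added example in Python (not code from the chapter or from any NBA product). It runs four NBA-style checks over one window of flow records: a vertical port scan (one source, many ports on one host), a worm-like horizontal sweep (one source, one port, many hosts), a flood (bytes to a destination far above its learned baseline) and a policy violation (an internal source address that is not in the administrator's inventory). The flow records, the inventory, the baseline and the thresholds are all constructed for illustration; real deployments tune the thresholds per segment.

```python
"""NBA-style detection of scans, sweeps, floods and unauthorised hosts over
constructed flow records. Added illustration; thresholds, baseline and the
flow records are made up, not measured."""
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")
# Inventory of hosts the administrator has authorised on INTERNAL_NET (constructed).
INVENTORY = {"10.0.0.11", "10.0.0.12", "10.0.0.66", "10.0.0.77", "10.0.0.80"}
# Learned per-window byte baseline per destination (constructed).
BASELINE_BYTES = {"10.0.0.80": 200_000}


def port_scans(flows, min_ports=20):
    """Vertical scan: one source touching many ports on one destination."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f["src"], f["dst"])].add((f["proto"], f["dport"]))
    return [{"type": "port_scan", "src": s, "dst": d, "ports": len(p)}
            for (s, d), p in ports.items() if len(p) >= min_ports]


def host_sweeps(flows, min_hosts=20):
    """Horizontal sweep (worm-like): one source probing one port on many hosts."""
    hosts = defaultdict(set)
    for f in flows:
        hosts[(f["src"], f["proto"], f["dport"])].add(f["dst"])
    return [{"type": "host_sweep", "src": s, "proto": pr, "dport": dp, "hosts": len(h)}
            for (s, pr, dp), h in hosts.items() if len(h) >= min_hosts]


def floods(flows, baseline, factor=5):
    """Volume anomaly: bytes to a destination far above its learned baseline."""
    volume, sources = defaultdict(int), defaultdict(set)
    for f in flows:
        volume[f["dst"]] += f["bytes"]
        sources[f["dst"]].add(f["src"])
    return [{"type": "flood", "dst": d, "bytes": b, "sources": len(sources[d])}
            for d, b in volume.items()
            if d in baseline and b > factor * baseline[d]]


def unauthorized_hosts(flows, net, inventory):
    """Policy violation: an internal source address that is not in inventory."""
    seen = {f["src"] for f in flows}
    return [{"type": "unauthorized_host", "src": s}
            for s in sorted(seen)
            if ipaddress.ip_address(s) in net and s not in inventory]


def analyze(flows):
    """Run every check over one analysis window and return the events found."""
    return (port_scans(flows) + host_sweeps(flows)
            + floods(flows, BASELINE_BYTES)
            + unauthorized_hosts(flows, INTERNAL_NET, INVENTORY))


def flow(src, dst, proto, dport, nbytes):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "bytes": nbytes}


# Constructed flow records for one analysis window (not captured traffic).
FLOWS = (
    [flow("10.0.0.11", "10.0.0.80", "tcp", 443, 12_000),                              # normal web use
     flow("10.0.0.12", "10.0.0.80", "tcp", 443, 9_000)]
    + [flow("10.0.0.66", "10.0.0.80", "tcp", p, 60) for p in range(1, 41)]            # port scan
    + [flow("10.0.0.77", f"10.0.1.{h}", "tcp", 445, 120) for h in range(1, 31)]       # SMB sweep
    + [flow(f"172.16.0.{h}", "10.0.0.80", "udp", 53, 50_000) for h in range(1, 51)]   # flood
    + [flow("10.0.0.250", "10.0.0.80", "tcp", 22, 3_000)]                             # not in inventory
)

if __name__ == "__main__":
    for event in analyze(FLOWS):
        print(event)
```

Note that the sweep from 10.0.0.77 is not reported as a port scan and the scan from 10.0.0.66 is not reported as a sweep: keying the counters on (source, destination) versus (source, port) is what separates the two signatures, and the flood check keys on destination volume against a baseline rather than on any per-source count, so it still fires when every attacking source sends only one flow.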

7.2.7 Role of State in Network Security

A state handles tremendous amounts of information every day. Since the dawn of the digital era and the move away from paper, computer networks have been vested with overwhelming responsibilities. In disciplines such as defence, communication and energy, data has assumed a central role, which also means greater vulnerability.

Thus, it becomes a necessity for the state to come up with solid regulations and protocols in place that adhere to industry standards.

Governments have been focusing with renewed vigour on the development of state standards and criteria. For example, DoD 5200.28-STD, the Trusted Computer System Evaluation Criteria published by the National Computer Security Center (NCSC), mandates objective evaluation of computer security [39]. In such systems predefined thresholds are strictly enforced, and an event that exceeds them is terminated. There is considerable scope for the state to facilitate research in adjoining areas such as the IDPS environment and its security, the social and operational aspects of intrusion detection, and novel detection methods [40].

7.3 Literature Review

This section reviews some of the work done on Intrusion Detection and Prevention Systems. Researchers have achieved a number of breakthroughs in using IDPS for security, but more work is needed, and this review hopes to motivate readers to pursue the field. Radoglou-Grammatikis and Sarigiannidis [41] applied IDPS technology to secure the smart grids used in smart-city electrical infrastructure; a more reliable power grid makes the smart city more efficient, both economically and socially.

Baykara and Das [42] proposed a honeypot-based approach to improving existing IDPSs. The honeypot gives the system real-time access to attack data at low management cost, which allowed their IDPS to detect zero-day attacks in real time.

Tan and Sherwood [43] presented an improved string-matching architecture for IDSs that raises throughput without the system crashing or dropping traffic. Their approach converts a large set of signature strings into many tiny state machines, each working on a single rule, which improves the overall complexity.

To protect Supervisory Control and Data Acquisition (SCADA) systems from data fraud and breaches, Zhu and Sastry [44] presented a taxonomy of techniques in which IDPS is a key participant. They identified the gaps and defects in current IDPSs and motivated researchers to improve them further.

More et al. [45] presented an IDPS architecture that correlates heterogeneous data sources using the cross-referencing features of a signature-based IDPS. The major outcome of their work was a knowledge base that is being used to model other systems for detecting cyber-attacks and vulnerabilities.

Patel et al. [46] worked on improving anomaly detection in IDPS by proposing a self-managed, agent-based approach that also assesses risk, using the self-management principles of Autonomic Computing (AC). The method aims not only to detect an attack but to stop it before the system is critically damaged.

Ribeiro et al. [47] proposed an Android-based IDPS, HIDROID, that adds little overhead to the mobile device. Its model is built from benign behaviour: the application learns by itself and needs little exposure to malicious data to recognise anomalies. In ideal conditions it achieved an accuracy of up to 0.9.

Table 7.2 Summary of literature review.

S. no.  Authors                           Domain                      Major advantage
1.      Radoglou-Grammatikis and          Smart grid                  Efficiency
        Sarigiannidis [41]
2.      Baykara and Das [42]              Honeypot                    Detects zero-day attacks in real time
3.      Tan and Sherwood [43]             String matching in IDPS     Improved overall complexity
4.      Zhu and Sastry [44]               SCADA                       Prevention of data fraud
5.      More et al. [45]                  Signature-based IDPS        Correlation of heterogeneous data sources
6.      Patel et al. [46]                 Anomaly detection in IDPS   Stops the attack before the system is critically damaged
7.      Ribeiro et al. [47]               HIDROID                     Application is a self-learner

Table 7.2 summarises the work reviewed here, together with the open challenges that current researchers in the field face.

7.4 Conclusion

A substantial amount of research is going on in the field of Intrusion Detection. By no means should the present state of the art be considered an exhaustive solution. Suffice it to say that developments in this field are at a nascent stage and there is a lot of scope for further change and development. Spreading awareness of data security, sensitising the public, and encouraging organisations to devote part of their resources to safeguarding their computer networks and data is the need of the hour. Timely and appropriate interventions by the state, together with civil society, would prove pivotal in this direction.

References

  1. Bace, R., & Mell, P. (2001). Intrusion detection systems, National Institute of Standards and Technology (NIST). Technical Report 800-31.
  2. Debar, H., Dacier, M., & Wespi, A. (1999). Towards a taxonomy of intrusion-detection systems. Computer Networks, 31(8), 805-822.
  3. Liao, H. J., Lin, C. H. R., Lin, Y. C., & Tung, K. Y. (2013). Intrusion detection system: A comprehensive review. Journal of Network and Computer Applications, 36(1), 16-24.
  4. Anderson, J. P. (1980). Computer security threat monitoring and surveillance, James P. Anderson Co., Fort Washington, PA.
  5. Rowland, C. H. (2002). U.S. Patent No. 6,405,318. Washington, DC: U.S. Patent and Trademark Office.
  6. Bhati, N. S., & Khari, M. (2021). A Survey on Hybrid Intrusion Detection Techniques. In Research in Intelligent and Computing in Engineering (pp. 815-825). Springer, Singapore.
  7. Bhati, B. S., & Rai, C. S. (2016). Intrusion detection systems and techniques: a review. International Journal of Critical Computer-Based Systems, 6(3), 173-190.
  8. Abdullah, K., Lee, C. P., Conti, G. J., Copeland, J. A., & Stasko, J. T. (2005, October). IDS RainStorm: Visualizing IDS Alarms. In VizSEC (p. 1).
  9. Raikar, A., Stephenson, B., & Mendonca, J. (2010). U.S. Patent No. 7,712,133. Washington, DC: U.S. Patent and Trademark Office.
  10. Bhati, B. S., Chugh, G., Al-Turjman, F., & Bhati, N. S. (2020). An improved ensemble based intrusion detection technique using XGBoost. Transactions on Emerging Telecommunications Technologies, e4076.
  11. Scarfone, K., & Mell, P. (2012). Guide to intrusion detection and prevention systems (IDPS) (NIST Special Publication (SP) 800-94 Rev. 1 (Draft)). National Institute of Standards and Technology.
  12. Nitin, T., Singh, S. R., & Singh, P. G. (2012). Intrusion detection and prevention system (IDPS) technology: network behavior analysis system (NBAS). ISCA J. Engineering Sci, 1(1), 51-56.
  13. Dave, S., Trivedi, B., & Mahadevia, J. (2013). Efficacy of Attack detection capability of IDPS based on its deployment in wired and wireless environment. arXiv preprint arXiv:1304.5022.
  14. Bhati, N. S., Khari, M., Garcia-Diaz, V., & Verdu, E. (2020). A Review on Intrusion Detection Systems and Techniques. International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems, 28 (Supp02), 65-91.
  15. Li, L., Yang, D. Z., & Shen, F. C. (2010, July). A novel rule-based Intrusion Detection System using data mining. In 2010 3rd International Conference on Computer Science and Information Technology (Vol. 6, pp. 169-172). IEEE.
  16. Bhati, N. S., & Khari, M. (2021). A new ensemble based approach for intrusion detection system using voting. Journal of Intelligent & Fuzzy Systems (Preprint), 1-11.
  17. Modi, C., Patel, D., Borisaniya, B., Patel, H., Patel, A., & Rajarajan, M. (2013). A survey of intrusion detection techniques in cloud. Journal of Network and Computer Applications, 36(1), 42-57.
  18. Denning, D. E. (1987). An intrusion-detection model. IEEE Transactions on Software Engineering, (2), 222-232.
  19. Jyothsna, V. V. R. P. V., Prasad, V. R., & Prasad, K. M. (2011). A review of anomaly based intrusion detection systems. International Journal of Computer Applications, 28(7), 26-35.
  20. Bhati, B. S., & Rai, C. S. (2021). Intrusion detection technique using Coarse Gaussian SVM. International Journal of Grid and Utility Computing, 12(1), 27-32.
  21. Altwaijry, H. (2013). Bayesian based intrusion detection system. In IAENG Transactions on Engineering Technologies (pp. 29-44). Springer, Dordrecht.
  22. Panda, M., & Patra, M. R. (2007). Network intrusion detection using naive bayes. International Journal of Computer Science and Network Security, 7(12), 258-263.
  23. Kruegel, C., Mutz, D., Robertson, W., & Valeur, F. (2003, December). Bayesian event classification for intrusion detection. In 19th Annual Computer Security Applications Conference, 2003. Proceedings. (pp. 14-23). IEEE.
  24. Jha, S., Tan, K. M., & Maxion, R. A. (2001, June). Markov Chains, Classifiers, and Intrusion Detection. In csfw (Vol. 1, p. 206).
  25. Bridges, S. M., & Vaughn, R. B. (2000, October). Fuzzy data mining and genetic algorithms applied to intrusion detection. In Proceedings of 12th Annual Canadian Information Technology Security Symposium (pp. 109-122).
  26. Cansian, A. M., Moreira, E., Carvalho, A. C. P. L., & Bonifacio, J. M. (1997, February). Network intrusion detection using neural networks. In Proc. Int. Conf. on Computational Intelligence and Multimedia Applications (pp. 276-280).
  27. Fox, K. L., Henning, R. R., Reed, J. H., & Simonian, R. P. (1990). A Neural Network Approach Towards Intrusion Detection, technical report. Harris Corporation.
  28. Dickerson, J. E., & Dickerson, J. A. (2000, July). Fuzzy network profiling for intrusion detection. In PeachFuzz 2000. 19th International Conference of the North American Fuzzy Information Processing Society-NAFIPS (Cat. No. 00TH8500) (pp. 301-306). IEEE.
  29. Lunt, T. (1993, October). Detecting intruders in computer systems. In Proceedings of the 1993 Conference on Auditing and Computer Technology (Vol. 61).
  30. Bhati, N. S., & Khari, M. (2021). A New Intrusion Detection Scheme Using CatBoost Classifier. In Forthcoming Networks and Sustainability in the IoT Era: First EAI International Conference, FoNeS-IoT 2020, Virtual Event, October 1-2, 2020, Proceedings 1 (pp. 169-176). Springer International Publishing.
  31. Nadiammai, G. V., & Hemalatha, M. (2014). Effective approach toward Intrusion Detection System using data mining techniques. Egyptian Informatics Journal, 15(1), 37-50.
  32. Jackson, K. A. (1999). Intrusion detection system (IDS) product survey. Los Alamos National Laboratory.
  33. Johnson, C. W. (2014, September). Barriers to the use of intrusion detection systems in safety-critical applications. In International Conference on Computer Safety, Reliability, and Security (pp. 375-384). Springer, Cham.
  34. Dhiraj, G., & Gupta, V. K. (2012). Approaches for deadlock detection and deadlock prevention for distributed systems. Research Journal of Recent Sciences ISSN, 2277, 2502.
  35. Northcutt, S., & Novak, J. (2002). Network intrusion detection. Sams Publishing.
  36. Arkin, O. (2001). ICMP usage in scanning. The Complete Know-How, 3.
  37. Holz, T., Steiner, M., Dahl, F., Biersack, E., & Freiling, F. C. (2008). Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm. LEET, 8(1), 1-9.
  38. Gu, G., Porras, P. A., Yegneswaran, V., Fong, M. W., & Lee, W. (2007, August). BotHunter: Detecting malware infection through IDS-driven dialog correlation. In USENIX Security Symposium (Vol. 7, pp. 1-16).
  39. Smaha, S. E. (1988, December). Haystack: An intrusion detection system. In Fourth Aerospace Computer Security Applications Conference (Vol. 44).
  40. Lundin, E., & Jonsson, E. (2002). Survey of intrusion detection research. Chalmers University of Technology.
  41. Radoglou-Grammatikis, P. I., & Sarigiannidis, P. G. (2019). Securing the smart grid: A comprehensive compilation of intrusion detection and prevention systems. IEEE Access, 7, 46595-46620.
  42. Baykara, M., & Das, R. (2018). A novel honeypot based security approach for real-time intrusion detection and prevention systems. Journal of Information Security and Applications, 41, 103-116.
  43. Tan, L., & Sherwood, T. (2005, June). A high throughput string matching architecture for intrusion detection and prevention. In 32nd International Symposium on Computer Architecture (ISCA'05) (pp. 112-122). IEEE.
  44. Zhu, B., & Sastry, S. (2010, April). SCADA-specific intrusion detection/prevention systems: a survey and taxonomy. In Proceedings of the 1st Workshop on Secure Control Systems (SCS) (Vol. 11, p. 7).
  45. More, S., Matthews, M., Joshi, A., & Finin, T. (2012, May). A knowledge-based approach to intrusion detection modeling. In 2012 IEEE Symposium on Security and Privacy Workshops (pp. 75-81). IEEE.
  46. Patel, A., Qassim, Q., Shukor, Z., Nogueira, J., Júnior, J., Wills, C., & Federal, P. (2011). Autonomic agent-based self-managed intrusion detection and prevention system. In Proceedings of the South African Information Security Multi-Conference (SAISMC 2010) (pp. 223-234).
  47. Ribeiro, J., Saghezchi, F. B., Mantas, G., Rodriguez, J., & Abd-Alhameed, R. A. (2020). HIDROID: prototyping a behavioral host-based intrusion detection and prevention system for Android. IEEE Access, 8, 23154-23168.

Note

  1. *Corresponding author: [email protected]