Intrusion Detection Systems

IDSes use several different techniques to detect malicious network activity. Anti-virus Software uses IDS to discover, flag, and remove.

Types of IDS:

Signature Based – good at identifying known attacks, but not for new attacks
Protocol Based – good at identifying new attacks, but not for known attacks
Hybrid (both the above)

Signature based attacks are good at identifying known attacks based on signatures in the databases, but they fail in identifying new zero day attacks with new patterns. Protocol based detection systems are good at identifying new zero day attacks by studying the normal activity and defining what is abnormal activity on the network. Since each of these systems have specific disadvantages, hybrid systems are designed using both methods to identify both new attacks and known signature based attacks.

Nevertheless, signature based systems are more popular – identifying malicious threats and adding their signatures to a repository is the primary technique used by antivirus products.

What is a Signature?

A signature is a typical footprint or pattern associated with a malicious attack on a computer network or system. It may be a byte sequence in network traffic or inside a file or a series of instructions.

Many security organizations share homegrown signature-based detections. This allows the security community at large to help individual security operations centers (SOCs), and analysts keep current and effectively leverage the overall effectiveness of signature-based detection tools.

Recognize attack patterns from the network packets
Monitor the user behavior
Identify the abnormal traffic activity
Ensure that user and system activity do not go against security policies

Sits on the front-end of a server

A typical use for a PIDS would be at the front end of a web server monitoring the HTTP (or HTTPS) stream. Because it understands the HTTP relative to the web server/system it is trying to protect it can offer greater protection than less in-depth techniques such as filtering by IP address or Port Number alone.

At a basic level a PIDS would look for, and enforce, the correct use of the protocol. At a more advanced level the PIDS can learn or be taught acceptable constructs of the protocol, and thus better detect anomalous behavior.

The threat landscape is evolving constantly, and therefore there is a need for the detection landscape to evolve constantly. These include behavior based detection, AI threat detection, advanced malware scanning, and remote security management.

ML based IDS

Although signature-based IDSs are more common, recent developments in anomaly-based IDSes use machine-learning algorithms. A model uses one or more algorithms to learn to recognize malicious activity. Each model is built using a certain set of features that are available for a specific dataset. The accuracy of machine learning IDSs with test datasets can be higher than 90%.

Machine Learning (ML) techniques have recently become promising solutions for developing IDSs. ML is a collection of techniques that employ mathematical formulae to automatically discover, examine, and extract patterns from data. Extracting and acquiring meaningful information helps ML models make informed judgments and predictions.

ML algorithms can be classified as supervised and unsupervised learning algorithms. Supervised learning algorithms are a class of ML algorithms that map input variables to a target variable using labeled data for training, such as K-Nearest Neighbors (KNN), Decision Tree (DT) based models, and Deep Learning (DL) algorithms, etc. Unsupervised learning algorithms are utilized to discover patterns from unlabeled data, such as k-means, Gaussian Mixture Model (GMM), isolation forest, etc. For IDS development, supervised learning algorithms are often used to develop signature-based IDSs by training on labeled network datasets, while unsupervised learning algorithms can be used in anomaly-based IDSs to distinguish outliers from normal data.

Researchers are still looking to find the most efficient ways to detect IDSes. There is continuous research to find good models that have low false positives. Cyber attacks are becoming more damaging and sophisticated. Detecting different types of attacks and understanding their patterns are crucial procedures in network security frameworks.

Hope this is useful, thank you.

Understand more about in our Cyber Security and Ethical Hacking Course.