1. Introduction
Advances in computing and communication technology have made our lives simpler, and every task in daily life is now driven by technology. Today our lives depend on the internet for everything, from professional and personal needs to domestic ones. Using the internet for daily needs such as shopping, banking, hotel booking and daily news is becoming very common. As the computer literacy rate increases day by day, the use of IT-related services is increasing exponentially. Previously, cyber-attacks were limited to organizations. Now, however, cyber-attacks are no longer restricted to organizations but also reach personal computers, laptops and mobile devices. This clearly underlines the need for protection at different levels.
Looking at the history, the first steps in intrusion detection were laid by the United States Air Force (USAF). James P. Anderson, who was working as deputy for command and management systems in the USAF (Anderson, 1972), was the first in the literature to use the phrase “malicious threat”, in his report to the US government, where it is defined as “external penetration threat in closed or open systems and boil down to gaining an unauthorized access to classified data directly or indirectly”. He proposed the use of a reference monitor to safeguard classified data, which is what is currently called an intrusion detection system. The formal definition of intrusion detection can be given as “…the process of discovering the presence or the possibility of presence, of unauthorized uses of network or computing infrastructure activities on a continuous basis…”. The first real-time Intrusion Detection System (IDS) was researched and developed by Neumann between 1984 and 1986 and named the Intrusion Detection Expert System (IDES); it was a rule-based system that detects malicious activity from known threats, and it was later known as the Next Generation Intrusion Detection Expert System (NIDES) (Schwab, 2015).
In the late 1990s the design approaches of intrusion detection systems were greatly improved to accommodate the increase in volume and complexity of network attacks. Until the 1990s, IDSs functioned on the principle of correlating the signature of a new incoming threat with an existing knowledge base of attack data; if a match was found, the traffic was declared a threat. This approach is called a signature-based intrusion detection system. Such systems cannot detect new threats: when a new attack arrives, it passes through the IDS without being blocked, and only after the damage caused by the attack is realized is its signature pattern added to the knowledge base, enabling the IDS to detect the same attack in the future. Another method, named anomaly detection, learns from history and understands the behavioral patterns of normal and abnormal packets. On receiving an abnormal packet, even if its signature does not match the knowledge base, it recognizes the packet's behavior and warns the user about the intrusion. Strictly speaking, both approaches are important, because we must shield the IT infrastructure from known and unknown threats.
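As an added illustration (example code, not from the article), the following toy Python program puts the two approaches described above side by side: a signature matcher over a small knowledge base, and an anomaly detector that learns the length and non-printable-byte share of normal packets and flags z-score outliers, so a never-seen attack slips past the signatures but is still reported. The signature patterns, the traffic samples and the 3-sigma threshold are constructed assumptions for the example.

```python
from statistics import mean, pstdev

# Constructed knowledge base: byte patterns of attacks that are already known.
KNOWN_SIGNATURES = {
    "nop-sled": b"\x90\x90\x90\x90",
    "path-traversal": b"../../",
}
def signature_match(payload: bytes):
    """Signature-based IDS: name of the first known pattern found, else None."""
    for name, pattern in KNOWN_SIGNATURES.items():
        if pattern in payload:
            return name
    return None
def add_signature(name: str, pattern: bytes) -> None:
    """Knowledge-base update made after a new attack has been analysed."""
    KNOWN_SIGNATURES[name] = pattern
def features(payload: bytes):
    """Behavioural features: payload length and share of non-printable bytes."""
    nonprint = sum(1 for b in payload if not 0x20 <= b <= 0x7E)
    return (len(payload), nonprint / max(len(payload), 1))
class AnomalyDetector:
    """Learns mean and std-dev of normal-packet features; flags z-score outliers."""
    def __init__(self, normal_packets, threshold=3.0):
        cols = list(zip(*(features(p) for p in normal_packets)))
        self.mu = [mean(c) for c in cols]
        self.sigma = [pstdev(c) or 1e-9 for c in cols]  # guard against zero spread
        self.threshold = threshold
    def is_anomalous(self, payload: bytes) -> bool:
        zs = [abs(x - m) / s for x, m, s in zip(features(payload), self.mu, self.sigma)]
        return max(zs) > self.threshold
def inspect_packet(payload: bytes, detector: AnomalyDetector) -> str:
    """Combined verdict: a known signature first, then behaviour, else allow."""
    name = signature_match(payload)
    if name:
        return "known-threat:" + name
    return "anomaly" if detector.is_anomalous(payload) else "allow"

# Constructed sample of normal traffic used to train the anomaly detector.
NORMAL_TRAFFIC = [
    b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    b"GET /cart HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: shop.example\r\n\r\nuser=a&pw=b",
    b"GET /news/today HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    b"GET /book/hotel?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
]
detector = AnomalyDetector(NORMAL_TRAFFIC)
KNOWN_ATTACK = NORMAL_TRAFFIC[1] + b"\x90" * 4   # constructed: carries a known pattern
NOVEL_ATTACK = bytes(range(256)) * 2             # constructed: no known pattern, odd shape
if __name__ == "__main__":
    for pkt in (NORMAL_TRAFFIC[0], KNOWN_ATTACK, NOVEL_ATTACK):
        print(inspect_packet(pkt, detector))   # allow, known-threat:nop-sled, anomaly
```

Once the novel attack has been analysed, `add_signature` puts its pattern into the knowledge base and the signature engine catches it on its own the next time, which is exactly the update cycle the text describes.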
There are two levels of intrusion detection system: the host-based intrusion detection system (HIDS) and the network-based intrusion detection system (NIDS). A NIDS fails when some malicious activity takes place inside the organization’s network, behind the NIDS: it cannot identify the activity because it is out of its scope, and the NIDS is busy processing incoming packets. This happens when a malicious packet enters the network because of overflow or congestion at the entry point of the organization's network; it thus bypasses the network security mechanism and causes damage within the organization's network. Hence, network-based intrusion detection cannot protect on its own. Alternatively, a HIDS can be combined with a NIDS to combat incoming threats. The HIDS can help by collecting audit data from the different hosts within the organization's network and reporting back to the NIDS, which acts accordingly if any malicious activity is detected.