Adaptive Intrusion Detection Systems: The Next Generation of IDSs

Hassina Bensefia, Nassira Ghoualmi-Zine
DOI: 10.4018/978-1-4666-9562-7.ch108


This chapter deals with a challenging issue in the intrusion detection research field: IDS adaptability. First, it introduces intrusion detection concepts, then presents in detail the two existing generations of IDSs and addresses their major problem: permanent coverage of new attack patterns in a dynamically changing environment. Thereafter, it evokes the requirement of adaptability in IDSs as a means to remedy this deficiency. Later, it explores the most prominent approaches proposed for IDS adaptability, describes their functional architecture and discusses their strengths and weaknesses. At the end, new trends in the intrusion detection adaptability problem are mentioned, followed by a conclusion.

2. Generalities And Basic Concepts

2.1 Intrusion Detection Concept

The intrusion detection concept was founded by James Anderson in 1980 (Anderson, 1980). In his report entitled “Computer Security Threat Monitoring and Surveillance,” Anderson states that it is possible to characterize the normal use of a computer system by means of statistical parameters derived from the records of users’ habitual activities, called audit trails. He demonstrates that audit trails contain the information needed to reconstitute a user’s activities. Their analysis enables retracing and understanding the user’s behaviour. It identifies abusive use of computing resources, privilege abuse and excessive use of the computer, and may reveal ongoing and completed attacks. In this way, Anderson planted the original idea of intrusion detection, which was at first focused on mainframe environments. In 1986, Dorothy Denning concretized Anderson’s ideas by developing a prototype for the Stanford Research Institute, named the “Intrusion Detection Expert System (IDES)”. It was intended to analyze the audit trails of government systems and inspect user activity. In 1987, Denning published the foundations of the IDES prototype in a paper entitled “An Intrusion Detection Model” (Denning, 1987). This publication marked the beginning of the intrusion detection era. With IDES, Denning proposed not only the first IDS but a methodological model identifying the knowledge necessary for intrusion detection. The concept thereafter blossomed in both research and technology, thanks to the attention of the American government and the funding it granted to research projects.

Intrusion detection is closely linked to the audit mechanism, a ubiquitous feature of modern operating systems (Mé, 1997) that records the events occurring in a computer system. An event may be any action undertaken in a computing system, such as a login session, a program execution or a file access (An Introduction, 1995) (Noel et al., 2002). Events are recorded chronologically in a file whose records include the date and time of the event, the identifier of the user who initiated it, the application used to execute it, and the outcome of the event (success or failure). An audit trail is a chronological sequence of such event records. It represents the full history of any user activity, system process or application process (An Introduction, 1995) (Mé, 1997). Audit trail analysis enables reconstructing the complete activity, determining its duration, the user who carried it out, the system resources involved and the result of its completion (success or failure).
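The record layout and the analysis just described can be made concrete with a small parser. The following is an added example, not code from the chapter or its authors: it assumes a hypothetical one-record-per-line format carrying the fields the text names (timestamp, user identifier, application or action, resource, outcome), reconstructs each user's activity from a constructed sample trail (duration, resources touched, failures), and applies the kind of statistical baseline check Anderson described, flagging users whose failure rate is far above an assumed normal rate.

```python
"""Reconstruct user activity from an audit trail and apply a simple statistical check.

Added example, not taken from the chapter. The record format below is an
assumption: "<ISO timestamp> <user> <application> <resource> <success|failure>".
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample audit trail (not real data), already in chronological order.
SAMPLE_AUDIT_TRAIL = """\
2024-03-01T08:00:00 alice login /dev/pts/0 success
2024-03-01T08:02:10 alice exec /usr/bin/vim success
2024-03-01T08:05:42 alice open /home/alice/report.txt success
2024-03-01T08:30:00 alice logout /dev/pts/0 success
2024-03-01T09:00:00 bob login /dev/pts/1 success
2024-03-01T09:00:05 bob open /etc/shadow failure
2024-03-01T09:00:06 bob open /etc/shadow failure
2024-03-01T09:00:07 bob open /etc/shadow failure
2024-03-01T09:01:00 bob logout /dev/pts/1 success
"""


@dataclass
class AuditRecord:
    """One event record: the fields the chapter lists for an audit entry."""
    timestamp: datetime
    user: str
    application: str   # the action or program that produced the event
    resource: str
    success: bool


@dataclass
class ActivitySummary:
    """Reconstructed activity of one user over the whole trail."""
    user: str
    start: datetime
    end: datetime
    resources: List[str] = field(default_factory=list)
    events: int = 0
    failures: int = 0

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def parse_audit_trail(text: str) -> List[AuditRecord]:
    """Parse the hypothetical line format into records, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, app, resource, outcome = line.split()
        records.append(AuditRecord(datetime.fromisoformat(ts), user, app,
                                   resource, outcome == "success"))
    # An audit trail is chronological by definition; sort defensively anyway.
    records.sort(key=lambda r: r.timestamp)
    return records


def reconstruct_activity(records: List[AuditRecord]) -> Dict[str, ActivitySummary]:
    """Group records by user: who did it, for how long, on which resources, with what result."""
    summaries: Dict[str, ActivitySummary] = {}
    for r in records:
        s = summaries.get(r.user)
        if s is None:
            s = ActivitySummary(r.user, r.timestamp, r.timestamp)
            summaries[r.user] = s
        s.end = max(s.end, r.timestamp)
        s.events += 1
        if r.resource not in s.resources:
            s.resources.append(r.resource)
        if not r.success:
            s.failures += 1
    return summaries


def failure_rate_outliers(summaries: Dict[str, ActivitySummary],
                          baseline_rate: float = 0.1, min_events: int = 3) -> List[str]:
    """Anderson-style statistical check: users whose failure rate exceeds an assumed baseline.

    baseline_rate and min_events are assumed thresholds; in practice they would be
    estimated from the site's own historical audit trails.
    """
    return sorted(user for user, s in summaries.items()
                  if s.events >= min_events and s.failures / s.events > baseline_rate)


if __name__ == "__main__":
    trail = parse_audit_trail(SAMPLE_AUDIT_TRAIL)
    activity = reconstruct_activity(trail)
    for user, s in activity.items():
        print(f"{user}: {s.events} events over {s.duration}, "
              f"{s.failures} failures, resources={s.resources}")
    print("above baseline failure rate:", failure_rate_outliers(activity))
```

The summary is the reconstruction the chapter describes (activity, duration, user, resources, outcome); the outlier check shows how statistical parameters over those records, the idea Anderson started from, turn an audit trail into a detection signal.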
