Application of Computational Intelligence in Network Intrusion Detection: A Review

Heba F. Eid (Al Azhar University, Egypt)
DOI: 10.4018/978-1-5225-5396-0.ch008


Intrusion detection systems play an important role in network security. However, network intrusion detection (NID) suffers from several problems, such as false positives, operational issues with high-dimensional data, and the difficulty of detecting unknown threats. Many of these problems are caused by improper implementation of the network intrusion detection system (NIDS). Over the past few years, computational intelligence (CI) has become an effective area for extending research capabilities, and NIDS based upon CI is currently attracting considerable interest from the research community. This review encompasses the concept of NID and presents the core methods of CI, including support vector machines, hidden naïve Bayes, particle swarm optimization, genetic algorithms, and fuzzy logic. The findings of this review should provide useful insights into the application of different CI methods to NIDS in the literature, allowing existing research challenges and progress to be clearly defined and promising new research directions to be highlighted.
Chapter Preview

Intrusion Detection System

Heady et al. (1990) define an intrusion as any set of actions that attempt to compromise the integrity, confidentiality or availability of host or network resources. James P. Anderson (1980) divides system intruders into four categories:

1. External Intruders: unauthorized users of the machines they attack.

2. Masquerader: a user who has gained access to the system and attempts to use the authentication information of another user. The masquerader can be either an external penetrator or another authorized user of the system.

3. Misfeasor: a user who has legitimate access to privileged information but abuses this privilege to violate the security policy of the installation.

4. Clandestine: a user who operates at a level below the normal auditing mechanisms, perhaps by accessing the machine with supervisory privileges.

In 1980, Anderson proposed the concept of intrusion detection (ID) (Anderson, 1980). ID is based on the assumption that the behavior of intruders differs from that of a legitimate user (Stallings, 2006).

An intrusion detection system (IDS) dynamically monitors the events taking place in a system and decides whether these events are symptomatic of an attack (intrusion) or constitute legitimate use of the system (Debar et al., 1999). Figure 1 presents the general structure of an intrusion detection system.

Figure 1.

General structure of intrusion detection system


Intrusion Detection System Taxonomy

There are several ways to categorize an IDS, depending on the location of the IDS in the system, the detection methodology used to generate alerts, and the response action taken against an intrusion, as shown in Figure 2.

Figure 2.

Intrusion detection system taxonomy


Depending on the IDS location, the first type of IDS to appear was the Host-based Intrusion Detection System (HIDS) (Axelsson, 2000). A HIDS is installed on the host and monitors operating system information (e.g. system call sequences and application logs) (Debar et al., 1999). By checking traffic before it is sent or just after it is received, a HIDS has the advantage of being able to detect attacks from the inside. However, the main problem with HIDSs is that they can only monitor the single host they are running on, and have to be specifically set up for each host. Thus, scalability is the main problem for HIDSs (Endorf et al., 2004; Bace & Mell, 2001).

A Network-based Intrusion Detection System (NIDS) identifies intrusions on external interfaces by inspecting network traffic among multiple hosts. A NIDS gains access to network traffic by placing sniffers at hubs or network switches to monitor packets traveling over the various communication media. The main advantage of a NIDS is that a single system can be used to monitor the whole network. However, the main disadvantage of a NIDS is that it can have difficulty processing large volumes of network packets (Sommers et al., 2004).
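As an added illustration of the detection assumption above (intruder behavior differs from legitimate behavior) applied to the HIDS data source just mentioned, the following toy detector learns the system-call n-grams of normal behavior and alerts on traces whose windows were never seen in training; it is not code from the chapter. The traces, call names and threshold are constructed assumptions, and the third sample trace shows how a legitimate but previously unseen sequence becomes a false positive.

```python
# Added example (not from the chapter): a toy host-based anomaly detector.
# Training traces are constructed; a real HIDS would build them from audit logs.
NORMAL_TRACES = [
    ["open", "read", "read", "close"],
    ["open", "read", "write", "close"],
    ["open", "fstat", "read", "close"],
    ["socket", "connect", "write", "read", "close"],
]

def ngrams(trace, n):
    """Sliding windows of length n over a system-call trace."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]

def build_profile(traces, n=3):
    """Training phase: the set of n-grams observed in legitimate behaviour."""
    profile = set()
    for trace in traces:
        profile.update(ngrams(trace, n))
    return profile

def score_trace(trace, profile, n=3):
    """Detection phase: share of the trace's n-grams absent from the profile.

    0.0 means every window was seen in training; 1.0 means none was.
    """
    grams = ngrams(trace, n)
    if not grams:  # trace shorter than n: nothing to compare against
        return 0.0
    unseen = sum(1 for g in grams if g not in profile)
    return unseen / len(grams)

def classify(trace, profile, n=3, threshold=0.5):
    """Alert when the novelty score exceeds the threshold (the tuning knob)."""
    return "alert" if score_trace(trace, profile, n) > threshold else "normal"

if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACES)
    for trace in (
        ["open", "read", "write", "close"],               # seen during training
        ["open", "read", "execve", "socket", "connect"],  # every window unseen
        ["open", "fstat", "fstat", "read", "close"],      # legitimate but rare: false positive
    ):
        print(classify(trace, profile), round(score_trace(trace, profile), 2), trace)
```

Raising the threshold suppresses the false positive on the third trace but also lets partially novel behavior through, which is the trade-off the chapter's abstract refers to.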
