Characterizing Intelligent Intrusion Detection and Prevention Systems Using Data Mining


Mrutyunjaya Panda (GITA, India) and Manas Ranjan Patra (Berhampur University, India)
Copyright: © 2014 | Pages: 14
DOI: 10.4018/978-1-4666-4940-8.ch005


Intrusion Detection and Prevention Systems (IDPS) are security systems that are widely deployed to detect and prevent security threats to computer networks. In order to understand the security risks and IDPS, in this chapter the authors give a quick review of the classification of IDPSs and categorize them into groups. Further, in order to improve accuracy and security, data mining techniques are used to analyze audit data and extract features that can distinguish normal activities from intrusions. Experiments have been conducted on building efficient intrusion detection and prevention systems by combining online detection with offline data mining. During online examination, real-time data are captured and passed through a detection engine that uses a set of rules and parameters for analysis. During offline data mining, the necessary knowledge about the intrusion process is extracted.
Chapter Preview


Securing computer networks and protecting their resources is one of the major concerns in today's IT activities, since completely eliminating security breaches is at present unrealistic (John, 2006, p. 84-87). In the present scenario, one can use a firewall to enforce access rules and policy, although a firewall is silent on insider security violations, or deploy antivirus software, which is ineffective at detecting new viruses. Alternatively, one can use an intrusion detection system, which can only detect intrusions and send alerts to the network administrator for appropriate action, but cannot prevent further intrusions in the network. Thus, what is required in such a scenario is an Intrusion Prevention System (IPS), which combines both requirements: the ability to detect intrusions and the ability to stop the detected intrusion attempts.

Intrusion Prevention System

The main functions of an intrusion prevention system are to identify malicious activity, log information about this activity, attempt to block or stop it, and report it. Intrusion prevention systems (IPS) were developed to resolve the ambiguities of passive network monitoring by placing the detection system in-line. With improved firewall technologies, an IPS can make access control decisions based on application content rather than on IP addresses or ports, as traditional firewalls had done. As IPS systems were originally a literal extension of intrusion detection systems, the two remain closely related. Intrusion prevention systems may also serve secondarily at the host level to stop potentially malicious activity. An intrusion prevention system must also achieve a low rate of false positive and false negative errors in its detection alerts. Some IPS systems can also prevent yet-to-be-discovered attacks, such as those caused by a buffer overflow. There are three common detection methodologies: misuse detection, anomaly (novelty) detection, and stateful protocol analysis. Another distinction can be made in terms of where the IPS resides. In this respect, IPS technologies are usually divided into host-based, Network Behavior Analysis (NBA) and network-based systems, which are differentiated primarily by the types of events they can recognize and the methodologies they use to identify possible incidents (Scarfone & Mell, 2007, p. 457-471). Host-based systems are present on each host that requires monitoring and collect data concerning the operation of that host to look for suspicious activity. Network Behavior Analysis examines network traffic to identify threats that generate unusual traffic flows, such as denial of service attacks, scanning, and certain forms of malware (Choo, 2011, p. 719-731). In contrast, network-based IPSs monitor the traffic on the network containing the hosts to be protected.
Hybrid systems, which include both host-based and network-based elements, can offer the best prevention and protective capabilities, and systems that protect against attacks from multiple sources have been developed (Shabtai, Fledel, Kanonov, Elovici, Dolev & Glezer, 2010, p. 35-44). To achieve a secure, multi-layered defence capability, the hybrid technology has been applied in the proposed approach. Intrusion prevention is a newer, proactive approach to defending networked systems that combines firewall techniques with intrusion detection. It prevents attacks from entering the network by examining data records and applying the pattern-recognition behaviour of its sensors. When an attack is identified, the intrusion prevention system blocks and logs the offending data. A typical IPS uses signatures to identify activity in network traffic, performs detection on inbound and outbound packets at the host, and blocks that activity before it can cause damage or access network resources. A general architecture of an IDPS consisting of four functional blocks is shown in Figure 1.

Figure 1.

General architecture for IDPS systems

The Event block captures events from the environment and passes them to the Database block, where they are stored for further processing. The Analyst block extracts the events from the Database block and analyzes them for possible intrusion. If intrusive behavior is detected, alerts are raised. The alerts are then passed on to the Response block in order to initiate suitable action to deal with the intrusion.
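To make the four-block architecture and the online/offline split concrete, here is an added Python example (not the chapter's own code): the Event block parses constructed audit records, an in-memory list stands in for the Database block, the Analyst block applies a misuse signature together with an anomaly threshold mined offline from constructed training data, and the Response block produces a block list. The record format, the signature rule, the port-spread statistic and all sample values are assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample audit records (not from the chapter): "src dst port payload"
EVENTS = """\
10.0.0.5 10.0.1.2 80 GET /index.html
10.0.0.5 10.0.1.2 80 GET /about.html
10.0.0.7 10.0.1.2 22 SSH-2.0-OpenSSH
10.0.0.9 10.0.1.2 80 GET /../../etc/passwd
10.0.0.9 10.0.1.2 81 probe
10.0.0.9 10.0.1.2 82 probe
10.0.0.9 10.0.1.2 83 probe
10.0.0.9 10.0.1.2 84 probe""".splitlines()
# Constructed historical distinct-port counts per source (offline training data)
TRAINING_COUNTS = [1, 2, 1, 2, 1, 3, 2, 1]
# Hypothetical misuse (signature) rules: rule name -> pattern over the payload
SIGNATURES = {"traversal": re.compile(r"\.\./")}
def offline_mine(training_counts, k=3.0):
    """Offline data mining: learn a port-spread threshold (mean + k*std) from audit history."""
    return statistics.mean(training_counts) + k * statistics.pstdev(training_counts)
def event_block(lines):
    """Event block: capture raw records and turn them into structured events."""
    events = []
    for line in lines:
        src, dst, port, payload = line.split(" ", 3)
        events.append({"src": src, "dst": dst, "port": int(port), "payload": payload})
    return events
def analyst_block(events, threshold):
    """Analyst block: signature (misuse) matching plus per-source port-spread anomaly check."""
    alerts, ports_by_src = [], defaultdict(set)
    for ev in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev["payload"]):
                alerts.append({"src": ev["src"], "reason": "signature:" + name})
        ports_by_src[ev["src"]].add(ev["port"])
    for src, ports in ports_by_src.items():
        if len(ports) > threshold:  # online check against the offline-mined threshold
            alerts.append({"src": src, "reason": "anomaly:%d distinct ports" % len(ports)})
    return alerts
def response_block(alerts):
    """Response block: the prevention action, here a sorted block list of offending sources."""
    return sorted({a["src"] for a in alerts})
def run_idps(lines, training_counts):
    """Wire the four blocks: event -> database (in-memory list) -> analyst -> response."""
    database = list(event_block(lines))
    alerts = analyst_block(database, offline_mine(training_counts))
    return alerts, response_block(alerts)
```

Running `run_idps(EVENTS, TRAINING_COUNTS)` raises one signature alert and one anomaly alert, both for the same source, which the Response block turns into a single block-list entry.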
