Yue Shen,Fei Yu,Ling-Fen Zhang,Ji-Yao An,Miao-Liang Zhu

DOI: https://doi.org/10.1109/CANET.2005.1598184

2005-01-01

Abstract:Intrusion detection is an efficient way to protect information system. This paper puts forward a new method of anomalous intrusion detection based on system call. It uses system calls regarded as input, and creates a FSA for the functions in the program. Then the FSA is used to detect the attack. Moreover, It can find the place of the vulnerability which exists in the program. This can help to alter the source program. Results are shown that this method is effective for some intrusion events.

Navya Iyengar

DOI: https://doi.org/10.48550/arXiv.2007.11654

2020-07-22

Networking and Internet Architecture

Abstract:Cloud-based and network-based technology has witnessed an exponential rise in development. Adaptation of these latest technologies has opened flood gates for data breaches, an increase in sophistication of cyber threats, and, a multitude of new attack vectors. Numerous tools and solutions are currently available for detection of these threats. Network-based Intrusion Detection Systems is one of the most effective tools implemented to maintain confidentiality, integrity, and, availability of networks. While there are several open source tools in the offing, this paper evaluates two open-source NIDS Snort and Suricata, along with strategic placement of multi sensor IDS in a WAN environment, in combination with NIDS, for in time threat detection and protection of systems.

Igor Kotenko,Igor Saenko,Roman Zakharchenko,Dmitry Velichko,,,,

DOI: https://doi.org/10.21681/2311-3456-2023-1-13-27

2023-01-01

Voprosy kiberbezopasnosti

Abstract:The purpose of the article: conducting a system analysis of the requirements for the subsystem for preventing computer attacks on critical information infrastructure in order to substantiate the directions for further improved scientific and methodological apparatus for the full functioning of the subsystem for preventing computer attacks. Research method: theoretical and systematic analysis of the requirements of legal acts, scientific publications, protection technologies and means of their implementation in departmental systems for detecting and counteringcomputer attacks.The result obtained: the rationale for the need to build mechanisms for preventing computer attacks on critical information infrastructure objects and the requirements for the subsystem for preventing computer attacks was carried out, an approach was proposed to prevent computer attacks at the stages of reconnaissance by an attacker of critical information infrastructure objects, based on the introduction of a security event correlation mechanism with automatic adaptation to the analyzed information infrastructure and the functions it performs at the current time and a detailed specification of the correlation rules.Scope of the proposed approach: a subsystem for preventing computer attacks of departmental systems for detecting and countering computer attacks, which should identify and prevent attempts to conduct computer attacks on critical information infrastructure objects in advance.The scientific novelty consists in a comprehensive analysis of the need to build mechanisms for preventing computer attacks on critical information infrastructure objects, an analysis of the requirements for the computer attack prevention subsystem, its functions and means of implementation. It is shown that the functions of preventing computer attacks in domestic technical solutions are not fully implemented, and that there is a substitution of the concept of “subsystem for preventing computer attacks” by the concept of “control and technical measures”. It is substantiated that for the implementation of the functions of preventing computer attacks, there is a technological backlog in the form of a ready-made technology based on the technology for building SIEM systems. It is shown that there is a need to refine the scientific and methodological apparatus for implementing computer warning functions based on artificial intelligence methods and big data technologies.Contribution: Kotenko I.V. - analysis of the functionality of the subsystem for preventing computer attacks, setting the task and proposals for developing the functionality of the subsystem for preventing computer attacks on critical information infrastructure objects; Saenko I.B. - analysis of the subsystem for preventing computer attacks in the general context of the theory of information security, substantiation of the implementation of the functions of preventing computer attacks based on the technology of building SIEM systems and big data; Zakharchenko R.I. - analysis of technical solutions that ensure the implementation of the subsystem for preventing computer attacks, Velichko D.V. - an approach to detecting computer attacks at the stages of reconnaissance by an attacker of objects of critical information infrastructure. All authors participated in the writing of the article.

Kashif Ishaq,Hafiz Ahsan Javed

2023-08-26

Abstract:The security trade confidentiality, integrity and availability are the main pillar of the information systems as every organization emphasize of the security. From last few decades, digital data is the main asset for every digital or non-digital organization. The proliferation of easily accessible attack software on the internet has lowered the barrier for individuals without hacking skills to engage in malicious activities. An Industrial organization operates a server that (Confluence) serves as a learning platform for newly hired employees or Management training officers, thereby making it vulnerable to potential attacks using readily available internet-based software. To mitigate this risk, it is essential to implement a security system capable of detecting and preventing attacks, as well as conducting investigations. This research project aims to develop a comprehensive security system that can detect attack attempts, initiate preventive measures, and carry out investigations by analyzing attack logs. The study adopted a survey methodology and spanned a period of four months, from March 1, 2023, to June 31, 2023. The outcome of this research is a robust security system that effectively identifies attack attempts, blocks the attacker's IP address, and employs network forensic techniques for investigation purposes. The findings indicate that deploying Snort in IPS mode on PfSense enables the detection of attacks targeting e-learning servers, triggering automatic preventive measures such as IP address blocking. The alerts generated by Snort facilitate investigative actions through network forensics, allowing for accurate reporting on the detrimental effects of the attacks.

Cryptography and Security

YANG Tong,QIAO Xiang-dong,ZHENG Lian-qing

DOI: https://doi.org/10.3969/j.issn.1009-3516.2008.02.021

2008-01-01

Abstract:Snort,one of the best Open Source Network Intrusion Detection Systems,is analysed in detail,in this paper,for the sake of searching network intrusion detection system.Then a solution is proposed to eliminate the redundancy of snort's rule chain.Experiments are done,which show that the solution proposed is correct and effective.Finally,on the basis of ARP technology approach,NIDS is developed with the improved snort as kernel module.Its excellent performance proves the solution to be valid once again.

YU-XIN DING,MIN XIAO,AI-WU LIU,Yu-Xin Ding,Min Xiao,Ai-Wu Liu

DOI: https://doi.org/10.1109/icmlc.2009.5212282

2009-07-01

Abstract:Since most of current intrusion detection systems (IDS) only use one of the two detection methods, misused detection or anomaly detection, both of them have their own limitations. In this paper, the technique that combines misuse detection system with anomaly detection system (ADS) is used. The hybrid intrusion detection system (HIDS) contains three sub-modules, misused detection module, anomaly detection module and signature generation module. The basis of misused detection module is snort. Anomaly detection module is constructed by using frequent episode rule. And signature generation module is based on a variant of Apriori algorithm. Misused detection module uses the signature of attacks to detection the known attacks. Anomaly detection module can detect the unknown attacks and signature generation module extracts the signature of attacks that are detected by ADS module, and maps the signatures into snort rules.

Saloni Anand,Kshitij Patne

DOI: https://doi.org/10.22214/ijraset.2022.44761

2022-06-30

International Journal for Research in Applied Science and Engineering Technology

Abstract:Abstract: Intrusion Detection systems are now increasingly significant in network security. As the number of people using the internet grows, so does the chance of a cyberattack. People are adopting signature-based intrusion detection systems. Snort is a popular open-source signature-based intrusion detection system. It is widely utilised in the intrusion detection and prevention arena across the world. The aim of this research is to provide knowledge about intrusion detection systems, application vulnerabilities, and their prevention methods and to perform a comparison of the latest tools and mechanisms used to detect these threats and vulnerabilities.

Keturahlee Coulibaly

DOI: https://doi.org/10.48550/arXiv.2004.08967

2020-04-20

Abstract:Cyber threats are increasing not only in their volume but also in their sophistication and difficulty to detect. Attacks have become a national/global threat as they have targeted private and public, as well as government sectors over the years. This is a growing issue and organisations are taking steps to reduce, detect and prevent threats. To do this they need to use systems that are equipped with the capabilities to do either of those steps and develop them for the type of networks they use, for instance wired or wireless. One of these systems are Intrusion Detection Systems (IDS), which can be used as the first defence mechanism or a secondary defence mechanism of a threat or an attack. There are different types of attacks that can occur in a network, such as Denial of service (DoS)/Distributed Denial of Service (DDoS), port scanning, malware or ransomware and so forth that IDSs have a capability of detecting. Assisting in the mitigation of such attacks, there are also Intrusion Prevention Systems (IPS) whose role has a different purpose than that of IDSs. Unlike IDSs they not only detect threats but prevent them from disrupting the network, IPSs can be used in conjunction with IDSs to double the defences. This paper provides an overview of IDS and their classifications and IPS. It will detail typical benefits and limitations to using IDSs, IPSs and the hybrids (such as Intrusions Detection Prevention Systems (IDPSs and more)) which will be discussed further. It will also outline developments in the making using ML and how it is used to improve these systems and the dilemmas they produce and possible ways to counter act them.

Cryptography and Security

M. M. Zaporozhchenko,

DOI: https://doi.org/10.31673/2412-4338.2023.015360

2023-01-01

Telecommunication and information technologies

Abstract:In recent years, there has been a trend towards an increase in the number of cyber attacks on organizations and individual users. In many cases, a key factor in the implementation of an information security incident is the attacker's effective preparation for a cyber attack: target selection, reconnaissance, i.e. obtaining any information that may be needed when planning an attack, weaponization based on discovered defense mechanisms, software and hardware, etc. and delivery, i.e. choosing how the malware will reach the victim and what steps will be required to activate it further. Having a significant amount of important and critical information for the organization from the point of view of ensuring security provides the attacker with the opportunity to choose the optimal attack scenario and significantly increases the chances of its success. The problem is that today's OSINT methods and tools allow you to find almost any information that is not protected in a real way, which significantly increases the risks, especially for organizations that find it difficult to control all the information that their employees post on social networks, disclose in interviews or accidentally enters the Internet. However, most intelligence tools are not only available to attackers, so ethical hackers and penetration testers can also use OSINT tools to examine an organization's vulnerabilities and improve its defenses before attackers exploit those vulnerabilities. The article examines the main methods of intelligence based on open sources, considers the most common and most often used OSINT tools, describes the life cycle of a cyber attack and defines the stages that require the use of OSINT tools when conducting an audit of the organization's information security and penetration tests.

Liu Hua Yeo,Xiangdong Che,Shalini Lakkaraju

DOI: https://doi.org/10.48550/arXiv.1708.07174

2017-08-23

Cryptography and Security

Abstract:Intrusion detection systems (IDS) help detect unauthorized activities or intrusions that may compromise the confidentiality, integrity or availability of a resource. This paper presents a general overview of IDSs, the way they are classified, and the different algorithms used to detect anomalous activities. It attempts to compare the various methods of intrusion techniques. It also describes the various approaches and the importance of IDSs in information security.

Syed Ali Raza Shah,Biju Issac

DOI: https://doi.org/10.1016/j.future.2017.10.016

2017-11-07

Abstract:This study investigates the performance of two open source intrusion detection systems (IDSs) namely Snort and Suricata for accurately detecting the malicious traffic on computer networks. Snort and Suricata were installed on two different but identical computers and the performance was evaluated at 10 Gbps network speed. It was noted that Suricata could process a higher speed of network traffic than Snort with lower packet drop rate but it consumed higher computational resources. Snort had higher detection accuracy and was thus selected for further experiments. It was observed that the Snort triggered a high rate of false positive alarms. To solve this problem a Snort adaptive plug-in was developed. To select the best performing algorithm for Snort adaptive plug-in, an empirical study was carried out with different learning algorithms and Support Vector Machine (SVM) was selected. A hybrid version of SVM and Fuzzy logic produced a better detection accuracy. But the best result was achieved using an optimised SVM with firefly algorithm with FPR (false positive rate) as 8.6% and FNR (false negative rate) as 2.2%, which is a good result. The novelty of this work is the performance comparison of two IDSs at 10 Gbps and the application of hybrid and optimised machine learning algorithms to Snort.

Networking and Internet Architecture,Cryptography and Security,Machine Learning

Darren R. Hayes,Francesco Cappa

DOI: https://doi.org/10.1016/j.bushor.2018.02.001

IF: 10.562

2018-09-01

Business Horizons

Abstract:Advances in information technology (IT) have prompted tremendous growth in security issues for companies. Increasingly, cyberattacks represent a threat to companies and national security; to prevent them, firms should routinely perform risk assessments of their IT infrastructure and employees. This article highlights the importance of open-source intelligence (OSINT) tools in conducting risk assessments to prevent cyberattacks. More specifically, we performed a vulnerability assessment on the critical infrastructure of a company operating on the U.S. electrical grid. We successfully profiled the company’s network software, hardware, and key IT personnel—using OSINT—and detailed potential vulnerabilities associated with these findings. The results of our study provide empirical evidence for the efficacy of OSINT in improving the security posture of organizations. Our research findings were subsequently used to produce tactical and strategic recommendations for organizations based on the use of OSINT to identify vulnerabilities, mitigate risks, and formulate more robust security policies to prevent cyberattacks.

business

Andriy Luntovskyy,Mykhailo Klymash

DOI: https://doi.org/10.20535/2411-2976.22017.44-48

2017-12-28

Information and Telecommunication Sciences

Abstract:Background. Modern firewall systems are compared to classical concepts. The filtering rules are analyzed on the examples of the leading solutions (presented by Gartner Inc.). The collaborative intrusion detection systems and networks as well as the threats based on the insider attacks on CIDN are examined. A common CIDN functionality catalogue is discussed. The aspects of the application of modern systems of network intrusion detection and prevention by the peculiarities of their implementation at different levels are considered in accordance with the model of ISO/OSI. Brief recommendations on the use of known network security solutions in the construction of modern infocommunication networks to overcome various types of threats, in particular DoS type, virus and social engineering, are given. Objective. The aim of the paper is to study the implementation and application of modern concepts of firewalls and collaborative network intrusion detection systems. Methods. The research was carried out based on analysis of a large number of literary sources, the theory of building information security systems and avenues of manufacturers of systems for detecting and preventing network intrusion. Results. The advanced firewalls like SMLIF, IPS, the collaborative intrusion detection systems gain in importance increasingly nowadays. They can be also deployed within the scenarios of NFC and IoT (Internet of Things). The FW and IDS are often combined into individual participating peers (LAN, WLAN, 2G-4G, NFC and Bluetooth) with possibility of collaboration and better prevention of both external and insider attacks. Conclusions. The conducted research indicates the need to improve the implementation of modern network architecture with the use of integrated systems for detecting and counteracting network attacks. Despite the wide variety of network security solutions, this area of research remains relevant and suggests that the development of new concepts for protecting network architectures meets the current state of the industry, is timely and relevant, given the wide range of capabilities and scenarios for malicious intrusions and network system impacts. Keywords: firewall; network attacks; intrusion detection systems; intrusion prevention systems; CIDN.

Yawen Xue,Jie Pan,Yangyang Geng,Zeyu Yang,Mengxiang Liu,Ruilong Deng

DOI: https://doi.org/10.1109/ticps.2024.3406505

2024-01-01

Abstract:Industrial control systems (ICSs) are becoming increasingly interconnected as the rapid convergence of information technology (IT) and operation technology (OT) networks, and meanwhile massive attack surfaces have been exposed. However, traditional intrusion detection systems (IDSs) are difficult to be directly deployed in ICSs due to the hard real-time requirement and rare patching chance. Besides, the design of effective and practical IDSs is hampered by the lack of benchmarking ICS cybersecurity datasets. To bridge the gaps, this paper makes the first attempt by open-sourcing the developed ICS cybersecurity datasets and proposing a decision fusion based real-time IDS. Firstly, we design a customized cybersecurity dataset in a full-hardware and high-fidelity platform, including 7 types of cyber threats tailored for ICSs. The collected dataset includes network traffic, sensor readings, actuator status, and system parameters, providing the state-of-the-art benchmark dataset for ICSs consisting of cross-layer characteristics. Furthermore, we design an online decision fusion-based IDS by strategically integrating 4 widely-used machine learning models. The proposed IDS is deployed on a real-time running ethanol distillation, surpassing the performance of single detection models in terms of precision and F1-score, which substantially enhances intrusion detection accuracy and cybersecurity of ICS.

Theuns Verwoerd,Ray Hunt

DOI: https://doi.org/10.1016/s0140-3664(02)00037-3

IF: 5.047

2002-09-01

Computer Communications

Abstract:Recent security incidents and analysis have demonstrated that manual response to such attacks is no longer feasible. Intrusion detection systems (IDS) offer techniques for modelling and recognising normal and abusive system behaviour. Such methodologies include statistical models, immune system approaches, protocol verification, file and taint checking, neural networks, whitelisting, expression matching, state transition analysis, dedicated languages, genetic algorithms and burglar alarms. This paper describes these techniques including an IDS architectural outline and an analysis of IDS probe techniques finishing with a summary of associated technologies.

computer science, information systems,telecommunications,engineering, electrical & electronic

Abdulganiyu, Oluwadamilare Harazeem

DOI: https://doi.org/10.1007/s10207-023-00682-2

2023-03-28

International Journal of Information Security

Abstract:With the recent increase in internet usage, the number of important, sensitive, confidential individual and corporate data passing through internet has increasingly grown. With gaps in the security systems, attackers have attempted to intrude the network, thereby gaining access to essential and confidential information, which may cause harm to the operation of the systems, and also affect the confidentiality of the data. To counter these possible attacks, intrusion detection systems (IDSs), which is an essential branch of cybersecurity, were employed to monitor and analyze network traffic thereby detects and reports malicious activities. A large number of review papers have covered different approaches for intrusion detection in networks, most of which follow a non-systematic approach, merely made a comparison of the existing techniques without reflecting an in-depth analytical synthesis of the methodologies and performances of the approaches to give a complete understanding of the state of IDS. Nonetheless, many of these reviews investigated more about the anomaly-based IDS with more emphasis on deep-learning models, while signature, hybrid-based (signature + anomaly-based) have received minimal focus. Hence, by adhering to the principles of Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA), this work reviewed existing contributions on anomaly-, signature-, and hybrid-based approaches to provide a comprehensive overview of network IDS's state of the art. The articles were retrieved from seven databases (ScienceDirect, SpringerNature, IEEE, MDPI, Hindawi, PeerJ, and Taylor & Francis) which cut across various reputable journals and conference Proceedings. Among the 776 pieces of the literature identified, 71 were selected for analysis and synthesis to answer the research questions. Based on the research findings, we identified unexplored study areas and unresolved research challenges. In order to create a better IDS model, we conclude by presenting promising, high-impact future research areas.

computer science, information systems, theory & methods, software engineering

Tarrah R. Glass-Vanderlan,Michael D. Iannacone,Maria S. Vincent,Qian,Chen,Robert A. Bridges

DOI: https://doi.org/10.48550/arXiv.1805.06070

2018-05-17

Abstract:This survey focuses on intrusion detection systems (IDS) that leverage host-based data sources for detecting attacks on enterprise network. The host-based IDS (HIDS) literature is organized by the input data source, presenting targeted sub-surveys of HIDS research leveraging system logs, audit data, Windows Registry, file systems, and program analysis. While system calls are generally included in audit data, several publicly available system call datasets have spawned a flurry of IDS research on this topic, which merits a separate section. Similarly, a section surveying algorithmic developments that are applicable to HIDS but tested on network data sets is included, as this is a large and growing area of applicable literature. To accommodate current researchers, a supplementary section giving descriptions of publicly available datasets is included, outlining their characteristics and shortcomings when used for IDS evaluation. Related surveys are organized and described. All sections are accompanied by tables concisely organizing the literature and datasets discussed. Finally, challenges, trends, and broader observations are throughout the survey and in the conclusion along with future directions of IDS research.

Cryptography and Security

Faisal Alsakran,Gueltoum Bendiab,Stavros Shiaeles,Nicholas Kolokotronis

DOI: https://doi.org/10.48550/arXiv.2101.06519

2021-01-16

Cryptography and Security

Abstract:Smart homes are one of the most promising applications of the emerging Internet of Things (IoT) technology. With the growing number of IoT related devices such as smart thermostats, smart fridges, smart speaker, smart light bulbs and smart locks, smart homes promise to make our lives easier and more comfortable. However, the increased deployment of such smart devices brings an increase in potential security risks and home privacy breaches. In order to overcome such risks, Intrusion Detection Systems are presented as pertinent tools that can provide network-level protection for smart devices deployed in home environments. These systems monitor the network activities of the smart home-connected de-vices and focus on alerting suspicious or malicious activity. They also can deal with detected abnormal activities by hindering the impostors in accessing the victim devices. However, the employment of such systems in the context of a smart home can be challenging due to the devices hardware limitations, which may restrict their ability to counter the existing and emerging attack vectors. Therefore, this paper proposes an experimental comparison between the widely used open-source NIDSs namely Snort, Suricata and Bro IDS to find the most appropriate one for smart homes in term of detection accuracy and resources consumption including CP and memory utilization. Experimental Results show that Suricata is the best performing NIDS for smart homes

Zouhair Chiba,Noreddine Abghour,Khalid Moussaid,Amina El Omri,Mohamed Rida

DOI: https://doi.org/10.1145/3368756.3369061

2019-10-02

Abstract:With the advent of digital technology, computer networks have developed rapidly at an unprecedented pace contributing tremendously to social and economic development. They have become the backbone for all critical sectors and all the top Multi-National companies. Unfortunately, security threats for computer networks have increased dramatically over the last decade being much brazen and bolder. Indeed, intrusions or attacks can lead to irreparable damages, information leakage and significant financial losses. Hence, there is a great need for an effective Network Intrusion Detection System (NIDS). In the current study, we propose a hybrid NIDS to detect network attacks in the network environment by monitoring network traffic, thereby achieving a solid line of protection against inside and outside intruders and maintaining performance and service quality. In our NIDS framework, we use Suricata as a signature based detection to uncover known attacks, while for detecting network anomaly, we use Isolation Forest Algorithm (IFA). By applying Suricata prior to the IFA classifier, IFA has to detect only unknown attacks. Therefore, detection time is reduced and computational power is saved. Suricata is an open source IDS, which has been advanced as a multi-threaded alternative to popular Snort IDS. The major benefits of a multi-threaded design is that it offers increased speed and efficiency in network traffic analysis and can also help divide up the IDS workload based on where the processing needs are. Consequently, Suricata shows an increase in accuracy and system performance over the de facto standard, single threaded NIDS Snort. While, IFA is one of the newest approaches to detect anomalies/outliers, which introduces the use of isolation as a more effective and efficient means to recognize anomalies than the popularly used basic distance and density measures. In fact, IFA uses no distance or density measures to identify outliers, this eliminates major computational cost of distance calculation in all distance-based and density-based algorithms. Additionally, IFA has a low constant in its computational complexity. Moreover, in this framework, the NIDSs operate in collaborative way to oppose attacks by sharing alerts stored in central log. In this way, unknown attacks that were detected by any NIDS can easily be detected by others IDSs. This also helps to reduce computational cost for detecting intrusions at others NIDSs, and improve detection rate in overall the network environment.

Robert Mitchell,Ing-Ray Chen

DOI: https://doi.org/10.1145/2542049

IF: 16.6

2014-04-01

ACM Computing Surveys

Abstract:Pervasive healthcare systems, smart grids, and unmanned aircraft systems are examples of Cyber-Physical Systems (CPSs) that have become highly integrated in the modern world. As this integration deepens, the importance of securing these systems increases. In order to identify gaps and propose research directions in CPS intrusion detection research, we survey the literature of this area. Our approach is to classify modern CPS Intrusion Detection System (IDS) techniques based on two design dimensions: detection technique and audit material. We summarize advantages and drawbacks of each dimension’s options. We also summarize the most and least studied CPS IDS techniques in the literature and provide insight on the effectiveness of IDS techniques as they apply to CPSs. Finally, we identify gaps in CPS IDS research and suggest future research areas.

computer science, theory & methods