[ieee 2013 fifth international conference on computational and information sciences (iccis) -...



[IEEE 2013 Fifth International Conference on Computational and Information Sciences (ICCIS) - Shiyang, China (2013.06.21-2013.06.23)] 2013 International Conference on Computational

Research of Intrusion Detection System

Sui Xin
College of Humanities and Sciences of Northeast Normal University, Changchun, China
e-mail: [email protected]

Abstract—Intrusion detection technology is one of the core technologies of dynamic security defense. Together with static security technologies it can form a strong network security system. Firstly, this article introduces the development of intrusion detection systems. Secondly, it introduces the new technologies of intrusion detection systems. Finally, it looks at the prospects for the development of intrusion detection systems.

Keywords- Intrusion detection; active; model; new technology; prospect

I. INTRODUCTION

With the rapid development of information technology and networks, computer and network security issues have become more complex, and network security has become essential. There are a variety of defects, large and small, in areas such as the Internet Protocol, management and services, as well as design flaws in the software of the systems themselves. Network attackers can exploit these vulnerabilities to carry out intrusion attacks over the Internet. According to the annual year-end report of the United States Computer Emergency Response Team, the number of computer security incidents has shown an upward trend, and the number of major security events is greater than ever before. Network security problems should not be ignored.

II. THE DEVELOPMENT OF INTRUSION DETECTION SYSTEMS

A sound network information system security program consists of four levels: protect, detect, react and detect [1]. Common security measures are only for protection; the major technologies include anti-virus software, firewalls, cryptography, authentication technologies and so on. These preventive measures can cope with most security threats, but every security product has some disadvantages. The firewall itself is vulnerable to attack, and it is often helpless against many network security issues. A firewall applies a static, passive security policy, and static defense alone is far from enough to meet network security requirements.

As early as April 1980, the concept of intrusion detection was first elaborated by James P. Anderson in his paper on network intrusions, Computer Security Threat Monitoring and Surveillance. In 1986, Dorothy Denning of Georgetown University and Peter Neumann of the SRI Computer Science Laboratory researched and designed a real-time intrusion detection system model [2]. ID (Intrusion Detection) refers to monitoring the running state of a system in order to detect attack attempts or attacks, and to detect malicious probes or attacks from all illegal intrusions, internal and external. An IDS (Intrusion Detection System) monitors the whole system and all user activities, identifies attack behaviour, and collects statistics on and analyses abnormal behaviour; its main task is to implement the function of intrusion detection.

Intrusion detection is an important means of achieving database security. An intrusion detection system finds unauthorized or malicious network access behaviour by monitoring the state and activities of the running system, raises an intrusion alert in time and provides an effective basis for intrusion countermeasures.

III. CLASSIFICATION OF INTRUSION DETECTION SYSTEMS

According to different criteria, there are different classifications of IDS. The main classifications are based on the source of information and on the detection technology used. According to the analysis method used for detection, IDS can be divided into two classes: misuse detection and anomaly detection.

A. Misuse Detection

Figure 1. Misuse detection model.

2013 International Conference on Computational and Information Sciences

978-0-7695-5004-6/13 $26.00 © 2013 IEEE

DOI 10.1109/ICCIS.2013.385

1461



The characteristics of known intrusions are specified and compared with the collected information; if the information matches these characteristics, an intrusion has occurred. Misuse detection based on conditional probability is a commonly used intrusion detection technique: using Bayes' theorem we can determine whether an intrusion has taken place. Let the sequence of events be ES, let P denote probability and let I denote an intrusion. The posterior probability that an intrusion has occurred given the observed events is $P(I \mid ES)$, and the probability that the events appear during an intrusion is $P(ES \mid I)$. By Bayes' theorem, $P(I \mid ES) = P(ES \mid I)\,P(I) / P(ES)$, so the value of P(ES) is needed, and it can be calculated as

$$P(ES) = \big(P(ES \mid I) - P(ES \mid \neg I)\big)\,P(I) + P(ES \mid \neg I)$$ [3].
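As an added example (not code from the paper), the following Python estimates P(I), P(ES | I) and P(ES | ¬I) by counting over a constructed, labelled audit log, computes P(ES) with the rearranged total-probability formula above, and scores an observed event sequence with the Bayesian posterior. The event names, the log and the alert threshold of 1/2 are assumptions.

```python
from collections import Counter
from fractions import Fraction

# Constructed, labelled audit log (not from the paper): (event sequence ES, was it an intrusion?)
BRUTE_FORCE = ("login_fail", "login_fail", "login_fail", "login_ok")
NORMAL_READ = ("login_ok", "read_file")
PRIV_WRITE = ("login_ok", "sudo", "write_file")
TRAINING = [
    (BRUTE_FORCE, True), (BRUTE_FORCE, True), (PRIV_WRITE, True),
    (NORMAL_READ, False), (NORMAL_READ, False), (NORMAL_READ, False), (NORMAL_READ, False),
    (BRUTE_FORCE, False), (PRIV_WRITE, False), (PRIV_WRITE, False),
]


def estimate(training):
    """Estimate the prior P(I) and, per sequence, the pair (P(ES|I), P(ES|not I)) by counting."""
    n_int = sum(1 for _, is_int in training if is_int)
    n_norm = len(training) - n_int
    by_int = Counter(es for es, is_int in training if is_int)
    by_norm = Counter(es for es, is_int in training if not is_int)
    likelihoods = {es: (Fraction(by_int[es], n_int), Fraction(by_norm[es], n_norm))
                   for es in set(by_int) | set(by_norm)}
    return Fraction(n_int, len(training)), likelihoods


def p_es(p_es_i, p_es_not_i, p_i):
    """The paper's form of total probability: P(ES) = (P(ES|I) - P(ES|not I)) P(I) + P(ES|not I)."""
    return (p_es_i - p_es_not_i) * p_i + p_es_not_i


def posterior(p_es_i, p_es_not_i, p_i):
    """Bayes' theorem: P(I|ES) = P(ES|I) P(I) / P(ES); with no evidence (P(ES) = 0) keep the prior."""
    total = p_es(p_es_i, p_es_not_i, p_i)
    return p_i if total == 0 else p_es_i * p_i / total


def score(es, prior, likelihoods):
    """Posterior intrusion probability of an observed sequence (unseen sequences carry no evidence)."""
    p_es_i, p_es_not_i = likelihoods.get(es, (Fraction(0), Fraction(0)))
    return posterior(p_es_i, p_es_not_i, prior)


def alert(es, prior, likelihoods, threshold=Fraction(1, 2)):
    """Raise an alert when the posterior exceeds the operator-chosen threshold (assumed 1/2)."""
    return score(es, prior, likelihoods) > threshold


if __name__ == "__main__":
    prior, likes = estimate(TRAINING)
    for es in (BRUTE_FORCE, NORMAL_READ, PRIV_WRITE, ("reboot",)):
        print(es, "P(I|ES) =", score(es, prior, likes), "ALERT" if alert(es, prior, likes) else "ok")
```

Exact fractions are used so that P(ES) computed by the formula can be checked against the plain frequency of the sequence in the log (3/10 for the brute-force sequence).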

B. Anomaly Detection

Anomaly detection technology compares current activities with user profiles; a user profile generally refers to a collection of normal parameters and thresholds. If user activity deviates significantly from normal system behaviour, it is treated as an intrusion. Anomaly detection commonly uses statistical methods. Its biggest feature is that it lets the intrusion detection system learn autonomously, so detection rates and availability are higher.

An alternative identification method analyses the fingerprint information in the packets sent by the target host in order to identify the target host's characteristics.
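An added example (not from the paper) of the statistical user-profile approach described above: the normal mean and variance of each metric are learned online, a session deviating by more than k standard deviations is flagged, and only unflagged sessions refine the profile, which is the autonomous learning the text mentions. The metric names, k = 3, the minimum history of five sessions and the session values are constructed.

```python
import math

# Constructed normal-behaviour sessions for one user (not from the paper), one dict per session.
NORMAL_SESSIONS = [
    {"logins": 1, "mb_out": 5}, {"logins": 2, "mb_out": 7}, {"logins": 1, "mb_out": 6},
    {"logins": 3, "mb_out": 8}, {"logins": 2, "mb_out": 5}, {"logins": 1, "mb_out": 6},
    {"logins": 2, "mb_out": 7},
]


class UserProfile:
    """Per-metric normal parameters (mean, variance) plus a deviation threshold of k std devs."""

    def __init__(self, metrics, k=3.0, min_samples=5):
        self.k = k                      # assumed threshold: flag beyond k standard deviations
        self.min_samples = min_samples  # judge nothing until the profile has enough history
        self.stats = {m: [0, 0.0, 0.0] for m in metrics}  # per metric: n, mean, M2 (Welford)

    def learn(self, session):
        """Fold one session into the running mean/variance of each metric."""
        for m, x in session.items():
            s = self.stats[m]
            s[0] += 1
            delta = x - s[1]
            s[1] += delta / s[0]
            s[2] += delta * (x - s[1])

    def deviation(self, metric, x):
        """Distance of x from the metric's mean, in sample standard deviations."""
        n, mean, m2 = self.stats[metric]
        if n < 2:
            return 0.0
        std = math.sqrt(m2 / (n - 1))
        if std == 0.0:  # constant history: any change at all is a full deviation
            return math.inf if x != mean else 0.0
        return abs(x - mean) / std

    def check(self, session):
        """Return the metrics that deviate beyond k; learn from the session only if none do."""
        seen = min(s[0] for s in self.stats.values())
        flagged = []
        if seen >= self.min_samples:
            flagged = [m for m, x in session.items() if self.deviation(m, x) > self.k]
        if not flagged:
            self.learn(session)  # autonomous learning from activity judged normal
        return flagged


def train(sessions, metrics=("logins", "mb_out")):
    """Build a profile from a history of sessions and return it."""
    profile = UserProfile(metrics)
    for s in sessions:
        profile.check(s)
    return profile


if __name__ == "__main__":
    p = train(NORMAL_SESSIONS)
    print(p.check({"logins": 40, "mb_out": 6}))  # a burst of logins deviates; flagged
```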

IV. NEW TECHNOLOGIES FOR INTRUSION DETECTION SYSTEMS

The main research directions of intrusion detection technology are to apply research results from other fields to intrusion detection systems, gradually integrating them with various other security technologies.

A. Biological Immune Technology

The immune system of an organism exists primarily to preserve the organism itself by defeating viruses or bacteria from the outside world. Its function is very close to the role of an IDS: both belong to a defense system. The processes of organism immunity and computer intrusion detection are contrasted in Figure 3.

An intrusion detection system based on biological immunity uses the negative selection algorithm [4]. The core of the algorithm is to encode the object characteristics and produce a set of detectors; intrusions and attacks are then discovered on the basis of negative selection. Such an intrusion detection system has strong learning ability and great adaptive capacity, and can detect many unknown types of intrusions and attacks.

B. Distributed Collaborative Technology
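As an added illustration of the negative selection algorithm the paper mentions (not code from the paper), the following Python enumerates candidate detectors, discards every candidate that matches a "self" (normal) pattern under r-contiguous-bit matching, and flags a sample when a surviving detector matches it. The 8-bit encoding of behaviour, the self set, R = 4 and the exhaustive candidate enumeration (real systems generate candidates randomly against a much larger self set) are assumptions.

```python
from itertools import product

R = 4  # r-contiguous-bits match length (assumed parameter; the paper gives none)


def matches(a, b, r=R):
    """r-contiguous matching: a and b agree on at least r consecutive positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def negative_selection(self_set, length, r=R):
    """Keep every candidate that matches no self string; the survivors are the detectors."""
    candidates = ("".join(bits) for bits in product("01", repeat=length))
    return [c for c in candidates if not any(matches(c, s, r) for s in self_set)]


def detect(sample, detectors, r=R):
    """A sample is reported as non-self when any detector matches it."""
    return any(matches(d, sample, r) for d in detectors)


# Constructed self set: hypothetical 8-bit encodings of normal behaviour (not from the paper).
SELF = ["00000000", "00000001", "00010000", "00100010"]
DETECTORS = negative_selection(SELF, 8)

if __name__ == "__main__":
    print(len(DETECTORS), "detectors survive negative selection")
    # "00000010" differs from self in one bit: every 4-bit window of it occurs in some self
    # string, so no detector can cover it. Such "holes" are a known limit of the method.
    for s in ["00000000", "11111111", "00000010"]:
        print(s, "non-self" if detect(s, DETECTORS) else "self or undetected")
```

The last sample in the demonstration is a one-bit variant of a self string that no detector can cover: near-self anomalies slip through, which is why detector count, r and the encoding must be tuned against the real self set.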

Distributed intrusion detection has two meanings: intrusion detection technology for distributed networks, and the use of distributed methods to detect distributed attacks. The key technologies are collaboration over detection information, secure information sharing and effective extraction of the useful information about intrusion attacks.

Under normal circumstances, a distributed intrusion detection system is made up of five units; its structure is shown in Figure 4.

Figure 4. Distributed intrusion detection system structure.

Distributed detection based on protocol analysis technology can better solve the problems of heavy computation and low efficiency that result from the use of traditional intrusion detection technology [5].

Figure 2. Anomaly detection model.

Figure 3. The processes of organism immunity and intrusion detection system.

C. Data Mining Technology

Data mining refers to extracting useful knowledge from databases. Knowledge can be represented as concepts, rules, models and other forms. Data mining technology processes the collected audit data, extracts relevant knowledge and forms the corresponding rules. Taking advantage of this technology, precise patterns of behaviour can be established, and the IDS uses these behaviour patterns to implement intrusion detection across the entire network. The technology can make up for some attack detection methods that are difficult in a traditional distributed intrusion detection system, thereby increasing the detection rate of the IDS.

V. INTRUSION DETECTION PRODUCTS

In recent years, with the rapid development of intrusion detection systems, Internet Security Systems, Cisco, Intrusion Detection and other companies have launched intrusion detection system products.

A. Model of Open Source Snort

In 1998 Martin Roesch developed the open source Snort intrusion detection system, which is written in the C language. Snort is a lightweight, portable, capable and powerful network intrusion detection system.

Figure 5. Snort system structure.

B. SkyBell of Venustech

The SkyBell intrusion detection system is a network security product developed by Venustech. It consists of a software edition of the intrusion detection control center and a hardware intrusion detection engine. Its main architecture is shown in Figure 6.

VI. THE DEVELOPMENT TREND OF INTRUSION DETECTION SYSTEMS

Currently, network attack methods are developing from single execution to distributed. Network intrusions and attacks keep expanding. Intruders often use a variety of intrusion methods, and both their concealment and the extent of the damage they cause are growing.

• The architecture of IDS is changing towards cooperation.
• Response is shifting from passive to active.
• IPv6 is a target direction.
• To improve the efficiency of intrusion detection, newer and better algorithms should be developed and designed.
• More generic evaluation methods for testing and evaluating intrusion detection systems should be developed.

VII. CONCLUDING REMARKS

The intrusion detection system is called the second gate of security and is a very useful addition to the firewall. It adopts a proactive security policy and can effectively identify abusive behaviour by legitimate users and all infringements by illegal users.

Current intrusion detection systems apply a variety of technical methods comprehensively and with intelligence, reducing the missed-alarm rate and the false-alarm rate, and show a vigorous development trend.

Attacks on networks are becoming more common, and attack techniques are increasingly uncertain. Intrusion behaviour becomes ever more complicated and varied. Intrusion detection systems face many new problems, such as further analysis of detection results, real-time response to intrusions, IDS self-learning, their own security, and so on.

Although some technical problems remain to be overcome, intrusion detection technologies are steadily being updated and maturing as attack technologies continue to become more sophisticated.

Figure 6. Main architecture of SkyBell IDS.

REFERENCES

[1] Qing Si-han. Cryptography and Network Security [M]. Beijing: Tsinghua University Press, 2009.
[2] Denning D. An Intrusion Detection Model [J]. IEEE Transactions on Software Engineering, February 1987(2), p. 222.
[3] Ge Yan-qiang. Practical Computer Network Security Technology. Beijing: Publishing House of China Water Resources and Hydropower, 2010.
[4] Marrack P, Kappler J W. How the Immune System Recognizes the Body [J]. Scientific American, 2003, 269(3), pp. 80-90.
[5] Qu Xiao-hong. Research on distributed intrusion detection system based on protocol analysis. Anti-counterfeiting, Security and Identification in Communication, 2009 (ASID 2009), 3rd International Conference on, 20-22 Aug. 2009.