Search results

1 – 10 of 388
Book part
Publication date: 29 May 2023

Divya Nair and Neeta Mhavan

Abstract

A zero-day vulnerability is a complimentary ticket to the attackers for gaining entry into the network. Thus, there is a necessity to devise appropriate threat detection systems and establish an innovative and safe solution that prevents unauthorised intrusions for defending various components of cybersecurity. We present a survey of recent Intrusion Detection Systems (IDS) in detecting zero-day vulnerabilities based on the following dimensions: types of cyber-attacks, datasets used and kinds of network detection systems.

Purpose: The study focuses on presenting an exhaustive review on the effectiveness of the recent IDS with respect to zero-day vulnerabilities.

Methodology: Systematic exploration was done at the IEEE, Elsevier, Springer, RAID, ESORICS, Google Scholar, and other relevant platforms of studies published in English between 2015 and 2021 using keywords and combinations of relevant terms.

Findings: It is possible to train IDS for zero-day attacks. The existing IDS have strengths that make them capable of effective detection against zero-day attacks. However, they display certain limitations that reduce their credibility. Novel strategies like deep learning, machine learning, fuzzing technique, runtime verification technique, and Hidden Markov Models can be used to design IDS to detect malicious traffic.

Implication: This paper explored and highlighted the advantages and limitations of existing IDS, enabling the selection of the best possible IDS to protect the system. Moreover, the comparison between signature-based and anomaly-based IDS exemplifies that one viable approach to accurately detect zero-day vulnerabilities would be the integration of a hybrid mechanism.

Details

Smart Analytics, Artificial Intelligence and Sustainable Performance Management in a Global Digitalised Economy
Type: Book
ISBN: 978-1-80382-555-7

Article
Publication date: 1 February 2004

A.S. Sodiya, H.O.D. Longe and A.T. Akinwale

Abstract

Researchers have used many techniques in designing intrusion detection systems (IDS) and yet we still do not have an effective IDS. The interest in this work is to combine techniques of data mining and expert systems in designing an effective anomaly‐based IDS. Combining methods may give better coverage, and make the detection more effective. The idea is to mine system audit data for consistent and useful patterns of user behaviour, and then keep these normal behaviours in profiles. An expert system is used as the detection system that recognizes anomalies and raises an alarm. The evaluation of the intrusion detection system design was carried out to justify the importance of the work.

Details

Information Management & Computer Security, vol. 12 no. 1
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 1 February 2005

A.S. Sodiya, H.O.D. Longe and A.T. Akinwale

Abstract

Purpose

The goal of our work is to discuss the fundamental issues of privacy and anomaly‐based intrusion detection systems (IDS) and to design an efficient anomaly‐based intrusion IDS architecture where users' privacy is maintained.

Design/methodology/approach

In this work, any information that can link intrusion detection activity to a user is encrypted so as to pseudonymize the sensitive information. A database of encrypted information would then be created, which becomes the source database for the IDS. The design makes use of a dynamic key generation algorithm that generates keys randomly when an intrusion is detected. The keys are only released when an intrusion occurs and immediately swapped to protect harm access to the mapping database.

Findings

The result after testing the new privacy maintained IDS architecture on an application package shows greater improvement over the ordinary IDSs. Privacy complaints reduced considerably from between 8 and 16 per week to about 1‐2.

Research limitations/implications

We only tested the new privacy maintained IDS on a package; it would also be interesting to test the design on some other systems. There is a possibility that time to detection would increase because of the encryption/decryption part of the new design. All the same, we have designed an IDS architecture where the privacy of users on the systems is guaranteed.

Practical implications

This work provides a background for researchers in IDS and it requires further improvements and extensions.

Originality/value

The work shows that it is possible to design an IDS architecture for maintaining privacy of users on the network. The result shows the originality of the new design.

Details

Information Management & Computer Security, vol. 13 no. 1
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 4 April 2008

C.I. Ezeife, Jingyu Dong and A.K. Aggarwal

Abstract

Purpose

The purpose of this paper is to propose a web intrusion detection system (IDS), SensorWebIDS, which applies data mining, anomaly and misuse intrusion detection on web environment.

Design/methodology/approach

SensorWebIDS has three main components: the network sensor for extracting parameters from real‐time network traffic, the log digger for extracting parameters from web log files and the audit engine for analyzing all web request parameters for intrusion detection. To combat web intrusions like buffer overflow attacks, SensorWebIDS utilizes an algorithm based on the standard deviation (δ) theory's empirical rule of 99.7 percent of data lying within 3δ of the mean, to calculate the possible maximum value length of input parameters. An association rule mining technique is employed for mining the frequent parameter list and their sequential order to identify intrusions.

Findings

Experiments show that the proposed system has a higher detection rate for web intrusions than SNORT and mod security for such classes of web intrusions as cross‐site scripting, SQL‐Injection, session hijacking, cookie poisoning, denial of service, buffer overflow, and probe attacks.

Research limitations/implications

Future work may extend the system to detect intrusions implanted with hacking tools and not through straight HTTP requests or intrusions embedded in non‐basic resources like multimedia files and others, track illegal web users with their prior web‐access sequences, implement minimum and maximum values for integer data, and automate the process of pre‐processing training data so that it is clean and free of intrusion for accurate detection results.

Practical implications

Web service security, as a branch of network security, is becoming more important as more business and social activities are moved online to the web.

Originality/value

Existing network IDSs are not directly applicable to web intrusion detection, because these IDSs are mostly sitting on the lower (network/transport) level of network model while web services are running on the higher (application) level. Proposed SensorWebIDS detects XSS and SQL‐Injection attacks through signatures, while other types of attacks are detected using association rule mining and statistics to compute frequent parameter list order and their maximum value lengths.

Details

International Journal of Web Information Systems, vol. 4 no. 1
Type: Research Article
ISSN: 1744-0084

Article
Publication date: 1 May 1999

Rod Hart, Darren Morgan and Hai Tran

Abstract

Defines and categorizes the types of intrusions that can be made on information systems. Characterizes a good intrusion detection system and examines and compares commercial intrusion detection products. Reports on continuing intrusion detection.

Details

Information Management & Computer Security, vol. 7 no. 2
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 15 March 2013

Teodor Sommestad and Amund Hunstad

Abstract

Purpose

The expertise of a system administrator is believed to be important for effective use of intrusion detection systems (IDS). This paper examines two hypotheses concerning the system administrators' ability to filter alarms produced by an IDS by comparing the performance of an IDS to the performance of a system administrator using the IDS.

Design/methodology/approach

An experiment was constructed where five computer networks are attacked during four days. The experiment assessed the difference between the output of a system administrator using an IDS and the output of the IDS alone. The administrator's analysis process was also investigated through interviews.

Findings

The experiment shows that the system administrator analysing the output from the IDS significantly improves the portion of alarms corresponding to attacks, without significantly decreasing the probability that an attack is detected. In addition, an analysis is made of the types of expertise that are used when output from the IDS is processed by the administrator.

Originality/value

Previous work, based on interviews with system administrators, has suggested that competent system administrators are important in order to achieve effective IDS solutions. This paper presents a quantitative test of the value system administrators add to the intrusion detection solution.

Details

Information Management & Computer Security, vol. 21 no. 1
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 1 December 2003

Joseph S. Sherif and Rod Ayers

Abstract

This paper is part II of a previous article of the same title: Intrusion detection. Part II is concerned with intrusion threats, attacks, defense, models, methods and systems.

Details

Information Management & Computer Security, vol. 11 no. 5
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 10 November 2014

Ammar Alazab, Michael Hobbs, Jemal Abawajy, Ansam Khraisat and Mamoun Alazab

Abstract

Purpose

The purpose of this paper is to mitigate vulnerabilities in web applications; security detection and prevention are the most important mechanisms for security. However, most existing research focuses on how to prevent an attack at the web application layer, with less work dedicated to setting up a response action if a possible attack happened.

Design/methodology/approach

A combination of a Signature-based Intrusion Detection System (SIDS) and an Anomaly-based Intrusion Detection System (AIDS), namely, the Intelligent Intrusion Detection and Prevention System (IIDPS).

Findings

After evaluating the new system, a better result was generated in line with detection efficiency and the false alarm rate. This demonstrates the value of direct response action in an intrusion detection system.

Research limitations/implications

Data limitation.

Originality/value

The contributions of this paper are to first address the problem of web application vulnerabilities. Second, to propose a combination of an SIDS and an AIDS, namely, the IIDPS. Third, this paper presents a novel approach by connecting the IIDPS with a response action using fuzzy logic. Fourth, use the risk assessment to determine an appropriate response action against each attack event. Combining the system provides a better performance for the Intrusion Detection System, and makes the detection and prevention more effective.

Details

Information Management & Computer Security, vol. 22 no. 5
Type: Research Article
ISSN: 0968-5227

Open Access
Article
Publication date: 18 July 2022

Youakim Badr

Abstract

Purpose

In this research, the authors demonstrate the advantage of reinforcement learning (RL) based intrusion detection systems (IDS) to solve very complex problems (e.g. selecting input features, considering scarce resources and constraints) that cannot be solved by classical machine learning. The authors include a comparative study to build intrusion detection based on statistical machine learning and representational learning, using knowledge discovery in databases (KDD) Cup99 and Installation Support Center of Expertise (ISCX) 2012.

Design/methodology/approach

The methodology applies a data analytics approach, consisting of data exploration and machine learning model training and evaluation. To build a network-based intrusion detection system, the authors apply dueling double deep Q-networks architecture enabled with costly features, k-nearest neighbors (K-NN), support-vector machines (SVM) and convolution neural networks (CNN).

Findings

Machine learning-based intrusion detection is trained on historical datasets, which leads to model drift and lack of generalization, whereas RL is trained with data collected through interactions. RL is bound to learn from its interactions with a stochastic environment in the absence of a training dataset, whereas supervised learning simply learns from collected data and requires less computational resources.

Research limitations/implications

All machine learning models have achieved high accuracy values and performance. One potential reason is that both datasets are simulated, and not realistic. It was not clear whether a validation was ever performed to show that data were collected from real network traffic.

Practical implications

The study provides guidelines to implement IDS with classical supervised learning, deep learning and RL.

Originality/value

The research applied the dueling double deep Q-networks architecture enabled with costly features to build network-based intrusion detection from network traffic. This research presents a comparative study of reinforcement-based intrusion detection with counterparts built with statistical and representational machine learning.

Article
Publication date: 9 March 2015

Ahmed Ahmim and Nacira Ghoualmi Zine

Abstract

Purpose

The purpose of this paper is to build a new hierarchical intrusion detection system (IDS) based on a binary tree of different types of classifiers. The proposed IDS model must possess the following characteristics: combine a high detection rate and a low false alarm rate, and classify any connection in a specific category of network connection.

Design/methodology/approach

To build the binary tree, the authors cluster the different categories of network connections hierarchically based on the proportion of false-positives and false-negatives generated between each of the two categories. The built model is a binary tree with multi-levels. At first, the authors use the best classifier in the classification of the network connections in category A and category G2 that clusters the rest of the categories. Then, in the second level, they use the best classifier in the classification of G2 network connections in category B and category G3 that represents the different categories clustered in G2 without category B. This process is repeated until the last two categories of network connections. Note that one of these categories represents the normal connection, and the rest represent the different types of abnormal connections.

Findings

The experimentation on the labeled data set for flow-based intrusion detection, NSL-KDD and KDD’99 shows the high performance of the authors' model compared to the results obtained by some well-known classifiers and recent IDS models. The experiments’ results show that the authors' model gives a low false alarm rate and the highest detection rate. Moreover, the model is more accurate than some well-known classifiers like SVM, C4.5 decision tree, MLP neural network and naïve Bayes with accuracy equal to 83.26 per cent on NSL-KDD and equal to 99.92 per cent on the labeled data set for flow-based intrusion detection. As well, it is more accurate than the best of related works and recent IDS models with accuracy equal to 95.72 per cent on KDD’99.

Originality/value

This paper proposes a novel hierarchical IDS based on a binary tree of classifiers, where different types of classifiers are used to create a high-performance model. Therefore, it confirms the capacity of the hierarchical model to combine a high detection rate and a low false alarm rate.

Details

Information & Computer Security, vol. 23 no. 1
Type: Research Article
ISSN: 2056-4961
