A Multi-Layered Approach to the Design of Intelligent Intrusion Detection and Prevention System (IIDPS)

Abstract

Introduction Considering the reliance of humans on computers and network infrastructures to perform virtually every aspect of day to day activity, there is a critical need for ensuring the reliability and integrity of these infrastructures. According to the National Institute of Standards and Technology, Intrusion is an attempt to compromise the confidentiality, integrity, availability or an attempt to bypass the security mechanisms of a computer or network (Jones & Sielkens, 2000). The reasons for these intrusions could be attempts to steal a company's most valuable information, personal employee and customer information or to use the company's computer resources, etc. For example, the 2003 CSI/FBI (Computer Security Institute/ Federal Bureau of Investigation) Computer Crime and Security Survey reported that participants in the survey lost about $135 million from the theft of proprietary information and denial of service attacks (Cisco Systems, 2004). Recently, Intrusion Detection Systems (IDS) have been used in monitoring attempts to break security, which provides important information for timely countermeasures (Chen, Abraham, & Yang, 2007). Intrusion Detection System (IDS) implements application monitors in the form of a software program to learn and monitor the behavior of system programs in order to detect attacks against computer hosts. Existing IDSs are built with either signature-based or anomaly-based system, Signature matching is based on a misuse model, this intrusion detection system detects intrusions by looking for activities that corresponds to known intrusion techniques(signatures)or system vulnerabilities while anomaly detection is based on a normal use model (Hwang, Cai, Chen, & Qin, 2007), they detect intrusion by looking for activities that is different from a user's or systems normal behavior. They may be classified into Host-based and Network-based according to the information used by each IDS. A Host-based IDS refers to the class of intrusion that resides on the monitor and the individual host machine, while A Network-based IDS monitors the packets that traverse a given network link (Jones & Sielken, 2000). The system proposed here is a type Host-based intrusion detection systems (HIDSs),these type of systems rely on events collected by the host they monitor .HIDSs can be classified based on the type of audit data they analyze or based on the techniques used to analyze their input. Common classes: * operating system-level intrusion detection systems * application-level intrusion detection systems The system proposed here is an operating system-level intrusion system, because the OS is a trusted entity and it controls access to resources, such as memory and files. Overview of Existing Systems From the literature, there are various works in the field of intrusion detection system. This paper reviews those that are closely related to the proposed work based on the Anomaly and Signature detection approaches and the combination of both. In order to ascertain the efficiency of the new approach, a comparison is drawn between the existing work that have used the combination of both approaches and the new system which shows further improvement over the existing ones. Adaptable Real-time Misuse Detection System (ARMD) (1998) is a host-based misuse detection system. Its pattern of signatures is over a sequence of abstract events and this is tagged MuSig'. This describes conditions that the abstract event attributes must satisfy. Based on the signatures (MuSigs), the available audit trail, and the strategy costs, ARMD uses a strategy generator to automatically generate monitoring strategies to govern the misuse detection process. It employs database query optimization techniques to speed up the processing of audit events. One advantage of ARMD is that knowing the characteristics of the audit trail helps estimate the cost of performing misuse detection and this gives the security officers the opportunity to tune the misuse detection system. …