A vision on a methodology for the application of an Intrusion Detection System for satellites
The security of satellites has become critical in recent years due to their important role in modern society. However, numerous challenges, including limited computing resources, evolving cyber threats, and the isolated nature of satellites, hinder the development of effective security solutions. Different solutions should be implemented and combined to protect space assets: encryption, access control, zero-trust architecture, etc. This vision presents the challenges and aspects to consider for implementing an Intrusion Detection System (IDS) tailored to improve the security of satellite systems. Our approach uses a multi-level structure to define rule-based and machine-learning security approaches that address the challenges associated with different mission types. By strategically placing IDS components and considering the trade-offs of each location, we improve detection reliability. Additionally, we present an ontology-based method for visualizing the IDS configuration, which provides clear insight into system capabilities, enhances situational awareness, and facilitates identification and response to potential threats. We also provide strategies for updating the IDS while maintaining efficiency and security. This vision helps improve the cybersecurity measures of satellite operations and increase their resilience to cyberattacks.
- Research Article
17
- 10.28945/1086
- Jan 1, 2009
- Issues in Informing Science and Information Technology
Introduction
Considering the reliance of humans on computers and network infrastructures to perform virtually every aspect of day-to-day activity, there is a critical need for ensuring the reliability and integrity of these infrastructures. According to the National Institute of Standards and Technology, an intrusion is an attempt to compromise the confidentiality, integrity or availability of a computer or network, or an attempt to bypass its security mechanisms (Jones & Sielken, 2000). The reasons for these intrusions could be attempts to steal a company's most valuable information or personal employee and customer information, or to use the company's computer resources, etc. For example, the 2003 CSI/FBI (Computer Security Institute/Federal Bureau of Investigation) Computer Crime and Security Survey reported that participants in the survey lost about $135 million from the theft of proprietary information and denial of service attacks (Cisco Systems, 2004). Recently, Intrusion Detection Systems (IDS) have been used to monitor attempts to break security, which provides important information for timely countermeasures (Chen, Abraham, & Yang, 2007). An Intrusion Detection System (IDS) implements application monitors in the form of a software program that learns and monitors the behavior of system programs in order to detect attacks against computer hosts. Existing IDSs are built as either signature-based or anomaly-based systems. Signature matching is based on a misuse model: this kind of intrusion detection system detects intrusions by looking for activities that correspond to known intrusion techniques (signatures) or system vulnerabilities. Anomaly detection is based on a normal-use model (Hwang, Cai, Chen, & Qin, 2007): these systems detect intrusions by looking for activities that differ from a user's or system's normal behavior. IDSs may also be classified into host-based and network-based according to the information used by each IDS.
A host-based IDS refers to the class of intrusion detection that resides on, and monitors, the individual host machine, while a network-based IDS monitors the packets that traverse a given network link (Jones & Sielken, 2000). The system proposed here is a type of host-based intrusion detection system (HIDS); these systems rely on events collected by the host they monitor. HIDSs can be classified based on the type of audit data they analyze or based on the techniques used to analyze their input. Common classes:
* operating system-level intrusion detection systems
* application-level intrusion detection systems
The system proposed here is an operating system-level intrusion detection system, because the OS is a trusted entity and it controls access to resources such as memory and files.
Overview of Existing Systems
From the literature, there are various works in the field of intrusion detection systems. This paper reviews those that are closely related to the proposed work, based on the anomaly and signature detection approaches and the combination of both. In order to ascertain the efficiency of the new approach, a comparison is drawn between the existing works that have used the combination of both approaches and the new system, which shows further improvement over the existing ones. The Adaptable Real-time Misuse Detection System (ARMD) (1998) is a host-based misuse detection system. Its signature patterns are defined over a sequence of abstract events and are tagged 'MuSig'; a MuSig describes conditions that the abstract event attributes must satisfy. Based on the signatures (MuSigs), the available audit trail, and the strategy costs, ARMD uses a strategy generator to automatically generate monitoring strategies to govern the misuse detection process. It employs database query optimization techniques to speed up the processing of audit events.
One advantage of ARMD is that knowing the characteristics of the audit trail helps estimate the cost of performing misuse detection and this gives the security officers the opportunity to tune the misuse detection system. …
- Book Chapter
6
- 10.1016/b978-0-12-394397-2.00026-x
- Jan 1, 2013
- Computer and Information Security Handbook
Chapter 26 - Intrusion Prevention and Detection Systems
- Book Chapter
8
- 10.1016/b978-0-12-416688-2.00005-2
- Jan 1, 2013
- Managing Information Security
Chapter 5 - Intrusion Prevention and Detection Systems
- Conference Article
4
- 10.1109/icnwc57852.2023.10127442
- Apr 5, 2023
Traffic classification is an automated technique that divides computer network traffic into several categories depending on different factors like protocol or port number. In a complicated context, traffic categorization is an important tool for network and system security. A monitoring system called intrusion detection looks for abnormal activity and sends out notifications. In order to safeguard a system from network-based attacks, Network Intrusion Detection Systems (NIDS) play a crucial role in monitoring and analyzing network traffic. Active and passive intrusion detection systems (IDS), network intrusion detection systems (NIDS), host intrusion detection systems (HIDS), knowledge-based (signature-based) IDS, and behavior-based (anomaly-based) IDS are some of the numerous types of intrusion detection systems (IDS). A passive IDS is designed only to monitor and analyze network traffic behaviour and notify an operator of potential vulnerabilities and attacks, whereas an active IDS is also known as an Intrusion Detection and Prevention System. A network's malicious traffic is identified using a network-based intrusion detection system (NIDS). A host-based IDS monitors system activity and looks for indications of abnormal behaviour. For networks with unidentified traffic, the intrusion detection system designed using flow and payload statistical characteristics and a clustering approach needs additional clusters. The present intrusion detection system, however, is affected by false alarm rate, poor detection rate, imbalanced datasets and response time, which lead to misclassification of intrusions in various scenarios. Hence, there is a requirement for developing an automated intrusion detection system that works well in different scenarios. The proposed system uses supervised and unsupervised intrusion detection and classification methods to increase the classification accuracy.
To categorize the intrusions, dimensionality reduction strategies are used in conjunction with the classification procedure of logistic regression. The performance of the intrusion detection system using PCA as the dimensionality reduction algorithm has been evaluated with different classifiers such as Logistic Regression (LR), K-Nearest Neighbors (K-NN), Random Forest (RF), Support Vector Machine (Kernel SVM) and Decision Tree (DT) using the CIC IDS 2022 dataset. An automated way to detect intrusions has been proposed with cluster formation using an adaptive weight butterfly optimization algorithm.
- Book Chapter
16
- 10.1007/978-3-031-26845-8_3
- Jan 1, 2023
Intrusion detection and prevention are security measures used to detect and prevent cybersecurity risks to computer systems, networks, infrastructure resources, and others. Intrusion detection and prevention systems automatically detect and respond to cybersecurity risks in order to reduce potential risks through threat event attacks. They use different methods for a successful execution. In this context, the signature-based approach that corresponds to known threat event attacks is used, or the anomaly-based detection that compares definitions of what activity is considered normal against observed threat event attacks, to identify significant deviations. Other methods are the stateful protocol analysis, which compares predetermined profiles of generally accepted definitions of benign protocol activities for each protocol state against observed events, to identify deviations, or the hybrid system approach that combines some or all of the other methodologies to detect and respond to cybersecurity risks, and others. However, intrusion detection and prevention system architectures require distinct decisions about the essential methodology used and the deployed system architecture. Against this background, this chapter seeks to offer a clear explanation of the respective methodologies and to compare these methodologies with regard to effectivity and efficiency. This requires (i) a discussion regarding the importance of intrusion detection and prevention to combat threat event attack risks, i.e. malicious threat event attacks, by logging information about them and attempting to stop them, and (ii) reporting the identified malicious threat event attacks to the cybersecurity response team.
Furthermore, investigation of threat event attacks is done, because threat event actors seek out computer systems, networks, and infrastructure resources to exploit vulnerabilities and to attack, causing serious problems for the targeted industrial, public, and private organizations. Therefore, Intrusion Detection and Prevention Systems (IDPSs) are a valuable approach in keeping information systems secure against malicious threat event attack risks by monitoring, analyzing, and responding to possible cybersecurity violations against computer systems, networks, or infrastructure resources. The violations may result from attempts by unauthorized intruders that try to compromise the computer systems, networks, infrastructure resources, and others. These intruders can be privileged internal users that misuse their authority, or external single cyberattackers or attacker groups. In this context, Chap. 3 introduces in Sect. 3.1 the specific background of intrusion detection methods and in Sect. 3.1.1 the specific characteristics and capabilities of the different intrusion detection forms and their advantages and disadvantages. Thus, anomaly detection is part of Sect. 3.1.2, while Sect. 3.1.3 refers to misuse intrusion detection, and Sect. 3.1.4 focuses on advantages and disadvantages of anomaly and misuse intrusion detection forms. Section 3.1.5 refers to Specification-based Intrusion Detection, which combines the strengths of anomaly and misuse detection, and Sect. 3.1.6 refers to the characteristics of intrusion detection types. The focus of Sect. 3.1.7 is on intrusion detection systems and their architecture. In this sense, Sect. 3.2 focuses on intrusion prevention, whereby Sect. 3.2.1 describes the intrusion prevention system, while Sect. 3.2.2 focuses on the architecture of the intrusion prevention system.
Section 3.3 refers to the intrusion detection and prevention system architecture and the respective performance measures as constraints for the proof-of-concept approach. Section 3.4 introduces the intrusion detection capability metric, which includes the necessity of developing the respective detection approach to detect known and unknown threat event attacks. Finally, Sect. 3.5 summarizes the intrusion detection and intrusion prevention approaches, concerning a stable and resilient system operation. Section 3.6 contains comprehensive questions on the topics of intrusion detection and intrusion prevention methodologies and architectures, while the reference section refers to references for further reading.
- Research Article
13
- 10.14569/ijacsa.2020.0111283
- Jan 1, 2020
- International Journal of Advanced Computer Science and Applications
The Internet of things (IoT) is an emerging paradigm that integrates several technologies. An IoT network consists of many interconnected devices that include various sensors, actuators, services and other communicable objects. The increasing demand for IoT and its services has created several security vulnerabilities. Conventional security approaches like intrusion detection systems do not meet the expectation of fulfilling the security challenges of IoT networks, due to the conventional technologies used in them. This article presents a survey of intrusion detection and prevention systems (IDPS), using state-of-the-art technologies, in the context of IoT security. An IDPS consists of two parts: an intrusion detection system and an intrusion prevention system. An intrusion detection system (IDS) is used to detect and analyze both inbound and outbound network traffic for malicious activities. An intrusion prevention system (IPS) can be aligned with an IDS by proactively inspecting a system's incoming traffic to mitigate harmful requests. The alignment of IDS and IPS is known as an intrusion detection and prevention system (IDPS). The amalgamation of new technologies, like software-defined networking (SDN), machine learning (ML), and manufacturer usage description (MUD), in IDPS is taking security to the next level. In this study IDPS and its performance benefits are analyzed in the context of IoT security. This survey describes all these prominent technologies in detail and their integrated applications to complement IDPS in the IoT network. Future research directions and challenges of IoT security are elaborated at the end.
- Research Article
146
- 10.1016/j.adhoc.2023.103320
- Oct 10, 2023
- Ad Hoc Networks
Blockchain and federated learning-based intrusion detection approaches for edge-enabled industrial IoT networks: a survey
- Research Article
- 10.1002/itl2.70128
- Feb 23, 2026
- Internet Technology Letters
The rapid evolution of 6G networks has brought unprecedented security challenges. These challenges, especially segmented attacks (SA), exploit network susceptibilities, so advanced detection and mitigation methods are needed to ensure robust security. The limited potential of the feature extraction (FE) and feature classification of intrusion detection (ID) systems (IDS) may result in a lack of real-time (RT) adaptability, and such an IDS also fails to detect advanced segmentation-based threats accurately. For 6G networks, an AI-driven intrusion detection system (IDS) with deep packet inspection (AI-IDS-DSP) is suggested in this paper to overcome those limitations. Digital signal processing (DSP) techniques are also integrated into the suggested method to help analyze signal anomalies; those DSP methods include wavelet transforms (WT) and Fourier transforms (FT). A hybrid AI model (CNN + Transformer) is then used by the suggested method for anomaly detection (AD). The application of reinforcement learning (RL) may enhance adaptive security measures in RT. Finally, sensitive financial transactions are secured by the suggested robust network security (NS) method. This suggested NS application helps prevent single account (SA) issues and offers proactive detection. Data integrity (DI) in university financial management systems was also implemented by this suggested NS method.
- Research Article
33
- 10.1108/imcs-02-2013-0007
- Nov 10, 2014
- Information Management & Computer Security
Purpose – The purpose of this paper is to mitigate vulnerabilities in web applications; security detection and prevention are the most important mechanisms for security. However, most existing research focuses on how to prevent an attack at the web application layer, with less work dedicated to setting up a response action if a possible attack happens.
Design/methodology/approach – A combination of a Signature-based Intrusion Detection System (SIDS) and an Anomaly-based Intrusion Detection System (AIDS), namely, the Intelligent Intrusion Detection and Prevention System (IIDPS).
Findings – After evaluating the new system, a better result was obtained in terms of detection efficiency and the false alarm rate. This demonstrates the value of a direct response action in an intrusion detection system.
Research limitations/implications – Data limitation.
Originality/value – The contributions of this paper are, first, to address the problem of web application vulnerabilities; second, to propose a combination of an SIDS and an AIDS, namely, the IIDPS; third, to present a novel approach by connecting the IIDPS with a response action using fuzzy logic; and fourth, to use risk assessment to determine an appropriate response action against each attack event. Combining the systems provides better performance for the Intrusion Detection System, and makes detection and prevention more effective.
- Conference Article
33
- 10.1109/icoac.2013.6921946
- Dec 1, 2013
An Intrusion Detection System (IDS) monitors the events that occur in a system or network and processes them for possible intrusions, whereas an Intrusion Prevention System (IPS) has the capability to attempt to stop such possible intrusions. Combining the two systems results in an IDPS, which not only detects attacks but also prevents such attacks from occurring in the network. Distributed Denial of Service (DDoS) attacks are the major concern for security in collaborative networks. Although non-DDoS attacks also degrade network performance, the effect of DDoS attacks is severe. In a DDoS attack, a particular node is flooded as the victim and jammed with massive traffic, and the performance of the complete network is affected. In this paper, a novel Intrusion Detection and Prevention System is designed which detects flooding DDoS attacks based on FireCol and prevents the attacks based on a Dynamic Growing Self-Organizing Tree (DGSOT) for collaborative networks. Simulation results show that DGSOT with FireCol (DGSOT-FC) produces a better intrusion detection and prevention system. Performance metrics based on the parameters delay and energy conservation are better in DGSOT-FC than in traditional IDPS systems.
- Research Article
90
- 10.1109/access.2020.2994931
- Jan 1, 2020
- IEEE Access
Machine learning techniques are becoming mainstream in intrusion detection systems as they allow real-time response and have the ability to learn and adapt. By using a comprehensive dataset with multiple attack types, a well-trained model can be created to improve the anomaly detection performance. However, high-dimensional data present a significant challenge for machine learning techniques. Processing similar features that provide redundant information increases the computational time, which is a critical problem especially for users with constrained resources (battery, energy). In this paper, we propose two models for an intrusion detection and classification scheme, Trust-based Intrusion Detection and Classification System (TIDCS) and Trust-based Intrusion Detection and Classification System-Accelerated (TIDCS-A), for secure networks. TIDCS reduces the number of features in the input data based on a new algorithm for feature selection. Initially, the features are grouped randomly to increase the probability of their participating in the generation of different groups, and sorted based on their accuracy scores. Only the high-ranked features are then selected to obtain a classification for any received packet from the nodes in the network, which is saved as part of the node's past performance. TIDCS proposes a periodic system cleansing where trust relationships between participant nodes are evaluated and renewed periodically. TIDCS-A proposes a dynamic algorithm to compute the exact time for nodes' cleansing states and restricts the exposure window of the nodes. The final classification decision for both models is estimated by incorporating the node's past behavior with the machine learning algorithm. Any detected attack reduces the trustworthiness of the nodes involved, leading to a dynamic system cleansing.
An evaluation of TIDCS and TIDCS-A using the NSL-KDD and UNSW datasets shows that both models can detect malicious behaviors, providing higher accuracy and detection rates and lower false alarm rates than state-of-the-art techniques. For instance, for the UNSW dataset, the detection accuracy is 91% for TIDCS, 83.47% using online AODE, 88% for CADF, 90% for EDM, 90% for TANN and 69.6% for NB. Consequently, TIDCS has better performance than the state-of-the-art techniques in terms of detection accuracy, while providing good detection and false alarm rates.
- Research Article
37
- 10.1038/s41598-024-81151-1
- Dec 17, 2024
- Scientific Reports
The novelty and growing sophistication of cyber threats mean that highly accurate and interpretable machine learning models are needed more than ever before for Intrusion Detection and Prevention Systems. This study aims to solve this challenge by applying Explainable AI techniques, including Shapley Additive explanations feature selection, to improve model performance, robustness, and transparency. The method systematically employs different classifiers and proposes a new hybrid method called Hybrid Bagging-Boosting and Boosting on Residuals. Performance is then evaluated in four steps: the multistep evaluation of hybrid ensemble learning methods for binary classification and fine-tuning of performance; feature selection using Shapley Additive explanations values and retraining the hybrid model for better performance and reduced overfitting; the generalization of the proposed model to multiclass classification; and the evaluation using standard metrics such as accuracy, precision, recall, and F1-score. Key results indicate that the proposed methods outperform state-of-the-art algorithms, achieving a peak accuracy of 98.47% and an F1 score of 96.19%. These improvements stem from advanced feature selection and resampling techniques, enhancing model accuracy and balancing precision and recall. Integrating Shapley Additive explanations-based feature selection with hybrid ensemble methods significantly boosts the predictive and explanatory power of Intrusion Detection and Prevention Systems, addressing common pitfalls in traditional cybersecurity models. This study paves the way for further research on statistical innovations to enhance Intrusion Detection and Prevention Systems performance.
- Conference Article
- 10.2991/isrme-15.2015.389
- Jan 1, 2015
With the rapid development of machine learning and Internet technology, the combination of the two has recently been well appreciated. An anomaly and intrusion detection system is a mechanism that monitors network or system activities for malicious activities. Intrusion detection and prevention systems are primarily focused on identifying possible incidents, logging information about them and reporting attempts. Other usages of intrusion detection and prevention systems include identifying problems with security policies and deterring individuals from violating security policies. Anomaly detection systems are becoming an important addition to the security infrastructure of nearly every organization. In this paper, we propose a novel mechanism for real-world traffic and research there cases with theoretical analysis.
- Research Article
290
- 10.3390/pr9050834
- May 10, 2021
- Processes
Nowadays, network attacks are the most crucial problem of modern society. All networks, from small to large, are vulnerable to network threats. An intrusion detection (ID) system is critical for mitigating and identifying malicious threats in networks. Currently, deep learning (DL) and machine learning (ML) are being applied in different domains, especially information security, for developing effective ID systems. These ID systems are capable of detecting malicious threats automatically and on time. However, malicious threats are occurring and changing continuously, so the network requires a very advanced security solution. Thus, creating an effective and smart ID system is a massive research problem. Various ID datasets are publicly available for ID research. Due to the complex nature of malicious attacks with a constantly changing attack detection mechanism, publicly existing ID datasets must be modified systematically on a regular basis. So, in this paper, a convolutional recurrent neural network (CRNN) is used to create a DL-based hybrid ID framework that predicts and classifies malicious cyberattacks in the network. In the HCRNNIDS, the convolutional neural network (CNN) performs convolution to capture local features, and the recurrent neural network (RNN) captures temporal features to improve the ID system's performance and prediction. To assess the efficacy of the hybrid convolutional recurrent neural network intrusion detection system (HCRNNIDS), experiments were done on publicly available ID data, specifically the modern and realistic CSE-CIC-IDS2018 data. The simulation outcomes prove that the proposed HCRNNIDS substantially outperforms current ID methodologies, attaining a high malicious attack detection rate accuracy of up to 97.75% for CSE-CIC-IDS2018 data with 10-fold cross-validation.
- Research Article
- 10.36962/pahtei34112023-05
- Nov 2, 2023
- PAHTEI-Proceedings of Azerbaijan High Technical Educational Institutions
The structure of modern intrusion detection systems (IDS) is reviewed. The main directions of recognition of security violations of protected systems are characterized in modern IDS. The analysis of the used methods and models of the structure of IDS was carried out according to the defined main groups. The main disadvantages of the current IDS are given and directions for their improvement are justified. Intrusion detection systems (IDS) are systems that collect information from various points of a protected computer system (computer network) and analyze this information to identify both attempts to breach and real security breaches (intrusions). It has been shown that in modern detection systems, the following main elements are logically distinguished: the information collection subsystem, the analysis subsystem, and the data presentation module. Each intrusion detection method has been reviewed separately and the disadvantages of the methods have been highlighted. The current situation regarding intrusion detection systems and methods is described and directions for improvement are indicated. Among the methods used in the analysis subsystem of modern IDS, two directions can be distinguished: one is aimed at detecting anomalies in the protected system, and the other is aimed at finding abuses. Each of these directions has its advantages and disadvantages, therefore, in most of the existing IDSs, combined solutions are used based on the synthesis of the corresponding methods. It was noted that there are two groups of methods: with controlled training (“training with an instructor”), and with unsupervised training (“training without an instructor”). The main difference between them is that supervised training methods use a fixed set of evaluation parameters and some a priori knowledge about the values of the evaluation parameters. The main methods of detecting anomalies are explained in detail and detailed in the Tables. 
It has been pointed out that the methods currently applied in IDS are based on the general concepts of pattern recognition theory. Several main methods of creating an "image" in modern IDS are discussed and the topic of choosing the optimal set of functions for evaluating the protected system is highlighted. Information about Bayesian statistics, covariance matrices and confidence networks (Bayesian networks) is reflected. Pros and cons of descriptive statistics, neural networks, pattern generation and abuse detection methods are also discussed. It has been explained that the methods currently implemented in IDS are based on the general concepts of pattern recognition theory. In accordance with them, in order to detect an anomaly, an image of the normal functioning of the information system is formed on the basis of an expert assessment. This image acts as a set of evaluation parameter values. The data presentation subsystem is necessary to inform interested parties about the state of the protected system. Some systems assume the existence of groups of users, each of which controls certain subsystems of the protected system. Therefore, in such IDSs access control, group policies, permissions, etc. are applied. In the end, the disadvantages of the existing detection systems were noted and recommendations were given for improving the IDS. It has been noted that, due to the presence of a significant number of factors of various nature, the functioning of the information system and IDS has a probabilistic nature. Therefore, it is relevant to substantiate the type of probabilistic laws of specific parameters of functioning. Of particular note is the problem of substantiating the loss function of an information system, which is set in accordance with its objective function and on the area of the parameters of the system functioning.
At the same time, the objective function should be determined not only at the expert level, but also in accordance with the totality of the parameters of the functioning of the entire information system and the tasks assigned to it. Then the IDS quality indicator will be defined as one of the parameters that affect the objective function, and its admissible values will be determined by the admissible values of the loss function. Based on the foregoing, it can be concluded that considerable experience has been accumulated in practical activities in solving intrusion detection problems. The applied IDS are largely based on empirical schemes of the intrusion detection process; further improvement of IDS is associated with the specification of methods for the synthesis and analysis of complex systems and the theory of pattern recognition as applied to IDS. Keywords: IDS, optimal function, Covariance matrix, Bayes statistics, detection systems.