INTRUSION DETECTION SYSTEMS AND METHODS: CURRENT SITUATION AND DIRECTIONS FOR IMPROVEMENT

Abstract

The structure of modern intrusion detection systems (IDS) is reviewed. The main directions of recognition of security violations of protected systems are characterized in modern IDS. The analysis of the used methods and models of the structure of IDS was carried out according to the defined main groups. The main disadvantages of the current IDS are given and directions for their improvement are justified. Intrusion detection systems (IDS) are systems that collect information from various points of a protected computer system (computer network) and analyze this information to identify both attempts to breach and real security breaches (intrusions). It has been shown that in modern detection systems, the following main elements are logically distinguished: the information collection subsystem, the analysis subsystem, and the data presentation module. Each intrusion detection method has been reviewed separately and the disadvantages of the methods have been highlighted. The current situation regarding intrusion detection systems and methods is described and directions for improvement are indicated. Among the methods used in the analysis subsystem of modern IDS, two directions can be distinguished: one is aimed at detecting anomalies in the protected system, and the other is aimed at finding abuses. Each of these directions has its advantages and disadvantages, therefore, in most of the existing IDSs, combined solutions are used based on the synthesis of the corresponding methods. It was noted that there are two groups of methods: with controlled training (“training with an instructor”), and with unsupervised training (“training without an instructor”). The main difference between them is that supervised training methods use a fixed set of evaluation parameters and some a priori knowledge about the values of the evaluation parameters. The main methods of detecting anomalies are explained in detail and detailed in the Tables. It has been pointed out that the methods currently applied in IDS are based on the general concepts of pattern recognition theory. Several main methods of creating an “image” in modern IDS are discussed and the topic of choosing the optimal set of functions for evaluating the protected system is highlighted. Information about Bayesian statistics, Covariance matrices, Confidence networks (Bayesian networks) is reflected. Pros and cons of descriptive statistics, Neural networks, Pattern Generation, abuse detection methods are also discussed. It has been explained that the methods currently implemented in IDS are based on the general concepts of pattern recognition theory. In accordance with them, in order to detect an anomaly, an image of the normal functioning of the information system is formed on the basis of an expert assessment. This image acts as a set of evaluation parameter values. The data presentation subsystem is necessary to inform interested parties about the state of the protected system. Some systems assume the existence of groups of users, each of which controls certain subsystems of the protected system. Therefore, in such IDSs access control, group policies, permissions, and etc. is applied. In the end, the disadvantages of the existing detection systems were noted and recommendations were given for improving the IDS. It has been noted that due to the presence of a significant number of factors of various nature, the functioning of the information system and IDS has a probabilistic nature. Therefore, it is relevant to substantiate the type of probabilistic laws of specific parameters of functioning. Of particular note is the problem of substantiating the loss function of an information system, which is set in accordance with its objective function and on the area of the parameters of the system functioning. At the same time, the objective function should be determined not only at the expert level, but also in accordance with the totality of the parameters of the functioning of the entire information system and the tasks assigned to it. Then the IDS quality indicator will be defined as one of the parameters that affect the objective function, and its admissible values will be determined by the admissible values of the loss function. Based on the foregoing, it can be concluded that considerable experience has been accumulated in practical activities in solving intrusion detection problems. The applied IDS are largely based on empirical schemes of the intrusion detection process, further improvement of IDS is associated with the specification of methods for the synthesis and analysis of complex systems, the theory of pattern recognition as applied to IDS. Keywords: IDS, optimal function, Covariance matrix, Bayes statistics, detection systems.