Abstract

With the advent of digital technology, computer networks have developed at an unprecedented pace, contributing tremendously to social and economic development. They have become the backbone of every critical sector and of the largest multinational companies. Unfortunately, security threats to computer networks have increased dramatically over the last decade and have become far more brazen and bold. Intrusions and attacks can cause irreparable damage, information leakage and significant financial losses. Hence there is a great need for an effective Network Intrusion Detection System (NIDS). In the current study, we propose a hybrid NIDS that detects network attacks by monitoring network traffic, providing a solid line of protection against inside and outside intruders while maintaining performance and service quality. In our NIDS framework, we use Suricata as a signature-based detector to uncover known attacks, and the Isolation Forest Algorithm (IFA) to detect network anomalies. Because Suricata is applied before the IFA classifier, IFA has to detect only unknown attacks, so detection time is reduced and computational power is saved. Suricata is an open source IDS that was developed as a multi-threaded alternative to the popular Snort IDS. The major benefit of a multi-threaded design is increased speed and efficiency in network traffic analysis; it can also help divide the IDS workload according to where the processing is needed. Consequently, Suricata shows an increase in accuracy and system performance over the de facto standard, the single-threaded NIDS Snort. IFA, in turn, is one of the newest approaches to detecting anomalies/outliers: it introduces isolation as a more effective and efficient means of recognizing anomalies than the commonly used distance and density measures.
IFA uses no distance or density measure to identify outliers, which eliminates the major computational cost of distance calculation incurred by all distance-based and density-based algorithms. Additionally, IFA has a low constant in its computational complexity. Moreover, in this framework the NIDSs operate collaboratively to oppose attacks by sharing alerts stored in a central log. In this way, unknown attacks detected by any NIDS can easily be detected by the other NIDSs. This also reduces the computational cost of detecting intrusions at the other NIDSs and improves the detection rate across the whole network environment.
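The following script is an added illustration of the pipeline the abstract describes and is not the authors' code. It runs the three stages in the order the abstract argues for: a cheap signature pre-filter (here a two-rule table standing in for Suricata), a lookup in a central alert log shared by all sensors, and Isolation Forest scoring only for the flows neither of the first two stages explained. The Isolation Forest is a from-scratch, standard-library implementation of Liu et al.'s algorithm (random feature, random split, path-length score normalised by c(n)); the rule names, hosts, flow records and the 0.65 threshold are all constructed for the example.

```python
"""Added illustration (not the paper's code): signature pre-filter, Isolation
Forest scoring of only the unmatched flows, and a shared central alert log."""
import math
import random

EULER_GAMMA = 0.5772156649

# Stand-in for Suricata signatures: (rule name, destination port, min packets).
# Rules, hosts and flows in this file are constructed for the example.
KNOWN_SIGNATURES = [
    ("constructed-telnet-bruteforce", 23, 50),
    ("constructed-smb-probe", 445, 20),
]


def signature_match(flow):
    """Return the first matching rule name, or None if no signature fires."""
    for name, port, min_packets in KNOWN_SIGNATURES:
        if flow["dst_port"] == port and flow["packets"] >= min_packets:
            return name
    return None


def c_factor(n):
    """Average path length of an unsuccessful BST search over n points; it
    normalises scores and estimates the remaining depth of an unsplit leaf."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + EULER_GAMMA) - 2.0 * (n - 1) / n


def build_tree(points, depth, max_depth, rng):
    """Isolation tree: random feature, random split between its min and max."""
    if depth >= max_depth or len(points) <= 1:
        return {"size": len(points)}
    dim = rng.randrange(len(points[0]))
    lo, hi = min(p[dim] for p in points), max(p[dim] for p in points)
    if lo == hi:
        return {"size": len(points)}
    split = rng.uniform(lo, hi)
    return {"dim": dim, "split": split,
            "left": build_tree([p for p in points if p[dim] < split], depth + 1, max_depth, rng),
            "right": build_tree([p for p in points if p[dim] >= split], depth + 1, max_depth, rng)}


def path_length(node, x):
    """Depth at which x is isolated, plus c(n) for a leaf still holding n points."""
    depth = 0
    while "dim" in node:
        node = node["left"] if x[node["dim"]] < node["split"] else node["right"]
        depth += 1
    return depth + c_factor(node["size"])


class IsolationForest:
    """Ensemble of isolation trees; scores in (0, 1], easily isolated points score high."""

    def __init__(self, n_trees=200, sample_size=256, seed=7):
        self.n_trees, self.sample_size, self.rng = n_trees, sample_size, random.Random(seed)
        self.trees = []

    def fit(self, X):
        self.sample_size = min(self.sample_size, len(X))
        max_depth = math.ceil(math.log2(self.sample_size))
        self.trees = [build_tree(self.rng.sample(X, self.sample_size), 0, max_depth, self.rng)
                      for _ in range(self.n_trees)]
        return self

    def score(self, x):
        mean_path = sum(path_length(t, x) for t in self.trees) / len(self.trees)
        return 2.0 ** (-mean_path / c_factor(self.sample_size))


def features(flow):
    return (flow["bytes"], flow["packets"], flow["duration"])


def baseline_flows(n=200, seed=1):
    """Constructed benign traffic window (bytes, packets, duration) used as the IFA baseline."""
    rng = random.Random(seed)
    return [(abs(rng.gauss(2000, 400)), abs(rng.gauss(20, 5)), abs(rng.gauss(2.0, 0.5)))
            for _ in range(n)]


class Sensor:
    """One NIDS node: signatures first, then the peers' shared log, IFA only for the rest."""

    def __init__(self, name, central_log, baseline, seed, threshold=0.65):
        self.name, self.log, self.baseline = name, central_log, baseline
        self.seed, self.threshold = seed, threshold  # threshold is a constructed setting

    def analyze_batch(self, flows):
        verdicts, unmatched = {}, []
        for flow in flows:
            key = (flow["src"], flow["dst_port"])
            rule = signature_match(flow)
            if rule:
                self.log.append({"sensor": self.name, "key": key, "type": "known", "detail": rule})
                verdicts[flow["id"]] = ("known", rule)
                continue
            peer = next((e["sensor"] for e in self.log if e["key"] == key), None)
            if peer:  # collaborative step: a peer already raised this alert, no IFA work needed
                verdicts[flow["id"]] = ("shared", peer)
                continue
            unmatched.append(flow)
        if unmatched:  # IFA is trained on the window and scores only the unexplained flows
            forest = IsolationForest(seed=self.seed).fit(self.baseline + [features(f) for f in unmatched])
            for flow in unmatched:
                score = forest.score(features(flow))
                if score >= self.threshold:
                    self.log.append({"sensor": self.name, "key": (flow["src"], flow["dst_port"]),
                                     "type": "anomaly", "detail": round(score, 3)})
                    verdicts[flow["id"]] = ("anomaly", score)
                else:
                    verdicts[flow["id"]] = ("normal", score)
        return verdicts


def run_demo():
    central_log = []
    sensor_a = Sensor("nids-a", central_log, baseline_flows(), seed=11)
    sensor_b = Sensor("nids-b", central_log, baseline_flows(), seed=23)
    known = {"id": "known", "src": "10.0.0.5", "dst_port": 23, "bytes": 3000, "packets": 80, "duration": 4.0}
    benign = {"id": "benign", "src": "10.0.0.6", "dst_port": 443, "bytes": 2100, "packets": 21, "duration": 1.9}
    unusual = {"id": "unusual", "src": "10.0.0.7", "dst_port": 8443, "bytes": 250000, "packets": 4000, "duration": 0.05}
    first = sensor_a.analyze_batch([known, benign, unusual])  # IFA scores benign and unusual
    second = sensor_b.analyze_batch([unusual])                # answered from the shared log
    return first, second, central_log


if __name__ == "__main__":
    for verdicts in run_demo()[:2]:
        for flow_id, (verdict, detail) in verdicts.items():
            print(f"{flow_id:>8}: {verdict} ({detail})")
```

The ordering is the point: the signature hit never reaches the forest, and the second sensor answers the repeated flow from the central log without building or querying a forest at all, which is the computational saving the abstract claims for the collaborative setup. The forest is refitted per batch on baseline plus the unexplained flows, so an extreme flow lands in the training window and is isolated within a split or two, while a flow near the middle of the baseline needs the full tree depth and scores close to 0.5.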