System For Intrusion

This document discusses network security and intrusion detection systems. It defines network security as preventing unauthorized access to corporate networks through physical, technical, and administrative controls. Intrusion detection systems monitor network traffic to identify attacks by correlating activity with known threat signatures. There are two main types: network intrusion detection systems which monitor entire subnets, and host intrusion detection systems which run on individual devices and can detect internal and malware-based attacks. The advantages of each type are also outlined.

LITERATURE REVIEW

2.1 Preamble

Network security is the practice of preventing and protecting against unauthorized intrusion into corporate networks. According to Fruhlinger (2018), it complements endpoint security, which focuses on individual devices; network security instead focuses on how those devices interact, and on the connective tissue between them. Network security is the process of taking physical and software preventative measures to protect the underlying networking infrastructure from unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure, thereby creating a secure platform for computers, users, and programs to perform their permitted critical functions within a secure environment. There are many layers to consider when addressing network security across an organization. Attacks can happen at any layer in the network security layer model, so your network security hardware, software and policies must be designed to address each area. Network security typically consists of three different controls: physical, technical and administrative. Here is a brief description of the different types of network security and how each control works.

2.1.1 Physical Network Security

Physical security controls are designed to prevent unauthorized personnel from gaining physical access to network components such as routers, cabling cupboards and so on. Controlled access, such as locks, biometric authentication and other devices, is essential in any organization.

2.1.2 Technical Network Security

Technical security controls protect data that is stored on the network or which is in transit across, into or out of the network. Protection is twofold: it needs to protect data and systems from unauthorized personnel, and it also needs to protect against malicious activities.

2.1.3 Administrative Network Security

Administrative security controls consist of security policies and processes that control user behavior, including how users are authenticated, their level of access, and how changes to the infrastructure are implemented.

2.2 Definition of Intrusion

Different organizations across the world deploy firewalls to protect their private networks from the public network. But even when a private network is secured using firewalls, no network can be one hundred percent secure. According to Lisong et al. (2007), the firewall also protects the organization from malicious attacks from the internet by dropping connections from unknown sources.

An intrusion can therefore be characterized in terms of confidentiality, integrity, and availability. An event or action causes a breach of confidentiality if it allows resources residing in a computer to be accessed in an unauthorized manner. An event or action causes a breach of integrity if it allows the state of resources residing in a computer to be changed in an unauthorized manner. Similarly, an event or action causes a breach of availability if it prevents legitimate users from accessing resources or services residing in a computer.

2.2.1 Intrusion Detection System

These systems scan network traffic to identify and block attacks, often by correlating network activity signatures with databases of known attack techniques. An intrusion detection system (IDS) is a software application or hardware appliance that monitors traffic moving on networks and through systems to search for suspicious activity and known threats, sending up alerts when it finds such items (Shahid et al., 2017). Each IDS is programmed to analyze traffic and identify patterns in that traffic that may indicate a cyberattack of various sorts. According to Manusankarat et al. (2018), an IDS can identify "traffic that could be considered universally malicious or

General Architecture of Intrusion Detection System

An intrusion detection system dynamically monitors the actions in a given environment and decides whether these actions resemble an attack. An intrusion detection system at its most primitive level is a detector that processes information coming from the system that is to be protected.

represents a simple intrusion detection system and uses three kinds of information, namely long-term information related to the technique used to detect intrusions (a knowledge base of attacks), configuration information about the current state of the system, and audit information describing the events occurring on the system. The role of the detector is to eliminate unnecessary information from the audit trail and present a synthetic view of the security-related actions taken by the users. A decision is then made to evaluate the probability that these actions can be considered symptoms of an intrusion. The following five measures for evaluating the efficiency of an intrusion detection system have been highlighted.

• Accuracy – Inaccuracy occurs when an intrusion detection system flags a legitimate action in the environment as anomalous or intrusive.

• Performance – The performance of an intrusion detection system is the rate at which audit events are processed. If the performance of the intrusion detection system is poor, then real-time detection is not possible.

• Completeness – Incompleteness occurs when the intrusion detection system fails to detect an attack. This measure is very difficult to evaluate because it is impossible to have global knowledge about all attacks or abuses of privilege.

• Fault Tolerance – An intrusion detection system should itself be resistant to attacks, especially denial of service, and should be designed with this goal in mind. According to Nazer and Selvakumar (2018), most intrusion detection systems run on top of commercially available operating systems or hardware, which are known to be vulnerable to attacks.

• Timeliness – An intrusion detection system has to perform and propagate its analysis as quickly as possible to enable security procedures. This implies more than the measure of performance, because it encompasses not only the intrinsic processing speed of the intrusion detection system, but also the time required to propagate the result and to react to it.

2.2.2 Advantages of Intrusion Detection Systems

• The network or computer is constantly monitored for any invasion or attack.
• The system can be modified and changed according to the needs of a specific client, and can help against external as well as internal threats to the system and network.
• It effectively prevents any damage to the network.
• It provides a user-friendly interface which allows easy management of security systems.
• Any alterations to files and directories on the system can be easily detected and reported.

2.2.3 Types of Intrusion Detection

Intrusion detection software systems can be broken into two broad

A network intrusion detection system (NIDS) is deployed at a strategic point or points within the network, where it can monitor inbound and outbound traffic to and from all the devices on the network. It performs an analysis of passing traffic on the entire subnet, and matches the traffic that is passed on the subnets to the library of known attacks. Once an attack is identified, or abnormal behavior is sensed, an alert can be sent to the administrator. NIDS are also capable of comparing the signatures of similar packets in order to correlate and drop harmful packets whose signature matches a record in the NIDS database.

Host intrusion detection systems (HIDS) run on all computers or devices in the network with direct access to both the internet and the enterprise internal network. HIDS have an advantage over NIDS in that they may be able to detect anomalous network packets that originate from inside the organization or malicious traffic that a NIDS has failed to detect. HIDS may also be able to identify malicious traffic that originates from the host itself, as when the host has been infected with malware and is attempting to spread to other systems.

Advantages of Network-based Intrusion Detection Systems

1. Detect network-based attacks: Network-based IDS sensors can detect attacks by checking all packet headers for malicious content. Many IP-based denial-of-service attacks, such as TCP SYN floods and DDoS attacks, can be quickly detected by a network-based sensor by looking at the contents of the packets in real time.
2. Real-time detection and quick response: A network-based IDS monitors traffic in real time, so it can detect malicious activity as it occurs. Depending on how it is configured, such attacks can be stopped even before they reach the host.
3. Lower cost of ownership: A network-based IDS can be deployed for each network segment. One IDS monitors network traffic destined for all systems in the network segment.
4. Easier to deploy: They are easier to deploy as they do not affect the existing systems or infrastructure.
5. Retaining evidence: They use live network traffic and perform real-time intrusion detection. Therefore the attacker cannot remove evidence of the attack.

2.2.4 Advantages of Host-based Intrusion Detection Systems

1. Verifies the success or failure of an attack: Host-based IDS use system logs containing events that have actually occurred, so they can determine whether an attack occurred or not with greater accuracy and fewer false positives than a network-based system.
2. Does not require additional hardware.
3. Lower entry cost: Host-based IDS sensors are cheaper than network-based IDS sensors.
4. Near real-time detection and response: Although it does not offer true real-time response, it can come extremely close if implemented correctly.
5. Detection of attacks missed by a network-based IDS.

2.2.5 Drawbacks of Host Intrusion Detection Systems

1. It is difficult to analyse intrusion attempts across multiple computers.
2. Host Intrusion Detection Systems (HIDS) can be very difficult to maintain in large networks with different operating systems and configurations.
3. Host Intrusion Detection Systems (HIDS) can be disabled by attackers after the system is compromised.
4. Formation at a host may cause severe limitation of the network.
5. Other attacks can involve software integrity breaches.

2. Intrusion Detection Approaches

There are four major approaches towards intrusion detection:

1. Misuse-based intrusion detection
2. Anomaly-based intrusion detection
3. Policy-based intrusion detection
4. Hybrid intrusion detection

2.1. Misuse-Based Intrusion Detection

A misuse-based approach uses a set of signatures representing the patterns of already known attacks to filter malicious activities. Misuse-based systems, which are also known as signature-based systems, have the capability of detecting known attacks more precisely, with a lower false-positive rate, but prove to be inefficient for detecting zero-day or unknown ones (Nazar and Selvakumar, 2017).

The signature database should be kept up to date for recognizing novel attacks, which is a tedious and intensive process since new attacking techniques are being discovered frequently. According to Serpen and Aghaei (2018), the signature-based intrusion detection technique is useful when there exists a proper, new and up-to-date dataset, because the types of threats change over time and the detection process should be able to detect the most recent instances of malicious activities. Various techniques used include:

• State transition analysis: An intrusion is viewed as a sequence of actions performed by an intruder that leads from some initial state on a computer system to a target compromised state. State transition analysis diagrams identify the requirements and the compromised state of the penetration.

• Expert system: The expert system contains a set of rules that describe the attacks. Audit events are then translated into facts carrying their semantic signification in the expert system, and the inference engine draws conclusions using these rules and facts. This method increases the abstraction level of the audit data by attaching a semantic to it.

• Pattern matching model: This is the encoding of known intrusion signatures as patterns, to be matched against the audit data. It attempts to match incoming events to patterns representing intrusion scenarios. This model is based on the notion of an event, which consists of monitored changes in the state of the system, or part of the system.
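Two of the misuse techniques above, the pattern matching model and state transition analysis, can be shown in a few dozen lines, together with the limitation the section opens with: an attack that has no signature is simply not seen. The following is an added example written for this review, not code from the document or from any cited work. The signature database, the event sequence and the audit events are all constructed; `match_signatures` and `match_sequence` are names chosen here, and the source `10.0.0.7` carries a stand-in for an unknown attack.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    """One pattern-matching rule: a name and a regex applied to an audit event's text."""
    name: str
    pattern: re.Pattern

# Constructed signature database (two illustrative rules, not a real rule set).
SIGNATURES = [
    Signature("path-traversal", re.compile(r"\.\./")),
    Signature("sqli-tautology", re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.IGNORECASE)),
]

# Constructed state-transition signature: the ordered event types, from one source,
# that move the system from an initial state to the compromised state being modelled.
FAIL_THEN_SUCCESS = ("login_fail", "login_fail", "login_fail", "login_ok")

# Constructed audit events; 10.0.0.7 carries a stand-in for an attack with no signature.
EVENTS = [
    {"src": "10.0.0.5", "type": "http", "text": "GET /static/../../config.ini"},
    {"src": "10.0.0.6", "type": "http", "text": "GET /item?id=1' OR '1'='1"},
    {"src": "10.0.0.7", "type": "http", "text": "GET /search?q=stand-in-for-unknown-attack"},
    {"src": "10.0.0.8", "type": "login_fail", "text": "user=alice"},
    {"src": "10.0.0.8", "type": "login_fail", "text": "user=alice"},
    {"src": "10.0.0.8", "type": "login_fail", "text": "user=alice"},
    {"src": "10.0.0.8", "type": "login_ok", "text": "user=alice"},
    {"src": "10.0.0.9", "type": "login_fail", "text": "user=bob"},
    {"src": "10.0.0.9", "type": "login_ok", "text": "user=bob"},
]

def match_signatures(events, signatures=SIGNATURES):
    """Pattern matching model: every event is compared against every signature."""
    alerts = []
    for ev in events:
        for sig in signatures:
            if sig.pattern.search(ev["text"]):
                alerts.append((ev["src"], sig.name))
    return alerts

def match_sequence(events, sequence=FAIL_THEN_SUCCESS, name="fail-fail-fail-then-success"):
    """State transition analysis: one small automaton per source address.

    The state is how far along `sequence` that source has progressed; an event
    that fits the next expected step advances it, anything else resets it (a
    repeated first step restarts at 1), and reaching the end raises an alert.
    """
    state = {}
    alerts = []
    for ev in events:
        pos = state.get(ev["src"], 0)
        if ev["type"] == sequence[pos]:
            pos += 1
        elif ev["type"] == sequence[0]:
            pos = 1
        else:
            pos = 0
        if pos == len(sequence):
            alerts.append((ev["src"], name))
            pos = 0
        state[ev["src"]] = pos
    return alerts

if __name__ == "__main__":
    print(match_signatures(EVENTS))
    print(match_sequence(EVENTS))
```

The run alerts on `10.0.0.5`, `10.0.0.6` and the three-failures-then-success sequence from `10.0.0.8`, while `10.0.0.7` passes silently: the detector is exactly as complete as its signature set, which is the maintenance burden the paragraph above describes.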

2.2. Anomaly-Based Intrusion Detection

The anomaly-based technique assumes that malicious activities are significantly different from expected behavior, and that this difference can be studied quantitatively. The incoming events are analyzed to check whether they deviate from the normal ones. Unlike misuse detection, anomaly-based systems support detection of unknown and novel attacks and can also be trained to cater to the problems caused by custom vulnerabilities. Despite having great potential, there are some critical issues associated with the approach. Anomaly-based components can model the acceptable behavior by using a multitude of different machine learning techniques [10], and selecting the best ones is a significant issue. Also, deciding the optimal thresholds of the machine learning parameters is challenging. A high threshold value may increase the number of undetected attacks, whereas too lenient a configuration may cause more false-positive alerts. However, the solution depends upon the variability of the behavior being observed. If the web traffic is highly variable, a generalized model can handle the situation better, while low-variability traffic requires a strict model to detect doubtful movement. Anomaly-based systems are also known for producing high false-positive rates, which may cause blocking or denying of a good number of legitimate requests. The assumption behind the approach (i.e., that attacks manifest unusual behavior) is the prime reason, since at times a benign user does exhibit strange behavior that might not have been recorded during the training phase.
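The threshold trade-off described above is easiest to see on numbers. The following is an added example written for this review, not code from the document or from any cited work: the simplest quantitative profile of "normal" (mean and standard deviation of requests per minute from one client, a constructed training set) is scored with a z-score, and three constructed observations are classified at three thresholds. `BaselineModel`, `evaluate` and `threshold_sweep` are names chosen here.

```python
import statistics

# Constructed training data: requests per minute observed from one client during
# a period assumed to be attack-free.
TRAINING = [10, 12, 11, 9, 13, 10, 12, 11, 10, 12]

# Constructed test observations: (label, requests per minute, is it really an attack?).
OBSERVATIONS = [
    ("legit_burst", 14, False),   # a busy but benign minute
    ("flood", 30, True),          # obvious volumetric abuse
    ("slow_probe", 15, True),     # low-and-slow activity, only slightly above normal
]

class BaselineModel:
    """Simplest quantitative profile of 'normal': mean and standard deviation."""

    def __init__(self, samples):
        if len(samples) < 2:
            raise ValueError("need at least two samples to build a baseline")
        self.mean = statistics.fmean(samples)
        # Guard against a constant training set, which would make every deviation infinite.
        self.std = statistics.pstdev(samples) or 1.0

    def zscore(self, value):
        return (value - self.mean) / self.std

    def is_anomalous(self, value, threshold):
        """Flag values more than `threshold` standard deviations from the baseline mean."""
        return abs(self.zscore(value)) > threshold

def evaluate(model, threshold, observations=OBSERVATIONS):
    """What the detector flags at this threshold, split into false positives and misses."""
    flagged = [n for n, v, _ in observations if model.is_anomalous(v, threshold)]
    return {
        "flagged": flagged,
        "false_positives": [n for n, _, attack in observations if n in flagged and not attack],
        "missed": [n for n, _, attack in observations if n not in flagged and attack],
    }

def threshold_sweep(thresholds=(2.0, 3.0, 4.0)):
    """Same model, same traffic, three thresholds: the trade-off the text describes."""
    model = BaselineModel(TRAINING)
    return {t: evaluate(model, t) for t in thresholds}

if __name__ == "__main__":
    for t, result in threshold_sweep().items():
        print(t, result)
```

With this training set the mean is 11 and the standard deviation about 1.18, so at a threshold of 2.0 the benign burst is a false positive, at 4.0 the slow probe is missed, and only the middle setting separates the three; real traffic rarely offers such a clean gap, which is why the section calls threshold selection challenging.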

2.3. Policy-Based Intrusion Detection

The two techniques discussed so far suffer from inherent limitations. Misuse detection can never maintain data on all possible attack vectors, and, likewise, anomaly detection cannot record all legitimate behaviors of users. An alternative approach, namely policy-based intrusion detection, is receiving considerable attention these days as it allows these limitations to be overcome. Policy-based techniques establish boundaries between allowed and disallowed events by imposing a set of rules [11]. This solves two major problems: (1) detection of unknown attacks, and (2) classification of normal but unseen behavior into the attack class. Although this approach seems useful and flexible, there are also certain drawbacks associated with it. First, a security specialist is required to design effective policies. Second, the defined policies should be consistent and in a logically correct state throughout the system to avoid any adverse circumstances. Policies are interrelated through their associated conditions, and, therefore, there may exist inter- or intra-policy conflicts, as an incoming event may trigger more than one rule either within a policy or between two policies. Moreover, these policies are usually implemented sequentially, and improper ordering can cause a feedback loop or deadlock situation. However, ontology-based systems [12–14] can be used to simplify the policy specification and management tasks.
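The two policy problems named above, rules that conflict because one event can trigger both, and sequential evaluation where ordering decides the outcome, can both be checked mechanically. The following is an added example written for this review, not code from the document or from any cited work. The rule set and the event are constructed; `Rule`, `compatible`, `find_conflicts` and `decide` are names chosen here, and the conflict check is the simple one of asking whether two opposite-decision rules can match the same event.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """A policy rule: every listed attribute must equal the event's value for the rule to fire."""
    name: str
    conditions: dict
    decision: str  # "allow" or "deny"

    def matches(self, event: dict) -> bool:
        return all(event.get(k) == v for k, v in self.conditions.items())

def compatible(a: Rule, b: Rule) -> bool:
    """Can one event satisfy both rules? Only attributes named in both must agree."""
    shared = set(a.conditions) & set(b.conditions)
    return all(a.conditions[k] == b.conditions[k] for k in shared)

def find_conflicts(rules):
    """Pairs of rules that can fire on the same event yet reach opposite decisions."""
    conflicts = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.decision != b.decision and compatible(a, b):
                conflicts.append((a.name, b.name))
    return conflicts

def decide(rules, event: dict, default="deny"):
    """Sequential (first-match) evaluation, the way the text says policies are applied."""
    for rule in rules:
        if rule.matches(event):
            return rule.decision, rule.name
    return default, "default"

# Constructed policy set (not from any real product).
RULES = [
    Rule("admins-may-ssh", {"role": "admin", "dst_port": 22}, "allow"),
    Rule("no-ssh-from-guest-vlan", {"src_vlan": "guest", "dst_port": 22}, "deny"),
    Rule("guests-no-ssh", {"role": "guest", "dst_port": 22}, "deny"),
]

# Constructed event: an admin connecting from the guest VLAN triggers two rules.
EVENT = {"role": "admin", "src_vlan": "guest", "dst_port": 22}

if __name__ == "__main__":
    print("conflicts:", find_conflicts(RULES))
    print("as ordered:", decide(RULES, EVENT))
    print("deny rule first:", decide(list(reversed(RULES)), EVENT))
```

`find_conflicts` reports only the first two rules: the third shares `role` with the first but with a different value, so no single event can trigger both. The same event is allowed with the rules as listed and denied when the order is reversed, which is the ordering hazard the paragraph describes; a policy linter of this kind belongs in the change process for any rule set that is evaluated sequentially.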

2.4. Hybrid-Based Intrusion Detection

A hybrid system is the fusion of different intrusion detection approaches into a single integrated detection system [15, 16]. Hybrid-based systems give better performance by utilizing the strengths of more than one approach to overcome the limitations of the individual techniques. However, while incorporating the different methods, a few things should be taken into consideration. First, hybrid systems can have either a layered or a parallel architecture, and opting for one of them is a preliminary requirement. Moreover, in a layered architecture, deciding the correct sequence of the multiple components for processing events is another challenge. For example, the authors of [16] proposed a hybrid system where the anomaly detection component is placed first, followed by the misuse component. The second point to be considered is how to resolve conflicts between the results classified by these components, since there may be the case when one classifies an event into a safe class and
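The layered arrangement just described, anomaly component first and misuse component second, together with an explicit rule for the case where the two disagree, looks like this in code. The following is an added example written for this review, not code from the document or from [16]. Both components are deliberately minimal (a substring stand-in for a signature database and a mean/standard-deviation size profile built from constructed benign traffic), every event is scored by both so that disagreement is visible, and the arbitration rule is a design choice for this example; `AnomalyComponent`, `misuse_component` and `hybrid_classify` are names chosen here.

```python
from statistics import fmean, pstdev

# Constructed stand-in for a signature database (the misuse component).
KNOWN_BAD_FRAGMENTS = ("../", "' OR '1'='1")

def misuse_component(text: str) -> bool:
    """Misuse layer: true if the event contains any known-bad fragment."""
    return any(frag in text for frag in KNOWN_BAD_FRAGMENTS)

class AnomalyComponent:
    """Anomaly layer: response-size profile learned from constructed benign traffic."""

    def __init__(self, sizes, threshold=3.0):
        self.mean = fmean(sizes)
        self.std = pstdev(sizes) or 1.0   # guard against a constant training set
        self.threshold = threshold

    def is_anomalous(self, size: int) -> bool:
        return abs(size - self.mean) / self.std > self.threshold

def hybrid_classify(event: dict, anomaly: AnomalyComponent) -> dict:
    """Layered hybrid: anomaly component first, misuse component second.

    Arbitration rule (a design choice for this example): a signature match is
    decisive because it is high precision; an anomaly with no signature goes to
    an analyst as 'suspicious'; agreement on 'normal' yields 'benign'. Both
    per-layer verdicts are returned so that a conflict stays visible.
    """
    anomalous = anomaly.is_anomalous(event["size"])
    known = misuse_component(event["text"])
    if known:
        verdict = "attack"
    elif anomalous:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {
        "verdict": verdict,
        "anomaly_says_attack": anomalous,
        "misuse_says_attack": known,
        "conflict": anomalous != known,
    }

BENIGN_SIZES = [500, 520, 480, 510, 490]  # constructed training set

# Constructed events; the third is the conflict case from the text: the anomaly
# layer calls it safe (normal size) while the misuse layer has a matching signature.
EVENTS = [
    {"id": "normal", "size": 505, "text": "GET /index.html"},
    {"id": "oversized-unknown", "size": 1200, "text": "GET /reports?range=all"},
    {"id": "known-sig-normal-size", "size": 495, "text": "GET /files/../../config.ini"},
]

def run_demo() -> dict:
    anomaly = AnomalyComponent(BENIGN_SIZES)
    return {ev["id"]: hybrid_classify(ev, anomaly) for ev in EVENTS}

if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The first event is benign under both layers, the second is flagged only by the anomaly layer and is handed on as suspicious, and the third is the disagreement the section is discussing: the anomaly layer sees nothing unusual, the misuse layer matches a signature, and the arbitration rule, not either component alone, decides the final class.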
