
Intrusion Detection System in Cyber Security

I. INTRODUCTION

In today's world Internet security has become a challenge for organizations, which must
protect credential and other sensitive data from intruders. Firewalls, encryption,
authentication and Virtual Private Networks (VPN) have long been deployed to secure the
network infrastructure and communication over the Internet. Intrusion detection is a
relatively new addition to this set of security technologies. An IDS enhances network
security and helps safeguard the organisation's data: it helps the network administrator
detect malicious activity on the network and alerts the administrator so that appropriate
action can be taken against the attack. An intrusion refers to any unauthorized access or
malicious use of information resources.

An intruder or attacker is a real-world entity that tries to find a means to gain
unauthorized access to information, cause harm or engage in other malicious activity. An
intrusion detection system complements the firewall rather than replacing it. The firewall
blocks traffic that violates its policy at the boundary between the organization and the
Internet; the IDS detects attempts to get in through the firewall, or a break-in that has
already succeeded and is reaching systems inside the organization, and alerts the system
administrator to the undesired activity. An intrusion detection system (IDS) is therefore a
security system that monitors network traffic and computer systems and analyses that
activity for hostile attacks originating from outside the organization as well as for misuse
of systems or attacks originating from inside the organization. An IDS by itself only detects
and reports; blocking the traffic is the job of the firewall or of an intrusion prevention
system (IPS).

Department of Electronics and Communication Engineering
Basaveshwar Engineering College, Bagalkot

II. CYBER SECURITY

Cyber security is the practice of protecting internet-connected systems such as computers,
servers, mobile devices, electronic systems, networks, and data from malicious attacks. The
term can be split into two parts: cyber refers to the technology, that is the systems,
networks, programs and data, and security is concerned with the protection of those systems,
networks, applications and information. It is also called information technology security or
electronic information security. A major part of cyber security in practice is finding and
fixing flawed software, since software vulnerabilities are the usual way in for an attacker.

III. VARIOUS CYBER ATTACKS

A cyber attack is any action that attempts to bypass the security mechanisms of a computer
system, that is, any set of actions that threatens the integrity, availability or
confidentiality of a network resource. Cyber attacks are deliberate and malicious attempts to
disrupt, damage, or gain unauthorized access to computer systems, networks, or digital
devices. They are carried out by individuals or groups with various motives, such as financial
gain, political activism, espionage, or simply curiosity.

Examples:

- Malware
- Phishing
- Worms and viruses
- Denial of service (DoS)


IV. INTRUSION DETECTION SYSTEM

- Intrusion: Any set of actions that threatens the integrity, availability or
  confidentiality of a network resource.

- Intrusion Detection: The process of monitoring the events occurring in a computer
  system or network and analysing them for signs of intrusion.

- Intrusion Detection System: A security technology or software that monitors and
  analyzes computer systems, networks, or software applications for signs of unauthorized
  access attempts or malicious activity.

V. NEED OF INTRUSION DETECTION SYSTEM

Nowadays the Internet has become part of our daily life; in fact, the business world is
getting connected to the Internet, and more people connect every day to take advantage of
the business model known as e-Business. Connectivity has therefore become a critical aspect
of today's e-business, and it has two sides. The Internet brings outstanding potential to a
business in terms of reaching users, and at the same time it brings a lot of risk. There are
both harmless and harmful users on the Internet: when an organization makes its information
system accessible to legitimate Internet users, malicious users or hackers can also gain
access to the organization's internal systems, for reasons such as:

- software bugs, called vulnerabilities, in a system
- failures in security administration
- systems left in their default configuration

Intruders use techniques such as password cracking, peer-to-peer attacks, sniffing, DoS
attacks, eavesdropping and application-layer attacks to exploit the vulnerabilities above
and compromise critical systems. Some form of protection is therefore required for the
private resources of the organization, both from the Internet and from users inside the
organization.


VI. BLOCK DIAGRAM OF INTRUSION DETECTION SYSTEM

Fig 6.1: Block Diagram of IDS System

The block diagram in fig 6.1 of an intrusion detection system consists of three stages:
network traffic (input), intrusion detection (analysis) and alert generation (output). Each
data packet present in the network traffic is given as input to the intrusion detection
system, which analyses the packet and decides whether it is malicious or normal. If
malicious activity is found, the IDS generates an alert and sends it to the administrator,
typically through a logging or management server.



VII. TYPES OF INTRUSION DETECTION SYSTEM

There are two main types of IDS, classified by where they are deployed: the network based
intrusion detection system (NIDS) and the host based intrusion detection system (HIDS).

1. Network based intrusion detection system:

Fig 7.1 : Network based intrusion detection system

As shown in fig 7.1, a network intrusion detection system (NIDS) is set up at a planned
point within the network (for example on a switch mirror port or a network tap) to examine
traffic from all devices on that segment. It observes the traffic passing over the subnet
and matches it against a collection of known attacks. Once an attack is identified or
abnormal behaviour is observed, an alert is sent to the administrator. A common placement is
on the subnet where the firewalls are located, in order to see whether someone is trying to
get through the firewall.

A NIDS looks for attack patterns within network traffic, such as a large collection of
related packets of a certain type that could indicate a denial-of-service attack is ongoing,
or a sequence of related packets in a certain pattern, which could indicate that a port scan
is in progress.


2. Host Based Intrusion Detection System

Fig 7.2: Host Based Intrusion Detection System

As shown in fig 7.2, a host based intrusion detection system (HIDS) is installed on a
particular computer or server, known as the host, and monitors activity only on that
system. Like a NIDS, a HIDS can use signature-based (misuse) detection or anomaly-based
detection. A HIDS monitors the status of key system files and detects when an intruder
creates, modifies or deletes the monitored files, triggering an alert when file attributes
are changed, new files are created, or existing files are deleted; it can also watch the
host's logs and the packets entering and leaving the host, and alerts the administrator when
suspicious or malicious activity is detected. The main difference between a NIDS and a HIDS
is visibility: a NIDS sees the traffic of a whole segment but cannot inspect the contents of
encrypted connections, whereas a HIDS sees only its own host but can observe data after it
has been decrypted, together with the processes and files that the traffic ends up touching.
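The file-monitoring part of a HIDS described above, as an added example written for this page (it is not code from the report or from any HIDS product): take a baseline of hashes and attributes of the files under a directory, simulate an intruder, rescan, and report created, modified, deleted and attribute-changed files. The directory tree and the intruder's actions are constructed in a temporary directory so the script runs offline; the file names are illustrative.

```python
"""Minimal file-integrity monitor in the style of a HIDS. Added example, not from the report."""
import hashlib
import stat
import tempfile
from pathlib import Path


def _fingerprint(path: Path) -> dict:
    """Content hash plus the attributes we want to be alerted about."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "size": st.st_size}


def baseline(root: Path) -> dict:
    """Map every regular file below root (relative path) to its fingerprint."""
    return {str(p.relative_to(root)): _fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def compare(old: dict, new: dict) -> list:
    """Return (event, path) pairs for every file that differs between two scans."""
    events = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            events.append(("created", rel))
        elif rel not in new:
            events.append(("deleted", rel))
        elif old[rel]["sha256"] != new[rel]["sha256"]:
            events.append(("modified", rel))
        elif (old[rel]["mode"], old[rel]["uid"]) != (new[rel]["mode"], new[rel]["uid"]):
            events.append(("attributes_changed", rel))
    return events


def simulate_intrusion() -> list:
    """Constructed scenario: baseline a small tree, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF original binary")
        (root / "bin" / "ls").chmod(0o755)
        before = baseline(root)

        # What an intruder might do: add a root account, remove a file,
        # set the setuid bit on a binary, and drop a preload library.
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n")
        (root / "etc" / "hosts").unlink()
        (root / "bin" / "ls").chmod(0o4755)
        (root / "etc" / "ld.so.preload").write_text("/tmp/evil.so\n")
        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for event, rel in simulate_intrusion():
        print(f"ALERT {event:<18} {rel}")
```

A real HIDS stores the baseline somewhere the intruder cannot rewrite (off-host or signed), rescans on a schedule or on inotify events, and excludes paths that legitimately change all the time, otherwise the log-rotation noise swamps the real alerts.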


VIII. DETECTION METHODS IN IDS SYSTEM

1. Signature Based Detection:

Fig 8.1 : Signature Based Detection

As shown in fig 8.1, signature-based detection refers to detecting attacks by looking for
specific patterns, such as byte sequences in network traffic or known malicious instruction
sequences used by malware. The terminology originates with antivirus software, which refers
to these detected patterns as signatures. A signature-based IDS keeps a database of known
attack signatures and constantly compares network traffic or system activity against it; if
activity matches a known signature, it generates an alert. Signature-based IDS can easily
detect attacks whose signature already exists in the database, but it cannot detect new
attacks, such as new malware variants or zero-day exploits, for which no pattern is
available, and an attacker can evade a signature by changing the bytes it matches on
(encoding, fragmentation or obfuscation). The signature database therefore has to be updated
regularly. Where the sensor sits inline it can also be configured to act automatically, such
as dropping the packet, blocking traffic from a particular IP address or shutting down a
particular service or port; a device that does this is an intrusion prevention system (IPS)
rather than a pure IDS.
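The analysis stage of a NIDS, combining the byte-sequence signatures described in this section with the stateful port-scan pattern mentioned under NIDS in section VII, as an added example written for this page (not code from the report or from any IDS product). The packets, the two signatures and the port-scan threshold are constructed for the demonstration; a real sensor would decode packets from a capture or a live interface and load a much larger rule set.

```python
"""Toy NIDS analysis stage: stateless signature matching plus a stateful
port-scan rule. Added example, not from the report."""
from collections import defaultdict

# Constructed signature table. Real rule sets (Snort/Suricata style) add
# ports, flow state, offsets and many more options; these two are examples.
SIGNATURES = [
    {"sid": 1, "proto": "tcp", "pattern": b"/bin/sh", "msg": "shell string in TCP payload"},
    {"sid": 2, "proto": "tcp", "pattern": b"' OR 1=1", "msg": "SQL injection probe"},
]

PORTSCAN_THRESHOLD = 5    # distinct destination ports from one source to one host ...
PORTSCAN_WINDOW = 10.0    # ... within this many seconds


class Detector:
    """Feed packets in time order; alerts accumulate in self.alerts."""

    def __init__(self):
        self.alerts = []
        self._syn_history = defaultdict(list)   # (src, dst) -> [(ts, dport), ...]
        self._scan_reported = set()             # (src, dst) pairs already alerted on

    def process(self, pkt):
        self._match_signatures(pkt)
        self._check_portscan(pkt)

    def _alert(self, rule, msg, pkt):
        self.alerts.append({"ts": pkt["ts"], "rule": rule, "msg": msg,
                            "src": pkt["src"], "dst": pkt["dst"]})

    def _match_signatures(self, pkt):
        # Stateless: a single packet either contains the pattern or it does not.
        for sig in SIGNATURES:
            if pkt["proto"] == sig["proto"] and sig["pattern"] in pkt["payload"]:
                self._alert(f"sig:{sig['sid']}", sig["msg"], pkt)

    def _check_portscan(self, pkt):
        # Stateful: count distinct ports probed by one source within a sliding window.
        if pkt["proto"] != "tcp" or not pkt["syn"]:
            return
        key = (pkt["src"], pkt["dst"])
        history = [(t, p) for t, p in self._syn_history[key]
                   if pkt["ts"] - t <= PORTSCAN_WINDOW]
        history.append((pkt["ts"], pkt["dport"]))
        self._syn_history[key] = history
        probed = {p for _, p in history}
        if len(probed) >= PORTSCAN_THRESHOLD and key not in self._scan_reported:
            self._scan_reported.add(key)   # alert once per scanning pair
            self._alert("portscan", f"{len(probed)} ports probed within {PORTSCAN_WINDOW:g}s", pkt)


def packet(ts, src, dst, dport, payload=b"", syn=False, proto="tcp"):
    """Minimal packet record; a real sensor decodes these fields from the wire."""
    return {"ts": ts, "src": src, "dst": dst, "dport": dport,
            "payload": payload, "syn": syn, "proto": proto}


# Constructed traffic: a benign request, an SQL-injection probe, a SYN sweep
# over six ports in about one second, and a payload carrying a shell string.
SAMPLE_TRAFFIC = [
    packet(0.0, "10.0.0.5", "192.168.10.2", 80, b"GET /index.html HTTP/1.1"),
    packet(0.4, "10.0.0.5", "192.168.10.2", 80, b"GET /login?user=' OR 1=1-- HTTP/1.1"),
    *[packet(1.0 + i * 0.2, "10.0.0.9", "192.168.10.2", port, syn=True)
      for i, port in enumerate([21, 22, 23, 25, 80, 443])],
    packet(5.0, "10.0.0.7", "192.168.10.2", 4444, b"cmd: /bin/sh -i"),
]


def analyse(packets):
    """Run the detector over a packet list and return the alerts it raised."""
    det = Detector()
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        det.process(pkt)
    return det.alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_TRAFFIC):
        print(f"[{a['ts']:5.1f}s] {a['rule']:<9} {a['src']} -> {a['dst']}: {a['msg']}")
```

The signature rules need no memory, which is why they are cheap and also why an attacker can dodge them by splitting the pattern across packets; the port-scan rule has to keep per-source state, which is what makes the "sequence of related packets" detection possible and what bounds how much traffic a sensor can track.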


2: Anomaly Based Detection

Fig 8.2 : Anomaly Based Detection

The flowchart in fig 8.2 shows how an anomaly-based intrusion detection system can alert on
suspicious behaviour that has never been seen before. Instead of searching for known
threats, an anomaly-based system uses statistical analysis or machine learning to learn a
baseline of normal behaviour. The baseline represents how the system normally behaves; all
subsequent network activity is compared to it, and rather than searching for known
indicators of compromise (IOCs), the IDS flags any out-of-the-ordinary behaviour and
triggers an alert.


With an anomaly-based IDS, anything that does not align with the established baseline, such
as a user trying to log in outside standard business hours, new devices being added to the
network without authorization, or a flood of new IP addresses trying to establish
connections with the network, raises a flag for concern. The disadvantage is that many
non-malicious behaviours get flagged simply for being atypical. The increased likelihood of
false positives with anomaly-based detection can require additional time and resources to
investigate every alert.

Anomaly-based detection rests on the premise that unusual activity is likely to indicate a
security threat and that attackers behave differently from legitimate users. The system
typically uses statistical analysis or machine learning algorithms to model the normal
pattern and to detect deviations from it, such as a sudden spike in traffic or an
unauthorized access attempt. Such systems are used in network security and in related
fields such as fraud detection. They are particularly useful for detecting new or unknown
attacks that signature-based systems, which rely on pre-defined patterns of known attacks,
miss. However, they generate false positives, where legitimate activity is flagged as
suspicious, and the baseline must be re-trained regularly as normal behaviour changes. A
baseline learned while an attacker was already active will also treat that attacker's
activity as normal, so the training period has to be known to be clean.
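Anomaly-based detection as described above, as an added example written for this page (not code from the report). It learns a baseline from a constructed, assumed-clean period and then flags the three kinds of deviation the text lists: a login outside a user's usual hours, a login from a source address the user has never used, and a per-minute connection count far above the mean, scored as a z-score. The users, addresses, hours and counts are all constructed; the tolerance and z threshold are assumptions that a real deployment would tune.

```python
"""Statistical anomaly detection over constructed login and connection-rate data.
Added example, not from the report."""
import statistics
from collections import defaultdict

# Constructed baseline period, assumed clean: (user, hour_of_day, source_ip).
BASELINE_LOGINS = [
    ("alice", 9, "192.168.10.2"), ("alice", 10, "192.168.10.2"),
    ("alice", 14, "192.168.10.2"), ("alice", 17, "192.168.10.2"),
    ("bob", 8, "192.168.10.3"), ("bob", 12, "192.168.10.3"),
    ("bob", 16, "192.168.10.3"), ("bob", 18, "192.168.10.7"),
]
# Constructed per-minute counts of new inbound connections over the same period.
BASELINE_CONN_PER_MIN = [12, 15, 11, 14, 13, 16, 12, 14, 15, 13]


class Baseline:
    def __init__(self, logins, conn_counts, hour_tolerance=1, z_threshold=3.0):
        self.hours = defaultdict(set)      # user -> hours at which logins were seen
        self.sources = defaultdict(set)    # user -> source addresses seen
        for user, hour, ip in logins:
            self.hours[user].add(hour)
            self.sources[user].add(ip)
        self.conn_mean = statistics.mean(conn_counts)
        self.conn_std = statistics.pstdev(conn_counts)
        self.hour_tolerance = hour_tolerance   # assumed slack around the usual window
        self.z_threshold = z_threshold         # assumed cut-off for the rate check

    def check_login(self, user, hour, ip):
        """Reasons this login deviates from the baseline (empty list = normal)."""
        if user not in self.hours:
            return ["user never seen during baseline period"]
        reasons = []
        lo, hi = min(self.hours[user]), max(self.hours[user])
        if not (lo - self.hour_tolerance <= hour <= hi + self.hour_tolerance):
            reasons.append(f"login at {hour:02d}:00 outside usual window {lo:02d}:00-{hi:02d}:00")
        if ip not in self.sources[user]:
            reasons.append(f"new source address {ip}")
        return reasons

    def connection_rate_z(self, count):
        """Standard score of a per-minute connection count against the baseline."""
        if self.conn_std == 0:
            return 0.0 if count == self.conn_mean else float("inf")
        return (count - self.conn_mean) / self.conn_std

    def rate_is_anomalous(self, count):
        return self.connection_rate_z(count) > self.z_threshold


def run_demo():
    """Score constructed new events; returns (login alerts, anomalous rates)."""
    base = Baseline(BASELINE_LOGINS, BASELINE_CONN_PER_MIN)
    new_logins = [
        ("alice", 11, "192.168.10.2"),    # normal
        ("bob", 3, "203.0.113.9"),        # 03:00 from an outside address
        ("mallory", 10, "192.168.10.5"),  # account never seen before
        ("alice", 19, "192.168.10.2"),    # one hour late: a likely false positive
    ]
    login_alerts = {}
    for user, hour, ip in new_logins:
        reasons = base.check_login(user, hour, ip)
        if reasons:
            login_alerts[(user, hour, ip)] = reasons
    rate_alerts = [c for c in (14, 18, 90) if base.rate_is_anomalous(c)]
    return login_alerts, rate_alerts


if __name__ == "__main__":
    logins, rates = run_demo()
    for key, reasons in logins.items():
        print("LOGIN ALERT", key, "; ".join(reasons))
    print("RATE ALERTS", rates)
```

The alice-at-19:00 case is the false-positive problem from the text in miniature: with only four baseline logins the "usual window" is narrow, so a slightly late but legitimate login is flagged. Widening the tolerance or training on more data reduces such alerts at the cost of letting more real deviations through, which is the trade-off every anomaly detector has to be tuned for.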


IX. APPLICATIONS

Intrusion detection systems (IDS) are used to identify and respond to security breaches in
computer networks or systems. Some common applications of intrusion detection systems are:

1. Network Security: an IDS monitors network traffic and detects suspicious activity, such
   as attempts to exploit known vulnerabilities, port scanning, or denial-of-service attacks.
2. Incident Response: IDS alerts and logs help identify the source and extent of an attack,
   providing valuable information for incident response teams to contain and mitigate the
   damage.
3. Compliance: an IDS assists organizations in meeting regulatory requirements for security
   monitoring, such as HIPAA, PCI-DSS, or GDPR.
4. Fraud Detection: the same anomaly-detection techniques are used to detect fraudulent
   activity in financial transactions or e-commerce, such as credit card fraud, identity
   theft, or money laundering.
5. Insider Threat Detection: an IDS can identify insider threats, such as unauthorized
   access or data theft by employees or contractors.
6. Vulnerability Assessment: monitoring for attempts to exploit known weaknesses shows
   which vulnerabilities are actually being targeted, which helps prioritise patching (an
   IDS does not replace a vulnerability scanner).
7. Advanced Threat Detection: through anomaly-based detection an IDS can detect threats that
   bypass traditional signature-based measures, such as zero-day exploits or advanced
   persistent threats (APTs).


X. LEARNING

From this technical seminar I have learnt the following:

1. Providing data privacy, integrity and confidentiality to stored data using cyber
   security.
2. How the cyber security process works.
3. The significance of cyber security and intrusion detection systems in preventing cyber
   attacks and securing the database.
4. The working of network and host based IDS.
5. Detection methods like signature and anomaly based detection.
6. Implementation of an intrusion detection system using Cisco Packet Tracer.
7. A system which includes an intrusion detection system can detect abnormal or malicious
   activities and send an alert immediately to the administrator; this helps protect the
   system from cyber attacks.
8. Intrusion detection systems (IDS) can use various learning techniques to detect malicious
   activity and protect computer networks from cyber attacks.


XI. IMPLEMENTATION DETAILS

Configure IOS Intrusion Detection and Prevention System Using the CLI.

1. Topology

Fig 11.1 : IDS System Topology

Fig 11.1 shows the topology used to configure IOS intrusion detection and prevention in
Cisco Packet Tracer from the CLI. It uses two switches (2960-24TT), three routers (1941),
one server used as the syslog collector, and several PCs connected to the switches, which
are in turn connected to the routers. IOS IPS is enabled on router 0 (IP address 10.1.1.1;
referred to as R1 in the commands below). With the rule applied, the router inspects packets
crossing the configured interface against its signature set and, for signatures whose
event-action includes deny-packet-inline, does not let matching packets into the network;
this is how the IDS/IPS works. PCs within the same network can still reach each other, but
PCs on different networks are no longer able to reach each other once the signature is
enabled.

2. Objectives

- Enable IOS IPS on the router.
- Configure logging on the router to the syslog server.
- Modify an IPS signature.
- Verify the IPS configuration on the router.


3. Working

- The first task is to enable IPS on router 0 so that it scans traffic entering the
  network.
- The server labelled Syslog is used to record all IPS events.
- The router is then configured to send its log messages to that syslog server so that
  all abnormal activity is tracked.
- Finally, a signature is enabled so that IPS produces an alert (and drops the packet).
- The server and PCs have been preconfigured.

Part 1: Enable IOS IPS

Step 1: Enable the Security Technology package.

- On R1, issue the show version command to view the Technology Package license
  information.
- If the Security Technology package has not been enabled, enable it:
  R1(config)# license boot module c1900 technology-package securityk9
- Accept the end user license agreement.
- Save the running-config and reload the router to activate the security license.
- Verify with show version that the Security Technology package is now enabled.

Step 2: Verify network connectivity.

- Ping from PC-C to PC-A. The ping should be successful.
- Ping from PC-A to PC-C. The ping should be successful.

Step 3: Create an IOS IPS configuration directory in flash.

- On R1, create a directory named ipsdir in flash using the mkdir command:
  R1# mkdir ipsdir
  Create directory filename [ipsdir]?
  Created dir flash:ipsdir


Step 4: Configure the IPS signature storage location.

- On R1, set the IPS signature storage location to the directory just created:
  R1(config)# ip ips config location flash:ipsdir

Step 5: Create an IPS rule.

- On R1, create an IPS rule with the ip ips name <name> command in global configuration
  mode. Name the rule iosips:
  R1(config)# ip ips name iosips

Step 6: Enable logging.

- IOS IPS supports syslog for event notification. Syslog notification is enabled by
  default; if logging console is enabled, IPS syslog messages are also displayed on the
  console.
- Enable syslog notification if it is not enabled:
  R1(config)# ip ips notify log
- The syslog server itself is identified with logging host <syslog-server-ip>, using the
  address of the Syslog server in fig 11.1.
- If necessary, use the clock set command from privileged EXEC mode to set the clock, so
  that alerts carry a meaningful timestamp:
  R1# clock set 10:20:00
- Verify with show run that the timestamp service for logging is enabled, and enable it if
  it is not:
  R1(config)# service timestamps log datetime msec

Step 7: Configure IOS IPS to use the signature categories.

- Retire the all signature category with retired true (this retires every signature in
  the signature release so the router does not try to load all of them).
- Unretire the ios_ips basic category with retired false.
  R1(config)# ip ips signature-category
  R1(config-ips-category)# category all
  R1(config-ips-category-action)# retired true
  R1(config-ips-category-action)# exit
  R1(config-ips-category)# category ios_ips basic
  R1(config-ips-category-action)# retired false
  R1(config-ips-category-action)# exit

  R1(config-ips-category)# exit
  Do you want to accept these changes? [confirm]

Step 8: Apply the IPS rule to an interface.

- Apply the IPS rule to an interface with the ip ips <name> <direction> command in
  interface configuration mode.
- Apply the rule outbound on the G0/1 interface of R1.
- After IPS is enabled, log messages are sent to the console indicating that the IPS
  engines are being initialized.

Note: The direction in means that IPS inspects only traffic entering the interface; out
means that IPS inspects only traffic leaving the interface. Choose the direction so that
the traffic you want inspected actually crosses that interface in that direction,
otherwise nothing is ever matched.

  R1(config)# interface g0/1
  R1(config-if)# ip ips iosips out

Part 2: Modify the Signature

Step 1: Change the event-action of a signature.

The signature is selected by its signature ID and subsignature ID; substitute the IDs of
the signature being modified for the placeholders below.

  R1(config)# ip ips signature-definition
  R1(config-sigdef)# signature <signature-id> <subsignature-id>
  R1(config-sigdef-sig)# status
  R1(config-sigdef-sig-status)# retired false
  R1(config-sigdef-sig-status)# enabled true
  R1(config-sigdef-sig-status)# exit
  R1(config-sigdef-sig)# engine
  R1(config-sigdef-sig-engine)# event-action produce-alert
  R1(config-sigdef-sig-engine)# event-action deny-packet-inline
  R1(config-sigdef-sig-engine)# exit
  R1(config-sigdef-sig)# exit
  R1(config-sigdef)# exit
  Do you want to accept these changes? [confirm]

With produce-alert alone the router behaves as an IDS: it logs the match and forwards the
packet. Adding deny-packet-inline makes it an IPS that also drops the matching packet.


Step 2: Use show commands to verify IPS.

- Use the show ip ips all command to view the IPS configuration status summary. It shows
  to which interfaces, and in which direction, the iosips rule is applied.

Step 3: Ping between PCs within the network. The ping should be successful.

Step 4: Ping a PC on a different network. The ping should fail, and the syslog server
should receive an alert for the matched signature.

Step 5: Check results. The completion percentage should be 100%.
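Once the rule is in place, the evidence that IPS actually matched something is the alert line that the router sends to the Syslog server configured in Step 6, not the failed ping by itself. As an added example written for this page (not part of the report or of Cisco's lab), the script below parses those alert lines out of a syslog file and counts them per flow and signature. The sample lines are constructed, modelled on the %IPS-4-SIGNATURE message format IOS IPS emits when a signature's event-action includes produce-alert; signature 2004/0 is the IOS IPS ICMP Echo Request signature, and the addresses are placeholders for the lab's PCs.

```python
"""Parse IOS IPS signature alerts from a syslog file. Added example, not from the report."""
import re
from collections import Counter

# Field layout of an IOS IPS alert, e.g.
#   %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [A:0 -> B:0] VRF:NONE RiskRating:25
IPS_ALERT_RE = re.compile(
    r"%IPS-\d-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\] "
    r"VRF:(?P<vrf>\S+) RiskRating:(?P<risk>\d+)"
)

# Constructed syslog excerpt: two IPS alerts among ordinary router messages.
SAMPLE_SYSLOG = """\
*Mar  1 00:12:03.511: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 00:13:41.119: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.10.7:0 -> 192.168.30.3:0] VRF:NONE RiskRating:25
*Mar  1 00:13:42.123: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.10.7:0 -> 192.168.30.3:0] VRF:NONE RiskRating:25
*Mar  1 00:15:10.004: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
"""


def parse_alerts(text):
    """Return one dict per IPS alert line; non-IPS syslog lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = IPS_ALERT_RE.search(line)      # search, so a syslog priority/host prefix is fine
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sig", "subsig", "sev", "sport", "dport", "risk"):
            rec[key] = int(rec[key])
        alerts.append(rec)
    return alerts


def summarise(alerts):
    """Count alerts per (source, destination, signature, subsignature)."""
    return Counter((a["src"], a["dst"], a["sig"], a["subsig"]) for a in alerts)


if __name__ == "__main__":
    for (src, dst, sig, subsig), n in summarise(parse_alerts(SAMPLE_SYSLOG)).items():
        print(f"{src} -> {dst}  sig {sig}/{subsig}: {n} alert(s)")
```

If a ping fails but no such line reaches the syslog server, the packet was dropped for some other reason (no route, no default gateway, an access list) and the IPS rule has not been exercised; a timed-out ping on its own does not verify the configuration.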


4. Result

I] Ping between PCs within the network (from 192.168.10.2 to 192.168.10.1). Both hosts are on
the same /24, so this traffic never crosses the router and is not inspected by the IPS rule.

Cisco Packet Tracer PC Command Line 1.0


C:\>ipconfig

FastEthernet0 Connection:(default port)

Connection-specific DNS Suffix..:


Link-local IPv6 Address.........: FE80::204:9AFF:FE11:328C
IPv6 Address....................: ::
IPv4 Address....................: 192.168.10.2
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: ::
0.0.0.0

Bluetooth Connection:

Connection-specific DNS Suffix..:


Link-local IPv6 Address.........: ::
IPv6 Address....................: ::
IPv4 Address....................: 0.0.0.0
Subnet Mask.....................: 0.0.0.0
Default Gateway.................: ::
0.0.0.0

C:\>ping 192.168.10.1

Pinging 192.168.10.1 with 32 bytes of data:

Reply from 192.168.10.1: bytes=32 time=15ms TTL=128


Reply from 192.168.10.1: bytes=32 time<1ms TTL=128
Reply from 192.168.10.1: bytes=32 time<1ms TTL=128
Reply from 192.168.10.1: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.10.1:


Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 15ms, Average = 3ms


II] Ping to a PC of a different network. Note that in the capture below the source
(192.168.10.7/24) and the destination 192.168.10.3 are in the same /24 and the PC has no
IPv4 default gateway configured (0.0.0.0), so these packets would not reach R1 in any case;
the timeouts alone do not show that the IPS rule dropped the traffic. To confirm a drop,
ping an address that really is behind R1 and check the syslog server for the corresponding
IPS alert.

Cisco Packet Tracer PC Command Line 1.0


C:\>ipconfig

FastEthernet0 Connection:(default port)

Connection-specific DNS Suffix..:


Link-local IPv6 Address.........: FE80::203:E4FF:FED7:33C0
IPv6 Address....................: ::
IPv4 Address....................: 192.168.10.7
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: ::
0.0.0.0

Bluetooth Connection:

Connection-specific DNS Suffix..:


Link-local IPv6 Address.........: ::
IPv6 Address....................: ::
IPv4 Address....................: 0.0.0.0
Subnet Mask.....................: 0.0.0.0
Default Gateway.................: ::
0.0.0.0

C:\>ping 192.168.10.3

Pinging 192.168.10.3 with 32 bytes of data:

Request timed out.


Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.10.3:


Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


XII. CONCLUSION

Cyber security is the collection of methods, technologies and processes that help protect
the confidentiality, integrity and availability of computer systems, networks and data
against cyber attacks and unauthorized access. An intrusion detection system is one of the
most effective tools available for detecting potential security threats early and thereby
minimising the damage caused by an attack. Whether the environment is a small home network
or a large corporate infrastructure, an IDS is an essential component of the security
toolkit.
