Combining Anomaly Based Ids And Signature Based Information Technology Essay

Intrusion Detection Systems (IDS) are defined as tools or devices which are used to monitor a system or a machine or a group of users. They try to detect attacks before they take place or after attacks have occurred. IDS collect information from various points in the network to determine of the network is still secure. IDS can be divided into mainly two types: Network Based & Host Based. As the name suggest the respective IDS is used for either a Network or an Individual Host. They both have their advantages and dis-advantages and hence are sometimes combined together to provide extra security (Innella, 2001).

Working of an IDS

An IDS basically can work in two ways:-

Which Citation Styles Can You Handle?

We get a lot of “Can you do MLA or APA?”—and yes, we can! Our writers ace every style—APA, MLA, Turabian, you name it. Tell us your preference, and we’ll format it flawlessly.

1. Anomaly Based

2. Signature Based

Anomaly Based IDS (A-IDS)

A-IDS can be defined as a system which monitor the activities in a system or network and raise alarms if anything anomalous i.e. other than normal behavior is detected. In any organization profiles are created for all users, wherein each user is given some rights to access some data or hardware. These rules and rights are fed to the A-IDS. If a user is using the computer in a time other than the one allotted to him, the A-IDS raises an alert (Carter, 2002).

Carter (2002) & Garcı´a-Teodoro (2009) have also listed some advantages and dis-advantages of A-IDS.

Are Writing Services Legal?

Totally! They’re a legit resource for sample papers to guide your work. Use them to learn structure, boost skills, and ace your grades—ethical and within the rules.

The Advantages are as below:-

1. Inside the network attacks are easily detected by A-IDS.

2. Any user actually abusing his privileges and accessing any other information is easily caught by A-IDS.

What’s the Price for a Paper?

Starts at $10/page for undergrad, up to $21 for pro-level. Deadlines (3 hours to 14 days) and add-ons like VIP support adjust the cost. Discounts kick in at $500+—save more with big orders!

3. Zero day attacks can be detected by A-IDS.

The Dis-Advantages are:-

1. Appropriate Training is required before it is set up in any environment.

2. It is very difficult to train the IDS in a Normal environment as a Normal Environment is very hard to get.

Is My Privacy Protected?

100%! We encrypt everything—your details stay secret. Papers are custom, original, and yours alone, so no one will ever know you used us.

3. It generates false positives.

4. If the suspicious activity is similar to the normal activity it will not be detected.

Signature Based IDS (S-IDS):

This type of IDS is also referred as Misuse Detection IDS. It works on the basis of signatures. Each time an attacker attacks a system, he/she tends to leave some footprints of that attack. Footprints can be failed attack logs, failed logins, etc… These are stored as signatures for IDS. It uses a knowledge base, which is a database which stores the previous details of attacks. Whenever it encounters something it matches it with the records in the knowledge base and if a signature matches it raises an alarm (Baumrucker, 2003).

Carter(2002) has listed some advantages and dis-advantages to these signature based IDS.

Is AI Involved in Writing?

Nope—all human, all the time. Our writers are pros with real degrees, crafting unique papers with expertise AI can’t replicate, checked for originality.

Advantages.

1. It can exactly determine the type of attack.

2. It does not produce false positives.

3. It provides an interface which is also easy for a normal user to monitor.

Why Are You the Best for Research?

Our writers are degree-holding pros who tackle any topic with skill. We ensure quality with top tools and offer revisions—perfect papers, even under pressure.

Dis-Advantages:-

1. We need to update the knowledge with each and every possible type of attack signature.

2. It is necessary to update the database daily.

3. It cannot detect Zero Day Attacks.

Who Writes My Assignments?

Experts with degrees—many rocking Master’s or higher—who’ve crushed our rigorous tests in their fields and academic writing. They’re student-savvy pros, ready to nail your essay with precision, blending teamwork with you to match your vision perfectly. Whether it’s a tricky topic or a tight deadline, they’ve got the skills to make it shine.

4. An Attack in a database, if they are slightly modified then it is difficult to detect.

Hybrid IDS.

Goeldenitz (2002) in his paper has written Hybrid IDS seems to be a logical approach for IDS as one IDS can cover the dis-advantages of another type of IDS. It would be achieved by using various IDS together and then can be placed at various points in the networks like gateways, server links, and various junctions. He also explains that this Hybrid IDS is basically installed on a host like a HIDS, but acts like a NIDS.

Depran et al (2005) have proposed a Hybrid IDS, which is using “KDD 99 dataset”. KDD 99 Dataset is a database which is used by researchers for IDS. The model proposed by them for the IDS is below:-

This model shows it is integrated with both The Anomaly Detection Module and the Signature (Misuse) Detection Module. It also includes a Decision Support System which will receive input from both the Detection Module and then will decide what to do next.

Will My Paper Be Unique?

Guaranteed—100%! We write every piece from scratch—no AI, no copying—just fresh, well-researched work with proper citations, crafted by real experts. You can grab a plagiarism report to see it’s 95%+ original, giving you total peace of mind it’s one-of-a-kind and ready to impress.

Working Rule:

The Rule states if an Attack is detected by any one or both the Detection Systems, then it is termed as an attack. It is termed as Classified Attack if either Signature Based IDS or both have detected the Attack. It is termed as Unclassified Attack if only Anomaly Based IDS has detected the attack.

Snort is a IDS which works on Signature Detection. It works on rules, which in turn are based on the signatures usually written by Intruders. (Rehman, 2003). (Aydin et al, 2009) have explained the pre-processor architecture of Snort and the way they have modified snort to reduce the number of false positives. They have used statistical methods such as PHAD & NETAD for implementing their anomaly based IDS. The main reasons for choosing PHAD is that rather than modelling behaviour, it models protocols. Also it uses a time-based model for the rapid changes in the network. If a series of same anomaly occur then PHAD flags off only the first anomaly, thus reducing the number of false positives.

They have basically combined PHAD & NETAD with the pre-processor of Snort. A Pre-processor is an engine which has the ability to read inside the packets and alert based on the content. A Pre-processor can also modify the content of a packet. This was achieved by Aydin et al (2009) by copying just two files “spp_phad.c” & “spp_netad.cpp” to the folder where “snort.c” lies, some code written and then the project was compiled to obtain a modified Snort as a Hybrid IDS. This snort was tried in various environments and Fig 3. is one of the graph showing the number of attacks detected by Snort + PHAD + NETAD on a daily basis. DARPA data sets were used to test this Hybrid Snort. It is also clear from the graph that the number of attacks detected by snort alone is way lower than the number of attacks detected by the Hybrid Snort. Hence (Aydin et al) also conclude that combining PHAD & NETAD which are Anomaly Based IDS and Siganture Based IDS has more positive results and has contributed successfully.

Future Work

Depren et al (2005) have proposed that different ways can be proposed to implement Anomalous Based IDS and Signature Based IDS. They have also proposed that for AIDS, it would be better to classify the attack based on the network services and then write better rules for analyzing them with less attributes. Also Endorf et al (2003) have written in their book, target detection which has proved to be one of the best reliable and robust methods for Intrusion Detection. They also say that attackers although may be able to evade a signature based IDS, but they cannot bypass target detection which uses strong cryptographic algorithms and uses strong authentication to access the target functions. Commercial tools such as Tripwire, Intruder Alert, ForixNT, etc,… are used by big companies, but are not so widely used by small companies due to price limitations. There are also chances that some Operating Systems might incorporate tools like these so one doesn’t have to depend on external tools.