The rapid development and expansion of the World Wide Web and of local network systems have changed the computing world in the last decade. This highly connected computing world has also equipped intruders and hackers with new facilities for their destructive purposes. The costs of temporary or permanent damage caused by unauthorized access of intruders to computer systems have urged organizations to increasingly implement various systems that monitor the data flow in their networks. These systems are generally referred to as Intrusion Detection Systems (IDSs).
Network security is becoming an issue of paramount importance in the information technology era. The survey conducted in Australia reveals that while 98% of organizations experienced some form of broader computer crime or abuse, 67% suffered a computer security incident. National and international infrastructure is heavily network based across all sectors. As we increasingly rely on information infrastructures to support critical operations in defense, banking, telecommunications, transportation, electric power, e-governance, and many other systems, intrusions into information systems have become a significant threat to our society, with potentially severe consequences.
An intrusion compromises the security (e.g. availability, integrity, and confidentiality) of an information system through various means. Computer systems have become so large and complex, and have assumed so many important tasks, that when things go wrong it is extremely difficult to implement fixes fast enough to avoid mission-critical problems. The fast-growing data transfer rate, the proliferation of networks, and the Internet's unpredictability have added even more problems. Researchers are working hard to develop more efficient, reliable and self-monitoring systems, which detect problems and continue to operate, fixing them without human interaction. This type of approach tries to reduce catastrophic failures of sensitive systems.
There are two main approaches to the design of IDSs. In a misuse detection based IDS, intrusions are detected by looking for activities that correspond to known signatures of intrusions or vulnerabilities. On the other hand, an anomaly detection based IDS detects intrusions by searching for abnormal network traffic. An abnormal traffic pattern can be defined either as the violation of accepted thresholds for the frequency of events in a connection or as a user's violation of the legitimate profile developed for his/her normal behavior. One of the most commonly used approaches in expert system based intrusion detection systems is rule-based analysis using a profile model. Rule-based analysis relies on sets of predefined rules that are provided by an administrator or created by the system. Unfortunately, expert systems require frequent updates to remain current. This design approach usually results in an inflexible detection system that is unable to detect an attack if the sequence of events is even slightly different from the predefined profile. The problem may lie in the fact that the intruder is an intelligent and flexible agent while rule-based IDSs obey fixed rules. This problem can be tackled by the application of soft computing techniques in IDSs. Soft computing is a general term describing a set of optimization and processing techniques that are tolerant of imprecision and uncertainty. The principal constituents of soft computing techniques are Fuzzy Logic (FL), Artificial Neural Networks (ANNs), Probabilistic Reasoning (PR), and Genetic Algorithms (GAs).
There are two general categories of attacks which intrusion detection technologies attempt to identify: anomaly detection and misuse detection. Anomaly detection identifies activities that vary from established patterns for users, or groups of users. Anomaly detection typically involves the creation of knowledge bases that contain the profiles of the monitored activities. The second general approach to intrusion detection is misuse detection. This technique involves the comparison of a user's activities with the known behaviors of attackers attempting to penetrate a system. While anomaly detection typically utilizes threshold monitoring to indicate when a certain established metric has been reached, misuse detection techniques frequently utilize a rule-based approach. When applied to misuse detection, the rules become scenarios for network attacks. The intrusion detection mechanism identifies a potential attack if a user's activities are found to be consistent with the established rules. The use of comprehensive rules is critical in the application of expert systems for intrusion detection.
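The following toy detector, an added example that is not part of the paper, makes the two preceding descriptions concrete: misuse detection as administrator-written rules encoding known attack scenarios, and anomaly detection as (a) an accepted threshold on the frequency of an event within a connection and (b) deviation from a per-user legitimate profile learned from normal traffic. The connection-record format, the two rules, the threshold and the z-score limit are all assumed for illustration, and the records are constructed; the last test record shows the inflexibility the text criticizes, an event sequence sitting just inside a fixed threshold goes unnoticed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records (user, dst_port, failed_logins, bytes_sent); TRAINING is normal traffic.
TRAINING = [("alice", 443, 0, b) for b in (1200, 1500, 900, 1100)] + \
           [("bob", 22, 0, b) for b in (300, 350, 280, 320)]
TEST = [
    ("alice", 443, 0, 1300),   # 0: normal
    ("alice", 443, 12, 900),   # 1: accepted failed-login frequency exceeded
    ("bob", 22, 0, 90000),     # 2: far outside bob's bytes_sent profile
    ("bob", 23, 0, 300),       # 3: matches a misuse rule (cleartext telnet)
    ("carol", 443, 0, 500),    # 4: no legitimate profile exists for this user
    ("bob", 22, 5, 310),       # 5: exactly on the threshold; the fixed rule misses it
]
# Misuse detection: administrator-supplied predicates, one per known attack scenario.
MISUSE_RULES = {
    "telnet-cleartext-login": lambda r: r[1] == 23,
    "known-backdoor-port": lambda r: r[1] == 31337,
}
FAILED_LOGIN_THRESHOLD = 5   # accepted failed logins per connection (assumed value)
Z_LIMIT = 3.0                # allowed distance from the profile, in std devs (assumed)

def build_profiles(records):
    # Legitimate profile per user: (mean, population std dev) of bytes_sent.
    per_user = defaultdict(list)
    for user, _port, _fails, nbytes in records:
        per_user[user].append(nbytes)
    return {u: (mean(v), pstdev(v)) for u, v in per_user.items()}

def misuse_alerts(record):
    return [name for name, rule in MISUSE_RULES.items() if rule(record)]

def anomaly_alerts(record, profiles):
    user, _port, fails, nbytes = record
    alerts = []
    if fails > FAILED_LOGIN_THRESHOLD:                   # frequency-threshold violation
        alerts.append("threshold:failed_logins")
    if user not in profiles:
        alerts.append("profile:unknown_user")
    else:
        mu, sigma = profiles[user]
        if abs(nbytes - mu) > Z_LIMIT * max(sigma, 1.0):  # max() guards sigma == 0
            alerts.append("profile:bytes_deviation")
    return alerts

def detect(records, profiles):
    # Record index -> sorted alert labels, kept only for records that raise any.
    hits = {i: sorted(misuse_alerts(r) + anomaly_alerts(r, profiles))
            for i, r in enumerate(records)}
    return {i: a for i, a in hits.items() if a}
```

Running `detect(TEST, build_profiles(TRAINING))` flags records 1 to 4 with one label each and stays silent on records 0 and 5.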
There are four major categories of networking attacks. Every attack on a network can be placed into one of these groupings.