INTRODUCTION
Computer systems are vulnerable to intrusions. An intrusion is an act of gaining unauthorised access to a system with the aim of compromising its security (Schell, Martin 2006). The intruder's objective is typically to reach the system and acquire confidential information, or to steal or modify the information stored on it. More generally, intruders aim to compromise the confidentiality, integrity and availability of the information held on a system.
The behaviour of an intruder is assumed to differ from that of an authorised user, and this difference is what makes intruders detectable by a range of techniques. According to (Kadam, Deshmukh 2007), intrusion detection is the act of detecting actions and behaviours that attempt to compromise the integrity, confidentiality or availability of a computer resource. It is carried out by an Intrusion Detection System (IDS): a security system or piece of software that flags actions and behaviours which deviate from the “normal” activity usually observed on a system.
An IDS is defined as “a security system that monitors computer systems and network traffic and analyses that traffic for possible hostile attacks originating from outside the organization and also for system misuse or attacks originating from inside the organization” (Sarmah 2019).
An IDS aims to detect intrusions in real time and to respond to them before the intruder obtains confidential information or harms the system. Desirable characteristics of an IDS include minimal human supervision, the ability to update itself through an automated process, high accuracy with a low false alarm rate, a high detection rate (ideally detecting every attack) and a quick response (Choudhary, Swarup 2009; Richariya, Singh, Mishra 2012). An IDS is expected to exhibit most of these characteristics.
Several intrusion detection approaches can be used to implement an IDS: Statistical-Based Anomaly detection, Pattern Matching, Data Mining and Machine Learning. This paper provides an overview of these approaches with their strengths and limitations, identifies the approach that best satisfies the desirable characteristics described above, and then surveys the techniques used within that approach.
METHODOLOGY
The methodology used in this literature review follows the guideline for conducting a systematic literature review of information systems research by (Okoli, Schabram 2012). The existing literature on the approaches used to develop an IDS was reviewed, together with the machine learning techniques used to develop such systems. The strengths and weaknesses of both the approaches and the machine learning techniques are outlined as part of this research.
Searching for the literature
To search for the literature to be included in the study, the following electronic database resources were used: Institute of Electrical and Electronics Engineers (IEEE) Xplore Digital Library, ResearchGate, SpringerLink, ScienceDirect, Association for Computing Machinery (ACM) Digital Library and Google Scholar. The search terms used for finding studies on the approaches were: “Intrusion Detection Approaches”, “Approaches of Intrusion Detection System”, “Approaches for Intrusion Detection”, “Intrusion Detection Techniques”, “Techniques of Intrusion Detection”, “Intrusion Detection using Statistical-Based Anomaly”, “Intrusion Detection using Pattern Matching”, “Intrusion Detection using Data Mining”, and “Intrusion Detection using Machine Learning”. Using these keywords, more than 60 papers were retrieved.
For Machine Learning techniques, the search terms used were: “Machine Learning techniques”, “Intrusion Detection using Support vector machines”, “Intrusion Detection using Fuzzy logic”, “Intrusion Detection using Neural Network”, “Intrusion Detection using Decision Tree”, “Intrusion Detection using Genetic Algorithm”, “Intrusion Detection using Machine Learning” and “Review of Intrusion Detection using Machine Learning”. Using these keywords to search for papers on Machine Learning techniques for developing an IDS, more than 50 papers were retrieved.
Practical screen
The studies considered for examination were those published in journals or conference proceedings between 2009 and 2018 and written in English. Studies outside that period, not written in English, or not focusing explicitly on IDS approaches or on IDSs built with Machine Learning techniques were excluded without further examination.
Quality appraisal
After the practical screen, each article was judged against quality criteria: it had to report performance analysis results, or to highlight specific strengths and limitations of an IDS approach or of a machine learning technique used for intrusion detection. A total of 32 papers met these criteria and were retained for review.
Data extraction and synthesis of studies
Relevant information on IDS approaches or on machine learning techniques for IDSs was then systematically extracted from each retained study, and the extracted findings were combined.
LITERATURE REVIEW
In this section, we first give an overview of the main types of attack that an IDS must detect. We then describe the approaches and techniques used to develop this kind of system, as well as the metrics used to evaluate their performance.
An attack is a security threat that involves, but is not limited to, attempting to steal, obtain or alter information without authorisation, or gaining access to a network without permission. Any activity with characteristics that can compromise information or a network counts as an attack. Four major categories of attack are commonly distinguished: Denial of Service (DoS), User to Root (U2R), Remote to Local (R2L) and Probing (Ahmed, Naser Mahmood, Hu 2016; Agrawal, Soni, Agrawal 2017). This taxonomy, and the attack names given as examples below, come from the DARPA 1998 intrusion detection evaluation and the KDD Cup 99 dataset derived from it, which is why the same four categories recur throughout the IDS literature. The next sections describe each category.
Denial of Service Attack
A Denial of Service attack aims to prevent authorised users from using a computer service, typically by flooding the network or the host so that a connection or service is disrupted. Examples of DoS attacks include Smurf, Land and Ping of Death (Pod) (Dias, Cerqueira, Assis, Almeida 2017).
User to Root Attack
In a User to Root attack the attacker first gains access to a normal user account and then exploits a system vulnerability to obtain root privileges. Examples of U2R attacks are Loadmodule, Rootkit and Buffer_overflow (Dias, Cerqueira, Assis, Almeida 2017).
Remote to Local Attack
In a Remote to Local attack the attacker, who can send packets to a machine over the network but has no account on it, exploits a vulnerability to gain the privileges of a local user of that machine. Examples of R2L attacks are Ftp_write, Warezclient and Imap (Dias, Cerqueira, Assis, Almeida 2017).
Probing
Probing is the automated scanning or monitoring of a network to collect information about it. The attacker gathers information about hosts and services and looks for vulnerabilities that can later be used to attack the network. Examples of probing attacks are Ipsweep, Nmap and Portsweep (Dias, Cerqueira, Assis, Almeida 2017).
Performance metrics/variables
Various performance metrics can be used to evaluate and compare detection techniques. Those used in several of the reviewed studies (Kumar 2014; Agrawal, Soni, Agrawal 2017) are described below.
Accuracy
Accuracy measures how well the IDS separates intrusions from normal activity: it is the ratio of correctly classified instances (detected intrusions plus correctly ignored normal activity) to the total number of instances in the dataset (Agrawal, Soni, Agrawal 2017). Because normal traffic usually dominates, accuracy alone can be misleading: a detector that never raises an alarm scores a high accuracy while detecting nothing, so accuracy should be read together with the false alarm rate defined under Effectiveness below.
Timeliness
Timeliness is the average time taken by the IDS to detect or report an intrusion, measured from the moment the intrusion occurred. The IDS should respond quickly to an intrusion (Agrawal, Soni, Agrawal 2017).
Efficiency
Efficiency concerns the use of the resources allocated to the system for intrusion detection. A system is regarded as efficient if it uses those resources to detect intrusions in a timely manner (Kumar 2014).
Effectiveness
Effectiveness is the ability of the system to distinguish intrusion activity from non-intrusion activity (Kumar 2014). An effective IDS has a low false alarm rate, defined as the ratio of normal instances incorrectly flagged as intrusions to the total number of normal instances (Agrawal, Soni, Agrawal 2017).
Reliability
Reliability is how well a detection approach performs its required functions over a given period under stated conditions, including how it behaves in the event of a failure (Kaur, Kumar, Bhandari 2017).
Implementation cost
Implementation cost is the total cost of deploying a particular detection technique, whether at the source end, at the victim end or in the core network (Kaur, Kumar, Bhandari 2017).
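As an added illustration of the accuracy, effectiveness (false alarm rate) and timeliness metrics defined above, the following Python code computes them from a binary confusion matrix and from attack/alert timestamps. It is not part of the reviewed paper or of any cited study; the label vectors, the two hypothetical detectors and the timestamps are constructed, and the detection rate is included alongside accuracy to make the imbalance caveat concrete.

```python
"""Worked IDS evaluation metrics: accuracy, detection rate, false alarm rate
and timeliness. Added example (not the reviewed paper's code); the label
vectors and timestamps below are constructed for illustration.
Convention: 1 = attack (positive class), 0 = normal activity.
"""
from typing import Dict, Optional, Sequence, Tuple


def confusion_counts(y_true: Sequence[int], y_pred: Sequence[int]) -> Tuple[int, int, int, int]:
    """Return (TP, TN, FP, FN) for binary labels where 1 means attack."""
    if len(y_true) != len(y_pred):
        raise ValueError("label vectors must have the same length")
    tp = tn = fp = fn = 0
    for truth, pred in zip(y_true, y_pred):
        if truth == 1 and pred == 1:
            tp += 1
        elif truth == 0 and pred == 0:
            tn += 1
        elif truth == 0 and pred == 1:
            fp += 1
        else:
            fn += 1
    return tp, tn, fp, fn


def accuracy(tp: int, tn: int, fp: int, fn: int) -> float:
    """Correctly classified instances over all instances."""
    return (tp + tn) / (tp + tn + fp + fn)


def detection_rate(tp: int, tn: int, fp: int, fn: int) -> float:
    """Share of real attacks that raised an alarm (true positive rate)."""
    return tp / (tp + fn) if tp + fn else 0.0


def false_alarm_rate(tp: int, tn: int, fp: int, fn: int) -> float:
    """Share of normal instances wrongly flagged as attacks (false positive rate)."""
    return fp / (fp + tn) if fp + tn else 0.0


def mean_detection_delay(attack_times: Dict[str, float],
                         alert_times: Dict[str, float]) -> Tuple[Optional[float], int]:
    """Timeliness: mean seconds between an attack and its alert, over the
    attacks that were detected, plus the number of attacks never alerted on."""
    delays = [alert_times[k] - t for k, t in attack_times.items() if k in alert_times]
    missed = len(attack_times) - len(delays)
    return (sum(delays) / len(delays) if delays else None), missed


def evaluate(y_true: Sequence[int], y_pred: Sequence[int]) -> Dict[str, float]:
    counts = confusion_counts(y_true, y_pred)
    return {
        "accuracy": accuracy(*counts),
        "detection_rate": detection_rate(*counts),
        "false_alarm_rate": false_alarm_rate(*counts),
    }


# Constructed evaluation set: 1000 connections, of which 20 are attacks.
Y_TRUE = [1] * 20 + [0] * 980
# Hypothetical detector A flags 15 of the 20 attacks and 10 normal connections.
PRED_A = [1] * 15 + [0] * 5 + [1] * 10 + [0] * 970
# Hypothetical detector B never raises an alarm at all.
PRED_B = [0] * 1000

# Constructed timing data in seconds since capture start; attack "a2" was never detected.
ATTACK_TIMES = {"a1": 100.0, "a2": 130.0, "a3": 200.0}
ALERT_TIMES = {"a1": 102.5, "a3": 201.5}

if __name__ == "__main__":
    for name, pred in (("A", PRED_A), ("B", PRED_B)):
        print(name, evaluate(Y_TRUE, pred))
    print("mean delay, missed:", mean_detection_delay(ATTACK_TIMES, ALERT_TIMES))
```

Detector B, which never alerts, still reaches 98% accuracy on this constructed set because 98% of the connections are normal, while its detection rate is zero; detector A has a slightly higher accuracy but a 75% detection rate at a 1% false alarm rate. This is why the reviewed studies report the false alarm rate separately.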
Intrusion detection approaches
An intrusion detection system is a device or software application that monitors a network or system for malicious activity or policy violations (Agrawal, Soni, Agrawal 2017). Several approaches are used to build such systems: Statistical-Based Anomaly detection, Pattern Matching, Data Mining and Machine Learning.
Statistical-Based Anomaly
The Statistical-Based Anomaly detection approach assesses user or system behaviour through statistical analysis of variables such as login-session attributes (Jose, Malathi, Reddy, Jayaseeli 2018). A statistical profile of normal behaviour is built first, and an action whose statistical properties deviate from that profile is classified as an intrusion rather than as normal activity.
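As an added illustration of this approach (not code from the reviewed paper or from any study it cites), the following Python code builds a per-user statistical profile from login-session variables and flags sessions whose combined z-score exceeds a threshold. The baseline sessions, the three variable names and the threshold of 3.0 are constructed assumptions for the example.

```python
"""Statistical-based anomaly detection over login-session variables.

Added example, not the reviewed paper's code. The baseline sessions, the
variable names and the threshold are constructed for illustration.
"""
import math
from statistics import pstdev

VARIABLES = ("login_hour", "duration_min", "mb_transferred")

# Constructed baseline: eight ordinary sessions of one user, each given as
# (login_hour, duration_min, mb_transferred).
BASELINE = [
    (9, 45, 12), (10, 50, 15), (9, 40, 10), (11, 55, 14),
    (10, 48, 13), (9, 52, 11), (10, 47, 12), (11, 44, 16),
]


def build_profile(sessions, min_std=1e-6):
    """Learn per-variable mean and standard deviation from a training window.

    Caveat: any intruder activity inside the window is learned as normal
    (baseline poisoning), so the window must be vetted. A near-constant
    variable gets a floor on its deviation so that a tiny change does not
    turn into an infinite z-score.
    """
    profile = {}
    for i, name in enumerate(VARIABLES):
        values = [s[i] for s in sessions]
        profile[name] = (sum(values) / len(values), max(pstdev(values), min_std))
    return profile


def z_scores(profile, session):
    """How many standard deviations each variable lies from its baseline."""
    return {name: (x - profile[name][0]) / profile[name][1]
            for name, x in zip(VARIABLES, session)}


def anomaly_score(profile, session):
    """Euclidean norm of the z-scores: one combined deviation measure."""
    return math.sqrt(sum(z * z for z in z_scores(profile, session).values()))


def is_anomalous(profile, session, threshold=3.0):
    """Flag a session whose combined deviation exceeds the threshold.

    The threshold sets the trade-off between detection rate and false
    alarms: a lower value catches subtler deviations but alerts more often
    on legitimate variation, which is the false alarm problem noted for
    this approach in the partial conclusions.
    """
    return anomaly_score(profile, session) > threshold


PROFILE = build_profile(BASELINE)

if __name__ == "__main__":
    for session in [(10, 49, 13), (10, 49, 20), (3, 180, 950)]:
        print(session, round(anomaly_score(PROFILE, session), 2),
              is_anomalous(PROFILE, session), z_scores(PROFILE, session))
```

The second test session differs from the baseline in only one variable (about 7 MB more transferred than usual), yet it is flagged because that single deviation is almost four standard deviations wide; the third session, a 3 a.m. login moving hundreds of megabytes, is an unambiguous outlier.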
Pattern Matching
The pattern matching approach detects intrusions by matching incoming traffic against stored patterns (Agrawal, Soni, Agrawal 2017). Current traffic is compared with known attack signatures, so the signature database must be updated frequently, and the system recognises only those attacks for which a signature has already been stored.
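As an added illustration of signature matching (not code from the reviewed paper or from any cited study), the following Python code applies a small set of regular-expression signatures to HTTP request lines. The three signatures and the request lines are constructed; real rule sets are far larger. The example also shows two practical points a signature engine has to handle: percent-encoded (and double-encoded) payloads that evade a literal match unless the input is normalised first, and a benign URL that happens to contain a signature string and so produces a false alarm.

```python
"""Signature (pattern-matching) detection over HTTP request lines.

Added example, not the reviewed paper's code. The signatures and the
sample request lines are constructed for illustration.
"""
import re
from urllib.parse import unquote

# Known-attack signatures: name -> compiled pattern (constructed, minimal).
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./"),
    "etc-passwd-read": re.compile(r"/etc/passwd"),
    "sqli-tautology": re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.IGNORECASE),
}

# Constructed request lines: benign, plain attack, encoded and double-encoded
# variants of the same attack, an SQL injection, and a benign page whose path
# merely mentions /etc/passwd.
REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /../../etc/passwd HTTP/1.1",
    "GET /%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1",
    "GET /%252e%252e%252fetc%252fpasswd HTTP/1.1",
    "GET /login?user=admin'%20or%20'1'='1 HTTP/1.1",
    "GET /kb/linux/etc/passwd-format.html HTTP/1.1",
]


def normalise(payload, decode_rounds=3):
    """Percent-decode until the text stops changing (bounded), so that
    single- and double-encoded payloads match the same literal signatures."""
    text = payload
    for _ in range(decode_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def match_signatures(payload, decode_rounds=3):
    """Names of all signatures that fire on the (normalised) payload.
    decode_rounds=0 matches the raw bytes, as a naive engine would."""
    text = normalise(payload, decode_rounds)
    return [name for name, pattern in SIGNATURES.items() if pattern.search(text)]


def scan(lines, decode_rounds=3):
    """Return (line, matched signature names) for every line that fires."""
    hits = []
    for line in lines:
        names = match_signatures(line, decode_rounds)
        if names:
            hits.append((line, names))
    return hits


if __name__ == "__main__":
    for line in REQUESTS:
        print(f"{match_signatures(line, 0)!s:<40} raw   | {line}")
        print(f"{match_signatures(line)!s:<40} norm  | {line}")
```

Without normalisation the encoded and double-encoded traversal requests and the encoded SQL injection match nothing, which is the "only known, literal patterns" limitation of the approach; after normalisation they match, while the knowledge-base URL still triggers a false alarm because the signature is a substring match rather than a model of intent.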
Data Mining
The data mining approach extracts patterns from large collections of data. It is applied to intrusion detection when the dataset is too large to process by other means (Agrawal, Soni, Agrawal 2017).
Machine Learning
Machine learning is an approach in which a system learns from data and keeps improving as it learns. It is used when new attacks need to be recognised frequently (Agrawal, Soni, Agrawal 2017). Machine Learning techniques include Neural Networks, Fuzzy Logic and Support Vector Machines. Table 1 outlines the aforementioned approaches with their main strengths and limitations.
Partial conclusions
The Statistical-Based Anomaly and Data Mining approaches generate high numbers of false alarms, so they can be considered less accurate, since a low false alarm rate is a prerequisite for high accuracy in an IDS. The Statistical-Based Anomaly approach is therefore not recommended for anomaly detection systems that must be accurate.
The Data Mining approach is also known to be unsuitable for real-time detection. This is a limitation, since intrusions need to be detected early and the IDS must therefore operate in real time.
Intrusion detection systems are developed using different approaches. Ideally, the IDS should be able to detect intrusions, especially the four major categories of attacks (DoS, U2R, R2L and Probing).
Each intrusion detection approach has its strengths and limitations. The machine learning approach is an automated process that hardly needs human intervention, and the ability to run continually with minimal or no human supervision is emphasised as a desirable characteristic of an IDS. The machine learning approach therefore meets the desirable characteristic of minimal human supervision and automation.
The approach should be chosen according to the needs and requirements of the IDS. Given the strengths of the machine learning approach described above, this study recommends it for implementing an IDS that must run continuously with no (or very little) human supervision.
Machine learning techniques
Below, we examine the machine learning techniques that can be used to develop an IDS.
Support Vector Machine
Support vector machines (SVMs) are a machine learning technique used for classification, data analysis and pattern recognition (Chowdhury, Ferens, Ferens 2016). SVMs have been used to implement IDSs that provide real-time detection of intrusions (Shah, Hayat, Awan 2015).
Fuzzy Logic
Fuzzy logic can be used in anomaly-based IDSs because it supports decision making and reasoning under uncertainty (Shah, Hayat, Awan 2015). Fuzzy techniques allow an object to belong to several classes at the same time with different degrees of membership, which is useful when an observation is neither clearly normal nor clearly an intrusion (Singh, Nene 2013).
Artificial Neural Network
An Artificial Neural Network (ANN) is a mathematical model that can be used for classification (Shah, Hayat, Awan 2015). It estimates whether the input data matches the characteristics it has been trained to recognise (Jha, Ragha 2013). (Patel, Jhaveri 2015) point out that the main objective of using a neural network for intrusion detection is to learn the behaviour of the different actors in the system. IDSs can also be developed using Deep Learning, which (Chollet 2017) defines as “a subfield of machine learning: a new take on learning representations from data that puts an emphasis on learning successive layers of increasingly meaningful representations”. According to (Ponkarthika, Saraswathy 2018), Deep Learning achieves high-level abstractions of the data through a complex architecture, which gives the IDS a high detection rate. Convolutional Neural Networks (CNNs) and Recurrent Neural Networks (RNNs) are currently the two Deep Learning architectures most commonly used to build IDSs.
CNNs extend traditional feed-forward networks and have been reported to improve the accuracy of intrusion detection for threat classification by using enhanced behavioural features. Several studies (Liu, Liu, Zhao 2017; Vinayakumar, Soman, Poornachandran 2017; Mohammadpour, Ling, Liew, Chong 2018) indicate that CNN-based IDSs still need further work, such as reducing the false alarm rate, increasing the amount of normal data learned (again to reduce false alarms), and training and testing on real rather than synthetic data.
RNNs can be used for supervised classification and can generalise what they have learned to identify both seen and unseen threats (Mohammadpour, Ling, Liew, Chong 2018). RNNs also have strong modelling capabilities for intrusion detection, giving high accuracy and detection rate with a low false positive rate, particularly on the NSL-KDD dataset (Lin, Lin, Wang, Wu, Tsai 2018). For intrusion detection, RNNs tend to outperform models such as CNNs, which were designed for image-processing applications (Vani 2007).
Decision Trees
Decision Trees are a powerful model (Shah, Hayat, Awan 2015) for classification problems (Singh, Nene 2013). (Rai, Devi, Guleria 2016) describe a Decision Tree as a tree-like graph in which each internal node represents a test on an attribute, each branch an outcome of that test, and each leaf node a class label. Because they are powerful classifiers, decision trees are used to implement IDSs that classify network activity and thereby detect intrusions.
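As an added illustration of the structure just described (not code from the reviewed paper or from any cited study), the following Python code induces a small ID3-style decision tree from constructed connection records: each internal node tests one attribute chosen by information gain, each branch is one attribute value, and each leaf is a class label. The records, attribute names (protocol, service, TCP flag) and labels are constructed and only mimic KDD-style fields; the induction uses the standard entropy-based split and is not taken from (Rai, Devi, Guleria 2016).

```python
"""ID3-style decision tree for classifying connection records.

Added example, not the reviewed paper's code. The training records are
constructed and only mimic KDD-style fields; the labels are illustrative.
"""
import math
from collections import Counter

ATTRIBUTES = ["protocol", "service", "flag"]

# Constructed training set: one record per network connection.
TRAIN = [
    {"protocol": "tcp",  "service": "http",    "flag": "SF",  "label": "normal"},
    {"protocol": "tcp",  "service": "http",    "flag": "SF",  "label": "normal"},
    {"protocol": "udp",  "service": "dns",     "flag": "SF",  "label": "normal"},
    {"protocol": "tcp",  "service": "smtp",    "flag": "SF",  "label": "normal"},
    {"protocol": "tcp",  "service": "http",    "flag": "SF",  "label": "normal"},
    {"protocol": "icmp", "service": "ecr_i",   "flag": "SF",  "label": "attack"},  # echo-reply flood
    {"protocol": "icmp", "service": "ecr_i",   "flag": "SF",  "label": "attack"},
    {"protocol": "tcp",  "service": "private", "flag": "S0",  "label": "attack"},  # SYN, no reply
    {"protocol": "tcp",  "service": "private", "flag": "S0",  "label": "attack"},
    {"protocol": "tcp",  "service": "private", "flag": "REJ", "label": "attack"},
    {"protocol": "tcp",  "service": "http",    "flag": "S0",  "label": "attack"},  # SYN flood on 80
]


def entropy(labels):
    """Shannon entropy (bits) of a label multiset."""
    n = len(labels)
    return -sum((c / n) * math.log2(c / n) for c in Counter(labels).values())


def information_gain(rows, attr):
    """Entropy reduction obtained by splitting rows on attr."""
    before = entropy([r["label"] for r in rows])
    after = 0.0
    for value in {r[attr] for r in rows}:
        subset = [r["label"] for r in rows if r[attr] == value]
        after += len(subset) / len(rows) * entropy(subset)
    return before - after


def majority(rows):
    return Counter(r["label"] for r in rows).most_common(1)[0][0]


def build_tree(rows, attrs):
    """Return a label (leaf) or a node {attr, branches, default}."""
    labels = {r["label"] for r in rows}
    if len(labels) == 1:
        return labels.pop()                # pure leaf
    if not attrs:
        return majority(rows)              # no attribute left to test
    best = max(attrs, key=lambda a: information_gain(rows, a))
    node = {"attr": best, "branches": {}, "default": majority(rows)}
    remaining = [a for a in attrs if a != best]
    for value in sorted({r[best] for r in rows}):
        node["branches"][value] = build_tree([r for r in rows if r[best] == value], remaining)
    return node


def classify(tree, record):
    """Walk from the root to a leaf; an attribute value never seen in
    training falls back to the node's majority label (a known weakness
    of trees over categorical data with many values)."""
    node = tree
    while isinstance(node, dict):
        node = node["branches"].get(record.get(node["attr"]), node["default"])
    return node


def rules(tree, path=()):
    """Flatten the tree into (tests, label) rules, one per root-to-leaf path."""
    if not isinstance(tree, dict):
        return [(path, tree)]
    out = []
    for value, subtree in tree["branches"].items():
        out.extend(rules(subtree, path + ((tree["attr"], value),)))
    return out


MODEL = build_tree(TRAIN, ATTRIBUTES)

if __name__ == "__main__":
    for tests, label in rules(MODEL):
        print(" AND ".join(f"{a}={v}" for a, v in tests), "->", label)
```

On this data the root tests service (largest information gain); only the http branch is impure and is split again on flag, so the tree reads as a handful of IF-THEN rules an analyst can audit, which is the model's main operational advantage over opaque classifiers.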
Genetic Algorithm
Genetic Algorithms (GAs) are a search and optimisation technique based on the principles of genetics and natural selection (Wang, Yang, Ren 2009). According to (Sharma, Nema 2013), GAs have recently been used to support IDSs by creating new detection rules from existing ones; because they rely on selection and evolution, they can also produce high-quality IDS rule sets.
Naïve Bayesian Networks
Naïve Bayesian networks are among the most widely used graphical models for representing and handling uncertain information (Amor, Benferhat, Elouedi 2003). The Naïve Bayes classifier is the special case of a Bayesian network in which the class node is the single parent of every feature node, so the features are assumed conditionally independent given the class. (Amor, Benferhat, Elouedi 2003) showed that Naïve Bayes, despite this simple structure and strong independence assumption, provides competitive results in detecting intrusions, and that it has properties that make it useful and accurate, which are desired characteristics of an IDS.
Table 2 outlines the aforementioned Machine Learning techniques with their strengths and limitations.
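As an added illustration of the Naïve Bayes technique described above (not code from the reviewed paper or from (Amor, Benferhat, Elouedi 2003)), the following Python code trains a categorical Naïve Bayes classifier with Laplace smoothing on constructed connection records and classifies new connections. The records, feature names (protocol, service, TCP flag) and labels are constructed and only mimic KDD-style fields.

```python
"""Naive Bayes classifier over categorical connection features.

Added example, not the reviewed paper's code. The records below are
constructed and only mimic KDD-style fields; the labels are illustrative.
"""
import math
from collections import Counter

FEATURES = ("protocol", "service", "flag")

# Constructed training set: (protocol, service, flag, label).
TRAIN = [
    ("tcp",  "http",    "SF",  "normal"),
    ("tcp",  "http",    "SF",  "normal"),
    ("udp",  "dns",     "SF",  "normal"),
    ("tcp",  "smtp",    "SF",  "normal"),
    ("tcp",  "http",    "SF",  "normal"),
    ("icmp", "ecr_i",   "SF",  "attack"),   # echo-reply flood, Smurf-like
    ("icmp", "ecr_i",   "SF",  "attack"),
    ("tcp",  "private", "S0",  "attack"),   # SYN without reply, flood-like
    ("tcp",  "private", "S0",  "attack"),
    ("tcp",  "private", "REJ", "attack"),
    ("tcp",  "http",    "S0",  "attack"),   # SYN flood against port 80
]


class NaiveBayes:
    """The class is the single parent of every feature, so the joint
    probability factorises into a prior times per-feature conditionals.
    alpha is Laplace smoothing: a feature value never seen with a class
    gets a small non-zero probability instead of zeroing the class out."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha

    def fit(self, rows):
        self.total = len(rows)
        self.class_counts = Counter(r[-1] for r in rows)
        self.vocab = {f: {r[i] for r in rows} for i, f in enumerate(FEATURES)}
        self.counts = {c: {f: Counter() for f in FEATURES} for c in self.class_counts}
        for r in rows:
            for i, f in enumerate(FEATURES):
                self.counts[r[-1]][f][r[i]] += 1
        return self

    def _log_joint(self, record, cls):
        """log P(cls) + sum_i log P(feature_i = value_i | cls), smoothed."""
        score = math.log(self.class_counts[cls] / self.total)
        for i, f in enumerate(FEATURES):
            numerator = self.counts[cls][f][record[i]] + self.alpha
            denominator = self.class_counts[cls] + self.alpha * len(self.vocab[f])
            score += math.log(numerator / denominator)
        return score

    def posterior(self, record):
        """Normalised P(class | record), computed in log space for stability."""
        scores = {c: self._log_joint(record, c) for c in self.class_counts}
        top = max(scores.values())
        weights = {c: math.exp(s - top) for c, s in scores.items()}
        total = sum(weights.values())
        return {c: w / total for c, w in weights.items()}

    def predict(self, record):
        post = self.posterior(record)
        return max(post, key=post.get)


MODEL = NaiveBayes().fit(TRAIN)

if __name__ == "__main__":
    for conn in [("icmp", "ecr_i", "SF"), ("tcp", "http", "SF"),
                 ("tcp", "http", "S0"), ("tcp", "ftp", "S0")]:
        print(conn, MODEL.predict(conn), {k: round(v, 3) for k, v in MODEL.posterior(conn).items()})
```

The last test connection uses a service (ftp) absent from the training data; smoothing lets the classifier still reach a decision from the remaining features, here the S0 flag, instead of failing on the unseen value. Training is a single counting pass over the data, which is what makes the technique fast to fit and to apply compared with the other models surveyed here.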
DISCUSSION
As set out in the partial conclusions above, an IDS should ideally detect the four major attack categories (DoS, U2R, R2L and Probing); the Statistical-Based Anomaly and Data Mining approaches suffer from high false alarm rates, and the latter is unsuited to real-time detection; and the machine learning approach, being an automated process that hardly needs human intervention, best matches the desirable characteristic of minimal human supervision. While the approach should be chosen according to the needs and requirements of the IDS, this study therefore recommends the machine learning approach for an IDS that must run continuously with no (or very little) human supervision.
Different Machine Learning techniques used for intrusion detection have their strengths and limitations.
Bayesian Network techniques can incorporate prior knowledge when detecting intrusions; without a well-constructed classifier, however, the IDS may not reach the expected accuracy.
Fuzzy Logic is known to be effective at detecting probes, but it consumes substantial resources during detection.
Genetic Algorithms cannot guarantee consistent optimisation response times, which is unsuitable for an IDS, since it requires a predictable response time to detect intrusions.
Decision Trees work well when detecting intrusions in very large datasets and provide high detection accuracy. They also perform well in real-time intrusion detection, where they give the highest detection performance. However, their classification accuracy can drop significantly when attributes have many categories.
Support Vector Machines provide real-time detection capability and the ability to update the training patterns dynamically whenever a new pattern appears during classification. On the other hand, the raw features SVMs require for classification increase the complexity of the architecture and reduce detection accuracy.
Neural Networks can make decisions quickly and detect intrusions in real time with high accuracy. This is a strong characteristic for intrusion detection, since intrusions must be detected in real time to prevent attackers from harming the system. Neural networks also do not require expert knowledge, so they need minimal human intervention to detect intrusions. Recurrent Neural Networks in particular offer higher accuracy and detection rate together with a low false positive rate, and can therefore be considered ideal for building an IDS.
CONCLUSIONS
This study provided an overview of the different approaches used to implement an IDS. The results show that each approach has strengths and limitations that could be addressed to improve it. It is concluded that the Machine Learning approach is suitable for implementing real-time IDS solutions with no (or little) human supervision, because it works as an automated process that hardly needs human intervention. The study therefore recommends the Machine Learning approach for implementing an IDS.
This study also provided an overview of the Machine Learning techniques used to implement IDSs. The results show that these techniques have different strengths and limitations. It is concluded that Neural Networks are suitable for implementing real-time IDS solutions because of their ability to make decisions quickly, and that they need minimal human intervention to detect intrusions. The study specifically found Recurrent Neural Networks to be ideal for building an IDS, as they provide high accuracy and detection rate together with a low false positive rate. The study therefore recommends Neural Networks for implementing effective IDSs that need minimal human intervention and detect intrusions in real time.