Artificial Intelligence and Data Mining Approaches in Security Frameworks. Group of authors

2.3 An overview of intrusion detection system (IDS).

      All the three components of an intrusion detection system can be integrated into a single device.

      2.5.1 Types of IDS

      An intrusion can be detected either on a network or on an individual system, and therefore we have three types of IDS, namely: Network-Based, Host-Based and Hybrid IDS.

       2.5.1.1 Network-Based IDS

      Advantages

      Following are the advantages of a Network-Based IDS:

      1 They can be made invisible to improve the security against attacks.

      2 Large networks can be monitored by a network-based IDS.

      3 This IDS can give better output without disrupting the normal operation of the network.

      4 It is easy to fit an IDS into an existing network.

      Limitations

      Limitations of Network-Based IDS are as follows:

      1 Information encrypted by virtual private networks cannot be analysed by a network-based IDS.

      2 Successful implementation of a network-based IDS depends on the intermediate switches present in the network.

      3 A network-based IDS would become unstable and crash when attackers fragment their packets and release them.

       2.5.1.2 Host-Based IDS

      Advantages

      Following are the advantages of Host-Based IDS:

      1 It can detect even those attacks that are not detected by a Network-Based IDS.

      2 To detect attacks involving software integrity breaches, it works on the audit log trails of the operating system.

      Disadvantages

      Disadvantages of Host-Based IDS are as follows:

      1 Various types of DoS (Denial of Service) attacks can disable the Host-Based IDS.

      2 Attacks that target the network cannot be detected by a host-based IDS.

      3 It is very difficult to configure and manage every individual system.

       2.5.1.3 Hybrid IDS

      It is a combination of network-based and host-based IDS that forms a structure for next-generation intrusion detection systems. This arrangement is generally known as a fusion/hybrid intrusion detection system. Combining network-based and host-based IDS would significantly improve resistance against a few more attacks. Data mining techniques required for IDS are Pattern Matching, Classification and Feature Selection.

      Phishing is a kind of social engineering attack generally used to steal a user's data, such as login credentials and credit card numbers. Fraudulent people usually create forged websites that pass themselves off as honest ones. Because of the phishing activities of attackers, users mistakenly lose their money. Therefore, a critical step must be taken for the protection of online trading. The quality of the extracted features determines the prediction and classification accuracy for a website. Most internet users rely on an anti-phishing tool to feel safe against phishing attacks. An anti-phishing tool is required to predict phishing accurately. The content of phishing websites, along with security indicators, may provide a set of clues within the browser. Various methods have been proposed to handle the problem of phishing. For predicting phishing attacks, rule-based classification, which is a data mining technique, is used as a proficient method. If an attacker sends an email to victims requesting them to reveal their personal information, it is an indication of phishing. To create convincing phishing websites, phishers use a set of common features. We can distinguish between phishy and non-phishy websites on the basis of the features extracted from the visited website.

      Identification of phishing sites can be done with the help of two approaches:

      1 Blacklist based: The requested URL is compared with the other URLs that are present in that list.

      2 Heuristic based: Certain features are collected from various websites and labeled as either phishy or genuine.
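The two approaches above can be combined in one check: a blacklist lookup first, then rules over features extracted from the URL. The following Python sketch is an added example, not code from the book; the feature set, the thresholds, the rule ("one strong indicator or any two weak ones") and the blacklist entries are all assumptions chosen for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed blacklist entries (placeholders, not real indicators).
BLACKLIST = {"login-update.example.net", "secure-pay.example.org"}

def _host(url):
    """Lower-cased hostname without port or trailing dot; '' if absent."""
    return (urlsplit(url.strip()).hostname or "").rstrip(".").lower()

def blacklisted(url, blacklist=BLACKLIST):
    """Blacklist approach: compare the requested URL's host with the list."""
    return _host(url) in blacklist

def extract_features(url):
    """Heuristic approach: lexical URL features (assumed, illustrative set)."""
    parts = urlsplit(url.strip())
    host = _host(url)
    try:
        ipaddress.ip_address(host)
        ip_host = True
    except ValueError:
        ip_host = False
    return {
        "ip_as_host": ip_host,                 # raw IP instead of a name
        "at_sign": "@" in parts.netloc,        # userinfo hides the real host
        "long_url": len(url) > 75,             # assumed threshold
        "many_subdomains": host.count(".") >= 4 and not ip_host,
        "hyphen_in_host": "-" in host,
        "no_https": parts.scheme != "https",
    }

def classify(url, blacklist=BLACKLIST):
    """Return (label, reasons): blacklist first, then rules over features."""
    if blacklisted(url, blacklist):
        return "phishy", ["blacklist"]
    fired = [name for name, hit in extract_features(url).items() if hit]
    # Assumed rule set: one strong indicator, or any two weak ones.
    strong = {"ip_as_host", "at_sign"} & set(fired)
    label = "phishy" if strong or len(fired) >= 2 else "genuine"
    return label, fired
```

Normalising the host before the lookup matters for the blacklist path: without it, a change of letter case or a trailing dot in the requested URL would miss an entry that is on the list.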

      There