Intrusion Detection Systems: The Next Generation (11/2014)


Running Head: INTRUSION DETECTION SYSTEMS: THE NEXT GENERATION

Intrusion Detection Systems: The Next Generation

Trisha A. Fuselier

University of Maryland University College

Abstract

Many security experts believe that intrusions are inevitable. This can be attributed to the growing sophistication of advanced threats: threats that use multiple phases to break into a network, perform surveillance over time while avoiding detection, then harvest valuable information or initiate an attack. Intrusion prevention has its merits, but it may not be the ultimate goal in some environments. In fact, intrusion detection affords more knowledge about the type of attack, the source, and the damage it can cause. Because intrusions are believed to be inevitable, a major focus and trend is on detection and remediation. The purpose of this paper is to prove that advances in intrusion detection technology, as we near the release of the third generation of intrusion detection systems (IDSs) known as adaptive intrusion detection, will be able to combat the ever-increasing sophistication of cyber attackers and their constantly evolving new threats. The paper explores the evolution of intrusion detection through its history and two generations, types of intrusions, types of systems, components, methods, and approaches. It concludes with the current status of research for the third generation: its strengths, weaknesses and challenges.

Intrusion Detection Systems: The Next Generation

Common sense would have one believe that intrusion prevention would be a priority over intrusion detection. But security experts tend to agree that intrusions are inevitable. It is no longer a matter of if one will experience a cyber attack or intrusion, but rather when it will occur. The problem with prevention is in the architecture itself: the openness of the internet and the systems connecting to it make it, by design, difficult to secure. Another challenge is the growing sophistication of advanced threats that use multiple phases to break into a network, perform surveillance over time while avoiding detection, then harvest valuable information or initiate an attack (Advanced persistent threats, n.d.). Anti-virus solutions, firewalls and intrusion prevention systems (IPSs) are not typically effective solutions on their own to combat such threats. And even if they were, preventing the attack is not always the goal. Honeypots are being used to lure attackers into a simulated network or host so that more information can be gleaned about the type of attack, source, damage, etc. In fact, there is a recommendation to shift some resources away from prevention and apply them to rapid threat detection and remediation that prevents loss or damage to the organization (RSA Technical Brief, 2014). Intrusion detection's purpose, then, is to first identify the intrusion activities, then determine the type, source and risk (Xufei, Yonghui, Yanhui, & Jing, 2013), and generally guide the response, which could include reporting to a security administrator or recommending or applying defensive measures that would prevent the intrusion or lessen its impact (Bensefia & Ghoualmi-Zine, 2014, Chapter 14). Interestingly, one paper proposed the use of two intrusion detection systems (IDSs) that would work in conjunction with other security solutions (Elfeshawy & Faragallah, 2013). The suggested architecture is depicted in Figure 1.

Figure 1. IDS in front of the firewall. From Divided Two-part Adaptive Intrusion Detection System, by N. A. Elfeshawy and O. S. Faragallah, 2013, Wireless Networks (10220038), 19(3), p. 309.

This configuration allows IDS1 to report on each attack detected, allowing the network administrator to monitor the network. Next, the firewall's responsibility is to prevent attacks. However, if the firewall were positioned as the first line of defense, the network would not be aware of these attacks. Introducing IDS1 in front of the firewall allows for the reporting; then the firewall can go about the task of preventing some attacks. After that, IDS2 would only deal with packets that make it through the firewall, which results in fewer alarms and less load on this core IDS. IDS2's main responsibility is to inform the IPS of any attacks so that those remaining attacks can be prevented. The IDS and IPS could and should work together. In fact, some devices combine these two solutions into one physical or virtual appliance. Some vendors include IDS functionality in the IPS and vice versa. Either way, it is generally agreed that a defense in depth strategy is always better than a single solution. The two are gaining usefulness because of the sophistication of the types of security threats and because of increasing government pressure for security compliance, regulations and accountability (Intrusion detection system/intrusion prevention system (IDS/IPS) market, 2014). While both of these solutions are important for overall security (IDS for visibility and IPS for control), the focus of this paper is on intrusion detection systems: their evolution, where they are today, where they are headed, their challenges and successes, and, more importantly, the paper aims to prove that advances in this technology will be able to combat the ever-increasing sophistication of cyber attackers and their constantly evolving new threats.

IDS Evolution

History. In 1980, James Anderson introduced the concept of intrusion detection in his report entitled Computer Security Threat Monitoring and Surveillance (Anderson, 1980).
He stated that it was possible to determine normal use of a computer system by using the records, called audit trails, of the user's habitual use. By doing so, abusive use, privilege abuse and excessive use can also be determined, which would in turn uncover attacks underway or past attacks. In 1986, Dorothy Denning, who is currently a Distinguished Professor at the Naval Postgraduate School in the Department of Defense Analysis, took this theory to the next level by developing a prototype called the Intrusion Detection Expert System (IDES) for Stanford Research Institute (Bensefia & Ghoualmi-Zine, 2014, Chapter 14). The final system was to be used on government computers, as the government provided the research grants. Not only was it the first intrusion detection system (IDS), it was also the first model that contained the necessary knowledge to conduct intrusion detection (Bensefia & Ghoualmi-Zine, 2014, Chapter 14). A new research area and technology was born.

Types of Intrusions

In order to understand intrusion detection technology, it is important to first understand the types of intrusions, the types of systems and components, and the methods and approaches used both past and present. The four main categories of intrusions, followed by some of the more well-known attack names, are depicted in Table 1.

Table 1

Types of Intrusions and Some of the More Well-known Attack Names

Types of Intrusions | Name of the Attack
Denial of Service: prevents legitimate users from using the service or resources | Back, Land, Neptune, Pod, Smurf, Teardrop
Probes: also known as surveillance, this attack tends to be carried out over a long period of time and the actual attack is delayed until surveillance has taken place. It finds available, legitimate IP addresses | Satan, IPsweep, Nmap, Portsweep
Remote to Local (R2L): this attack occurs when the attacker does not have an account on the computer but gains access and modifies data | FTP_write, Imap, Guess_passwd, Phf, Spy, Warezclient, Multihop, Warezmaster
User to Root (U2R): in this type of attack a legitimate user gains access to privileges usually reserved for root users | Buffer_overflow, Load module, Perl, Root kit

Adapted from An Enhanced Rule Approach for Network Intrusion Detection Using Efficient Data Adapted Decision Tree Algorithm, by G. V. Nadiammai and M. M. Hemalatha, 2013, Journal of Theoretical & Applied Information Technology, 47(2), p. 427.

Types of Systems

Intrusion detection serves to monitor and analyze system events in order to find, and provide real-time or near-real-time warning of, attempts at unauthorized access (Stallings & Case, 2013). An intrusion detection system is one that protects data integrity, confidentiality and system availability from attacks (Nadiammai & Hemalatha, 2013). According to Araar and Bouslama (2014), it can be software or a device that monitors a system or network for malicious activities and policy violations, then produces reports on these activities to a management console. Hodge and Austin (as cited in Hongzia, 2014) state there are three predominant categories of intrusion detection systems:

1. Host-based (HIDS): The analysis of the detection occurs on the computer system by analyzing operating system event logs, integrity of system files, system processes and applications, all incoming and outgoing (host) traffic, and user behavior including access to files and folders, privileged services, or attempts to install software (Bensefia & Ghoualmi-Zine, 2014, Chapter 14).

2. Network-based (NIDS): Analyzes packets on the network using sensors to capture the traffic, and a control and an engine to perform the analysis (Bensefia & Ghoualmi-Zine, 2014, Chapter 14).

3. Hybrid: Combines the analysis and advantages of host-based and network-based detection systems. Strategically employing both a HIDS and a NIDS on the right machines and network segments, according to the attack types to be detected, can result in significant security gains (Bensefia & Ghoualmi-Zine, 2014, Chapter 14).

More recently, a fourth type of system has been added in keeping with current network environments: a wireless-based intrusion detection system.

Components. Intrusion detection systems contain the following logical components (Stallings & Case, 2013):

Sensors: Sensors gather data from any part of the system. Examples are packets, log files, and system call traces.

Analyzers: Analyzers receive the sensor data, or data from other analyzers, process the information and determine whether an intrusion has taken place. The output in and of itself is an indication that an intrusion has taken place; it may contain the evidence supporting that conclusion, as well as guidance for the next steps, i.e. prevention, remediation, and mitigation.

User Interface: This functionality allows the security administrator to interact with the output and configure the system.

Methods

The IDS is meant to detect both internal misuse of the computer and network resources and the information residing on those resources, and external attacks (Elfeshawy & Faragallah, 2013). Depren, Topallar, Anarim, and Ciliz (as cited in Xufei et al., 2013) state that intrusion detection can be categorized into two methods: Anomaly-Detection and Misuse-Detection.

Anomaly-Detection. According to Lazarevic et al. (as cited in Bensefia & Ghoualmi-Zine, 2014), the anomaly detection method is characterized by two phases: the training phase and the recognition phase. The training phase starts with the creation of a normal baseline, i.e. normal use of the computer over a specified period of time. This could include user login and logout, number of files accessed in a period of time, usage of disk space, memory, etc. (Elfeshawy & Faragallah, 2013). Then, as monitored activities differ from the established patterns of users, a warning is generated. This is the recognition phase. At times the warnings are wrong; the two types of error are false positives, which are alarms raised on benign activity, and false negatives, which are attacks that should have been flagged but were not (Nadiammai & Hemalatha, 2013). A goal of the IDS is to keep the number of both as low as possible and produce only true positives and true negatives. Benefits of this method include the detection of new attacks without any prior knowledge of the attack, and the detection of privilege abuse by legitimate users (Bensefia & Ghoualmi-Zine, 2014, Chapter 14). But creating and understanding a baseline involves the expertise and intuition of a security professional, and therefore it is not fully automated (Bensefia & Ghoualmi-Zine, 2014, Chapter 14).
Another problem with this method is the fact that the baseline could contain an undetected intrusion, or the attacker could train the system by gradually initiating the attack and therefore go undetected because it is seen as normal behavior (Bensefia & Ghoualmi-Zine, 2014, Chapter 14). The challenge with this method is ensuring that deviations from normal behavior are detected while at the same time allowing for the inevitable changing of the system over time as applications are added, etc. (Elfeshawy & Faragallah, 2013). In other words, a normal baseline is a moving target, and the IDS must be able to detect abnormal behavior but also allow adaptations. Fortunately, some IDSs can be informed of some changes and the normal baseline can be updated at regular intervals, but again, at least in the current generation, this is not completely and successfully automated. Also, this method tends to result in a high number of false positives due to a dynamically changing host or network, or even changing job responsibilities and related tasks (Bensefia & Ghoualmi-Zine, 2014, Chapter 14). And finally, because this method does not have any prior knowledge about attacks, it cannot predict the attack type or type of intrusion, or the classification and sub-classification within that type, which is needed in order to employ the correct response (Bensefia & Ghoualmi-Zine, 2014, Chapter 14).

Misuse-Detection. Signature-based detection, on the other hand, compares current activity with a rule-based expert system: a list of known attacks that have been recorded as signatures (Elfeshawy & Faragallah, 2013). This process is similar to how anti-virus software scans files and memory looking for patterns indicative of known attacks in the vendor's database. The benefit of this method is a low false positive rate (Bensefia & Ghoualmi-Zine, 2014, Chapter 14). The obvious challenge in this method is making sure the activities are compared against a quality, up-to-date list.
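As an added illustration of the two methods just described (example code, not from the paper or the works it cites), the following Python sketch runs a misuse signature for Guess_passwd and a per-user statistical baseline over constructed host audit records, then tallies true and false positives and negatives for each method and for their combination. The record layout, the two thresholds and the records themselves are assumptions of the example.

```python
import statistics
from collections import defaultdict

# Constructed host audit records for the training phase: one row per user per
# hour of normal activity, as (user, hour, files_accessed, failed_logins).
TRAINING = [
    ("alice", 9, 12, 0), ("alice", 10, 15, 1), ("alice", 11, 10, 0),
    ("alice", 14, 14, 0), ("alice", 15, 11, 0), ("alice", 16, 13, 0),
    ("bob", 9, 40, 0), ("bob", 10, 45, 0), ("bob", 11, 38, 1),
    ("bob", 14, 42, 0), ("bob", 15, 47, 0), ("bob", 16, 41, 0),
]

# Constructed records for the recognition phase, each with a ground-truth label:
# "normal", "known" (Guess_passwd, an R2L attack from Table 1, for which a
# signature exists) or "novel" (privilege abuse that no signature describes).
TEST = [
    ("alice", 9, 13, 0, "normal"),
    ("bob", 10, 44, 0, "normal"),
    ("alice", 3, 400, 0, "novel"),   # off-hours bulk file access, no signature
    ("bob", 11, 39, 9, "known"),     # repeated failed logins: Guess_passwd
    ("bob", 14, 95, 0, "normal"),    # legitimate heavy workload: anomaly false positive
]

FAILED_LOGIN_THRESHOLD = 5   # misuse signature for Guess_passwd (assumed value)
Z_THRESHOLD = 3.0            # anomaly threshold in standard deviations (assumed value)


def build_baseline(records):
    """Training phase: per-user mean and standard deviation of files accessed."""
    per_user = defaultdict(list)
    for user, _hour, files, _failed in records:
        per_user[user].append(files)
    return {u: (statistics.mean(v), statistics.stdev(v)) for u, v in per_user.items()}


def misuse_detect(rec):
    """Signature method: fires only on a pre-recorded attack pattern."""
    return rec[3] >= FAILED_LOGIN_THRESHOLD


def anomaly_detect(rec, baseline):
    """Recognition phase: fires when activity deviates from the user's normal profile."""
    user, files = rec[0], rec[2]
    if user not in baseline:
        return True          # an account with no normal profile is itself a deviation
    mean, std = baseline[user]
    if std == 0:
        return files != mean  # degenerate profile: any change is a deviation
    return abs(files - mean) / std > Z_THRESHOLD


def confusion(detector, records):
    """Count true/false positives and negatives against the ground-truth labels."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for rec in records:
        alert, attack = detector(rec), rec[4] != "normal"
        if alert and attack:
            counts["tp"] += 1
        elif alert:
            counts["fp"] += 1
        elif attack:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


def evaluate(training=TRAINING, test=TEST):
    """Run both methods and their combination over the test records."""
    baseline = build_baseline(training)

    def anomaly(rec):
        return anomaly_detect(rec, baseline)

    def hybrid(rec):
        return misuse_detect(rec) or anomaly(rec)

    return {
        "misuse": confusion(misuse_detect, test),
        "anomaly": confusion(anomaly, test),
        "hybrid": confusion(hybrid, test),
    }


if __name__ == "__main__":
    for method, counts in evaluate().items():
        print(f"{method:8s} {counts}")
```

On these records the signature method misses the novel attack but raises no false alarm, the baseline catches the novel attack at the cost of one false positive, and the combination misses nothing.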
Since the attack signatures must be pre-recorded, new attacks are difficult to detect using this method. And it is not effective at detecting privilege abuse, since attack signatures are not used in such attacks (Bensefia & Ghoualmi-Zine, 2014, Chapter 14).

Approaches

The two methods, anomaly and misuse, are used in a variety of intrusion detection approaches. Table 2 describes six approaches that are considered benchmarks in the development of intrusion detection systems (Elfeshawy & Faragallah, 2013). According to Bace and Mell, Lacasse, Lazarevic et al., and M et al. (as cited in Bensefia & Ghoualmi-Zine, 2014, Chapter 14), the two methods, applied through various approaches, are separate but complementary in that each has certain strengths that, if combined, reduce the other's weaknesses.

Table 2

Comparison between Different Intrusion Detection Approaches

Detection approach | Detection principle | Input for detection approach | Detect known attack | Detect unknown attack | Performance of the detection approach
Statistical | Anomaly | Audit data, user profiles and behaviors, quantitative and qualitative parameters; a favorite of first generation IDS | Yes | Yes | Moderate
RBF Neural network | Anomaly | Audit data, predicting next command based on previous behavior | Yes | Yes | Moderate
Data mining | Anomaly; Misuse | Audit records, knowledge base | Yes | Yes | Moderate
Expert System | Misuse | Audit records, knowledge base of known intrusions; uses a rule base for desired behavior or normal baseline. Also a favorite of first generation IDS. | Yes | No | High
Pattern Recognition | Misuse | Audit records, attack signatures | Yes | No | High
Machine learning | Misuse; Anomaly | Audit data, known attack patterns expressed as a binary vector | Yes | No | Low

Adapted from Divided two-part adaptive intrusion detection system, by N. A. Elfeshawy and O. S. Faragallah, 2013, Wireless Networks (10220038), 19(3), p. 307. doi:10.1007/s11276-012-0467-7

IDS Generations

First generation: the classical IDS. To date, there have been two generations of intrusion detection systems. The first generation systems were manual in nature and passive in that they simply monitored information (Nadiammai & Hemalatha, 2013). They were typically designed for specific issues and therefore were not generalized or adaptable (Nadiammai & Hemalatha, 2013). In fact, they were customized for the specific environment and could not be easily adapted for use in other environments, even those sharing a similar security policy (Bensefia & Ghoualmi-Zine, 2014, Chapter 14). They required human expertise in audit data analysis, normal profile creation, and attack signature coding and analysis, which was tedious, time-consuming and lacking in automation (Bensefia & Ghoualmi-Zine, 2014, Chapter 14). In addition, there was not a definitive way to define normal use. There was also a lack of capacity for handling a large amount of audit data (Bensefia & Ghoualmi-Zine, 2014, Chapter 14). And as Kumar and Spafford pointed out (as cited in Bensefia & Ghoualmi-Zine, 2014, Chapter 14), there were no standards for experimentation and performance evaluation.

Second generation. The limitations of the classical IDS led to research that integrated data mining approaches into the second generation of IDSs, also known as data mining based IDSs. Data mining is the process of finding correlations, associations, patterns, changes, and anomalies using a computerized process that would otherwise be difficult to find with the human eye (Phung, 2000). Its purpose in the intrusion detection arena was to remove some of the manual processes, thus reducing the need for human expertise, to reduce the ad hoc limitations, and to address the issues in processing large audit data sets (Bensefia & Ghoualmi-Zine, 2014, Chapter 14).
Basically, the data mining approach combined the anomaly-based detection audit data, which attempts to determine normal use patterns, with misuse or signature-based detection audit data, then analyzed the combined volume through an automated process (Bensefia & Ghoualmi-Zine, 2014, Chapter 14). However, the process requires an initial purification of the data set, which remained a manual process, in order to ensure the learning phase only included normal activities (Bensefia & Ghoualmi-Zine, 2014, Chapter 14). After that, the data mining-based IDS can identify the data upon arrival and forecast it automatically, giving it a more active approach (Nadiammai & Hemalatha, 2013). In addition, the signatures can be generalized in order to detect dynamically changing attack signatures, i.e. variations of the attack signature which are used to evade detection (Jun, Song, Zhenyu, & Ming, 2012). This generalization process has optimized the ability to detect new attacks over what was possible in the first generation (Bensefia & Ghoualmi-Zine, 2014, Chapter 14). However, generalization has its limits over time and becomes inefficient due to new attack methods which differ greatly from the already known attacks (Bensefia & Ghoualmi-Zine, 2014, Chapter 14). The good news is that different data mining approaches can be used simultaneously and their results can be compared and correlated (Bensefia & Ghoualmi-Zine, 2014, Chapter 14). This is known as an ensemble approach, the benefit being that if one approach fails to detect an attack, another approach can detect it. Overall, the second generation of IDSs produces a lower false positive rate than the first generation and is generally more effective and more accurate (Bensefia & Ghoualmi-Zine, 2014, Chapter 14). However, this generation is also more complex and still shares some of the same limitations of the first generation.
Some manual processes remained or were added, ad hoc functionality continued, and the deployments were costly because each environment needed its own trained data set, and these needed to be updated regularly for the best performance (Bensefia & Ghoualmi-Zine, 2014, Chapter 14).

The third generation: the adaptive IDS. Despite the advances, the major problem with both generations of intrusion detection systems remains the inability to fully protect against new patterns of attacks in a dynamically changing environment (Bensefia & Ghoualmi-Zine, 2014, Chapter 14). This is further complicated by other issues with this technology, namely: a lack of unified standards; proprietary systems that cannot exchange information for greater coverage of threats detected from other sources; lack of a timely response; many solutions result in significant false positives and false negatives; and IDSs cannot easily inspect encrypted data in the flow without performing some additional steps or measures (Hongxia, 2014). She discusses the following as possible solutions to the current IDS pitfalls, some of which will be discussed in more detail:

1. A unified, standard intrusion detection system
2. Distributed intrusion detection capable of detecting a distributed network attack
3. Application layer intrusion detection
4. Intelligent intrusion detection with self-learning and adaptive capabilities
5. Cooperation with other network systems and technologies in order to expand the scope of its security

Intelligent intrusion detection: Big data, adaptability and automation. The RSA Technical Brief (2014) states that greater security can be achieved by combining people, process and technology into one intelligence-driven security approach.
This new approach would include big data and automation: collecting and analyzing data from internal sources such as PCs, mobile devices, servers and internal networks, as well as data from external sources such as threat intelligence about attacks on other organizations, including the security response used. Intelligent intrusion detection includes an artificial intelligence technique. It begins with the anomaly method by storing the user's stream of commands in a library and using these as a reference for normal behavior, as stated earlier (Elfeshawy & Faragallah, 2013). But it takes it a step further by allowing computers to learn from the input data (sensor data or databases, for example). The focus and goal of this research is for computers to recognize complex patterns and be able to act autonomously based on that data (Elfeshawy & Faragallah, 2013). If the IDS could adjust to each change in the environment appropriately, it would be better able to detect new attack patterns, thus improving performance (Bensefia & Ghoualmi-Zine, 2014, Chapter 14). This is the next generation of IDSs, known as adaptive intrusion detection. Bensefia and Ghoualmi-Zine (2014) define IDS adaptability as the continuous automatic incremental learning of the intrusive and normal behaviors in a system. The detection process follows that of its predecessors but adds new, generalized attack signatures automatically once it confirms a new attack (Bensefia & Ghoualmi-Zine, 2014, Chapter 14). Likewise, rules generated from false positives will be automatically deleted, once confirmed as false positives, of course. It is where machine learning integrates with data mining. According to Elfeshawy and Faragallah (2013), machine learning occurs through the development and use of algorithms and other techniques so that information can be derived from data automatically, allowing the system to reason and even make predictions based on that data (Bensefia & Ghoualmi-Zine, 2014, Chapter 14).
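The learning cycle described above, as an added example that is not code from the paper or the works it cites: a rule base that turns an analyst-confirmed anomaly alert into a generalized signature, drops and suppresses a rule once an alert is confirmed as a false positive, and refuses to store contradictory verdicts (the contradictory-rule problem noted later for LIDS). The key=value event format, the choice of wildcarded fields and the FTP drop-directory events are constructed assumptions.

```python
import re

# Fields whose values differ between instances of the same attack and are
# therefore wildcarded when a confirmed event becomes a signature. This split
# of the constructed "key=value" audit format is an assumption of the example.
VARIABLE_FIELDS = {"src", "file", "pid", "ts"}


def generalize(event):
    """Turn one confirmed event into a regex that also matches its variants."""
    parts = []
    for token in event.split():
        key, sep, _value = token.partition("=")
        if sep and key in VARIABLE_FIELDS:
            parts.append(re.escape(key) + r"=\S+")
        else:
            parts.append(re.escape(token))
    return "^" + r"\s+".join(parts) + "$"


class AdaptiveRuleBase:
    """Signature store that learns from analyst-confirmed verdicts."""

    def __init__(self):
        self.signatures = {}     # generalized pattern -> attack class
        self.suppressed = set()  # generalized patterns confirmed as false positives

    def triage(self, event):
        """Known attack, confirmed-benign pattern, or anomaly to hand to the analyst."""
        for pattern, attack_class in self.signatures.items():
            if re.match(pattern, event):
                return "known:" + attack_class
        if any(re.match(p, event) for p in self.suppressed):
            return "suppressed"
        return "review"

    def confirm_attack(self, event, attack_class):
        """Analyst confirmed an anomaly alert: add a generalized signature."""
        pattern = generalize(event)
        if pattern in self.suppressed:
            # The same pattern was earlier judged benign; adding it would create
            # contradictory rules, so escalate rather than silently overwrite.
            raise ValueError("contradictory verdicts for pattern: " + pattern)
        self.signatures[pattern] = attack_class
        return pattern

    def confirm_false_positive(self, event):
        """Analyst rejected an alert: drop the rule that produced it and suppress."""
        pattern = generalize(event)
        self.signatures.pop(pattern, None)
        self.suppressed.add(pattern)
        return pattern


def demo():
    """Walk one rule base through learning a new attack and forgetting a false positive."""
    rb = AdaptiveRuleBase()
    # Constructed audit events: anonymous uploads to an FTP drop directory
    # (the Warezmaster pattern from Table 1) and a nightly backup job.
    first = "ftp user=anonymous src=198.51.100.7 cmd=STOR dir=/pub/incoming file=pack_1.zip"
    variant = "ftp user=anonymous src=203.0.113.9 cmd=STOR dir=/pub/incoming file=pack_2.zip"
    benign = "ftp user=alice src=10.1.1.1 cmd=STOR dir=/home/alice file=report.pdf"
    backup1 = "backup user=svc_backup src=10.0.0.2 cmd=STOR dir=/backups file=full_20141115.tar"
    backup2 = "backup user=svc_backup src=10.0.0.2 cmd=STOR dir=/backups file=full_20141116.tar"

    trace = [rb.triage(first)]                    # no rule yet: "review"
    rb.confirm_attack(first, "R2L/Warezmaster")   # analyst confirms; signature learned
    trace.append(rb.triage(variant))              # variant is now "known:R2L/Warezmaster"
    trace.append(rb.triage(benign))               # different user and dir: still "review"
    trace.append(rb.triage(backup1))              # backup job: "review" (anomaly alert)
    rb.confirm_false_positive(backup1)            # analyst rejects; pattern suppressed
    trace.append(rb.triage(backup2))              # next night's backup: "suppressed"
    try:
        rb.confirm_attack(backup2, "R2L/Warezmaster")
        trace.append("accepted")
    except ValueError:
        trace.append("contradiction")             # conflicting verdicts are escalated
    return trace


if __name__ == "__main__":
    print(demo())
```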
These new models are automatically built using these learning algorithms. Since they are general in nature, they are easily adapted, leading to coverage of new attack patterns that does not become inefficient over time and omitting some manual processes like retraining on the data (Bensefia & Ghoualmi-Zine, 2014, Chapter 14). According to Lee and Stolfo (as cited in Bensefia & Ghoualmi-Zine, 2014, Chapter 14), data mining is but one of a set of converging technologies including statistics, pattern recognition, machine learning and databases. The interdependencies and advances in technology are closely connected.

Cooperation with other network systems and technologies. One example of this would be to employ the services of a managed security service provider (MSSP) who compiles threat alerts from publicly available sources, as well as conducting its own external research, to constantly update databases of known attacks. Such providers utilize big data security tools which can then integrate large volumes of information from traditional sources (other organizations' threat intelligence, for example) and non-traditional sources such as building entry and exit logs. Regarding the latter, when key card scanners are used to enter or exit a building, the logs can be compared to remote logins to legitimize (or not) the logins (The RSA Technical Brief, 2014). These types of correlations, using big data, are valuable new ways to detect intrusions. Big data is being used along with security analytics to roll out "what if" capabilities (The RSA Technical Brief, 2014). This will have a huge impact on predicting future threats. And these same approaches can be applied to historical data, gleaning even more threat information, as well as any damage that occurred.
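The badge-log correlation the RSA brief describes, as an added example not taken from the paper or the brief: each remote login is checked against the user's most recent building badge event, and a remote session while the user is recorded as still inside is flagged for review. The log formats, the records and the 15-minute grace window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed building access-control log: (user, timestamp, direction).
BADGE_LOG = [
    ("alice", "2014-11-15 08:02", "IN"),
    ("alice", "2014-11-15 17:31", "OUT"),
    ("bob", "2014-11-15 08:45", "IN"),      # bob never badges out that day
]

# Constructed remote-access log: (user, timestamp, service).
REMOTE_LOGINS = [
    ("alice", "2014-11-15 12:10", "vpn"),   # alice is inside the building
    ("alice", "2014-11-15 21:15", "vpn"),   # alice left at 17:31; plausible
    ("bob", "2014-11-15 19:05", "vpn"),     # bob is still inside per the badge log
    ("carol", "2014-11-15 10:00", "vpn"),   # no badge record at all
]

# A VPN session that starts shortly after badging in (a laptop reconnecting as
# the user walks in) is tolerated; the window is an assumed tuning value.
GRACE = timedelta(minutes=15)


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def last_badge_before(user, when, badge_log):
    """Most recent (timestamp, direction) badge event for user at or before when."""
    prior = [(parse(ts), d) for u, ts, d in badge_log if u == user and parse(ts) <= when]
    return max(prior) if prior else None


def correlate(badge_log, remote_logins, grace=GRACE):
    """Label each remote login by whether the physical-presence record agrees with it."""
    findings = []
    for user, ts, service in remote_logins:
        when = parse(ts)
        last = last_badge_before(user, when, badge_log)
        if last is None:
            verdict = "uncorroborated"   # no physical record to compare against
        elif last[1] == "IN" and when - last[0] > grace:
            verdict = "inconsistent"     # badged in, yet logging in remotely
        else:
            verdict = "consistent"
        findings.append((user, ts, service, verdict))
    return findings


def inconsistent_logins(badge_log=BADGE_LOG, remote_logins=REMOTE_LOGINS):
    """Only the logins that merit analyst review."""
    return [(u, ts) for u, ts, _svc, verdict in correlate(badge_log, remote_logins)
            if verdict == "inconsistent"]


if __name__ == "__main__":
    for finding in correlate(BADGE_LOG, REMOTE_LOGINS):
        print(finding)
```

Users with no badge record are reported separately rather than flagged, so a missing data source lowers coverage without inflating the false positive count.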
One of big data's major benefits is processing power: threat information collection and analysis that used to take hours or longer can now be done in minutes, shrinking the organization's exposure time (The RSA Technical Brief, 2014) and thus providing true value for this new generation of intrusion detection systems.

Approaches. Adaptive IDSs, like the previous generations, have different approaches being tested; however, each approach seems to come with a set of strengths and weaknesses, some of which are covered below (Bensefia & Ghoualmi-Zine, 2014, Chapter 14).

The Cerebellar Model Articulation Controller (CMAC) neural network can detect known attacks and new patterns of attacks, with continuous autonomous learning of the new patterns of attacks, and it can adapt to environment changes, but it can only cover the main class of denial-of-service attacks and not subclasses (Bensefia & Ghoualmi-Zine, 2014, Chapter 14). This is a limitation.

The Learning Intrusion Detection System (LIDS) can detect the attacks, determine their effects, and incrementally update the normal patterns and rules, but this approach is not clearly defined yet (p. 258). Furthermore, the early alerts could be false positives, thus wasting the administrator's time and the network's performance (Bensefia & Ghoualmi-Zine, 2014, Chapter 14). Yet another issue with this approach is the potential for contradictory rules in the rule base (Bensefia & Ghoualmi-Zine, 2014, Chapter 14).

The Parallel Hierarchical Intrusion Detection System (PHIDS) combines anomaly and signature-based detection, which, as was stated earlier, improves overall detection performance. It has a hierarchy of less complex processes allowing each process to fully contribute to the detection process, but it lacks the learning of new normal behavior patterns (Bensefia & Ghoualmi-Zine, 2014, Chapter 14).
The Principal Component Analysis Neural Network Intrusion Detection System (PCANN-IDS) provides the same benefits as PHIDS, but the decomposition of the complex processes is more granular (than PHIDS) and it allows for main class and subclass classification (Bensefia & Ghoualmi-Zine, 2014, Chapter 14). However, it is also missing the functionality to learn new patterns of normal behavior, and the learning of new attacks is periodic, not incremental, and has a fixed threshold (Bensefia & Ghoualmi-Zine, 2014, Chapter 14).

The Adaptive Rule-based Intrusion Detection Architecture (ARIDA) integrates the Learning Classifier System (LCS), an approach for an adaptive system that interacts with a dynamically changing environment. It allows for the incremental learning of new attack patterns and new normal behavior patterns, but it remains dependent on human expertise, which can impact the response time and the performance of the IDS (Bensefia & Ghoualmi-Zine, 2014, Chapter 14).

Design issues. The standard data sets that are used for research and evaluation, like DARPA 98, KDD-Cup 99 and NSL-KDD (DARPA being the original and the latter two variations of the original data set), are older, simulated, designed to be used offline, and they may contain redundant records that skew the results (Bensefia & Ghoualmi-Zine, 2014, Chapter 14). Using a more recent live data set would definitely be more representative of today's environments, but it would likely result in some sort of security breach or privacy issues. For these reasons, the simulated training and testing data sets continue to be used, but their ability to test for new emerging attacks is in question and creates challenges in the design and testing of the approaches.

Dependency issues. Lunt presented (as cited in Hongzia, 2014) that the improvement of intrusion detection systems is dependent on the ongoing research that strengthens statistical analysis and other related technologies.
It is not a stand-alone solution that can be researched and tested on its own merit; many dependencies exist. Another example, as with most technology tools, is that it will only be as effective as the people using it and the processes in place (The RSA Technical Brief, 2014). In fact, in addition to the intelligence-driven security tools, a cross-disciplinary team with specialized skills in some or all of the areas of forensics, coding, managing threat intelligence, breach management, penetration testing, and data analysis may be needed (The RSA Technical Brief, 2014). These same security professionals will devise ways and assemble tools like tripwires and honeypots to lure the attackers into their environment and stalk them in order to compile information about the attack activities and damages, as well as the source of the attack. But skill-sets are only part of the equation. The organization also needs operational guidelines supporting the appropriate use of the technology. It will require a blending of the skills, the processes and the technology to enable the greatest amount of effectiveness (The RSA Technical Brief, 2014).

Conclusion

Clearly, many strides have been made in this field, and research work on adaptable intrusion detection continues. To date, each approach has its strengths and weaknesses, but not one has successfully offered a continuous automatic learning capacity. This is likely due to the fact that the adaptive functionality is relatively new to intrusion detection. In fact, it was not included in the first two generations, as it was not considered a priority by the research community or IDS leaders (Bensefia & Ghoualmi-Zine, 2014, Chapter 14). Until adaptability is integrated into intrusion detection as core functionality, combating advanced persistent threats will remain a challenge. More focused research is underway and should, in time, produce more efficient, more sustainable intrusion detection functionality with better performance.
Even then, the technology is dependent on other related technologies such as statistical analysis, data mining, pattern recognition and artificial intelligence to name a few. Design issues continue contributable to the fact there is not a unified standard. This results in interoperability issues with other security tools and offerings thereby limiting scope. The evaluative process is limited, as well, by the use of older data sets that are not representative of todays environments. Manual processes continue as does the reliance on human expertise. Permanent coverage of new attack patterns cannot be obtained until many of these challenges are addressed. And so the arms race between malicious attackers and security professionals will continue into the foreseeable future. However, integrating an intrusion detection system as part of a defense in depth solution can be an integral part of a security strategy depending on the goals of the organization. It can provide much needed visibility into the attack, the source of the attack, the damage the attack can or has caused, as well as, guide the response to mitigate damages. It can also provide accountability for organizations who want to meet certain standards or who are bound by federal regulations. Intrusion detection technology is gaining speed and usefulness; it is a force in itself to be reckoned with, and one that in time with the right technology advances might outperform advanced persistent threats.
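The redundancy problem raised under Design issues above can be measured directly: the script below is an added illustration, not part of this paper or of any cited work. Its records are constructed in a simplified KDD-Cup 99 layout (six features rather than 41) and its "signature" rules are hypothetical; it shows how exact-duplicate rows inflate both a trivial majority baseline and a rule-based detector's accuracy until the duplicates are removed, which is what NSL-KDD did to KDD-Cup 99.

```python
"""Constructed illustration: duplicate records in a KDD-Cup-99-style set inflate scores."""
from collections import Counter

# Constructed, simplified records, not rows from the real data set:
# duration,protocol,service,flag,src_bytes,dst_bytes,label. The heavy
# duplication of smurf/neptune rows mirrors the property being illustrated.
RAW_RECORDS = (
    ["0,tcp,http,SF,181,5450,normal",
     "0,tcp,http,SF,239,486,normal",
     "0,tcp,http,SF,235,1337,normal",
     "0,udp,domain_u,SF,44,133,normal",
     "0,tcp,private,REJ,0,0,neptune"]
    + ["0,tcp,private,S0,0,0,neptune"] * 4
    + ["0,icmp,ecr_i,SF,1032,0,smurf"] * 10
)

def parse(line):
    """Split one CSV record into (feature tuple, label)."""
    fields = line.strip().split(",")
    return tuple(fields[:-1]), fields[-1]

def dedupe(records):
    """Drop exact duplicate records, keeping the first occurrence."""
    seen, unique = set(), []
    for rec in records:
        if rec not in seen:
            seen.add(rec)
            unique.append(rec)
    return unique

def label_counts(records):
    return Counter(parse(r)[1] for r in records)

def duplicate_fraction(records):
    return 1 - len(dedupe(records)) / len(records)

def majority_accuracy(records):
    """(label, accuracy) of a classifier that always predicts the commonest label."""
    label, n = label_counts(records).most_common(1)[0]
    return label, n / len(records)

def rule_accuracy(records):
    """Accuracy of a hypothetical signature set that misses REJ-flag neptune probes."""
    def predict(f):
        if f[1] == "icmp" and f[2] == "ecr_i":
            return "smurf"
        if f[1] == "tcp" and f[3] == "S0":
            return "neptune"
        return "normal"
    return sum(predict(f) == lab for f, lab in map(parse, records)) / len(records)
```

On the raw records the majority baseline scores 10/19 by guessing "smurf" and the rule set 18/19; after deduplication the same rule set drops to 6/7 and the majority label changes to "normal", which is the skew the paper warns about.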

References

Advanced persistent threats: How they work. (n.d.). Symantec. Retrieved on October 13, 2014 from http://www.symantec.com/theme.jsp?themeid=apt-infographic-1

Anderson, J. P. (1980, February 26 [revised April 14]). Computer security threat monitoring and surveillance (Contract 79F296400). NIST. Retrieved on November 15, 2014 from http://csrc.nist.gov/publications/history/ande80.pdf

Araar, A., & Bouslama, R. (2014). A comparative study of classification models for detection in IP network intrusions. Journal of Theoretical & Applied Information Technology, 64(1), 107-114.

Bensefia, H., & Ghoualmi-Zine, N. (2014). Adaptive intrusion detection systems: The next generation of IDSs. In A. Amine, O. Mohamed, & B. Benatallah (Eds.), Network security technologies: Design and applications (pp. 239-269). doi:10.4018/978-1-4666-4789-3.ch014

Elfeshawy, N. A., & Faragallah, O. S. (2013). Divided two-part adaptive intrusion detection system. Wireless Networks (10220038), 19(3), 301-321. doi:10.1007/s11276-012-0467-7

Hongxia, S. (2014). Adaptive packet context-constrained KL-divergence model for intrusion detection. Journal of Networks, 9(8), 2045-2050. doi:10.4304/jnw.9.8.2045-2050

Intrusion detection system/intrusion prevention system (IDS/IPS) market global advancements forecasts & analysis (2014-2019) [Abstract]. (2014, April 10). Fast Market Research. Retrieved on November 8, 2014 from http://www.fastmr.com/prod/810691_intrusion_detection_systemintrusion_prevention.aspx

Jun, W., Song, L., Zhenyu, Z., & Ming, Z. (2012). Toward intelligent intrusion prediction for wireless sensor networks using three-layer brain-like learning. International Journal of Distributed Sensor Networks, 1-14. doi:10.1155/2012/243841

Nadiammai, G. V., & Hemalatha, M. M. (2013). An enhanced rule approach for network intrusion detection using efficient data adapted decision tree algorithm. Journal of Theoretical & Applied Information Technology, 47(2), 426-433.

Phung, M. (2000, October 24). Intrusion detection FAQ: Data mining in intrusion detection. SANS. Retrieved on November 12, 2014 from http://www.sans.org/security-resources/idfaq/data_mining.php

Stallings, W., & Case, T. (2013). Business data communications: Infrastructure, networking and security (7th ed.). Boston: Pearson.

The RSA technical brief: Building an intelligence-driven security operations center. (2014, June). EMC Corporation. Retrieved on October 10 from http://www.emc.com/collateral/technical-documentation/h11533-intelligence-driven-security-ops-center.pdf

Xufei, Z., Yonghui, F., Yanhui, Z., & Jing, Z. (2013). A novel multi-layered immune network intrusion detection defense model: MINID. Journal of Networks, 8(3), 636-644. doi:10.4304/jnw.8.3.636-644