Intrusion detection system

Any intrusion activity or violation is typically either reported to an administrator or collected centrally using a security information and event management (SIEM) system.

Intrusion detection systems can also serve specific purposes by augmenting them with custom tools, such as using a honeypot to attract and characterize malicious traffic.

This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators.

This system can average a 99.9% detection and classification rate, based on research results for 24 network attacks divided into four categories: DoS, Probe, Remote-to-Local, and User-to-Root.

A HIDS monitors the inbound and outbound packets from the device only and will alert the user or administrator if suspicious activity is detected.

Since these models can be trained according to the applications and hardware configurations, machine-learning-based methods generalize better than traditional signature-based IDS.
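To make the two detection styles mentioned on this page concrete (signature matching against known patterns, and a statistics-based anomaly check), here is a small added example that is not code from any real IDS product. It runs both checks over a constructed set of flow records: the signature names, the regular expressions, the addresses and the z-score threshold are all assumptions made for illustration.

```python
import re
import statistics
from collections import Counter, namedtuple

# Constructed flow record: source address, destination port, payload excerpt.
Flow = namedtuple("Flow", "src dport payload")

# Hypothetical signature table. Real rule sets (Snort/Suricata style) carry far
# more metadata per rule; this toy keeps only a name and a compiled pattern.
SIGNATURES = [
    ("http-path-traversal", re.compile(r"\.\./")),
    ("sql-union-select", re.compile(r"(?i)\bunion\b.{0,40}\bselect\b")),
]


def signature_alerts(flows):
    """Signature-based detection: one alert per (flow, matching signature)."""
    alerts = []
    for f in flows:
        for name, pattern in SIGNATURES:
            if pattern.search(f.payload):
                alerts.append((f.src, f.dport, name))
    return alerts


def anomaly_alerts(flows, z_threshold=1.5):
    """Statistics-based anomaly detection over per-source flow counts.

    A source is flagged when its flow count is more than z_threshold
    population standard deviations above the mean. The threshold is a
    constructed value for this sample, not a recommended setting.
    """
    counts = Counter(f.src for f in flows)
    values = list(counts.values())
    if len(values) < 2:
        return []                      # no baseline to compare against
    mean = statistics.fmean(values)
    sd = statistics.pstdev(values)
    if sd == 0:
        return []                      # every source behaves identically
    return sorted(src for src, n in counts.items() if (n - mean) / sd > z_threshold)


def run_ids(flows):
    """Combine both detectors, as a hybrid IDS would, and report alerts."""
    return {
        "signature": signature_alerts(flows),
        "anomaly": anomaly_alerts(flows),
    }


def sample_flows():
    """Constructed traffic: a handful of ordinary web requests from four hosts,
    two payloads that match a signature, and one host that touches 40 ports."""
    normal = [
        Flow("10.0.0.2", 443, "GET /index.html"),
        Flow("10.0.0.2", 443, "GET /about.html"),
        Flow("10.0.0.3", 443, "GET /index.html"),
        Flow("10.0.0.3", 80, "GET /img/logo.png"),
        Flow("10.0.0.3", 443, "POST /login"),
        Flow("10.0.0.4", 443, "GET /search?q=1 union select password"),
        Flow("10.0.0.4", 443, "GET /index.html"),
        Flow("10.0.0.4", 443, "GET /contact.html"),
        Flow("10.0.0.5", 80, "GET /static/app.js"),
        Flow("10.0.0.5", 80, "GET /static/app.css"),
        Flow("10.0.0.5", 80, "GET /../../etc/passwd"),
        Flow("10.0.0.5", 80, "GET /index.html"),
    ]
    # One source contacting many ports with empty payloads: nothing for a
    # signature to match, but a clear statistical outlier in flow count.
    scanner = [Flow("10.0.0.9", port, "") for port in range(20, 60)]
    return normal + scanner


if __name__ == "__main__":
    for kind, alerts in run_ids(sample_flows()).items():
        print(kind, alerts)
```

The point of the split is that the two payload-level hits are invisible to the count-based check, and the port-touching host is invisible to the signature check; a deployment that relies on only one of them misses the other class of event.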

In particular, NTA deals with malicious insiders as well as targeted external attacks that have compromised a user machine or account.

Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts.

An IPS can also correct cyclic redundancy check (CRC) errors, defragment packet streams, mitigate TCP sequencing issues, and clean up unwanted transport and network layer options.

The IDS in this position also assists in decreasing the amount of time it takes to discover successful attacks against a network.

Sometimes an IDS with more advanced features will be integrated with a firewall in order to be able to intercept sophisticated attacks entering the network.

Examples of advanced features would include multiple security contexts in the routing level and bridging mode.

There are a number of techniques that attackers use; the following are considered 'simple' measures that can be taken to evade an IDS:

The earliest preliminary IDS concept was delineated in 1980 by James Anderson at the National Security Agency and consisted of a set of tools intended to help administrators review audit trails.

Dorothy E. Denning, assisted by Peter G. Neumann, published a model of an IDS in 1986 that formed the basis for many systems today.

The author of "IDES: An Intelligent System for Detecting Intruders", Teresa F. Lunt, proposed adding an artificial neural network as a third component.

Wisdom & Sense (W&S) was a statistics-based anomaly detector developed in 1989 at the Los Alamos National Laboratory.

The Network Security Monitor (NSM) performed masking on access matrices for anomaly detection on a Sun-3/50 workstation.

The Information Security Officer's Assistant (ISOA) was a 1990 prototype that considered a variety of strategies including statistics, a profile checker, and an expert system.

ComputerWatch at AT&T Bell Labs used statistics and rules for audit data reduction and intrusion detection.

The Lawrence Berkeley National Laboratory announced Bro in 1998, which used its own rule language for packet analysis from libpcap data.

The Audit Data Analysis and Mining (ADAM) IDS in 2001 used tcpdump to build profiles of rules for classifications.

In 2015, Viegas and his colleagues [58] proposed an anomaly-based intrusion detection engine targeting System-on-Chip (SoC) implementations, for applications such as the Internet of Things (IoT).

In the literature, this was the first work to implement each classifier equivalently in software and in hardware and to measure its energy consumption on both.

Additionally, it was the first time that the energy consumption of extracting each feature used for network packet classification was measured, in both the software and the hardware implementation.
