{"id":101548,"date":"2025-08-27T03:54:35","date_gmt":"2025-08-27T03:54:35","guid":{"rendered":"https:\/\/essays.homeworkacetutors.com\/computer-intrusion-and-intrusion-detection-systems\/"},"modified":"2025-08-27T03:54:35","modified_gmt":"2025-08-27T03:54:35","slug":"computer-intrusion-and-intrusion-detection-systems","status":"publish","type":"post","link":"https:\/\/www.colapapers.com\/us\/computer-intrusion-and-intrusion-detection-systems\/","title":{"rendered":"Computer Intrusion and Intrusion Detection Systems"},"content":{"rendered":"<div class=\"content position-relative mb-4\">\n<div>\n<p><strong>CHAPTER ONE<\/strong><\/p>\n<p><strong>LITERATURE REVIEW<\/strong><\/p>\n<ol>\n<li>Computer Intrusion and Intrusion Detection Systems<\/li>\n<\/ol>\n<p>Computer intrusion, the process of illegitimately obtaining unauthorized access to a computer system, is a serious problem today. Examples of major losses caused by computer intrusion are published regularly, and over the years this has made intrusion one of the key research areas in computer security and in computer science generally. Intruders fall into two classes: internal intruders and external intruders. Internal intruders [32] are users who legitimately have access to the system or network but try to illegitimately raise their privileges in order to obtain privileges they are not authorized to hold. When this happens, it is known as an \u2018insider attack\u2019. 
External intruders, on the other hand, are outside the network, hold no privileges or user roles whatsoever, and try to gain unauthorized access to the network or system from outside.<\/p>\n<p>The Ashley Madison hack [1] was one of the biggest cases of cyber intrusion in 2015. About 9.7 GB of personal data and bank card records of over 37 million people were exposed and dumped on the internet by a group of cyber criminals known as \u2018Impact Team\u2019. The attack could cost Ashley Madison approximately \u00a31.2 billion in compensation in the U.K. alone. Between 2013 and 2015, an unknown group of cyber criminals attacked cash machines across about 30 countries and got away with approximately $1 billion; the UK Business Insider reported this as the biggest bank robbery of 2015. Many other cases of intrusion were reported in 2015, including the breach of the systems of the health insurer Anthem, which exposed about 80 million personal records, and the others shown in Table 1.1.<\/p>\n<p>In 2015 alone, computer-related crime led to a loss of over $3 billion and the leak of over 300 million data records.<\/p>\n<table>\n<tbody>\n<tr>\n<td>S\/N<\/td>\n<td>Target<\/td>\n<td>Effect<\/td>\n<\/tr>\n<tr>\n<td>1.<\/td>\n<td>Ashley Madison<\/td>\n<td>Personal information and bank details of about 37 million people were exposed.<\/td>\n<\/tr>\n<tr>\n<td>2.<\/td>\n<td>Cash Machines<\/td>\n<td>About $1 billion in cash stolen from over 100 banks in over 30 countries.<\/td>\n<\/tr>\n<tr>\n<td>3.<\/td>\n<td>Anthem Insurer<\/td>\n<td>Nearly 80 million personal records were exposed.<\/td>\n<\/tr>\n<tr>\n<td>4.<\/td>\n<td>The White House<\/td>\n<td>Intrusion into White House systems led to access to unclassified White House documents and State Department emails. 
<\/td>\n<\/tr>\n<tr>\n<td>5.<\/td>\n<td>Experian<\/td>\n<td>Information on about 15 million T-Mobile customers was stolen.<\/td>\n<\/tr>\n<tr>\n<td>6.<\/td>\n<td>CIA Director John Brennan<\/td>\n<td>Personal email hacked, leading to the leak of very sensitive documents.<\/td>\n<\/tr>\n<tr>\n<td>7.<\/td>\n<td>VTech<\/td>\n<td>Leak of records on about 4.8 million parents and over 6.8 million children.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Table 1.1: Major attacks in 2015 [1]<\/p>\n<p>Protecting computer systems and data, and providing secure information systems, is a considerable challenge today. Apart from hackers, there are also computer worms, viruses and Trojans, which can be used to implement covert channels and other means by which data can be stolen, and which pose as much security risk as hackers do.<\/p>\n<p><strong>1.1.1 Intrusion Detection Systems<\/strong><\/p>\n<p>Intrusion Detection Systems are security tools that, like other measures such as antivirus software, firewalls and access control schemes, are intended to strengthen the security of information and communication systems. More specifically, intrusion detection systems aim to detect attacks against computer systems and networks, or against information systems in general. Since it is almost impossible to guarantee the complete confidentiality and protection of systems, networks and data, often because of legacy or operational constraints, intrusion detection systems have the duty of monitoring system usage to detect any appearance of insecure states. They detect attempts by legitimate users to misuse their privileges in information systems, and attempts by external parties to abuse privileges or exploit vulnerabilities. In general, a typical IDS comprises sensors, an analysis engine and a reporting system. 
The sensors collect data from the network or from the host, depending on where the IDS is deployed: traffic statistics, file-system changes, service requests, operating system calls and various other logs, according to the use of the system and the configuration of the IDS. The analysis engine receives the collected data from the sensors and analyses it to detect possible intrusions. If the analysis engine detects an intrusion, the reporting system generates an alert for the network or system administrator [33].<\/p>\n<p>As shown by Khan and Jain [18] and Suruna <em>et al.<\/em> [19], very many intrusion detection approaches have been proposed for various computing systems and networks. Morshedur [14] proposed an advanced hybrid intrusion detection system (AHIDS) that uses fuzzy logic to detect malicious nodes in wireless sensor networks. AHIDS uses a cluster-based architecture with an improved LEACH protocol, which aims to reduce the energy consumption of the sensor nodes. It combines anomaly detection and privilege-abuse detection based on fuzzy rule sets with a Multilayer Perceptron Neural Network; a Feed Forward Neural Network and a Backpropagation Neural Network are used to combine the detection results and indicate the different types of attacker. While this is an advance in intrusion detection for wireless sensor networks, the method was designed for and tested only against hello flooding, wormhole and Sybil attacks.<\/p>\n<p>Wenchao [16] uses the K-nearest neighbour (KNN) classification algorithm for wireless sensor networks. In this approach, the framework separates abnormal nodes from normal nodes by observing their unusual behaviour, after which the parameter selection and error rate of the intrusion detection framework are examined. 
The paper describes the design and implementation of the detection framework, which achieved efficient, fast intrusion detection by enhancing the wireless Ad hoc On-Demand Distance Vector (AODV) routing protocol.<\/p>\n<p>Some researchers have attempted to use Bayesian methods to solve the intrusion detection problem. The main idea behind this approach is a distinctive feature of Bayesian reasoning: for a given outcome, using probability calculations, a Bayesian method can move back in time and discover the cause of the events. This feature is well suited to finding the reason behind a specific anomaly in system behaviour. The Bayesian algorithm is in some cases also used for clustering. [6], [7] and [8] are examples of this method.<\/p>\n<p>More advanced work has been carried out on intrusion detection using various methods over the years. Other notable systems include [14], [15], [4], [5] and very many others.<\/p>\n<ol start=\"2\">\n<li>Description and Architecture of Intrusion Detection Systems<\/li>\n<\/ol>\n<p>The first step in securing a network or information system is the capacity to identify an attack. An attack can be characterised as a sequence of operations, events or occurrences that puts the security of a system at risk. Even if the detection framework cannot keep the attacker out of the system, seeing the intrusion gives the security officer, or whoever is in charge, significant information. Intrusion detection can be viewed as the main line of defence for any security framework. 
An intrusion detection system gathers data about the information system or network on which it is deployed in order to diagnose the security status of that system or network. The objective is to find breaches of security, attempted breaches, or open vulnerabilities that could lead to a potential security breach. The major functions of an IDS are:<\/p>\n<ul>\n<li>Data collection<\/li>\n<li>Data analysis<\/li>\n<\/ul>\n<p>Data collection in this sense may refer to system logs, network traffic, etc., and the analysis may take the form of pattern matching, data mining, statistical analysis, etc. At a very high level, an IDS can be depicted as a detector that processes data originating from the information system to be protected. This detector can also dispatch probes to trigger an audit procedure. It uses three kinds of data: long-term data related to the technique used to detect intrusions, configuration information about the present state of the information system, and audit information describing the events that are occurring on the system.<\/p>\n<p>In 1998, the Defense Advanced Research Projects Agency (DARPA), the agency of the United States Department of Defense responsible for developing new technology for the military, created a working group, the \u201cCommon Intrusion Detection Framework\u201d (CIDF), whose main objective was to create a common framework for the intrusion detection system (IDS) field. 
In 2000, the group, by then named the \u201cIntrusion Detection Working Group\u201d (IDWG), defined a general IDS architecture consisting of four kinds of functional modules (shown in Figure 1):<\/p>\n<ul>\n<li>E blocks (\u201cEvent-boxes\u201d): this kind of block is made up of sensor components that monitor the target system, acquiring information about events to be examined by the other blocks.<\/li>\n<li>D blocks (\u201cDatabase-boxes\u201d): components intended to store information from E-blocks for later processing by A-blocks and R-blocks.<\/li>\n<li>A blocks (\u201cAnalysis-boxes\u201d): processing modules that analyse events and identify potentially abnormal behaviour, so that an alert is generated if necessary.<\/li>\n<li>R blocks (\u201cResponsive-boxes\u201d): the primary job of this kind of block is execution of a response; if an intrusion occurs, its work is to prevent the intruder from achieving its aim.<\/li>\n<\/ul>\n<p>Depending on the type of information source, i.e. the E-boxes, an intrusion detection system may be either host based or network based. A host based intrusion detection system investigates events basically in relation to operating system information, for example system calls and process information. 
A network based intrusion detection system, on the other hand, investigates events related to the network, for example IP addresses and protocol usage. Depending on the type of analysis carried out by the analysis block, intrusion detection systems can be classified as \u2018signature-based\u2019, \u2018anomaly-based\u2019 or \u2018specification-based\u2019.<\/p>\n<p><img decoding=\"async\" alt=\"\/Users\/Joel\/Desktop\/Blocks.png\" src=\"https:\/\/images.ukdissertations.com\/20\/0041374.001.jpg\"\/><\/p>\n<p>Figure 1: CIDF framework for IDS systems (Garcia-Teodoro, [66])<\/p>\n<ol start=\"3\">\n<li>Signature Based, Anomaly Based and Specification Based Intrusion Detection Systems<\/li>\n<\/ol>\n<p>Signature based intrusion detection systems (also called misuse based) look for characteristic patterns, or signatures, within the examined data. As soon as a novel attack is launched, the attack pattern is carefully studied and a signature is defined for it. The signature can be a string within the body of the attack code, the resources targeted by the attack, or the way in which these resources are attacked. By examining the attack pattern, security authorities can design a defence against it; the IDS is then updated with the proposed defence technique so that it recognises the new attack pattern and reacts to it. Signature based systems apply accumulated knowledge about specific attacks and system vulnerabilities: this kind of IDS contains data about these vulnerabilities and searches for attempts to exploit them, raising an alarm when such an attempt is identified. In other words, any activity that is not explicitly recognised as an intrusion or attack is regarded as acceptable. For this reason the accuracy of this kind of IDS, meaning the correct detection of attacks and the absence of false alerts, is considered good. 
However, the ability of the IDS to recognise attacks depends on regular updates of its information about attacks.<\/p>\n<p>Signature based IDS give very good detection results for specific, well-known attacks. However, they are not capable of identifying new intrusions, even when these are built as slight variants of already known attacks. Many researchers have used this method to carry out experiments and propose solutions to various problems. Notable is [9], which used this method to propose a centralised-control signature-based firewall and statistical-based network intrusion detection system (NIDS) in Software Defined Networks (SDN). Signature based IDS is an effective and simple method of detecting known attacks, and it also provides detailed contextual analysis. While much research has been done to improve the strength of signature based IDS, for example [10] and [11], more work is still needed, as the overall approach has not changed much. Overall, this kind of detection is extremely effective against known attacks, but it depends on receiving regular pattern updates and cannot identify unknown threats or new variants.<\/p>\n<p>The benefits of signature based approaches are that they have, in principle, low false-alert rates, and that the contextual analysis provided by the IDS is detailed, making it easier for the security officer using the IDS to understand the issue and take preventive or corrective action. It is also the most straightforward, yet highly effective, strategy for detecting known attacks.<\/p>\n<p>The downsides of signature based IDS include the difficulty of collecting the required data about known attacks and of keeping up to date with the latest vulnerabilities and environments. 
Maintaining the knowledge base of the IDS requires careful investigation of every vulnerability and is hence a tedious and time-consuming job. Signature-based approaches also face the generalisation problem: knowledge about attacks depends strongly on the operating system, version and application, so the resulting IDS is tightly bound to a given environment. Likewise, detection of insider attacks involving an abuse of privileges is considered more difficult, because no vulnerability is actually exploited by the malicious user. Signature based IDS also have little understanding of states and protocols. [28], [29] and [30] show various implementations of signature based IDS.<\/p>\n<p>Expert systems [12] are commonly used in signature-based IDS methods. Such a system contains a set of rules that describe attacks. Audit events are converted into facts carrying their semantic meaning in the expert system, and the inference engine draws conclusions using these rules. Rule-based languages [13] are a natural tool for modelling the knowledge that specialists have gathered about attacks. This approach permits efficient scanning of the audit trail, looking for evidence of attempts to take advantage of known vulnerabilities. They are additionally used to check the proper application of an organisation's security policy. Others that fall in this category are description languages and finite-state machines (FSM).<\/p>\n<p>An anomaly can be described as a deviation from a known pattern or behaviour. 
From the viewpoint of security, it can be defined as a suspicious event. In anomaly based intrusion detection systems, intrusions are detected by observing deviation from the normal behaviour of a user or system at runtime. The model of normal behaviour is generally obtained from reference data gathered by various means, usually by machine learning: by observing the standard activities of hosts or users over a period of time, and so on. The IDS then compares this model with the current activity. One of the major advantages of anomaly based detection is its ability to detect exploits of new vulnerabilities. Apart from depending less on operating-system-specific mechanisms, it can also detect insider attacks or privilege abuse that do not necessarily involve any vulnerability exploitation; since it does not look for anything specific, it can detect new forms of intrusion and malicious activity. Anomaly based IDS are, however, very prone to high false positive rates. Hall <em>et al.<\/em> [26] researched an anomaly based method that turned out to have 100% false positives.<\/p>\n<p>A great deal of research has been done on intrusion detection using anomaly based methods, essentially because they are very flexible and can adapt on their own. Chandola <em>et al.<\/em> [27] is a survey of anomaly based intrusion detection that cuts across several applications and areas. [20], [21], [22], [23] and [24] also show several uses of different machine learning techniques for detecting various types of intrusion in several domains.<\/p>\n<p>Specification based intrusion detection systems are quite distinct. As described by Brutch in [25], they look for unusual behaviour at the system level. 
This differs from anomaly based intrusion detection, which is more concerned with data flows and user profiles. One advantage of this type is its very low false positive rate: only events that deviate from what has previously been defined, usually by a human expert, as proper system behaviour will generate alerts. Another key advantage is that no training or profiling of any form is required, so the system is effective immediately. Specification based IDS, however, require a lot of effort to produce the formal specification. They are also not very useful in defending against external intrusions, because their specifications are application specific; hence they can be used to defend only against actions that can be taken by insiders. Puri [31] presents a typical use of specification based IDS.<\/p>\n<ol start=\"2\">\n<li>Role Based Access Control<\/li>\n<\/ol>\n<p>Access control restricts what a user can do directly, and what programs executing on behalf of the user are permitted to do, by following laid-down rules and configured settings. By doing this, access control aims to prevent any action that could lead to a breach of security [34]. There are three primary types of access control: Discretionary Access Control (DAC), Mandatory Access Control (MAC) and Role-Based Access Control (RBAC).<\/p>\n<p>In Discretionary Access Control, the owner of an object in the system (for example a file) has complete authority over who may gain access to it. As Loscocco [35] shows, these kinds of systems are nearly impossible to secure; systems with discretionary access control are open to various forms of abuse and misconfiguration. A typical example of this model is the Access Control List [36].<\/p>\n<p>In Mandatory Access Control, owners of an object have no say in which users or processes have access to it. 
The right to access an object is controlled by the operating system and cannot be adjusted by any user. MAC typically groups all users and assigns them labels that establish security guidelines, then permits access to an object depending on the clearances stated on their labels. It is a way of restricting access to objects based on sensitivity. Loscocco's argument in [35] is that since mandatory access control is implemented at the operating system level, it cannot be tampered with or changed, and hence it provides better security.<\/p>\n<p>Role Based Access Control (RBAC), also called non-discretionary access control [37], [38], is one of the best, most secure and most successful access control technologies, as confirmed by [39]. RBAC is essentially an extension of mandatory access control, but unlike MAC it is not based on any multi-level security requirement. In most organisations where security is taken seriously, access to different parts of the system is often based on employee function: decisions about access control are frequently determined by the roles users are employed in within the organisation, taking into account their duties, responsibilities and qualifications.<\/p>\n<p>A role can be described as a group of transactions that a particular user or set of users is permitted to perform within an organisation. Transactions are assigned to roles only by the system administrator, which is itself a role. For instance, the roles of individuals associated with a university can be assumed to include lecturer, head of department, dean, vice chancellor, student, registrar, librarian and IT administrator. Roles likewise apply to hospitals: doctors, nurses, pharmacists, accountants. An RBAC policy bases access control decisions on the functions a user is permitted to perform within an organisation. 
Users cannot pass access permissions on to other users at their discretion; this is the fundamental distinction between RBAC and DAC. It should be noted, however, that a role is not given simply at the discretion of an administrator but is determined solely by the user's function in the organisation.<\/p>\n<p>In several of its applications, RBAC is connected to function access. An example is [41]. In RBAC, the basic aim is to protect the integrity of information: \u201cwho can perform what on information\u201d.<\/p>\n<p>RBAC is widely used in, but not limited to, commercial and military systems. Schaad <em>et al.<\/em> [40] describe a role based access control system for a European bank. Hansen and Oleshchuk [42] discuss the application of role-based access control in wireless healthcare information systems. Silva <em>et al.<\/em> [43] propose a self-adaptive role based access control for business processes.<\/p>\n<ol>\n<li>Formal Description of RBAC<\/li>\n<\/ol>\n<p>The original formal description of RBAC given by Ferraiolo and Kuhn [44] is presented in Table 1.2:<\/p>\n<table>\n<tbody>\n<tr>\n<td>For each subject, the active role is the one that the subject is currently using:<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>CHAPTER ONE LITERATURE REVIEW \u00a0 Computer Intrusion and Intrusion Detection Systems Computer intrusion which is a process of illegitimately obtaining unauthorized access to a computer system is a huge problem in the current day and age. Numerous examples of major loss due to computer intrusion are published on a regular basis. 
This has over the [&hellip;]<\/p>\n","protected":false},"author":8,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5847],"tags":[13869,13872,13882,13883,13880,13881,13870,13871],"class_list":["post-101548","post","type-post","status-publish","format-standard","hentry","category-full-dissertations","tag-best-rated-professor-essay-writing-services-online","tag-custom-written-essay-hub-for-fast-assignments","tag-help-with-writing-discussion-post-responses","tag-i-need-help-to-ace-my-homework-in-5-hours","tag-pay-someone-to-write-my-essay-in-hours","tag-phd-thesis-writing-and-editing-service-australia","tag-usa-academic-writing-help-for-college-students","tag-write-harbor-research-paper-assistance-for-graduates"],"_links":{"self":[{"href":"https:\/\/www.colapapers.com\/us\/wp-json\/wp\/v2\/posts\/101548","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.colapapers.com\/us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.colapapers.com\/us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.colapapers.com\/us\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/www.colapapers.com\/us\/wp-json\/wp\/v2\/comments?post=101548"}],"version-history":[{"count":0,"href":"https:\/\/www.colapapers.com\/us\/wp-json\/wp\/v2\/posts\/101548\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.colapapers.com\/us\/wp-json\/wp\/v2\/media?parent=101548"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.colapapers.com\/us\/wp-json\/wp\/v2\/categories?post=101548"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.colapapers.com\/us\/wp-json\/wp\/v2\/tags?post=101548"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}