RESEARCHERS
CATANIA Carlos Adrian
book chapters
Title:
Challenges on the Way to Automatic Network Intrusion Detection
Author(s):
CARLOS A. CATANIA; CARLOS GARCIA GARINO
Book:
"Automation Systems of the 21st Century: New Technologies, Applications and Impacts on the Environment & Industrial Processes"
Publisher:
Nova Publishing
References:
Year: 2013; pp. 143-194
Abstract:
The use of Network Intrusion Detection Systems (NIDS) emerges as a tool aimed at helping system administrators to monitor and identify computer attacks. A NIDS monitors network segments and performs analysis at different network protocol layers to identify suspicious activities. In the present chapter we survey the most relevant works in the field of automatic network intrusion detection in the last 15 years. Our goal is to analyze the intrusion detection problem from a wider perspective, which can help to identify the causes behind the lack of acceptance of novel approaches by system administrators as well as provide new lines of work to the intrusion detection research community. In contrast to previous surveys, we consider issues other than just the embedded classification problem. Features such as traffic model acquisition scheme, usage frequency and adaptability are analyzed in two different stages of intrusion detection. In particular, we considered the initial traffic model generation and the further traffic model adjustment stages. Our research has shown that the level of human interaction is still high during both intrusion detection stages. This situation is due to the fact that some of the assumptions on which these approaches rely do not always hold. The availability of network traffic labeled as intrusive or normal, or the presence of attack-free network traffic, are two usual assumptions followed by many alternative techniques. Unfortunately, ensuring such assumptions demands a lot of work from security experts, which is precisely what one wants to avoid.