Introduction
Information and communication technology (ICT) systems play a major role in most organizations and businesses, and human activity depends heavily on them. Alongside this, cyber-crime against ICT systems has existed since the birth of the computer and takes many forms in cyberspace; as ICT systems continue to evolve, cyber-crime changes accordingly. A taxonomy of cyber-crimes, issues and methods is discussed in detail by Lallement (2013), and the various attacks and techniques used in cyber-crime are briefly reported by Vaidya (2015). Countering these cyber-crime activities and supporting forensic investigation therefore requires comprehensive research into appropriate solution systems. One critical area studied by industry and organizations for the past several years is intrusion detection (ID), an important approach in network security. Many machine learning concepts and approaches have been transferred to ID with the aim of better distinguishing abnormal behavior on the system from normal network behavior. Anderson (1980) made an initial contribution to ID with the paper "Computer Security Threat Monitoring and Surveillance", published in 1980. Fundamentally, IDSs are categorized into two types according to the data they observe: (1) network-based IDS (N-IDS), which relies on the data carried in the packets of network traffic to identify malicious activity; and (2) host-based IDS (H-IDS), which relies on the contents of log files such as software logs, system logs, sensor data, file systems and disk resources of a particular host. An organization uses a combination of network- and host-based systems to detect malicious activity effectively in a real-time environment, and this has become an indispensable part of ICT systems and networks.
However, the performance of existing traditional N-IDS approaches in detecting unforeseen attacks is not acceptable.
Anomaly detection, stateful protocol analysis and misuse detection are the main methods used to classify network traffic data. Misuse detection, also termed signature detection, depends on predefined signatures and filters and efficiently identifies known intrusions. For unknown intrusions its performance is unacceptable, because signature detection relies on a human task: the corpus of signatures must be constantly updated to capture the signatures of new attacks. Anomaly detection aims to detect unknown intrusions by heuristic means, building a model of normal behavior and flagging deviations from it; in practice it is not a reliable method on its own, mainly because it produces a high false positive rate. Most commercial tools on the market therefore use hybrids of misuse detection and anomaly detection. A commonly used and powerful approach is stateful protocol analysis, which uses vendor-designed profiles of how specific protocols and applications should behave in each state to determine deviations from those expectations.
The commercial tools prevailing in the market are based on threshold or statistical approaches that use traffic parameters such as flow size, inter-arrival time and packet length as features to learn the traffic pattern of the network within a particular time window. Such systems may be limited in detecting complex attacks, mainly because the statistical measures are computed only from packet headers and packet lengths, so an attack whose volume and timing look normal leaves no trace in those features.
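The three classification methods described above, together with the windowed header statistics that commercial tools compute, can be made concrete with a small self-contained example. The following Python block is an added illustration and not code from the original article or from any product; it implements a toy version of each approach (regex signatures over payloads, a z-score detector over per-window flow count and mean packet length, and a minimal TCP handshake state machine) and runs them over constructed traffic. All flows, payloads, host labels (`C`, `S`, `X`), feature choices and the 3-sigma threshold are invented for the example. The run shows the weaknesses the text mentions: the signature misses a trivially rewritten variant of a known payload, the statistical detector flags a legitimate bulk transfer as anomalous while an attack carried in one ordinary-looking flow leaves the header statistics unchanged, and the stateful check catches a bare ACK on a connection that never completed a handshake.

```python
"""Toy versions of the three N-IDS approaches discussed above, run over
constructed traffic. Added example; not code from the original article."""
import re
from statistics import mean, pstdev

# 1. Misuse (signature) detection: predefined patterns over packet payloads.
SIGNATURES = {
    # Deliberately narrow: only the canonical spelling of the attack matches.
    "sqli-union-select": re.compile(rb"union\s+select", re.IGNORECASE),
    "path-traversal": re.compile(rb"(\.\./){2,}"),
}

def signature_detect(payload: bytes) -> list[str]:
    """Names of all predefined signatures that match the payload."""
    return [n for n, rx in SIGNATURES.items() if rx.search(payload)]

# 2. Anomaly detection: z-scores of header-derived features per time window.
#    A flow record is (start_time, total_bytes, total_packets).
def window_features(flows, t0: float, width: float) -> dict:
    """Flow count and mean packet length for flows starting in [t0, t0+width)."""
    w = [f for f in flows if t0 <= f[0] < t0 + width]
    pkts = sum(f[2] for f in w)
    return {"flows": len(w),
            "mean_pkt_len": sum(f[1] for f in w) / pkts if pkts else 0.0}

class ZScoreDetector:
    """Baseline mean/stddev per feature from benign windows; flag |z| > threshold."""
    def __init__(self, threshold: float = 3.0):
        self.threshold, self.stats = threshold, {}

    def fit(self, benign_windows: list[dict]) -> None:
        for key in benign_windows[0]:
            vals = [w[key] for w in benign_windows]
            self.stats[key] = (mean(vals), max(pstdev(vals), 1e-9))  # avoid /0

    def anomalous_features(self, window: dict) -> list[str]:
        return [k for k, (mu, sd) in self.stats.items()
                if abs(window[k] - mu) / sd > self.threshold]

# 3. Stateful protocol analysis: minimal TCP handshake tracking.
#    A segment is (src, dst, flags) with flags a set of TCP flag names.
def stateful_tcp_check(segments) -> list[str]:
    """Alert on segments that are inconsistent with the tracked connection state."""
    state, alerts = {}, []   # (client, server) -> SYN_SENT | SYN_RECEIVED | ESTABLISHED
    for src, dst, flags in segments:
        flags = set(flags)
        if flags == {"SYN"}:
            state[(src, dst)] = "SYN_SENT"
        elif flags == {"SYN", "ACK"}:
            if state.get((dst, src)) == "SYN_SENT":
                state[(dst, src)] = "SYN_RECEIVED"
            else:
                alerts.append(f"unsolicited SYN/ACK {src}->{dst}")
        elif "ACK" in flags:
            conn = (src, dst) if (src, dst) in state else (dst, src)
            if state.get(conn) == "SYN_RECEIVED" and conn == (src, dst):
                state[conn] = "ESTABLISHED"          # third handshake segment
            elif state.get(conn) != "ESTABLISHED":   # e.g. ACK scan, injected data
                alerts.append(f"out-of-state {'/'.join(sorted(flags))} {src}->{dst}")
    return alerts

def demo() -> dict:
    """Run the three detectors on constructed traffic and return what each saw."""
    # Signature detection sees the canonical payload but not a trivial variant.
    sig_known = signature_detect(b"id=1 UNION SELECT user,pass FROM users")
    sig_variant = signature_detect(b"id=1 UNION/**/SELECT user,pass FROM users")

    # Benign baseline: 20 ten-second windows of 50-52 web flows, ~600 B packets.
    def window(w, n):
        return [(w * 10 + i * 0.1, 30_000 + 100 * (i % 7), 50) for i in range(n)]
    benign = [f for w in range(20) for f in window(w, 50 + w % 3)]
    det = ZScoreDetector()
    det.fit([window_features(benign, w * 10, 10) for w in range(20)])

    flood = window(20, 50) + [(200 + i * 0.01, 60, 1) for i in range(400)]  # many tiny flows
    backup = window(21, 50) + [(210.5, 5_000_000, 3500)]                     # legitimate bulk copy
    stealthy = window(22, 50) + [(220.5, 30_100, 50)]                        # SQLi in one ordinary flow
    anomaly = {name: det.anomalous_features(window_features(flows, t0, 10))
               for name, flows, t0 in (("flood", flood, 200), ("backup", backup, 210),
                                       ("stealthy", stealthy, 220))}

    # Stateful check: a complete handshake with data, then a bare ACK from a stranger.
    segments = [("C", "S", {"SYN"}), ("S", "C", {"SYN", "ACK"}), ("C", "S", {"ACK"}),
                ("C", "S", {"PSH", "ACK"}), ("S", "C", {"PSH", "ACK"}),
                ("X", "S", {"ACK"})]
    return {"sig_known": sig_known, "sig_variant": sig_variant,
            "anomaly": anomaly, "stateful": stateful_tcp_check(segments)}

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the script prints one line per detector. The flood window is flagged on both features, the backup window is a false positive on mean packet length, and the stealthy window is not flagged at all, which is the limitation of header-only statistics the paragraph above describes; a real deployment would also have to refit the baseline as traffic drifts, the same maintenance burden the text attributes to signature corpora.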