Artificial Intelligence and Data Mining Approaches in Security Frameworks


Artificial intelligence (AI) and data mining is the fastest growing field in computer science. AI and data mining algorithms and techniques are found to be useful in different areas like pattern recognition, automatic threat detection, automatic problem solving, visual recognition, fraud detection, detecting developmental delay in children, and many other applications. However, applying AI and data mining techniques or algorithms successfully in these areas needs a concerted effort, fostering integrative research between experts from diverse disciplines ranging from data science to artificial intelligence. Successful application of security frameworks to enable meaningful, cost-effective, personalized security service is a primary aim of engineers and researchers today. However, realizing this goal requires effective understanding, application and amalgamation of AI, data mining and several other computing technologies to deploy such a system in an effective manner.
This book provides state-of-the-art approaches of artificial intelligence and data mining in these areas. It includes areas of detection, prediction, as well as future framework identification, development, building service systems and analytical aspects. In all these topics, applications of AI and data mining, such as artificial neural networks, fuzzy logic, genetic algorithms and hybrid mechanisms, are explained and explored. This book is aimed at the modeling and performance prediction of efficient security framework systems, bringing to light a new dimension in the theory and practice.
This groundbreaking new volume presents these topics and trends, bridging the research gap on AI and data mining to enable wide-scale implementation. Whether for the veteran engineer or the student, this is a must-have for any library.


Advantages

Following are the advantages of a Network-Based IDS:

1. They can be made invisible to improve the security against attacks.

2. Large networks can be monitored by a network-based IDS.

3. This IDS can give better output without upsetting the usual working of a network.

4. It is easy to fit an IDS into an existing network.

Limitations

Limitations of Network-Based IDS are as follows:

1. Information encrypted by virtual private networks cannot be analysed with a network-based IDS.

2. Successful implementation of a network-based IDS depends on the intermediate switches present in the network.

3. A network-based IDS can become unstable and crash when attackers fragment their packets and release them.

2.5.1.2 Host-Based IDS

In this type of IDS, various logs can be screened with the help of sensors that are placed on network resources. These logs are generated by the host operating system or application programs. Certain events or actions which may occur at an individual network resource are recorded by audit logs. These types of IDS can handle even those attacks that cannot be handled by a network-based IDS. Because of this, an attacker can misuse one of the trusted insiders (Desale et al., 2005). A host-based system uses a signature rule base that is derived from the site-specific security policy. All the problems associated with a network-based IDS can be overcome by a host-based IDS, as it can alert the security personnel with the location details of the intrusion. Accordingly, the person can take instant action to stop the intrusion.

Advantages

Following are the advantages of Host-Based IDS:

1. It can perceive even those attacks that are not detected by a Network-Based IDS.

2. It works on the audit log trails of the operating system to detect attacks concerning software integrity breaches.

Disadvantages

Disadvantages of Host-Based IDS are as follows:

1. Various types of DoS (Denial of Service) attacks can disable the Host-Based IDS.

2. Attacks that target the network cannot be detected by a host-based IDS.

3. Configuring and managing every individual system is very difficult.

2.5.1.3 Hybrid IDS

It is a combination of network-based and host-based IDS that forms a structure for next-generation intrusion detection systems. This arrangement is generally known as a fusion/hybrid intrusion detection system. Combining network-based and host-based IDS significantly improves resistance against a few more attacks. Data mining techniques required for IDS are Pattern Matching, Classification and Feature Selection Pattern Matching.

2.6 Phishing Website Classification

Phishing is a kind of social engineering attack generally used to steal a user's data, such as login credentials and credit card numbers. Fraudsters usually create forged websites that pass themselves off as honest ones. Because of these phishing activities, users mistakenly lose their money. Therefore, a critical step must be taken for the protection of online trading. The quality of the extracted features determines the prediction and classification accuracy for a website. Most internet users rely on an anti-phishing tool to feel safe against phishing attacks, and such a tool is required to predict phishing accurately. The content of phishing websites, along with security indicators, may offer a set of clues within the browser. Various methods have been proposed to handle the problem of phishing. For predicting phishing attacks, rule-based classification, which is a data mining technique, is used as a proficient method. An email that asks its recipients to reveal their personal information is an indication of phishing. Phishers use a set of common features to make phishing websites convincing. We can distinguish between phishy and non-phishy websites on the basis of the features extracted from the visited website.

Identification of phishing sites can be done with the help of two approaches:

i) Blacklist based: The requested URL is compared with the other URLs that are present in the list.

ii) Heuristic based: Certain features from various websites are collected and labeled as either phishy or genuine.

The main drawback of the blacklist approach is that the list cannot contain all phishing websites, because a new malicious website is launched every second, while a heuristic-based approach can identify fake websites that are new. Heuristic-based methods depend on the selection of features and the manner in which they are processed. Data mining is used to discover relations and patterns amongst features within a given dataset. The main job of data mining is to support decisions, because these decisions depend on the patterns and rules that have been derived using the data mining algorithms. Though considerable progress has been made in the development of prevention techniques, phishing is still a threat because the techniques used for countermeasures are still based on reactive URL blacklisting (Polychronakis, 2009). Because of the short lifetime of phishing websites, such methods are considered ineffective. A new approach, associative classification (AC), was found more appropriate for these kinds of applications; it is a mixture of the Association rule and Classification techniques of data mining.

There are two stages in association classification (AC):

i) Training phase: It is used to induce hidden knowledge (rules) with the help of Association rule.

ii) Classification phase: It is used to build a classifier after cropping ineffective and superfluous rules.

Many research studies have shown that associative classification (AC) generally produces better classifiers in terms of error rate than decision tree and rule induction (standard classification approaches).
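The two AC stages described above, as an added Python example that is not from the book: the training phase mines feature-to-label rules by support and confidence, and the classification phase prunes them with database coverage (a CBA-style choice made here; the book names no specific algorithm). The feature names, thresholds and training rows are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

P, G = "phishy", "genuine"
# Constructed training set: (feature=value items of a visited site, label)
TRAIN = [
    ({"ip_in_url=yes", "https=no", "age=new"}, P),
    ({"ip_in_url=yes", "https=no", "age=old"}, P),
    ({"ip_in_url=no", "https=no", "age=new"}, P),
    ({"ip_in_url=yes", "https=yes", "age=new"}, P),
    ({"ip_in_url=no", "https=yes", "age=old"}, G),
    ({"ip_in_url=no", "https=yes", "age=old"}, G),
    ({"ip_in_url=no", "https=yes", "age=new"}, G),
    ({"ip_in_url=no", "https=no", "age=old"}, G),
]

def mine_rules(train, min_sup=0.25, min_conf=0.75, max_len=2):
    """Training phase: itemset -> label rules meeting support and confidence."""
    n, body, joint = len(train), Counter(), Counter()
    for items, label in train:
        for k in range(1, max_len + 1):
            for combo in combinations(sorted(items), k):
                body[combo] += 1
                joint[(combo, label)] += 1
    rules = []
    for (combo, label), cnt in joint.items():
        sup, conf = cnt / n, cnt / body[combo]
        if sup >= min_sup and conf >= min_conf:
            rules.append((conf, sup, combo, label))
    # Rank: higher confidence, then higher support, then shorter antecedent
    rules.sort(key=lambda r: (-r[0], -r[1], len(r[2]), r[2]))
    return rules

def build_classifier(rules, train):
    """Classification phase: drop rules that add no correct coverage."""
    remaining, kept = list(train), []
    for _conf, _sup, combo, label in rules:
        if any(set(combo) <= s and l == label for s, l in remaining):
            kept.append((combo, label))
            remaining = [c for c in remaining if not set(combo) <= c[0]]
    default = Counter(l for _, l in (remaining or train)).most_common(1)[0][0]
    return kept, default

def classify(site, kept, default):
    """Apply the first (highest-ranked) kept rule whose antecedent matches."""
    for combo, label in kept:
        if set(combo) <= site:
            return label
    return default
```

On this data the training phase yields 12 rules and the pruning step keeps 4, which is the "cropping" of superfluous rules the text refers to.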

2.7 Attacks by Mitigating Code Injection

A code injection attack is a technique for writing new machine code into the memory of a susceptible program. If there is a bug in the program, it can be manipulated so that control is sent to the new code. The protection technique W⊕X (Diwate, Sahu, 2014) alleviates the code injection attack by permitting only one operation on a memory region, i.e., either write or execute, but not both simultaneously (Mitchell, Chen, 2013).

2.7.1 Code Injection and Its Categories

Following are the types of code injection attacks:

i) SQL Injection

ii) HTML Script Injection

iii) Object Injection

iv) Remote File Injection

v) Code Reuse Attacks (CRAs).

1. SQL Injection: It can be defined as a technique by which SQL syntax can be used to input commands for reading, alteration or modification of a database. For example, there is a field on a web page for authenticating a user's password. Generally, script code is used for this. The script code generates a SQL query so that the entered password can be verified against the list of user names:
   SELECT UserList.Username FROM UserList WHERE UserList.Password = 'Password'

2. HTML Script Injection: Malicious code can be injected by an attacker with the help of tags. Thus, the location property of the document would be changed by setting it to an injected script.

3. Object Injection: Hypertext pre-processor (PHP) is used for serialization and deserialization of objects. With the help of object injection, existing classes in the program can be modified and malicious attacks can be executed if an untrustworthy input is allowed into the deserialization function.

4. Remote File Injection: To cause the intended destruction, attackers can provide the name of a remote infected file by altering the path command of the script file so that the file name is used as the path.
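The password lookup from the SQL Injection item above, shown with the weak string-built query beside a parameterized one; this is an added Python example using the standard sqlite3 module, not code from the book. The table rows and the test input are constructed, and the plaintext Password column only mirrors the book's query.

```python
import sqlite3

def make_db():
    """In-memory database holding the UserList table from the book's query."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE UserList (Username TEXT, Password TEXT)")
    db.executemany(
        "INSERT INTO UserList VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "hunter2")],  # constructed rows
    )
    return db

def lookup_concat(db, password):
    # Weak form: the field value is pasted into the SQL text, so any quote
    # characters in it are parsed as SQL syntax instead of as data.
    sql = ("SELECT UserList.Username FROM UserList "
           "WHERE UserList.Password = '" + password + "'")
    return [row[0] for row in db.execute(sql)]

def lookup_param(db, password):
    # Corrected form: the ? placeholder binds the value after the statement
    # is parsed, so the input can never change the query structure.
    sql = "SELECT UserList.Username FROM UserList WHERE UserList.Password = ?"
    return [row[0] for row in db.execute(sql, (password,))]

# Constructed test input containing quote characters and SQL keywords
CRAFTED = "x' OR '1'='1"
```

A regression test for a login handler can assert exactly this difference: the crafted input must return no rows, while a legitimate password still matches its user.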
