Network security and related information security are nowadays major concerns due to the considerable increase in the number and extent of various communication networks during the past two decades, the global Internet being the obvious example. Network intrusions may cause significant damage to corporations, governments, and private users alike. Unauthorized access to one or more network nodes may result in information breaches, information losses, or mere annoyance, depending on the original motivation and skills of the intruder.
Therefore, an intrusion detection system (IDS) plays a considerable role in providing network or system security and integrity. An entity called a NIDS (Network IDS) may be connected to a network node such as a switch, for example, to look for malicious network traffic. The NIDS is typically configured to trace suspicious activities, such as denial of service or port scanning attacks, by monitoring network activity. Analysis of the traffic and identification of intrusions is performed, and in case an attack is detected, the network administrator may be alerted.
Intrusion detection can generally be executed in two different ways: either by a misuse detection approach or by an anomaly detection approach.
Anomaly detection is based on recognizing network traffic that differs from predetermined normal activity. If the incoming traffic pattern deviates from the normal traffic patterns, anomalous network activity is revealed. Accordingly, the anomaly detection approach can in theory detect novel intrusions. However, this particular approach often suffers from a high false alarm rate.
By contrast, in misuse detection the signatures, i.e. characteristic features, of known attacks are exploited for detecting an intrusion or an attack. Misuse detection is a relatively straightforward approach for detecting intrusions, but obviously novel intrusions cannot be detected.
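The trade-off described in the two preceding paragraphs can be seen concretely by running both approaches over the same traffic. The following is an added example, not part of the original text: a toy NIDS in Python that applies a signature (misuse) detector and a statistical (anomaly) detector to constructed connection records. All hosts, payload patterns, signature names and thresholds are assumptions invented for illustration; the anomaly detector models "normal" as the per-source number of distinct destination ports seen in a time window, which is one simple way to capture the port scanning case mentioned above.

```python
"""
Added example (not from the original text): a toy NIDS that runs a misuse
(signature) detector and an anomaly (baseline deviation) detector over
constructed connection records, to show what each approach does and misses.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since start of capture (constructed)
    src: str         # source address (constructed)
    dst: str         # destination address (constructed)
    dport: int       # destination port
    payload: bytes   # first bytes of the application payload (constructed)


# Constructed signatures for the misuse detector: byte patterns standing in
# for the characteristic features of previously catalogued attacks.
SIGNATURES = {
    "SIG-0001 constructed malformed request": b"\x90\x90\x90\x90",
    "SIG-0002 constructed probe string": b"ADMIN_PROBE",
}


def misuse_detect(flows):
    """Signature-based detection: report each flow whose payload matches a known pattern."""
    alerts = []
    for f in flows:
        for name, pattern in SIGNATURES.items():
            if pattern in f.payload:
                alerts.append((f.src, name))
    return alerts


def distinct_ports_per_source(flows, window=60):
    """For each source, the largest number of distinct destination ports touched in any window."""
    ports_in_window = defaultdict(set)
    for f in flows:
        ports_in_window[(f.src, f.ts // window)].add(f.dport)
    worst = defaultdict(int)
    for (src, _), ports in ports_in_window.items():
        worst[src] = max(worst[src], len(ports))
    return dict(worst)


def train_baseline(normal_flows):
    """Learn 'normal' as the mean and population stdev of the per-source distinct-port count."""
    counts = list(distinct_ports_per_source(normal_flows).values())
    return mean(counts), pstdev(counts)


def anomaly_detect(flows, baseline, k=3.0):
    """Anomaly-based detection: flag sources whose distinct-port count exceeds mean + k*stdev."""
    mu, sigma = baseline
    threshold = mu + k * sigma
    return [(src, n) for src, n in distinct_ports_per_source(flows).items() if n > threshold]


def make_flows(src, ports, payload=b"", start=0):
    """Build one constructed flow per destination port, one second apart."""
    return [Flow(start + i, src, "10.0.0.10", p, payload) for i, p in enumerate(ports)]


# Constructed training traffic: ordinary clients touching two or three services each.
TRAINING = (
    make_flows("10.0.1.1", [80, 443])
    + make_flows("10.0.1.2", [80, 443, 22])
    + make_flows("10.0.1.3", [80, 443])
    + make_flows("10.0.1.4", [443, 25, 993])
    + make_flows("10.0.1.5", [80, 8080])
)

# Constructed test traffic exercising the three interesting cases.
TEST = (
    make_flows("10.0.2.1", [80], payload=b"GET /x " + b"\x90\x90\x90\x90")  # known attack, one port
    + make_flows("10.0.2.2", list(range(1, 31)))                            # novel scan, no signature
    + make_flows("10.0.2.3", [22, 80, 443, 3306, 5432, 8080])               # busy but legitimate admin
)


def run_demo():
    """Run both detectors over TEST and return their alerts side by side."""
    baseline = train_baseline(TRAINING)
    return {
        "baseline": baseline,
        "misuse": misuse_detect(TEST),
        "anomaly": anomaly_detect(TEST, baseline),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

With this constructed data the signature detector reports only 10.0.2.1, whose payload carries a catalogued pattern, and is blind to the port scan from 10.0.2.2 because no signature exists for it. The anomaly detector catches the scan but also flags the unusually busy yet legitimate host 10.0.2.3, which is exactly the false alarm cost mentioned above; the constant k in anomaly_detect is the knob a practitioner tunes between the two failure modes.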