Literature survey: CANN paper
Developments in computer science and technology have made Internet access an important part of daily life. At the same time, the number of users who rely on the Internet for various activities has grown exponentially, which has led to privacy and security problems. Many techniques are used to protect computer security, such as firewalls and user authentication. However, some types of intrusions (malicious activity) bypass these conventional security techniques and infect the system. Intrusion Detection Systems (IDS) were developed to identify those intrusions that a conventional firewall cannot detect.
An Intrusion Detection System (IDS) uses specific analytical techniques to detect malicious attacks, identify their sources and report them either to the network administrator or to a Security Information and Event Management (SIEM) system. An IDS also monitors systems for policy violations. There are two types of detection methods in an IDS: signature-based and anomaly-based. In a signature-based IDS, byte sequences in network traffic, audit logs, etc. are scanned for commands or events that were previously determined to be indicative of attacks. The main drawback of signature-based IDS is that they suffer from high false alarm rates. Anomaly-based IDS were introduced to detect unknown attacks, driven by the rapid development of malware. An anomaly-based IDS uses behavioral patterns that could indicate malicious activity, and analyzes past activity to decide whether the observed behavior is normal.
In order to identify attacks or anomalies correctly, the system must first be taught to recognize normal system activity. This is achieved with two phases of anomaly detection: a training phase and a testing phase. In the training phase, a profile of normal behavior is built based on certain rules or heuristics. Once the system has learned what normal system activity looks like, the testing phase compares current traffic against the profile built during training. To improve detection results, anomaly detection techniques are usually combined with artificial intelligence techniques.
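The two phases described above, as an added illustration that is not code from the surveyed paper: the training phase turns constructed benign connection windows into a profile (per-feature mean and standard deviation plus an alert threshold derived from the training data), and the testing phase scores new windows by their standardized distance from that profile. The feature set, training rows and the 1.5 threshold factor are assumptions chosen for the example.

```python
import math

# Constructed training data: one row per sampled connection window,
# features = (kilobytes transferred, connections per minute, failed logins).
# Every row is assumed benign, which is the premise of the training phase.
NORMAL_TRAINING = [
    (10, 5, 0), (12, 6, 1), (11, 4, 0), (9, 5, 0),
    (10, 6, 1), (12, 4, 0), (11, 5, 0), (9, 5, 0),
]
# Assumed slack above the worst training-set distance before alerting.
THRESHOLD_FACTOR = 1.5


def _standardized_distance(row, means, stdevs):
    """Euclidean distance from the profile centre, in z-score units."""
    return math.sqrt(sum(((x - m) / s) ** 2
                         for x, m, s in zip(row, means, stdevs)))


def train_profile(rows, factor=THRESHOLD_FACTOR):
    """Training phase: learn per-feature mean/stdev and an alert threshold."""
    n = len(rows)
    cols = list(zip(*rows))
    means = [sum(c) / n for c in cols]
    stdevs = [math.sqrt(sum((x - m) ** 2 for x in c) / n)
              for c, m in zip(cols, means)]
    # A feature that never varied in training would divide by zero;
    # fall back to a unit scale so a change in it still registers.
    stdevs = [s if s > 0 else 1.0 for s in stdevs]
    worst = max(_standardized_distance(r, means, stdevs) for r in rows)
    return {"means": means, "stdevs": stdevs, "threshold": factor * worst}


def classify(profile, rows):
    """Testing phase: return (row, distance, is_anomaly) per observation."""
    results = []
    for row in rows:
        d = _standardized_distance(row, profile["means"], profile["stdevs"])
        results.append((row, round(d, 3), d > profile["threshold"]))
    return results


if __name__ == "__main__":
    profile = train_profile(NORMAL_TRAINING)
    # Constructed observations: a normal window, a login brute-force burst,
    # a bulk transfer, and a busy-but-benign window near the boundary.
    observed = [(11, 5, 0), (10, 40, 25), (500, 5, 0), (13, 6, 1)]
    for row, dist, flagged in classify(profile, observed):
        print(f"{row} distance={dist:.2f} {'ANOMALY' if flagged else 'normal'}")
```

The last observation stays below the threshold even though it is busier than anything seen in training, which is the kind of slack a real deployment tunes to trade missed detections against false alarms.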