
Research Paper IDS IPS For OS

Uploaded by

samsam191310

Intrusion detection and prevention systems (IDS/IPS) for OS protection

Samhitha Madala, Department of Computer Science and Engineering, Lovely Professional University, Kapurthala, Punjab, India, Samhithamadala74@gmail.com
Kripa Joshi, Department of Computer Science and Engineering, Lovely Professional University, Kapurthala, Punjab, India, kripajoshi2612@gmail.com
Anish Doulagar, Department of Computer Science and Engineering, Lovely Professional University, Kapurthala, Punjab, India, anishdoulagar@gmail.com

Abstract—Intrusion Detection and Prevention Systems (IDS/IPS) play a vital role in ensuring the security of Operating Systems (OS). With the increasing complexity of cyber-attacks, IDS/IPS have evolved to detect and prevent sophisticated attacks that can compromise the confidentiality, integrity, and availability of OS. This paper provides a comprehensive review of IDS/IPS for OS protection, including the literature survey, problem statement, comparison of different techniques, and future scope.

I. INTRODUCTION

In today's cybersecurity landscape, Intrusion Detection and Prevention Systems (IDPS) play a crucial role in safeguarding digital assets against evolving threats. This research explores the capabilities and integration imperatives of IDPS to enhance cybersecurity practices.[1]

The exponential growth of network usage makes ensuring network security and reliability a top priority. Organizations depend on seamless network connectivity for critical transactions and data exchange. Due to the rise of cyberattacks, traditional security measures like firewalls and antivirus are insufficient. Intrusion Detection and Prevention Systems (IDPS) are crucial for protecting systems against a wide range of threats and safeguarding sensitive information.[2]

Data security is becoming increasingly important as cyber threats evolve. While traditional security methods such as firewalls and IDS have their limitations, intrusion prevention systems (IPS) provide effective real-time protection through a combination of firewall and IDS technologies.[3]

As technology continues to evolve, organizations' critical information faces increasing threats. Intrusion detection and prevention systems (IDPS) are important to prevent these attacks through firewalls and antivirus software.[4]

While firewalls provide a strong first line of defence, Intrusion Detection Systems (IDS) offer a deeper layer of security by identifying malicious network activity and unauthorized system access. This paper explores the composition of an IDS, its various detection methods, and its applications in safeguarding critical systems across diverse fields.[5]

Intrusion detection and prevention systems (IDPS) monitor and protect networks by detecting and blocking malicious activity. IDPS integrates with SIEM software to increase security by communicating events and providing accurate alerts; features such as event filtering allow IP addresses to be filtered to protect against access denial.[6]

Intrusion detection systems (IDS) monitor network traffic 24/7 to detect and report threats; Intrusion Prevention Systems (IPS) not only detect malicious activity, but can also anticipate and block attacks in real-time to prevent attacks in progress.[7]

Intrusion detection systems (IDS) are an essential part of an e-commerce security organization and alert managers about threats. This study evaluates two open-source IDSs (Snort and Suricata) to choose the right solution.[8]

Ever-growing networks demand robust security. The Attorney General's Office network lacks monitoring, exposing it to attacks. This research proposes an Intrusion Detection and Prevention System (IDPS) using Snort and IPTables to safeguard the network from internal and external threats, ensuring its smooth operation.[9]

Overview of intrusion detection and prevention systems (IDPS), and discussion of their classification and use. A new signature-based IDPS architecture called HawkEye Solutions, designed to increase network security against threats, is introduced.[10]

Importance of intrusion detection/prevention systems (IDPS) in real-time investigation of network connections, highlighting their role in identifying and mitigating attacks to protect computer, network, and data assets. The move from edge solutions to systems embedded in an organization's network effectively combats insider threats and viruses. In addition, it demonstrates the key metrics and capabilities required to evaluate the effectiveness of IDPS to provide information on the detection of attacks, response time and body strength through comparative analysis of different solutions.[11]

Intrusion detection and prevention systems (IDS/IPS) face the problem of vulnerabilities, encouraging developers to develop new algorithms and architectures. However, lack of valid tests often prevents the evaluation of these security tools, causing problems even without research and development.[12]

Intrusion detection involves monitoring and identifying security events, while intrusion prevention focuses on event detection. IDPS technology, which provides incident recording, alerting, and response, is essential to your organization. However, the competition between good and evil is important and highlights the need for good ways to evaluate and improve these security tools.[13]

Intrusion detection and prevention systems (IDPS) are essential to protecting your network from evolving threats. As the system's complexity increases, the goal becomes to identify and respond to malicious activity and reduce risks associated with unauthorized access and data deletion. Network administrators are prioritizing the use of IDPS and are continuously researching classifications and standards to improve security processes.[14]

Honeypots are fraudulent tools used on the Internet to trick attackers and monitor and record malicious activity targeting legitimate services. Although they are not always considered security solutions, they can work especially well for small businesses. This article presents a new framework designed for Windows 64-bit systems that combines intrusion detection (IDS) and intrusion prevention (IPS) features to improve security.[15]

II. LITERATURE SURVEY

This article provides a comprehensive literature survey on Intrusion Detection and Prevention Systems (IDPS), elucidating their capabilities, methodologies, and integration imperatives for effective security enhancement. Emphasizing the pivotal role of Intrusion Prevention Systems (IPS) in thwarting security breaches, it discusses various detection methods, including signature-based, anomaly-based, and state-based analysis, underscoring the necessity of employing multiple methods for comprehensive threat detection. Furthermore, the article examines the security features and limitations of diverse IDPS technologies, encompassing network-based, wireless, Network Behavior Analysis (NBA), and host-based IDPS, while highlighting specific techniques and associated challenges. Advocating for the integration of IDPS technologies like Network Forensic Analysis Tools (NFAT) and antivirus software for holistic crime detection and prevention, the article serves as a valuable resource for understanding and navigating the complexities of cyber threat mitigation.[1]

The literature survey presents a comprehensive exploration of various techniques and approaches used in Intrusion Detection and Prevention Systems (IDPS), highlighting both their strengths and limitations. It covers a wide range of methodologies including anomaly detection, signature detection, host-based and network-based systems, as well as novel approaches such as secure mobile agents and virtual machine-based solutions. While these techniques offer varying levels of protection against intrusions, they also pose challenges such as false positives, resource requirements, and the need for continuous updates and monitoring.[2]

This study addresses the complexity of intrusion prevention systems (IPS) and emphasizes the need to anticipate, detect and prevent security breaches. Challenges currently facing IPS include identifying user behavior to distinguish between normal and malicious activity, threat assessment and performance optimization. The misuse and abuse of the hybrid system has been studied in several studies, which have emerged as a good solution. Future research aims to improve the accuracy of behavioral prevention and combine the technique with other methods.[3]

Case studies examine intrusion detection systems (IDS) and intrusion prevention systems (IPS) that protect computer systems. Divides IDS into theft detection and signature detection and describes its functions. The article highlights problems such as IDS vulnerabilities and proposes solutions such as decentralized IDS and new string matching techniques. Tools such as SNORT and techniques such as using virtual machines to increase security are also explored.[4]

Intrusion Detection Systems (IDS) serve as critical safeguards against unauthorized and malicious use of computer systems, offering a range of configurations and types, including host-based IDS (HIDS), network-based IDS (NIDS), and application-based IDS (AIDS). Researchers have thoroughly investigated IDS technologies through visual analysis and theoretical explanations to enhance their effectiveness, exploring techniques like vulnerability detection and signature-based detection to bolster security measures. Emphasizing the significance of monitoring, analyzing, and collecting robust data for early threat detection, integration with other security systems such as firewalls and intrusion prevention systems (IPS) is essential for comprehensive protection, particularly in complex networks. Current trends in IDS research encompass advancements in machine learning and artificial intelligence, integration of cloud-based solutions, and adoption of hybrid architectures combining various detection technologies, with a focus on developing defense strategies against sophisticated cyber attacks. Notable information within the IDS literature ranges from foundational concepts to cutting-edge research, frequently citing scholars like James P. Anderson.[5]

The role and classification of Intrusion Detection and Prevention Systems (IDS/IPS) in network security and the differences between firewalls and routers. Explains signature-based detection and identification and highlights their advantages and limitations. It also explores future developments in IDS/IPS technology, including UTM security threat management and its potential to improve security measures.[6][7]

Intrusion detection systems (IDS) monitor network traffic to detect security breaches. Network-based (NIDS) and host-based (HIDS) systems are prominent types. Founded in 1998, Snort is a well-known open-source NIDS that provides real-time traffic analysis and packet logging. In contrast, Suricata, a next-generation IDS/IPS engine, uses rule-based monitoring and supports both internal and passive traffic modes. This study showed that Suricata uses more memory and more CPU than Snort, although Suricata handles increased network traffic without the need for multiple instances. While both systems are robust, there are differences in scalability and resource usage that affect their suitability for specific network requirements.[8]

The study focuses on using an intrusion detection and prevention system (IDPS) with Snort and IPTables solutions on a Linux Mint server. Snort is important as a powerful network intrusion detection system (NIDS) capable of real-time packet inspection and threat detection, while IPTables serves as a firewall and auto cooler for Linux operating systems. In this study, several experiments were conducted to evaluate the effectiveness of using IDPS against various attacks, including SYN Flood, Ping of Death, and Nmap port scanning. The results show that Snort was able to detect and warn against these attacks, while IPTables successfully countered these attacks by blocking
malicious traffic. Quality of Service (QoS) tests showed that server performance decreased significantly during the attack, but returned to normal after mitigation measures were implemented. This study concludes that Snort and IPTables, when integrated with Linux-based IDPS, can improve network security by detecting and preventing various types of network attacks.[9]

HawkEye solutions provide packet analysis, path discovery, TCP discovery, and more, providing a comprehensive approach to intrusion detection and prevention. The ability to identify anomalous packets and provide detailed information sets them apart from traditional signature solutions. Strengthens security measures by intercepting packets and monitoring network activity. However, as with all security systems, issues such as IP spoofing and malicious code changes make them impossible to detect. Despite these challenges, HawkEye solutions provide valuable information and tools for cybersecurity.[10]

Compare different access detection and protection solutions such as Sourcefire, Radware, and Juniper to see their features and performance. These systems provide advanced features including real-time analytics, user monitoring, and standard overlay traffic management to analyze, investigate, and prevent network attacks. Each system offers unique advantages, including Bro's forensic analysis capabilities, Sourcefire's real-time network intelligence, Radware's attack pattern analysis, and Juniper's powerful reporting and access control capabilities. Overall, these systems help improve network security by providing threat awareness and mitigation capabilities.[11]

There are two ways to classify IDS/IPS: behavioral and script-based methods. Both methods can give positive or negative results depending on the analysis process and physical activity. Intrusion detection and prevention systems (IDS) are critical to operational security. They must be confident, sensitive and situationally aware. Efficiency is also important because the system must not impede maintenance. Data is one additional process.[12]

Intrusion detection and prevention systems (IDPS) are classified based on a variety of factors, including reliability, responsiveness, ease of use, performance, location of monitored data (network, system, or application part), post-intrusion behavior (passive or active), and frequency etc. Other purposes (temporary or permanent), compatibility with operating systems (Linux, Windows, etc.) and functionality-based (open or proprietary). This classification will help you choose the IDPS solution that best suits your unique security needs and workplace.[13]

Provides a brief overview of IDS and IDPS tools, focusing on their key features. Although they do not measure effectiveness, understanding these limitations can help you develop a strategy for choosing the best tool for your specific security needs.[14]

Honeypots can be used as decoy systems to detect and monitor unauthorized activity and improve network security by identifying vulnerabilities. According to the purpose and level of interaction, they are divided into research and production honeypots; advanced honeypots take real risks. Intrusion detection systems (IDS) monitor and warn of suspicious activity, while intrusion prevention systems (IPS) protect against threats. Firewalls act as filters for network traffic and protect against various threats.[15]

III. PROBLEM STATEMENT

Challenges persist in improving the accuracy and scalability of IDPS while addressing issues of resource consumption and interoperability. This study aims to tackle these challenges by investigating IDPS methodologies and integration strategies to bolster cyber resilience effectively.[1]

The problem statement emerging from this survey revolves around the need for robust and adaptive IDPS solutions capable of effectively detecting and preventing both known and unknown threats in real-time, while minimizing false positives and resource overhead.[2]

Intrusion prevention systems (IPS) face challenges in accurately profiling user behavior, real-time threat assessment, and optimizing sensor performance. The integration of efficient hybrid detection methods is still an unexplored frontier in improving the performance and reliability of IPS.[3]

This research aims to solve the problems of intrusion detection system (IDS) and intrusion prevention system (IPS), focusing on improving detection accuracy, reducing false alarms and improving public safety.[4]

The escalating frequency and complexity of cyber attacks necessitate the deployment of intelligent Intrusion Detection Systems (IDS) to mitigate risks and safeguard critical infrastructure. Despite technological advancements, ongoing research is crucial to address key challenges such as enhancing accuracy, resilience, and adaptability to evolving threats, integrating diverse IDS types and methods, and mitigating issues like false positives and scalability. Analyzing IDS's broader impact on network security and IT management, identifying research trends, and establishing best practices and standards are imperative for effective cyber infrastructure protection. Thus, comprehensive research and development in IDS are essential to counter evolving cyber threats effectively.[5]

The purpose of this article is to discuss the challenges of effective network intrusion detection and prevention using IDS/IPS, including its limitations and future technological developments.[6]

This study highlights the need for effective security systems that combine intrusion detection systems (IDS) and intrusion prevention systems (IPS) to effectively monitor, detect and prevent cyber attacks in the network environment.[7]

The evolution of cyber threats requires a sophisticated intrusion detection system (IDS). The purpose of this study is to compare the performance and optimization capabilities of the open source IDS solutions Snort and Suricata based on cybersecurity decisions.[8]

This research focuses on the challenge of improving network security against cyber attacks by implementing and evaluating intrusion detection and prevention systems (IDPS) using Snort and IPTables on Linux Mint servers. Specifically, it aims to determine how effective IDPS is at detecting and mitigating SYN Flood, Ping of Death, and Nmap port scanning attacks.[9]

The challenges currently facing IDPS solutions are described and the need for more efficient and effective solutions to overcome these challenges is highlighted.[10]

Organizations face the ongoing challenge of effectively detecting and preventing threats such as hacking and intrusions. Because many Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) have different capabilities and methods, the unique features, benefits, and limitations of each system must be measured and understood.[11]

Due to the large number of cyber threats, it is important to develop a comprehensive test (IDS/IPS) for the detection and prevention of infections. This paper aims to address this need by combining traditional evaluation methods with advanced technologies such as artificial neural networks (ANN) to improve the reliability and performance of IDS/IPS in real situations.[12]

It addresses the challenge of selecting appropriate security measures based on criteria such as reliability, repeatability, ease of use, flexibility and performance across different network configurations and threat environments.[13]

The capabilities and limitations of intrusion detection systems (IDS) are discussed, as well as their ability to improve security by identifying attacks, tracking user activities, and monitoring quality control activities. However, it is also acknowledged that IDS cannot compensate for weak authentication processes, cannot investigate without human intervention, or cannot resolve all problems in the network.[14]

The challenge is that honeypots can be used to detect and prevent unauthorized activity, while the roles of IDS, IPS and firewalls differ from network security.[15]

IV. COMPARATIVE ANALYSIS

1. Signature-based Detection:
Signature-based detection is a method that uses predefined signatures or patterns to identify known threats in network traffic. This technique is highly accurate for known attacks, as it can detect and alert security personnel to the presence of a known threat with a high degree of confidence. However, signature-based detection has limited effectiveness against unknown attacks, as it relies on having a predefined signature for the attack.

2. Anomaly-based Detection:
Anomaly-based detection is a method that uses machine learning algorithms to create a normal behavior model for network traffic and flags any deviations from this model as potential threats. This technique is effective against unknown attacks, as it can detect and alert security personnel to the presence of a new or unknown threat. However, anomaly-based detection has a high false-positive rate, which can lead to alert fatigue and reduce the effectiveness of the system.

3. Hybrid Detection:
Hybrid detection is a method that combines both signature-based and anomaly-based detection methods to provide more accurate and faster threat detection. Hybrid detection can detect both known and unknown threats by using predefined signatures for known threats and machine learning algorithms to detect unknown threats. However, hybrid detection is more complex and resource-intensive than either signature-based or anomaly-based detection.

4. Intrusion Detection Systems (IDS):
Intrusion Detection Systems (IDS) are designed to monitor network traffic and alert security personnel to any suspicious activity or policy violations. IDS provides visibility into network activity and can detect both known and unknown threats. However, IDS is not proactive in preventing attacks, as it relies on security personnel to take action based on the alerts generated.

5. Intrusion Prevention Systems (IPS):
Intrusion Prevention Systems (IPS) are designed to monitor network traffic and take action to prevent any suspicious activity or policy violations. IPS can proactively block attacks, preventing them from reaching their target while alerting security personnel. However, IPS is more expensive than IDS and may have a higher false-positive rate.

Technique | Advantages | Disadvantages
----------|------------|--------------
Signature-based detection | High accuracy for known attacks | Limited effectiveness against unknown attacks
Anomaly-based detection | Effective against unknown attacks | High false-positive rate
Hybrid detection | Combines strengths of signature-based and anomaly-based | Complexity and resource requirements
Intrusion Detection Systems | Provides visibility into network activity | Not proactive in preventing attacks
Intrusion Prevention Systems | Proactively blocks attacks | More expensive than IDS

Table 1: compares the different techniques used in IDS/IPS for OS protection.

This table provides a concise comparison of the advantages and disadvantages of different IDS/IPS techniques and systems, including signature-based detection, anomaly-based detection, hybrid detection, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS).

V. FUTURE SCOPE

This paper lays the foundation for further research and development in the field of intrusion detection systems (IDS). Future work may include improving IDS functionality to
address these limitations, including improving the authentication process, use of responders, and system improvements. Additionally, exploring the integration of IDS with other security measures, such as intrusion prevention systems (IPS) and artificial intelligence (AI), can create more robust and flexible fixed security solutions. There will also be opportunities to pave the way for advancements in cybersecurity by exploring how new technologies and evolving threats impact the performance and effectiveness of IDS.

The future of knowledge regarding access to research and disease prevention lies in many areas:

Integrating new technologies: With the emergence of new technologies such as artificial intelligence and machine learning, future research may investigate how these technologies can improve the operation of IDS/IPS systems and increase their accuracy in detecting and preventing attacks.

IoT Security: With the proliferation of Internet of Things (IoT) devices, the need for IDS/IPS systems to meet IoT security requirements continues to increase. Future research may focus on developing specific solutions to identify and mitigate IoT-related threats.

Cloud Security: As more organizations move their operations to the cloud, there is a need for IDS/IPS solutions specifically designed for cloud environments. Future research could investigate how cloud-native IDS/IPS systems can monitor and protect against cloud threats.

Automation and Orchestration: Future advances in automation and orchestration can simplify the deployment and management of IDS/IPS systems, making them more efficient and responsive. Threats are increasing.

Threat Intelligence Integration: Integrating threat intelligence into an IDS/IPS system can improve the system's ability to identify and respond to emerging threats. Future research may focus on integrating threat intelligence platforms with IDS/IPS solutions to provide real-time threat information and preventive measures.

User Behavior Analysis: Enhancing IDS/IPS systems with user behavior analysis can help identify unusual behavior and insider threats. Future research could investigate how to incorporate user behavior analysis into IDS/IPS solutions to increase the accuracy of threat detection.

Legal Compliance: As data protection and cybersecurity regulations continue to evolve, future research may focus on developing IDS/IPS systems and solutions to help comply with regulations such as GDPR, HIPAA, and PCI DSS.

Cyber Threat Hunting: Cyber threat hunting consists of detecting and mitigating security threats before they cause damage. Future research could investigate how IDS/IPS systems can be enhanced with threat intelligence to identify and eliminate persistent threats. Discussing future research directions, this article can provide insights and prevention strategies for growing access to research, find and help develop better network security solutions.

VI. CONCLUSION

Intrusion Detection and Prevention Systems (IDS/IPS) are essential components of network security, offering a proactive approach to identifying and mitigating cyber threats. While IDS provides visibility into network activity and alerts for potential intrusions, IPS takes a more proactive stance by actively preventing threats from causing harm. The choice between IDS and IPS depends on the organization's specific needs, resources, and the level of autonomy required in responding to potential security incidents. By leveraging the strengths of both IDS and IPS, organizations can establish a robust defense mechanism to protect their operating systems from a wide range of cyber threats.

VII. REFERENCE

[1] Intrusion Detection and Prevention Systems.
[2] A Study of the Novel Approaches Used in Intrusion Detection and Prevention Systems. International Journal of Information and Education Technology, Vol. 1, No. 5, December 2011.
[3] Characterizing Network Intrusion Prevention System. International Journal of Computer Applications (0975 – 8887), Volume 14, No. 1, January 2011.
[4] A Survey On Intrusion Detection System. Jayesh Surana, Jagrati Sharma, Ishika Saraf, Nishima Puri, Bhavna Navin. 2017 IJEDR, Volume 5, Issue 2, ISSN: 2321-9939.
[5] A Survey of Intrusion Detection & Prevention Techniques. Usman Asghar Sandhu, Sajjad Haider, Salman Naseer, Obaid Ullah Ateeb. 2011 International Conference on Information Communication and Management, IPCSIT vol. 16 (2011), IACSIT Press, Singapore.
[6] Intrusion Detection System and Intrusion Prevention System – A Review Study. Kanika. International Journal of Scientific & Engineering Research, Volume 4, Issue 8, August 2013, 594, ISSN 2229-5518.
[7] Subject review: Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). Safana Hyder Abbas, Wedad Abdul Khuder Naser and Amal Abbas Kadhim. Global Journal of Engineering and Technology Advances, 2023, 14(02), 155–158.
[8] Comparison of Different Intrusion Detection and Prevention Systems. Chintan Kacha, Kirtee A. Shevade. International Journal of Emerging Technology and Advanced Engineering, www.ijetae.com (ISSN 2250-2459, ISO 9001:2008 Certified Journal), Volume 2, Issue 12, December 2012.
[9] Implementation Intrusion Detection Prevention System as a Security System Using Snort and IPTables Based on Linux. Ruri Hartika Zain, Yelmi Rahmawati. IJDES 8(2) (2023) 103-108.
[10] A Comparative Study of Related Technologies of Intrusion Detection & Prevention Systems. https://www.researchgate.net/publication/220049910_A_Comparative_Study_of_Related_Technologies_of_Intrusion_Detection_Prevention_Systems
[11] Performance method of assessment of the intrusion detection and prevention systems. https://www.researchgate.net/publication/258836839_PERFORMANCE_METHOD_OF_ASSESSMENT_OF_THE_INTRUSION_DETECTION_AND_PREVENTION_SYSTEMS
[12] Intrusion Detection and Prevention System: Classification and Quick Review. Bilal Maqbool Beigh, Prof. M.A. Peer. Vol. 2, No. 7, August 2012, ISSN 2225-7217.
[13] Intrusion Detection System- Types and Prevention. B. Santos Kumar, T. Chandra Sekhara Phani Raju, M. Ratnakar, Sk. Dawood Baba, N. Sudhakar. (IJCSIT) International Journal of Computer Science and Information Technologies, Vol. 4 (1), 2013, 77-82.
[14] Intrusion Detection Systems: A Feature and Capability Analysis. https://tr.soe.ucsc.edu/sites/default/files/technical-reports/UCSC-SOE-10-12.pdf
[15] Intrusion Detection & Prevention Using Honeypot. Vivekanand Rajbhar. International Journal of Advanced Research in Computer Science, 9 (4), July-August 2018, 30-36.
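
The signature-based, anomaly-based and hybrid detection methods compared in Section IV, shown as an added Python example that is not part of the original paper. The packet-record fields, addresses, rule names and thresholds are assumptions made for illustration, and a mean-plus-k-sigma baseline stands in for the machine-learning model the paper mentions.

```python
"""Hybrid detection: signature rules plus a learned per-source baseline.
Every record, address and threshold here is constructed for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

# Signature rules: fixed predicates for attacks that are already known.
SIGNATURES = {
    # A reassembled IP datagram cannot legitimately exceed 65535 bytes
    # (the Ping of Death condition); "size" is the reassembled size.
    "oversized-icmp": lambda p: p["proto"] == "icmp" and p["size"] > 65535,
    # Constructed byte pattern standing in for a content rule.
    "known-bad-marker": lambda p: b"EXAMPLE-BAD-MARKER" in p["payload"],
}


def signature_alerts(packets):
    """Return (src, rule) for every packet matching a predefined rule."""
    return [(p["src"], name) for p in packets
            for name, rule in SIGNATURES.items() if rule(p)]


def features(packets):
    """Per-source features for one time window: distinct TCP destination
    ports touched, and bare SYNs sent (SYN set, ACK clear)."""
    ports, syns = defaultdict(set), defaultdict(int)
    for p in packets:
        if p["proto"] != "tcp":
            continue
        ports[p["src"]].add(p["dport"])
        if p["flags"] == "S":
            syns[p["src"]] += 1
    return {s: {"ports": len(ports[s]), "syns": syns[s]} for s in ports}


class Baseline:
    """Anomaly model: mean and standard deviation of each feature, learned
    from windows assumed benign; flags values above mean + k * sigma."""

    def __init__(self, training_windows, k=3.0, sigma_floor=1.0):
        self.k, self.stats = k, {}
        for name in ("ports", "syns"):
            vals = [f[name] for w in training_windows
                    for f in features(w).values()]
            self.stats[name] = (mean(vals), max(pstdev(vals), sigma_floor))

    def alerts(self, packets):
        return [(src, "anomalous-" + name)
                for src, f in features(packets).items()
                for name, (mu, sigma) in self.stats.items()
                if f[name] > mu + self.k * sigma]


def hybrid_alerts(packets, baseline):
    """Union of both detectors, each alert tagged with its origin."""
    return ([(s, r, "signature") for s, r in signature_alerts(packets)] +
            [(s, r, "anomaly") for s, r in baseline.alerts(packets)])


def tcp(src, dport, flags="S"):
    """Build one constructed TCP packet record."""
    return {"src": src, "proto": "tcp", "dport": dport, "flags": flags,
            "size": 60, "payload": b""}


# Constructed benign windows used to learn the baseline.
TRAINING = [
    [tcp("192.0.2.5", 443), tcp("192.0.2.5", 443, "A"),
     tcp("192.0.2.6", 80), tcp("192.0.2.6", 443)],
    [tcp("192.0.2.5", 22), tcp("192.0.2.7", 443),
     tcp("192.0.2.7", 80), tcp("192.0.2.7", 8080)],
]

BACKUP_PORTS = (22, 80, 443, 873, 3306, 5432)

# Constructed live window: a normal client, a port sweep, a SYN burst,
# a legitimate backup job, and one oversized ICMP datagram.
LIVE = (
    [tcp("192.0.2.5", 443), tcp("192.0.2.5", 443, "A")]
    + [tcp("198.51.100.66", port) for port in range(1, 21)]
    + [tcp("198.51.100.77", 80) for _ in range(50)]
    + [tcp("192.0.2.9", port) for port in BACKUP_PORTS]
    + [{"src": "198.51.100.88", "proto": "icmp", "size": 65600,
        "payload": b""}]
)

if __name__ == "__main__":
    for alert in hybrid_alerts(LIVE, Baseline(TRAINING)):
        print(alert)
```

Only the oversized ICMP datagram matches a signature; the sweep and the SYN burst are caught by the baseline alone, and the backup host at 192.0.2.9 is flagged as well, which is the false-positive cost Table 1 attributes to anomaly-based detection.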
