A New Approach to Network Intrusion Detection Based on Hybrid Methods

The role of intrusion detection systems has been considered significant in network anomaly detection. New and unknown attacks have proved that signature-based detection methods are inefficient, and raised the attention to anomaly-based detection methods. Despite their great ability in anomaly detection, these methods suffer from high rate of false-alarms. Therefore, the idea of using hybrid intrusion detection systems is developed in order to reduce the false-alarm rate. In this paper, we propose a four-layered model based on hybrid methods. The first layer consists of data flow analysis and service type classification modules. The service type classifier uses both an n-gram-based statistical technique, and an evolutionary algorithm. In the intrusion detection layer, a signature-based and several anomaly-based detection modules have been implemented with hybrid methods. These specific detection modules are called according to the type of service which has been identified through the first layer. The decision-making layer is then called based on the results of intrusion detection process. This layer identifies the attack nature and the type of response, and then calls the event management layer. In this layer, network administrator is notified appropriately; and, responsive actions are managed if needed. Applying the cross-validation method shows that intrusion detection has been improved and, in result, the false alarm rate has been reduced.