Группа авторов

Artificial Intelligence and Data Mining Approaches in Security Frameworks


Скачать книгу

private networks encrypted information cannot be analysed with network-based IDS.

      2 Successful implementation of network-based IDS is based on the intermediate switches present in the network.

      3 Network-based IDS would be unstable and crash when the attackers splinter their packets and release them.

       2.5.1.2 Host-Based IDS

      Advantages

      Following are the advantages of Host-Based IDS:

      1 It can perceive even those attacks that are not detected by a Network-Based IDS.

      2 For the detection of attacks concerning software integrity breaches, it works on audit log trails of operating system.

      Disadvantages

      Disadvantages of Host-Based IDS are as follows:

      1 Various types of DoS (Denial of Service) attacks can disable the Host-Based IDs.

      2 Attacks that target the network cannot be detected by host-based IDS.

      3 To configure and manage every individual system is very difficult.

       2.5.1.3 Hybrid IDS

      It is a combination of network and host-based IDS to form a structure for next-generation intrusion detection systems. This arrangement is generally known as a fusion/hybrid intrusion detection system. By adding network based and host-based IDS, it would significantly improve resistance against few more attacks. Data mining techniques required for IDS are Pattern Matching, Classification and Feature Selection Pattern Matching.

      It is a kind of social engineering attack generally used to filch data of a user, like login credentials and credit card numbers. To cover up honest websites, forged websites are usually formed by fraudulent people. Due to phishing activities of attackers, users mistakenly lose their money. Therefore, a critical step must be taken for the protection of online trading. Goodness of the extracted features denotes the prediction and classification accuracy of a website. An anti-phishing tool is used by most of the internet users to feel safe against phishing attacks. Anti-phishing tool is required to predict accurate phishing. Content parts of phishing websites along with security indicators may have a set of clues within the browsers. Various methods have been proposed to handle the problem of phishing. For predicting phishing attacks, rule-based classification, which is a data mining technique, is used as a proficient method for prediction. If an attacker is sending an email to victims by requesting them to reveal their personal information, it is an indication of phishing. To create phishing websites with proper trick, a set of mutual features are used by phishers. We can distinguish between phishy and non-phishy websites on the basis of extracted features of that visited website.

      Identification of phishing sites can be done with the help of two approaches:

      1 i) Blacklist based: It includes comparative analysis of the URL, i.e., requested along with other URLs which are present in that list.

      2 ii) Heuristic based: Certain features from various websites are collected and labeled as either as phishy or genuine.

      There are two stages in association classification (AC):

      1 i) Training phase: It is used to induce hidden knowledge (rules) with the help of Association rule.

      2 ii) Classification phase: It is used to build a classifier after cropping ineffective and superfluous rules.

      It has been proved from many research studies that association classifier (AC) generally shows better classifiers in terms of error rate than decision tree and rule induction (standard classification approaches).

      Code injection attack is a technique to write new machine code into the susceptible program’s memory. If there is a bug in the program, the control can be sent to the new code after manipulating it. W+X, the protection technique (Diwate, Sahu, 2014) alleviates the code injection attack by permitting one operation, i.e., either to write or execute operations but not both simultaneously (Mitchell, Chen, 2013).

      2.7.1 Code Injection and Its Categories

      Following are the types of code injection attacks:

      1 i) SQL Injection

      2 ii) HTML Script Injection

      3 iii) Object Injection

      4 iv) Remote File Injection

      5 v) Code Reuse Attacks (CRAs).

      1 SQL Injection: It can be defined as a technique by which SQL syntax can be used to input commands for reading, alteration or modification of a database.For example, there is a field on a web page regarding authentication for user password. Generally, we use script code for this. This script code will generate a SQL query so that matching password entered against the list of user names could be verified: SELECT User List. Username FROM User List WHERE User List. Password = ‘Password’

      2 HTML Script Injection: Malicious code can be injected by an attacker with the help of tags. Thus, location property of the document would be changed by setting it to an injected script.

      3 Object Injection: Hypertext pre-processor (PHP) is used for serialization and deserialization of objects. With the help of object injection, existing classes in the program can be modified and malicious attacks can be executed if an untrustworthy input is allowed into the deserialization function.

      4 Remote File Injection: To cause the intended destruction, remote infected file name could be provided by attackers by alter the path command of the script file as the path.

      5 Code Reuse Attacks: Code reuse attacks (CRAs) are recent development in security. They occur when an attacker expresses the flow of control through a previously existing code. By using this, attackers are allowed to execute random code on a compromised machine. These are return-oriented and jump-oriented programming approaches. They can reclaim library code fragments.