Mohan et al. (2015) developed a hybrid IDS based on CEP. This CEP-based IDS integrated the outputs of a network IDS and a host IDS in a CEP module to produce a combined output with greater accuracy. The whole deployment protected the internal information system against data leakage through stateful packet inspection. MCA was used to estimate and characterize the normal behaviour of the network and to feed the resulting values to the CEP engine, which raised an alert on any deviation from the normal pattern. The performance of the proposed hybrid IDS was studied on a test bed with normal and various attack scenarios [15].
Kohler et al. (2018) described CEP as the processing of streams of basic events, such as readings from networked sensors, into meaningful complex events. Usually, CEP processing is done on servers or in overlay networks. However, the authors argued that CEP was a good candidate for in-network computing along the communication path, avoiding detours of the streams to remote servers in order to reduce communication latency while also exploiting the processing capabilities of modern networking hardware. The authors showed that it was possible to express CEP operations in P4. Further, they presented a tool to compile CEP operations, expressed in the P4CEP rule specification language, into P4 code. They also discussed the challenges and issues that remain to be addressed, pointing out future research directions for implementing full-fledged in-network CEP systems [16].
Jun et al. (2014) proposed CEP methods for IDS in IoT. In terms of deployment, the authors used a centralized approach, with the IDS running on the border router to monitor network packets. It was a specification-based IDS in which the rules were stored in a Rule Pattern Repository, taking the EPL and SQL of Esper as a reference. The benefit of this work was that it used the patterns of event streams to evaluate intrusions, which could decrease the false alarm rate. They found that their approach was more CPU intensive, consumed less memory and took less processing time than a traditional IDS [17].
İnçki et al. (2017) presented a runtime monitoring method for IoT systems that exploited event correlations expressed over the message-exchange model of the Constrained Application Protocol (CoAP). The use of CEP was proposed to detect failures at runtime by exploiting complex event patterns defined via a predefined event algebra [18].
Hoßbach et al. (2013) motivated substantial enhancements of CEP technology by making the infrastructure dynamic, changing the detection paradigm from signatures to anomalies. This led to numerous changes in the infrastructure that raised interesting and inspiring research questions. The resulting dynamic CEP infrastructure not only made existing applications more powerful and easier to maintain but also enabled new application domains [19].
Vasconcelos et al. (2017) adapted and compared three classical offline outlier detection algorithms to perform online data stream processing with a CEP model. A lightweight methodology for detecting outliers through CEP was thus proposed and evaluated on dynamic data streams produced by a vehicle's onboard sensors and by mobile devices' sensors. The key objectives of their research were a mechanism to perform online outlier detection over multiple data streams on a resource-constrained device and a prototype application implementing these requirements to classify driving behaviour. A case study was carried out in a real-world setting in Brazil with the purpose of validating the model [20].
Shi et al. (2017) proposed a hierarchical framework for real-time public mood time-series tracking over Chinese microblog streams with CEP, which can handle high-volume and high-speed data streams. First, microblogs were transformed into expressive microblog events through text sentiment analysis. Then, an online grouping window technique was applied to summarize the public mood in various phases. Smoothing and trend-following techniques were used to determine rising or falling tendencies of the public mood. Finally, the method was applied to 6606 microblogs to validate its feasibility. The results demonstrated that the proposed model was not only practical but also efficient [21].
Mehdiyev et al. (2015) proposed a machine learning model to replace the manual definition of rule patterns. After a pre-processing stage, different rule-based machine learning methods were applied to detect complex events. Promising results with high precision were obtained, and a comparative performance study of the classifiers was discussed [22].
Zimmerle et al. (2018) proposed the integration of two approaches, WoT mashups and CEP, to form a basic method for tackling the new avalanche of information in the context of IoT applications. Reactive programming was used to implement the CEP operators, which were provided as extensions of an existing WoT platform. A case scenario was used to demonstrate the method [23].
Muda et al. (2011) suggested a combined learning method integrating K-Means clustering with Naïve Bayes classification. The method first groups all the data into the corresponding clusters before applying a classifier for classification. Testing was done to assess the performance of the proposed approach on the KDD Cup'99 dataset. The results showed that the proposed technique improved accuracy and detection rate while keeping a reasonable false alarm rate [24].
Sharma et al. (2012) applied an effective data mining technique, k-means clustering combined with naïve Bayes classification, to anomaly-based network intrusion detection. Experimental results on the KDD Cup'99 dataset demonstrated the effectiveness of the methodology in detecting network intrusions. It was observed that, when applied to the KDD'99 datasets, the proposed technique outperformed a naïve Bayes based method in terms of detection rate [25].
2.1 Inference of Literature Review
Extensive research has been carried out in the field of IDS design to build a highly scalable IDS without compromising efficiency and security. The idea of the existing work [15] was to develop an effective and scalable hybrid IDS design using a CEP module as the core, to come up with a generic hybrid IDS design that brings standardization to the IDS framework portion of the computer security domain, and to evaluate it in terms of performance and security requirements.
For the detection strategy, there was a hybrid system that used signature-based detection along with an anomaly-based detection technique, namely Multivariate Correlation Analysis (MCA). To improve the scalability of the system, IDS as a service (IDSaaS) has been proposed to provide an easy-to-access IDS using the cloud. There was also a parallel design that effectively distributes the detection workload among multiple cores. However, the existing solutions stated above focus mainly on either security or scalability, not both.
The existing system used IDS as a service (IDSaaS) as well as the Multivariate Correlation Analysis algorithm. It was a hybrid IDS that combined signature-based detection, anomaly-based detection and CEP for intrusion detection. In its CEP module, MCA was implemented to estimate and characterize the normal state, so compared to a traditional IDS the design also provided better defence against zero-day attacks. The IDSaaS approach ensured the scalability of the existing system by offering the IDS capability over network connectivity alone. Thus, we attempt to achieve both security and scalability using IIDS-LCKIB.
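As an added illustration of the hybrid design discussed above (this is not the code of [15] or of IIDS-LCKIB), the following Python sketch shows the two roles a CEP module plays in such a system: a stateful join that combines NIDS and HIDS alerts for the same host within a time window into one higher-confidence event, and a check of observed traffic against a learned normal profile. The alert log, the baseline rates, the 60-second window and the mean/standard-deviation threshold are all constructed assumptions; the threshold stands in for the MCA normal-profile check and is not MCA itself.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev

WINDOW = 60  # seconds: NIDS and HIDS alerts on one host within this span are joined (assumed)

# Constructed sample alerts, one per line: "ts,source,host,signal" (not real IDS output).
ALERT_LOG = """\
100,nids,10.0.0.5,port_scan
110,hids,10.0.0.5,failed_login_burst
130,nids,10.0.0.7,port_scan
400,hids,10.0.0.7,new_service_installed
"""

# Constructed per-host connection counts for 10 s bins of normal traffic (the baseline).
NORMAL_RATES = [12, 15, 11, 14, 13, 16, 12, 14]


def parse_alerts(text):
    """Turn the CSV-like log into (ts, source, host, signal) tuples, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, host, sig = line.split(",")
            rows.append((int(ts), src, host, sig))
    return rows


def correlate(alerts, window=WINDOW):
    """CEP-style join: emit (host, signals, gap) when NIDS and HIDS alerts for one host
    fall within `window` seconds of each other.

    A per-host deque keeps only recent alerts; stale ones are evicted as the stream
    advances, so state stays bounded by the window regardless of stream length.
    """
    recent = defaultdict(deque)
    combined = []
    for ts, src, host, sig in sorted(alerts):
        q = recent[host]
        while q and ts - q[0][0] > window:
            q.popleft()
        for old_ts, old_src, old_sig in q:
            if old_src != src:  # only cross-sensor pairs count as a combined event
                combined.append((host, frozenset({old_sig, sig}), ts - old_ts))
        q.append((ts, src, sig))
    return combined


def rate_deviation(baseline, observed, k=3.0):
    """Flag an observed rate more than k standard deviations from the baseline mean.
    Simplified one-feature stand-in for the normal-profile check; not MCA."""
    mu, sigma = mean(baseline), pstdev(baseline)
    return abs(observed - mu) > k * sigma
```

Only the 10.0.0.5 pair is joined; the 10.0.0.7 alerts are 270 seconds apart and fall outside the window, which is the behaviour a practitioner should verify when tuning the window size.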
2.3 Problem Statement
Network security has become a very important concern, and IDSs are becoming essential solutions for identifying different kinds of attacks. There are several types of IDS, each with its share of merits and demerits, which makes IDS design a field suitable for further research and development. Another big concern of IDS design is that, as computer networks grow exponentially, there is a need for an effective and highly scalable IDS that allows larger deployments to manage and defend a larger network. This project combines multiple intrusion detection techniques in an optimal manner to meet the requirements in terms of security and scalable performance.