TCP/IP Model and Intrusion Detection Systems

To accommodate the information security growth and hacker´s improved strategies and tools, intrusion detection systems (IDSs) are required to be allocated across the network. Furthermore, previous studies showed that the choice of network features used for the IDS is dependent on the type of the attack. Accordingly, each TCP/IP network layer has specific type of network attacks, which means that each TCP/IP network layer needs a specific type of IDS. This paper proposes a new categorization for IDS depending on the TCP/IP network model: application layer IDS (AIDS), transport layer IDS (TIDS), network layer IDS (NIDS) and link layer IDS (LIDS). Each of these IDS types is specialized to a specific network device. So, the detection process will be distributed among all TCP/IP network model layers through the network devices. To design each of these different types of IDS, several experiments have been conducted using two different features selection approaches to select the appropriate features set for each IDS type. The experimental results indicate that each IDS type has different features set that can not only improve the overall performance of the IDS, but it also can improve its scalability.