Modernize Your Intrusion Detection Strategy with an AI-Powered, Open-Source NIDS

As 2020 comes to an end, cyber risk has reached an all-time high, and intrusion detection has never been more essential in securing networks and preventing attacks and breaches. Cyber criminals’ methods, tactics and techniques are evolving to become increasingly stealthy and sophisticated, and more organizations than ever are turning to AI-based intrusion detection systems to beef up their security defenses, outsmart the “bad guys” and protect their critical servers, systems and data.

Forty-four percent of organizations worldwide are now using some form of AI to detect and deter attacks on their networks - an impressive number given that AI-based intrusion detection technology is still under active development. To help you modernize your intrusion detection strategy heading into the new year, we’ll examine the benefits and potential drawbacks of implementing an AI-powered network intrusion detection system (NIDS) and introduce you to a fast and flexible open-source NIDS we love called AIEngine. But first, let’s quickly review the basics.

What Is an NIDS and Why Do I Need One?

A network intrusion detection system (NIDS) is a system that attempts to detect hacking activity, denial of service (DoS) attacks or port scans on a network by identifying suspicious patterns in incoming packets. A NIDS is strategically positioned at various points in the network of interest to monitor incoming and outgoing traffic to and from networked devices. Malicious activity or policy violations detected by the system are either reported to an administrator or collected centrally using a security information and event management (SIEM) system.

Preventing sophisticated modern cyberattacks requires a defense-in-depth approach to security, and deploying a NIDS is a key element of any effective network security strategy. In order to combat the array of attack vectors and intrusion methods available to cyber criminals today, it is critical that organizations secure their networks with layered technologies and detection methods. It is no longer sufficient to rely on simple security systems or antivirus software that can only protect against known attacks at the application layer. Network intrusion detection systems help administrators proactively identify and respond to threats to their systems, set up preventative, layered defenses and mitigate the risk of data theft and system compromise.

The Future of Intrusion Detection Will Be Driven by AI

The advancing technology available to network security teams and cybercriminals alike has led to the use of AI in the majority of modern intrusion detection systems. As threats evolve dynamically, it's becoming increasingly difficult to write a static set of rules for these systems to follow. Through the use of Artificial Intelligence and Machine Learning, IDS systems can proactively use what they’ve learned from previous attacks to write and update rules for themselves. Although AI-based intrusion detection technology is currently being actively developed, AI-based IDS systems have already proven to be very effective. Given enough time and data, these systems are able to distinguish a honeypot from a real asset and beat decoy defenses.

One significant challenge that AI-based IDS systems face is adversarial AI attacks in which attackers inject false positives and negatives into AI training data in an effort to “confuse” these systems. However, there has recently been promising development in the battle to combat adversarial AI, with honeypot-style defenses now being used to enhance Machine Learning. Researchers at the University of Texas at Dallas are further developing this concept with DeepDig, a honeypot that transforms cyberattacks into live training data for Machine Learning-based intrusion detection systems. This is accomplished by placing traps and decoys onto real systems before applying Machine Learning techniques to gain a deeper understanding of attackers’ behavior. UT Dallas computer science professor Kevin Hamlin explains, “Even the most proficient adversary cannot avoid interacting with the trap because the trap is within the real asset that is the adversary's target - not a separate machine or software process.”

AIEngine: Combining the Power of AI and Open Source to Detect Modern Threats

AIEngine is a next-generation AI-based NIDS that is fast, flexible and suitable for a variety of use cases including banking environments, IoT infrastructures, data center environments and industrial architectures. Through the use of advanced Open-source Intelligence (OSINT) gathered from an innovative global community, AI algorithms and Machine Learning, the engine is capable of automatically generating signatures of unknown traffic and using them in other instances with no human intervention. AIEngine’s internal design is based on the fact that all internal objects of the system are exposed to the user via a scripting language such as Lua or Python. AIEngine lead developer Luis C. explained to LinuxSecurity.com security researchers: “This architecture offers a high degree of customization by enabling administrators to easily reprogram the engine to meet specific and evolving needs. It also offers convenient, seamless integration with multiple systems with few lines of code in a matter of hours.”

AIEngines’s unrivaled speed is undoubtedly one of the engine’s defining characteristics. AIEngine supports the programming of customer requirements into code in real-time, and is capable of dealing with new threats with a reaction time close to zero. Despite the engine’s use of interpreted languages such as Python, Lua and Ruby, no open-source NIDS is faster than AIEngine. 

Notable features of AIEngine include:

• DNS domain classification
• Spam protection
• Network collector
• Network forensics 
• Zero-day exploit signature generation
• Real-time interaction

A complete list of features supported on AIEngine can be found aiengine.

AIEngine can be downloaded AIEngine downloads.

Conclusion

Heading into 2021, having an effective NIDS in place as part of a defense-in-depth security strategy has never been more important. Artificial Intelligence is becoming increasingly critical in the realm of intrusion detection, as traditional, static approaches are no longer able to reliably detect sophisticated modern threats. AIEngine is an excellent option for administrators and organizations looking for a fast, flexible and proactive NIDS to deploy on their Linux systems.

Thank you to AIEngine lead developer Luis C. for his contributions to this article.