A Comprehensive Study on Intrusion and Extrusion Phenomena

This paper presents a comprehensive survey of intrusion and extrusion phenomena and the existing techniques for detecting and preventing them. Intrusion and extrusion events, which are breaches of the security system, undermine the protection of devices and systems. Security threats keep flourishing with new levels of complexity, making them harder to recognize. Security is therefore the central issue in developing a boundless, constant and reliable web. In this paper, our purpose is to unveil and categorize all possible intrusion and extrusion events, bring out the issues related to them and explore the solutions associated with them. We also offer further recommendations to improve security in these areas. We strongly believe that this survey may help in understanding intrusion and extrusion phenomena and pave the way for better designs to protect against security threats.

Keywords—Intrusion; extrusion; intrusion detection; security and survey


I. INTRODUCTION
No doubt, computing technology has drastically changed people's lifestyles. All of this happens through connected devices, which we call networks. As devices get smarter and more knowledgeable, people become much more dependent on them. Things that bring comfort and contentment also bring issues and worries with them.
As networks help individuals communicate through connected devices, threats and breaches are becoming more prominent. Computer security is the protection of electronic data and information against internal and external threats, both malicious and vulnerability-driven [1]. It provides protection and prevention against attacks and keeps information secure. However, with the growth of new technologies and sophisticated devices, the types and nature of attacks are also changing [2].
All probable occurrences, contraventions or approaching threats that violate system security are known as intrusion and extrusion events. More precisely, if an insider or outsider intrudes into the local system from his own remote system, it is known as an intrusion event. Extrusion is an attack event that originates from the local host system in order to take control over the system; it is usually carried out by an insider who is authorized to use the organization's devices. To shield devices and networks against intrusion or extrusion events, security must be sufficiently savvy and intelligent [3]. The concept of network security was first introduced in the late 1980s, and since then experts have warned of the unpredictable risk of numerous unsecured devices interconnected through the internet [4]. Nowadays, attack events related to intrusion and extrusion are a continuously increasing concern: devices such as computers, refrigerators and even TVs are being used to dispatch malicious content on behalf of hackers. Hackers usually do not attack the devices themselves, but instead use other compromised devices to break in [5].
Some remarkable attack events related to intrusion and extrusion that have affected the world most are the RFIT botnet (December 2018), ThinkPHP exploitation (11 December 2018), D-Link router exploitation, the Shaolin botnet (exploitation of a NETGEAR vulnerability, January 2019), the Mirai botnet [6] [7], the botnet barrage, the NotPetya ransomware attack (June 2017), etc. Most of these attacks are neither discussed nor prevented, even though systems have substantial security in place. It is therefore hard to accept that, even after 28 years, systems still lack the security to detect or prevent such events. Besides these exceptional cases, devices and systems also face regular intrusion and extrusion attacks, such as Address Resolution Protocol (ARP) attacks, Internet Control Message Protocol (ICMP) attacks, Fraggle attacks, ICMP tunneling attacks, Internet Protocol (IP) fragment attacks, malformed packets, outbound raw attacks, ping-of-death attacks, distributed denial of service, phishing, supply chain attacks, router attacks, etc., to name a few.
Although conventional solutions exist for the aforementioned attacks, the occurrence of the remarkable events mentioned above indicates that no system is fully protected. We have explored a large number of surveys on attacks. Some surveys [8] [9] [10] [11] discuss attacks in different layers. Some [12] [13] [14] discuss only DDoS attacks. Some [15] [16] [17] focus mainly on intrusion detection and prevention systems. As networks expand their reach, more intrusion and extrusion events are occurring that have never been discussed before.
This article provides an up-to-date taxonomy as well as descriptions of important scientific work in the field of intrusion and extrusion. It offers an organized and thorough overview of current intrusion and extrusion detection systems so that interested academics may rapidly learn about the essential areas of anomaly detection. The intricacy and implications of the various approaches and their assessment procedures are explored.
No previous paper thoroughly covers intrusion and extrusion detection, their outcomes and the various types of attacks. Furthermore, the advancement of intrusion detection systems has resulted in numerous distinct proposed systems in the interim. This document provides up-to-date information on the subject.
We present a comprehensive and in-depth study of intrusion and extrusion events. In particular, extrusion attacks [18] and their detection systems [19] are mostly not covered in existing surveys. For better understanding, we discuss real-life examples of the attacks, constructive definitions, the attacks' consequences, their complexities, limitations and merits, method comparisons and efficiency, etc.
As time passes, scenarios with relatively novel phenomena emerge, and network defenses are inadequate. Because of the ubiquity of computer networks and our ever-increasing reliance on them, being unaware of a threat might have disastrous repercussions. Research on this topic is continually intensifying, and more scholars are becoming involved in this field on a daily basis. The potential of a new wave of cyber or network assaults is not just a possibility to be considered; it is a known truth that can materialize at any time. We think that study should not be restricted to the concerns raised in this work.
Nevertheless, most of these events have never been categorized in a way that aids understanding of the problems. In this paper, we categorize the attacks on the basis of intrusion and extrusion and provide a comprehensive discussion of those events for better understanding. We further relate those events to the TCP/IP layers. All of this motivated us to write this article. We firmly believe that our effort may have a lasting influence on the research community towards the next level of perfection.
The rest of the paper is organized as follows. Section 2 outlines the taxonomy of intrusion and extrusion events. The intrusion events are described in detail in Section 3. Section 4 continues with a detailed description of the extrusion events. We present a big picture in tabular form, summarizing all the intrusion and extrusion events, in Section 5. Finally, we present open challenges and future research issues in Section 6 and conclude our research in Section 7.

II. TAXONOMY OF INTRUSION AND EXTRUSION
This paper categorizes different attacks into intrusion and extrusion events. Each attack is also associated with one of the layers of the TCP/IP protocol suite. Hence, our main classification also exhibits the corresponding layer where the attack occurs, as demonstrated in Fig. 1. We have listed 14 intrusion and 10 extrusion events, knowing that this list will grow in the course of time. As far as we know, this is the first attempt that gathers all the intrusion and extrusion events together with their comparative analyses.

III. INTRUSION EVENTS
This part of our work digs into the intrusion events, presenting their definitions, explaining how they occur and outlining possible solutions, with figures wherever applicable. When a trusted insider violates the regular use of the system, an intrusion event occurs. The most common intruders may be hackers, a company's employees, criminal enterprises, etc. Any attack that originates from a remote system against a local system is considered an intrusion. Suppose an attacker disguises himself as a legitimate host and sends a request (i.e. malware, malformed packets, emails, etc.) to the targeted PC. If an authorized user accepts the request, the malware or malformed packets might attack or freeze his PC, or the request might lead him to a fake proxy website and force him to fill in personal information. Thus, the information is revealed to the attacker. This process is known as an intrusion event. Fig. 2 illustrates a generalized model of how an intrusion event occurs.

A. TCP-ACK Storm Attack

1) The attacker picks up a packet from the network connecting host A and host B, as there is an open port on the router.

2) Then, the attacker generates a packet addressed to host A and sends it to host B with host A's address as the source. The packet must carry at least one byte of data and must lie inside the TCP connection.

3) Finally, the attacker manages to send packets from host A to host B within the time frame. As the attacker gets replies, the hosts continue in a loop, sending packets back and forth.
The basic one-packet TCP-ACK storm attack [24] can be further amplified into the two-packet ACK storm attack, exhausting bandwidth and lengthening the session duration. This attack disrupts regular web activities by generating huge traffic.
Some existing solutions related to this attack are shown in Table I.

B. Fraggle Attack

The Fraggle attack is a type of amplification attack in which UDP packets are dispatched to port 7 or 19, depending on which one is open; a character generation (chargen) service may also be running on the target. This intrusion may wreak havoc on the system with the help of insiders, who unintentionally help the hackers flood UDP packets. As this attack is not new, all operating systems are protected from it. Therefore, no new attacks of this kind [28] have been found nowadays, although in the late 90s the attack was very acute.

In Fig. 4, the attacker attacks the computers using BOT PC A to generate a UDP flood to PCs X, Y and Z. This UDP flood is then propagated to the nodes downstream. Note that port 7 is open on all computers and supports the character generation service. Eventually, the traffic overwhelms the target PC T and blocks its normal functioning, resulting in a Fraggle attack.

A successful Fraggle attack may hang system servers for an indefinite period of time (e.g., hours, days or even months). To identify a Fraggle attack, three types of techniques have been introduced: traffic degree monitoring, source IP address monitoring and packet attribute analysis. When the attack is detected, countermeasures might be taken such as filtration [29], congestion control [30], submissive trace back [31], reproduction [32], etc.

C. ICMP Redirect Attack

An ICMP redirect message is an out-of-band message that informs a host of the existence of a more optimal route through the server network. This mechanism is misused by the attacker to redirect traffic or information to his own system. In this attack, the hacker poisons the router by sending an ICMP redirect message to the targeted host, so that all traffic takes the supposedly optimal route to the destination. These attacks mostly happen at the port or network layer. They can also cause problems where a firewall and non-deterministic traffic exist [33]. Zimperium Mobile Security Labs researched an attack last year named "DoubleDirect", which can be generated through ICMP redirect message attacks. It enables the attacker to redirect the target's traffic [34] to the attacker's PC. Once the process is done, the attacker may steal data or inject a payload into the victim's PC. Machine learning approaches yield the best detection rate so far.

In Fig. 5, host A is the source and host B is the destination. The files are supposed to be transferred from source to destination through the router. But the attacker redirects the messages by manipulating the router. Hence, the files find the new path and go to the attacker's PC, treating it as the destination. In what follows, Table II lists some existing solutions to this attack.

D. Internet Protocol (IP) Fragmentation Attack
IP fragmentation attack exploits the IP fragmentation mechanism as an attack vector [40] [41].
The BlackNurse attack is one of the most commonly cited named instances of an IP fragmentation attack. Basically, it is based on sending crafted IP fragments in order to disable firewall services [42].

This process may occur in two ways, as described in the following:

1) UDP and ICMP fragmentation attacks: This attack [43] exploits the transmission of malicious UDP or ICMP packets exceeding the maximum transmission unit. The inability to reassemble these packets causes high resource consumption, resulting in issues on the victim server.

2) TCP fragmentation attacks: This attack, also regarded as the Teardrop attack, inhibits the TCP/IP reassembly procedure for fragmented data packets, resulting in overlapping data packets. Consequently, the server gets swamped [44].

Its improvement in packet loss and 95% accuracy rate make sparsely tagged fragmentation marking the best solution for this attack. Table III presents existing solutions related to this attack.

E. Perpetual Echo Attack
The perpetual echo attack [51], a fraudulent activity, takes place at port 7. The source port and the destination port perpetually echo each other once the connection is established. UDP requests are sent to a malicious IP address so that all victims get back their responses. The malicious source address is not the [52] on the UDP ports. Some UDP applications unconditionally respond to every datagram received. If a datagram is inserted into the network with one of these applications as the destination and another of these applications spoofed as the source, the two applications will respond to each other continually. Each inserted datagram will result in another perpetual echo conversation between them. In the worst case, the attacker's aim is to hide attacks or render them untraceable. Ant colony optimization is more efficient at generating a true alarm rate while detecting the attack.

In Fig. 6, the attacker uses another PC's IP address to remain hidden and sends a UDP flood through port 7 of the router to the target PC to establish a connection. Once a connection is established, the affected PC works as a BOT that sends UDP floods to other PCs. Table IV presents existing solutions to this attack.

F. Internet Control Message Protocol (ICMP) Tunneling Attack
An ICMP tunnel is created where the information flow may not be regulated by any security technique. ICMP is used as an attack vector against the shield of an IP-Sec gateway [55]. In the worst case, attackers are able to disturb the network architecture through malicious activity. An ICMP tunneling attack establishes a connection between hosts and ruins the firewall service in such a way that it fails to raise an alarm for data sent via ICMP. It is a covert connection [56] between hosts using ICMP messages.

In Fig. 7, host A is using the original server through a proxy server. The proxy server may easily be manipulated or authorized by the attacker without the firewall's knowledge. ICMP messages are used as the payload in this figure. Thus, the information is routed through the attacker's PC without anyone's interference or knowledge.

G. Smurf Attack
The Smurf attack closely resembles the ping flood attack, as both send ICMP echo request packets. Being an amplification attack vector [57], it accelerates its damage potential by exploiting the broadcast characteristics of networks, which distinguishes it from a ping flood. The first Smurf attack [58] happened in 1990 at the University of Minnesota. It lasted more than one hour and chained throughout the state, completely shutting down many computers and servers. As a result, data loss and slowdowns occur. Restricting IP broadcasting is needed to eliminate Smurf attacks.
The procedure of a Smurf attack is as follows.
1) The malware generates a network packet attached to a fake IP address, with a ping message inside the packet. Upon receiving these spoofed packets, the nodes echo back, causing a loop that eventually leads to a complete denial of service.

2) An insider may directly inject the Smurf Trojan, or it may be accidentally downloaded from a forged e-mail or website. Typically it remains dormant until activated by the attacker. Consequently, a good number of Smurfs are integrated with rootkits, allowing hackers to create a backdoor for system access.

Table V shows state-of-the-art solutions for the Smurf attack.

H. Router Attack
Router attacks mainly exploit vulnerabilities in networking protocols that lead to software inconsistencies and weak authentication [61]. They normally occur in the network layer. Attacks [62] [63] that can be part of, or originate from, router attacks are mainly brute force and denial of service attacks. When they occur, they impact network services and business operations.
A 2018 report from eSentire shows a 539% increase in router attacks since 2017. The ACI (American Consumer Institute) also found that 84% of WiFi routers [64] are at risk of cyber attacks or malicious activity. As people are not properly aware of security vulnerabilities, hackers take the chance. Black hole routers can detect most types of router attack and can be modified if the attacker's methods change over time.
In Fig. 8, the attacker modifies the valid protocol to make a new, malicious protocol that may cause havoc to the system. Some attacks that might disrupt the performance of the router are discussed in the following.

1) Brute Force: A brute force attack is a method where a trial-and-error process is used to obtain data such as a user's password or PIN details. In this attack, automated software generates a large number of close-to-accurate guesses in order to obtain the desired value. It may be used by the attacker to crack encrypted data. It may also be used to test the security system of an organization.
2) Packet Mistreating Attack: Router attacks may lead to packet mistreating, much like DoS attacks. Packets get mistreated by injecting malicious packets to confuse and overwhelm the system.

3) Routing Table Poisoning: A routing table in a router is not immune to protection and encryption vulnerabilities. Poisoning the routing table may poison the whole routing routine. These attacks are achieved by manipulating the packet information that is routed through the router.

4) Hit and Run Attacks:
This attack is also known as a test hack, and occurs when malicious data is injected into a router. However, the injection process may or may not be successful. The main aim of the attack is to disturb the environment of a system.

5) Persistent Attacks on Routers:
A persistent attack is somewhat similar to hit and run, but in this attack the injection succeeds and the attacker may gain control over the system. After injecting, it continues its intended work. The attacker then keeps adding malicious packets and confusing the routing table.

I. Slow and Fast Port Scans Attack
Port scanning [67] is one of the dangerous network intrusions for obtaining an exploitable communication channel between the attacker and the target. The attacker uses it to discover services through which to get into the network. It consists of probing a host in a network for open ports. It not only scans but also gathers information in an attempt to profile the services running on a potential target. The port scan attack on the 4G router of HUAWEI [68], detected last year, is one of the recent port scan attacks complained about by consumers. Artificial immune systems and fuzzy logic provide more accuracy and also a more robust model compared to other models.
In Fig. 9, the attacker uses two scanners to send malicious requests disguised as service messages for scanning system devices. These scanners scan the system PC and machine and send the results to the attacker.
These attacks are of two types: slow and fast port scan attacks.
1) Slow scan: an active scanning of devices [69] connected to the network where two successive probe messages are spaced in time by at least minutes, but mostly by hours or days. It may take weeks or even months to complete the process. As time passes, network noise can obscure the scans, which may then remain unnoticed. The attacker avoids suspicion by scanning the target slowly, sending probe packets every 5 or 15 minutes. Since a slow scan does not create any deviation in the normal traffic, detecting it through anomaly and real-time detection is very difficult [70].

2) Fast scan: the attacker scans the ports in order to change the traffic settings. It can last for minutes or fractions of a second.
Table VII shows some of the existing solutions of slow and fast port scan.
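As an added example (not from the paper or any of the works in Table VII), the following Python detector separates the two scan types described above: a source that hits many distinct ports within a short window is flagged as a fast scan, while a source whose probes are spaced minutes apart (the paper's 5 or 15 minute cadence) is flagged as a slow scan. The log records, thresholds and window sizes are constructed assumptions.

```python
"""Detect fast and slow port scans from connection-attempt records.

Added example (not from the paper): per (source, target) pair, count the
distinct destination ports probed and look at how the probes are spaced
in time. Many ports inside a short window is a fast scan; many ports with
gaps of minutes or more between probes is a slow scan.
"""
from collections import defaultdict
from statistics import median

FAST_WINDOW_SEC = 60       # assumption: fast scan = many ports within a minute
FAST_MIN_PORTS = 10        # assumption: distinct ports needed inside the window
SLOW_MIN_PORTS = 6         # assumption: distinct ports needed overall
SLOW_MIN_GAP_SEC = 300     # paper: slow scans probe every 5 or 15 minutes


def parse_records(lines):
    """Parse 'ts src dst dport' records into tuples (float, str, str, int)."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        out.append((float(ts), src, dst, int(dport)))
    return out


def classify_scans(records):
    """Return {(src, dst): 'fast' | 'slow' | None} for each source/target pair."""
    probes = defaultdict(dict)  # (src, dst) -> {dport: first time seen}
    for ts, src, dst, dport in sorted(records):
        probes[(src, dst)].setdefault(dport, ts)
    verdicts = {}
    for pair, ports in probes.items():
        times = sorted(ports.values())
        verdict = None
        # Fast scan: sliding window over the first-seen times of distinct ports.
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > FAST_WINDOW_SEC:
                lo += 1
            if hi - lo + 1 >= FAST_MIN_PORTS:
                verdict = "fast"
                break
        # Slow scan: enough distinct ports, with probes spaced minutes apart.
        if verdict is None and len(times) >= SLOW_MIN_PORTS:
            gaps = [b - a for a, b in zip(times, times[1:])]
            if median(gaps) >= SLOW_MIN_GAP_SEC:
                verdict = "slow"
        verdicts[pair] = verdict
    return verdicts


# Constructed sample log: 'timestamp source destination dest_port'.
SAMPLE_LOG = (
    ["# fast scanner: 12 ports in about 11 seconds"]
    + [f"{1000 + i} 203.0.113.7 192.0.2.10 {20 + i}" for i in range(12)]
    + ["# slow scanner: 8 ports, one every 15 minutes"]
    + [f"{2000 + 900 * i} 198.51.100.9 192.0.2.10 {100 + i}" for i in range(8)]
    + [
        "# normal client: repeated connections to ports 80 and 443 only",
        "3000 192.0.2.55 192.0.2.10 80",
        "3001 192.0.2.55 192.0.2.10 443",
        "3600 192.0.2.55 192.0.2.10 80",
    ]
)


def run_sample():
    """Classify the constructed sample; returns the verdict map."""
    return classify_scans(parse_records(SAMPLE_LOG))


if __name__ == "__main__":
    for (src, dst), verdict in run_sample().items():
        print(f"{src} -> {dst}: {verdict or 'no scan'}")
```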

J. Restricted IP Attack
A restricted IP module allows one to limit access [76] to a site to a defined set of IP addresses. If anyone attempts to access the site from an IP address not in the list of authorized addresses, they are redirected to an access denied page. No blocks are rendered and no JavaScript is added to the page. The module also has various configuration options, including whitelist or blacklist pages, bypassing IP checking by role, and altering the output when blocked. System administrators [77] [78] use this option to enforce IP-based restrictions to minimize unwanted traffic.
Over 30% [79] of Secure Access Cloud customers use the IP address restriction to limit access to corporate resources to a specific set of IP addresses while still performing strong user authentication. In Fig. 10, the attacker sends commands to the BOT PC to attack the main server in order to modify the restricted IP list, so that PCs on the restricted list can easily gain access to the server.

K. ARP Spoofing Attack

ARP spoofing is an attack that occurs when a hacker dispatches fake ARP messages onto the local network. It ends up linking the hacker's media access control (MAC) address with the IP address of a device that exists on the network. Once the attacker is linked with the system device, he may obtain the desired information from that device while disguising his own identity. This attack enables attackers to intrude on, edit or steal data from the system and also stops data from being transmitted between the system and the host [81].
In April 2018, Cisco Talos released information on the Sea Turtle campaign that hijacked and redirected traffic from more than 40 government and enterprise organizations using an ARP attack [82]. Match prevention is the best way to defend against this attack, as most ARP replies can be detected by this model.
ARP intrusion may result in the following types of attacks:

1) Session Hijacking: This is a cyber security attack on a user session over a network. Attackers exploit ARP spoofing to obtain a session ID and steal the user's sensitive information.
2) Man in the Middle Attack: This attack also employs ARP spoofing to divert traffic from a user and manipulates it to gain access to user sessions. It re-routes the network traffic between the host and the attacker, and the attacker forwards the received packets to the intended destination. Hence, the communication between the two original hosts is not disrupted and the sniffing may go unnoticed.
3) Cloning Attack: In this attack, the hacker changes his own IP and MAC address to look exactly like the target host. Once this is done, there are two hosts with the same address. The target host gets confused and the attacker takes advantage by posing as the real one.
As ARP intrusion can take many forms, detection can be difficult and needs precision. There may be many false alarms, which could lead the team to ignore alarms without investigation. The simplest way to get rid of this intrusion is to use static, read-only entries for the services in the ARP cache. A good number of research efforts present intelligent methods to get rid of this intrusion. Table IX shows some effective detection and prevention systems for ARP intrusion.
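As an added example (not from the paper or the systems in Table IX), the Python monitor below combines the static, read-only ARP entries recommended above with a learned IP-to-MAC table, and raises an alert for the three signals ARP spoofing leaves on the wire: a reply that contradicts a static entry, an IP whose MAC suddenly changes, and one MAC answering for many IPs as in the man-in-the-middle case. The IP/MAC values, the reply format and the per-MAC limit are constructed assumptions.

```python
"""Detect ARP spoofing from a feed of ARP reply records.

Added example (not from the paper): keeps the static, read-only bindings
for critical services plus a learned IP->MAC table, and alerts when a
reply contradicts a static entry, when a learned IP flips to another MAC,
or when a single MAC claims more IPs than a host legitimately owns.
"""
from collections import defaultdict

# Static, read-only bindings for critical services (constructed values).
STATIC_ARP = {
    "192.0.2.1": "00:00:5e:00:53:01",    # default gateway
    "192.0.2.10": "00:00:5e:00:53:0a",   # file server
}
MAX_IPS_PER_MAC = 2  # assumption: a host legitimately owns at most this many IPs


def parse_arp_replies(lines):
    """Parse 'ts reply <ip> is-at <mac>' lines into (ts, ip, mac) tuples."""
    replies = []
    for line in lines:
        parts = line.split()
        if len(parts) == 5 and parts[1] == "reply" and parts[3] == "is-at":
            replies.append((int(parts[0]), parts[2], parts[4].lower()))
    return replies


class ArpMonitor:
    def __init__(self, static=STATIC_ARP):
        self.static = dict(static)
        self.learned = {}                     # ip -> mac
        self.ips_by_mac = defaultdict(set)    # mac -> {ip}
        self.alerts = []                      # (ts, kind, detail)

    def observe(self, ts, ip, mac):
        # 1. Static entries never change: any other MAC is a spoof attempt.
        if ip in self.static:
            if mac != self.static[ip]:
                self.alerts.append((ts, "static-violation", f"{ip} claimed by {mac}"))
            return
        # 2. A learned binding that flips to a new MAC is the classic spoof signal.
        old = self.learned.get(ip)
        if old is not None and old != mac:
            self.alerts.append((ts, "binding-change", f"{ip}: {old} -> {mac}"))
        self.learned[ip] = mac
        self.ips_by_mac[mac].add(ip)
        # 3. One MAC answering for many IPs suggests it is impersonating hosts.
        if len(self.ips_by_mac[mac]) > MAX_IPS_PER_MAC:
            claimed = sorted(self.ips_by_mac[mac])
            self.alerts.append((ts, "mac-multi-ip", f"{mac} claims {claimed}"))

    def process(self, lines):
        """Feed every parsed reply through observe(); returns the alert list."""
        for ts, ip, mac in parse_arp_replies(lines):
            self.observe(ts, ip, mac)
        return self.alerts


# Constructed sample of ARP replies seen on the LAN.
SAMPLE_ARP = [
    "100 reply 192.0.2.1 is-at 00:00:5e:00:53:01",     # gateway, matches static
    "101 reply 192.0.2.20 is-at 00:00:5e:00:53:14",    # workstation, learned
    "102 reply 192.0.2.21 is-at 00:00:5e:00:53:15",
    "200 reply 192.0.2.1 is-at 00:00:5e:00:53:ff",     # rogue host claims gateway
    "201 reply 192.0.2.20 is-at 00:00:5e:00:53:ff",    # rogue host takes over .20
    "202 reply 192.0.2.21 is-at 00:00:5e:00:53:ff",    # and .21
    "203 reply 192.0.2.22 is-at 00:00:5e:00:53:ff",    # and a third IP
]


def run_sample():
    """Run the sample through a fresh monitor; returns the alert kinds in order."""
    return [kind for _, kind, _ in ArpMonitor().process(SAMPLE_ARP)]


if __name__ == "__main__":
    for ts, kind, detail in ArpMonitor().process(SAMPLE_ARP):
        print(ts, kind, detail)
```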

L. Ping of Death Attack
A ping of death (PoD) sends a malicious ping to a computer. The maximum size of an IPv6 packet including the IP header is 65,535 bytes. Many old computers [88] cannot handle packets of this size and will crash upon receiving one. This attack exploits early TCP/IP implementations, including Windows, Mac, Linux and other network devices such as routers and fax machines. Since sending large packets causes the attacker's packets to be IP-fragmented, the targeted system can receive many ICMP packets via ping without waiting for a reply. Once the system is vulnerable to this attack, other attacks, such as a Trojan horse, may dig in. The low-rate [89] "ping of death" attack dubbed BlackNurse affected firewalls from Cisco, Zyxel and possibly Palo Alto in 2016. Fig. 12 shows a general model of such an attack. In this figure, the BOT has sent ICMP spoofed ping messages into the network. The server broadcasts the ping flood, leaving the other PCs connected to the server unable to work. This mostly happens on the data link layer. This attack is less common today, as many computers are immune to it. Generally, in this attack, the attacker transmits malformed or oversized packets via the ping command, which results in a system crash.
One solution is to add a verification step to the reassembly function to make sure the data packet size does not exceed the maximum. Another solution is to create a memory buffer to handle the space of every incoming packet. Cloudflare protection can stop PoD attacks before they do any harm to the PC [90].
There are no works specific to this attack; some DDoS-related papers include a solution to this intrusion as a small part of their work.
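As an added example (not from the paper), the Python reassembly buffer below implements the verification step suggested above: it refuses fragments whose offset plus length would push the datagram past 65,535 bytes (ping of death) and also refuses fragments that overlap a piece already buffered (the Teardrop-style TCP/IP fragmentation attack of Section D), instead of copying them into memory. The fragment values are constructed, and a 20-byte IP header with no options is assumed.

```python
"""Validate IP fragments before reassembly.

Added example (not from the paper): a per-datagram reassembly buffer that
drops two malformed-fragment cases the survey describes, oversized
reassembly (ping of death) and overlapping fragments (Teardrop), and only
returns a payload when every byte up to the last fragment is present.
"""
from dataclasses import dataclass, field
from typing import Optional

MAX_DATAGRAM = 65535      # maximum IP datagram size including the header
IP_HEADER_LEN = 20        # assumption: no IP options


@dataclass
class Fragment:
    frag_id: int
    offset: int           # byte offset of this fragment's payload in the datagram
    payload: bytes
    more_fragments: bool  # the MF flag; False marks the last fragment


@dataclass
class Reassembly:
    """Buffered pieces for one datagram id; pieces never overlap."""
    pieces: dict = field(default_factory=dict)   # offset -> payload
    total_len: Optional[int] = None              # known once the last fragment arrives
    dropped: list = field(default_factory=list)  # (offset, reason)


class FragmentValidator:
    def __init__(self):
        self.buffers = {}   # frag_id -> Reassembly

    def _check(self, buf, frag):
        end = frag.offset + len(frag.payload)
        # Ping of death: the reassembled datagram would exceed 65,535 bytes.
        if IP_HEADER_LEN + end > MAX_DATAGRAM:
            return "oversized"
        # Teardrop: the new piece overlaps a piece already buffered.
        for off, data in buf.pieces.items():
            if frag.offset < off + len(data) and off < end:
                return "overlap"
        # The last fragment fixes the total length; later pieces past it are bogus.
        if not frag.more_fragments:
            if buf.total_len is not None:
                return "duplicate-last"
        elif buf.total_len is not None and end > buf.total_len:
            return "beyond-end"
        return None

    def accept(self, frag):
        """Buffer the fragment; return None if accepted, else the drop reason."""
        buf = self.buffers.setdefault(frag.frag_id, Reassembly())
        reason = self._check(buf, frag)
        if reason:
            buf.dropped.append((frag.offset, reason))
            return reason
        buf.pieces[frag.offset] = frag.payload
        if not frag.more_fragments:
            buf.total_len = frag.offset + len(frag.payload)
        return None

    def complete(self, frag_id):
        """Return the reassembled payload, or None while pieces are still missing."""
        buf = self.buffers.get(frag_id)
        if buf is None or buf.total_len is None:
            return None
        data, cursor = bytearray(), 0
        for off in sorted(buf.pieces):
            if off != cursor:
                return None      # hole: still waiting for a fragment
            data += buf.pieces[off]
            cursor = off + len(buf.pieces[off])
        return bytes(data) if cursor == buf.total_len else None


def run_sample():
    """Constructed fragments: a clean datagram, a Teardrop overlap, a PoD oversize."""
    v = FragmentValidator()
    results = {}
    results["clean"] = [
        v.accept(Fragment(1, 0, b"A" * 1480, True)),
        v.accept(Fragment(1, 1480, b"B" * 520, False)),
    ]
    results["clean_payload_len"] = len(v.complete(1) or b"")
    results["teardrop"] = [
        v.accept(Fragment(2, 0, b"C" * 1480, True)),
        v.accept(Fragment(2, 1000, b"D" * 800, False)),   # starts inside the first piece
    ]
    results["ping_of_death"] = v.accept(Fragment(3, 65120, b"E" * 400, False))
    return results


if __name__ == "__main__":
    for name, outcome in run_sample().items():
        print(f"{name}: {outcome}")
```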

M. SYN Flood Attack
In a SYN flood attack, the attacker does not respond with the expected ACK to the server. The attacker might also spoof the source IP address in the SYN packets, which causes the server to transmit the SYN-ACK to a fake IP address. Due to the creation of half-open connections [99] [91], the malicious client consumes server resources unnecessarily and prevents the server from establishing connections with other clients. One way of mitigating this attack is to place Cloudflare between the target server and the SYN flood.
A well-documented DDoS attack was reported in 1996 by Panix. In 2005 [100] [101], the company's website was hijacked again during the holiday period, and it cost them sleepless nights to get everything back together. In the figure, by sending initial connection requests through SYN packets, the hacker overwhelms the ports of the victim server.
Some state-of-the-art solutions for SYN flood attacks are presented in Table X.
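As an added example (not from the paper or the works in Table X), the Python tracker below replays a constructed packet trace through a minimal SYN-RECEIVED state table to show the half-open exhaustion mechanism described above: a client SYN opens an entry, the client's final ACK closes it, entries that never complete are aged out, and an alert fires when the half-open count on one server exceeds a backlog limit. The trace format, timeout and backlog limit are assumptions.

```python
"""Track half-open TCP connections to detect a SYN flood.

Added example (not from the paper): a per-server table of half-open
connections with an ageing timeout and a backlog threshold. Spoofed SYNs
never complete the handshake, so they pile up in the table until the
threshold trips; the timeout is the server-side recovery the survey's
mitigation discussion relies on.
"""
from collections import Counter

HALF_OPEN_TIMEOUT = 30   # assumption: seconds before an unanswered SYN-ACK is dropped
BACKLOG_LIMIT = 5        # assumption: tiny backlog so the sample trips the alert


class SynTracker:
    def __init__(self):
        self.half_open = {}   # (src, sport, dst, dport) -> time of the SYN
        self.established = 0
        self.alerts = []      # (ts, dst, half_open_count, busiest_source)

    def _expire(self, now):
        stale = [k for k, t in self.half_open.items() if now - t > HALF_OPEN_TIMEOUT]
        for k in stale:
            del self.half_open[k]

    def packet(self, ts, src, sport, dst, dport, flags):
        self._expire(ts)
        key = (src, sport, dst, dport)
        if flags == "S":                                   # client SYN: new half-open entry
            self.half_open[key] = ts
        elif flags == "A" and key in self.half_open:       # third handshake step: completed
            del self.half_open[key]
            self.established += 1
        elif flags in ("R", "F") and key in self.half_open:
            del self.half_open[key]                        # client aborted the attempt
        self._check(ts, dst)

    def _check(self, ts, dst):
        pending = [k for k in self.half_open if k[2] == dst]
        if len(pending) > BACKLOG_LIMIT:
            top = Counter(k[0] for k in pending).most_common(1)[0][0]
            self.alerts.append((ts, dst, len(pending), top))

    def process(self, lines):
        """Parse 'ts src:sport>dst:dport flags' lines and feed them in order."""
        for line in lines:
            ts, conn, flags = line.split()
            src_part, dst_part = conn.split(">")
            src, sport = src_part.split(":")
            dst, dport = dst_part.split(":")
            self.packet(float(ts), src, int(sport), dst, int(dport), flags)
        return self


# Constructed packet trace: 'ts src:sport>dst:dport flags'.
SAMPLE_TRACE = (
    [
        "0.0 192.0.2.55:40000>192.0.2.10:80 S",    # legitimate client
        "0.1 192.0.2.55:40000>192.0.2.10:80 A",    # completes the handshake
    ]
    + [f"1.{i} 203.0.113.{i}:5000>192.0.2.10:80 S" for i in range(8)]  # spoofed SYNs, no ACKs
    + [
        "40.0 192.0.2.56:40001>192.0.2.10:80 S",   # after the timeout: flood entries aged out
        "40.1 192.0.2.56:40001>192.0.2.10:80 A",
    ]
)


def run_sample():
    """Replay the trace; returns (first alert, alert count, established, half-open left)."""
    t = SynTracker().process(SAMPLE_TRACE)
    first = t.alerts[0] if t.alerts else None
    return first, len(t.alerts), t.established, len(t.half_open)


if __name__ == "__main__":
    print(run_sample())
```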

N. Malformed Attack
A malformed packet carries malware or other malicious elements. In this attack, a BOT PC, on the attacker's instruction, sends incorrectly formed packets to the victim to crash the system. A massive combination of DDoS and IoT attacks blew up in late 2016 and is the largest one so far, with the terrifying capability of generating about 1.2 TB per second. The best way to filter this attack is to allow legitimate traffic and discard floods of packets [102] such as ICMP or UDP.
It can be categorized as follows: (i) IP address malformed attack and (ii) IP packet malformed attack.

1) IP address malformed attack: the packet contains the same source and destination IP address, which confuses the target system, resulting in a system crash.

2) IP packet malformed attack: the system is forced to process and waste additional time due to randomized optional fields in the IP packet along with all QoS bits set to 1 [103]. This attack might lead to a system crash if combined with multiple attackers [104].

In Fig. 14, the attacker changes his IP address to the source IP address 192.168.0.1 and acts as a legitimate server. After establishing a connection with the server, it sends malformed packets. Packet malforming leads to packet manipulation. A ping larger than 65,535 bytes [105] is enough to conduct an attack, so attackers send it in fragments. If the victim tries to reassemble it, it faces an oversized packet or memory overflow, which could crash PCs or servers in the meantime. Some existing solutions related to this attack are listed in Table XI.

IV. EXTRUSION EVENTS

In this section, we excavate the extrusion events. In what follows, we present their definitions, explain how they occur and outline the possible solutions, with figures and tables wherever applicable. As stated earlier, an extrusion event might bring vulnerability to the remote system by being injected with malware or by opening a malicious web page, etc. Fig. 15 shows a generalized model of an extrusion in a system. Basically, in Fig. 15, two hosts are connected to the same LAN. The LAN connects to the switch and the switch connects to the internet. The firewall is the barrier between the attacker and the target. Also, numerous attackers and BOT PCs (created by attackers) are connected to the internet through LANs. If any user of that host clicks on a malicious website or opens malware-related software, then an extrusion may occur.
As numerous attackers frequently upload malware to the internet and also send phishing e-mails, it is highly probable to get infected by clicking malicious links or downloading malicious files. This section describes all possible extrusion events and the related existing countermeasures.

A. Supply Chain Attack
According to a November 2018 study by Opus and the Ponemon Institute, 59 percent of organizations in the UK and US have already experienced data tampering and compromised security through their third-party stakeholders [107]. Fig. 16 shows a general model of a supply chain attack. In this figure, the attacker changes the script of a targeted server, compromising it. Eventually, the malicious or compromised server compromises other servers, and thus the chain continues.
Due to the repeated attacks on different servers, it is almost impossible to detect. Other attacks target only the victim computer, but in this attack the victim is not the ultimate target, rather a stepping stone to other networks. This attack mainly occurs at the application layer. The 2013 attack against Target is the classic example of a supply chain attack. As the attack is new and very difficult to detect, no paper has yet discussed a solution to it.

B. Destruction of Services (DeOS) Attack
A destruction of services attack targets the entire organization's ability to recover from the attack afterwards. It is meant to do the maximum possible damage, resulting in data loss, service disruption and data recovery costs. It puts businesses in a position where they either have to rebuild their architecture from scratch or pay money to the attacker.
In its 2017 Midyear Cybersecurity Report, Cisco said the rapid spread of WannaCry, for example, foreshadowed the emergence of what it termed "destruction of service" (DeOS) attacks, which could present an existential threat and leave businesses completely unable to recover.
To defend against this attack, a system needs to check regular penetration test results, hiring more cyber security staffs and decreasing mean time to detect man in the middle destruction statistics. The quicker the threat is detected, less the damage occurs throughout the system.
In the Fig. 17 attacker commands the BOT PC's to attack the website of the organization to destroy the back up file or the database.
The two most common points of entry for attackers are through known exploitable vulnerabilities and acquired administrator credentials. This attack includes Cisco's 2017 that made Cisco worry to use creative ideas to mitigate the attack. The common default passwords, common default setting is also an concerned issue.
Popular destruction-of-service attack vectors include:

1) Business Email Compromise (BEC):
Business email compromise attacks use the identity of someone on the target network to trick the victim into sending money or information to the attacker. The most common victims are those who use wire transfers to send money to international clients.
2) Cyberwarfare:
Cyberwarfare generally refers to attacks that relate to cyberspace. In every observed case, a terrorist group or hacker group has aimed at a particular nation or political organization to get its work done. This event is also new to the network system, and no specific solution has come out.

C. Distributed Denial of Services (DDoS) Attack
A DDoS attack is a fraudulent attempt to make a service unavailable to its users. It can be launched from globally distributed compromised devices, also known as a botnet. It is hard to differentiate legitimate user traffic from malicious traffic [108] when it is dispatched across many points of origin. This may cause long-term reputation damage. Fig. 18 depicts a model of how DDoS occurs. In this figure, the attacker commands the BOT computers to send illegitimate traffic in order to flood the system server PC. From the system server PC, users/clients also receive illegitimate traffic, which makes the system unavailable.
It can be categorized into three types [109], which are:
1) Volume Based Attack: This attack is related to ICMP flood, UDP flood and spoofed packet flood attacks. The attacker intends to exhaust the bandwidth of the victim's site. The magnitude of this attack is measured in bits per second.

2) Protocol Attack: This type of attack is related to fragmented packet attacks, SYN flood, ping of death, smurf attacks and many more. Here, the attacker attacks the actual server, the communicating devices between hosts, firewalls as well as load balancers. The magnitude of this attack is measured in packets per second.

3) Application Layer Attack: This attack is related to POST/GET PHP flood attacks, slow attacks and many more. Mainly, the attacker targets the victim's Windows or OpenBSD vulnerabilities. The attacker makes the victim believe that the request is innocent and legitimate. The main goal of the attack is to crash the main server of the system. The magnitude of this attack is measured in requests per second.
Solutions related to this event are presented in Table XII.
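The three categories above are distinguished by the unit in which they are measured (bits/s, packets/s, requests/s). The following added example, which is not part of the survey or of any cited work, screens constructed per-second flow records against each unit, combining a fixed floor with a 10x-over-recent-median rule so that ordinary bursts are not flagged; the record format, floors and factor are assumptions for illustration.

```python
"""Rate-based screening for the three DDoS categories of this survey:
volume (bits/s), protocol (packets/s) and application layer (requests/s).
Added example, not from the survey. Flow records, floors and the 10x
baseline factor are constructed and must be tuned to a measured baseline
of the protected service.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record in a one-second bucket (constructed format)."""
    ts: int        # bucket start, seconds
    dst: str       # protected server
    proto: str     # "udp", "icmp", "tcp-syn", "http", ...
    packets: int
    bytes_: int
    requests: int  # completed HTTP requests (0 for non-HTTP flows)


# Absolute floors below which nothing is flagged, per category.
FLOORS = {"volume": 50_000_000, "protocol": 20_000, "application": 2_000}
FACTOR = 10      # also require 10x the recent median to absorb normal bursts
WINDOW = 5       # seconds of history used for the baseline median


def per_second_rates(flows):
    """Aggregate flows into (dst, ts) -> {category: rate per second}."""
    rates = defaultdict(lambda: {"volume": 0, "protocol": 0, "application": 0})
    for f in flows:
        r = rates[(f.dst, f.ts)]
        r["volume"] += f.bytes_ * 8       # bits/s
        r["protocol"] += f.packets        # packets/s
        r["application"] += f.requests    # requests/s
    return rates


def classify(flows, floors=FLOORS, factor=FACTOR, window=WINDOW):
    """Return {dst: {category: [seconds in which that category was flagged]}}."""
    by_dst = defaultdict(list)
    for (dst, ts), r in per_second_rates(flows).items():
        by_dst[dst].append((ts, r))
    verdict = {}
    for dst, series in by_dst.items():
        series.sort(key=lambda item: item[0])
        hits = defaultdict(list)
        for i, (ts, r) in enumerate(series):
            history = [h for _, h in series[max(0, i - window):i]]
            for cat, floor in floors.items():
                baseline = statistics.median(h[cat] for h in history) if history else 0
                if r[cat] > max(floor, factor * baseline):
                    hits[cat].append(ts)
        verdict[dst] = dict(hits)
    return verdict


def sample_flows():
    """Constructed: normal traffic for 0-4 s, then a UDP flood on srv-a and an
    HTTP request flood on srv-b during 5-7 s."""
    flows = []
    for ts in range(8):
        flows.append(Flow(ts, "srv-a", "http", 800, 600_000, 400))
        flows.append(Flow(ts, "srv-b", "http", 500, 300_000, 300))
        if ts < 5:
            flows.append(Flow(ts, "srv-a", "udp", 200, 100_000, 0))
        else:
            flows.append(Flow(ts, "srv-a", "udp", 120_000, 150_000_000, 0))
            flows.append(Flow(ts, "srv-b", "http", 15_000, 4_000_000, 15_000))
    return flows
```

With the sample data, srv-a is flagged as both volume and protocol during seconds 5-7 while srv-b is flagged as application layer only, because its packet rate stays under the protocol floor.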

D. Phishing Attack
A phishing attack targets the victim's computer through e-mails, messages or links, pretending to be a legitimate person or organization in order to lure the victim. By doing so, the attacker gets to know the victim's sensitive personal data [115], for example ID card information, credit card information and passwords.
In 2020, Doharty associate claimed that their customers faced "one phish, two phish, red phish, blue phish" in the form of phishing attacks. They also fell for it and gave away their password details. Support vector machine and Naive Bayes algorithms have approximately 100% efficiency in defending against any kind of phishing attack.
Usually, the attacker performs the phishing attack in one of the following ways:
1) The attacker gets the victim to hand over the important information.
2) The attacker spams out phishing messages to many people, so that at least some of them will be customers of a specific bank or organization.
Phishing attacks may be categorized as follows.
1) Spear Phishing: Spear phishing may attack a particular person in an organization, often with content tailor-made only for the victim. The attacker requires sufficient knowledge about the organization to produce such content. The content may relate to the victim's colleagues, names and relationships with employees. With this kind of data, the attacker may generate a trusted-looking email.
2) Clone Phishing: The attacker attaches a malicious link or attachment by reusing a previously delivered valid email. Once the user clicks on the link, he becomes the victim. Then the attacker gets his desired information from that victim using certain measures. In some cases the victim may give the organization's confidential data to the attacker [116].
Fig. 19 illustrates how a phishing attack takes place. In this figure, the attacker sends malicious e-mails or other documents. If the user clicks on a link provided by the attacker through a message, he may enter his username, password, etc. on a website that resembles the real one but is actually a malicious site. The attacker may then enter his account. Most of the messages are sent to HR staff with an infected file disguised as a job seeker's resume, for instance [117]. These attachments are often zip files or documents with embedded code. Phishing plays a significant role in other attacks like Trojan and ransomware attacks.
Some state-of-the-art solutions to this attack are presented in Table XIII.
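The clone and spear phishing patterns above (a link whose visible text resembles the real site but leads elsewhere, replies steered away from the apparent sender, and the "resume" archive aimed at HR) can be screened mechanically at the mail gateway. The following added example is not from the survey or any of the solutions in Table XIII; the sample message, the indicator wording and the list of risky attachment extensions are constructed assumptions.

```python
import email.utils
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of the attachment types the text singles out; extend locally.
RISKY_EXTENSIONS = (".zip", ".docm", ".xlsm", ".js", ".iso")
DOMAIN_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")


class LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lower-cased hostname of a URL, a bare domain or an e-mail address."""
    text = text.rsplit("@", 1)[-1].strip()
    parsed = urlparse(text if "://" in text else "http://" + text)
    return (parsed.hostname or "").lower()


def phishing_indicators(raw):
    """Return indicator strings found in one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_host = host_of(email.utils.parseaddr(msg["From"] or "")[1])
    reply_to = msg["Reply-To"]
    # Replies steered to a domain other than the apparent sender's.
    if reply_to and host_of(email.utils.parseaddr(reply_to)[1]) != from_host:
        findings.append("reply-to domain differs from sender domain")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkParser()
        parser.feed(body.get_content())
        for href, text in parser.links:
            shown = host_of(text)
            # Visible text names one site while the href leads to another.
            if DOMAIN_RE.match(shown) and shown != host_of(href):
                findings.append(f"link text {text!r} hides target {host_of(href)!r}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name!r}")
    return findings


def sample_message():
    """Constructed clone-style lure aimed at HR, with a 'resume' archive."""
    msg = EmailMessage()
    msg["From"] = "HR Partner <hr@examplebank.com>"
    msg["Reply-To"] = "hr-desk@examplebank-careers.example"
    msg["To"] = "recruiting@examplebank.com"
    msg["Subject"] = "Application for analyst role"
    msg.set_content("Please see the attached resume.")
    msg.add_alternative('<p>My resume is attached. Profile: <a href="http://'
                        'examplebank-login.example/verify">www.examplebank.com</a></p>',
                        subtype="html")
    msg.add_attachment(b"PK\x03\x04 not a real archive", maintype="application",
                       subtype="zip", filename="resume.zip")
    return msg.as_bytes()
```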

E. URL Poisoning Attack
A URL poisoning attack, also known as location poisoning, tracks down a web user's page sequence or information. Israeli researcher Omer Gil has introduced a method called the deception attack. It has many advantages over cached pages. It mainly targets e-commerce and online payment gateways. This attack occurs by exploiting cookies. In this attack, the user may never find a way to opt out of the trap. A system that is infected by URL poisoning will assign an ID to the victim when he visits the first page. Then, this ID becomes part of the URL without the victim's knowledge. All information related to this ID may be recorded as long as he visits the same page. It may also be attached to the browser when the victim visits any original site.
In Fig. 20, the attacker intentionally inserts an ID into the victim's page and stores the number sequence. The attacker then uses the data for illegal purposes. Our rigorous exploration of this topic reveals that no specific research work exists on a solution to this attack.

F. Outbound Attack
Traffic that originates from insiders is known as outbound traffic [127]. The main reason for locking down outbound traffic as securely as inbound traffic is the DDoS attack. If no open port is available for traffic to move out, a system network may be immune to this event [128]. Fig. 21 shows a sample scenario of an outbound attack.
An outbound attack can lead to a wild botnet attack, which may be the worst case of this attack.
In this figure, the hacker sends traffic to overwhelm the target PC. As he sends a payload with the traffic, the target may click on it. Once clicked, the server is compromised. Moreover, the user also establishes an outbound HTTPS connection with the attacker, which tunnels back and takes control over the system. In most cases, the employee has no idea that they have been compromised, nor does their employer. In such a case, the computer needs to be reinstalled, but at least the rest of the network will still be intact. If these connections [128] are restricted to specific protocols and can only be established by specific or authenticated users, then the attacks become ineffective. There is no specific research study found on this very topic.

G. Violating Traffic Regulation Conditions Attack
Traffic regulation [129] means achieving the required quality of service goals such as bandwidth, load, delay, security etc. Our concern is the issue of security [130].
Policies that relate to traffic regulation might monitor the TCP connections on all IP addresses and ports in a system. IDS traffic regulation (TR) policies for TCP ports limit the total number of connections an application can have active at one time. An attacker may violate the traffic regulation policies by modifying the TCP connections of the hosts. This could result in the attacker establishing a TCP connection with the target host to carry out malicious activity. After successfully connecting to the host, the attacker takes full control over it. To the best of our knowledge, we have not found any significant research endeavors addressing solutions to this attack.
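Sections F and G both come down to a policy that a host agent can enforce on outbound connections: only permitted protocol/port pairs, only authenticated users (Section F), and at most N active connections per application (the TR limit of Section G). The following added example, which is not from the survey or any cited IDS, replays a constructed connection log against such a policy; the event format, the allow-list and the per-application limits are assumptions.

```python
"""Egress policy and traffic-regulation (TR) check over outbound connection
events. Added example, not from the survey: the event format, the egress
allow-list and the per-application limits are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnEvent:
    """One outbound connection event from a host agent (constructed format)."""
    ts: int
    action: str          # "open" or "close"
    conn_id: str
    user: str
    authenticated: bool  # the user's session passed authentication
    app: str             # originating application
    proto: str           # "tcp" or "udp"
    dst_port: int


ALLOWED_EGRESS = {("tcp", 443), ("tcp", 22), ("udp", 53)}  # protocols permitted out
APP_CONN_LIMITS = {"browser": 50, "updater": 5}            # TR limit per application
DEFAULT_LIMIT = 20


def evaluate(events, allowed=ALLOWED_EGRESS, limits=APP_CONN_LIMITS,
             default_limit=DEFAULT_LIMIT):
    """Replay events in time order; return [(conn_id, "allow"|"deny", reason)].

    A connection is denied when the user is not authenticated, when the
    protocol/port pair is not on the egress allow-list, or when the application
    already holds its maximum number of active connections.
    """
    active = defaultdict(set)  # app -> ids of connections currently open
    decisions = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "close":
            active[ev.app].discard(ev.conn_id)
            continue
        limit = limits.get(ev.app, default_limit)
        if not ev.authenticated:
            reason = "unauthenticated user"
        elif (ev.proto, ev.dst_port) not in allowed:
            reason = f"{ev.proto}/{ev.dst_port} not in egress allow-list"
        elif len(active[ev.app]) >= limit:
            reason = f"{ev.app} at its limit of {limit} active connections"
        else:
            active[ev.app].add(ev.conn_id)
            decisions.append((ev.conn_id, "allow", "policy satisfied"))
            continue
        decisions.append((ev.conn_id, "deny", reason))
    return decisions


def sample_events():
    """Constructed log: a normal browser session, an unauthenticated service, an
    updater reaching for an unusual port, then the updater exceeding its limit."""
    ev = [
        ConnEvent(1, "open", "c1", "alice", True, "browser", "tcp", 443),
        ConnEvent(2, "open", "c2", "svc", False, "svc", "tcp", 443),
        ConnEvent(3, "open", "c3", "bob", True, "updater", "tcp", 4444),
    ]
    ev += [ConnEvent(3 + i, "open", f"u{i}", "bob", True, "updater", "tcp", 443)
           for i in range(1, 7)]                      # u1..u6 at ts 4..9
    ev.append(ConnEvent(10, "close", "u1", "bob", True, "updater", "tcp", 443))
    ev.append(ConnEvent(11, "open", "u7", "bob", True, "updater", "tcp", 443))
    return ev
```

Note that the HTTPS tunnel of Section F passes the port check; it is the authenticated-user and per-application rules that catch it, which is why the text recommends all three restrictions together.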

H. Social Engineering Attack
A social engineering attack is one of the most popular and easy ways to get information from any person who may be related to an organization. The attacker designs the process so deceptively that any person may easily be manipulated. In the context of cyber security, it is used to lure the victim into disclosing sensitive data, causing security breaches or infecting systems unknowingly [136]. During the conversation, victims are not aware of the attacker's intention; therefore, they easily fall into the trap. Many explicit methods are used to seduce or attract the victim into starting a conversation [137]. It may be classified into two types, namely (i) Hunting and (ii) Farming [137].
1) Hunting: The hunting approach executes the social engineering attack with minimal conversation between the target and the hacker. Once the hacker succeeds in getting the information, he terminates the conversation. This is the most used approach in the cyber world. It deals with a single target at a time [138].
2) Farming: Social engineering farming is not practiced as often and is used for particular situations. To get the information, the attacker needs a longer period of time to stay connected with the user. During this process, the conversation or interaction between them may change. In some cases, the target may understand the tactics; if not, the user may be blackmailed by the hacker [138].
In Fig. 22, the attacker collects information about the victim and crafts a customized attack for the victim. Then, he collects the response from the victim and uses the sensitive information against him. The main focus of this attack is to bypass manual security processes by deceiving the user. Attackers may find the weakest link by attacking people emotionally [137]. Table XIV lists some existing solutions researched so far.

I. Malware Attack
Malware [139] can be a file or software program that is harmful to a system or computer. Its functions vary: it can steal, encrypt or delete important data, alter or hijack programs of a system, and monitor user activity without permission. Attackers spread malware through physical or virtual means. Some malware is downloaded to the system automatically, as it is designed to act without the user's knowledge [140]. Some types of malware use new techniques designed not only to deceive users but also to bypass anti-virus software easily. Anti-sandbox techniques let malware detect a sandbox and delay execution until after it leaves the sandbox [141]. Fear reached a new level during the coronavirus period, in which many cyber criminals and ransomware families emerged. Covidlock is one of them [142].
Some types of malware include the following:
1) Virus: A virus is a type of malware that may execute itself without any command and may spread on its own.
2) Worm: A worm can replicate itself without any host or user program. It spreads itself without human intervention and is directed by malware attackers.
3) Trojan: A trojan is disguised as legitimate software to gain access to a system. Once activated, it begins further installations. It can execute its malicious actions by itself.
4) Spyware: Spyware is made to collect information or data on a user's device and monitor the victim's activity without their knowledge. It is like keeping an eye on users.
5) Ransomware: Ransomware infects a system, encrypts its data and demands a certain amount of ransom money from the victim in exchange for restoring the system.
6) Rootkit: A rootkit is created by a hacker to gain access to the administration level of the target's system. Once installed, the system is threatened from the root or deep infrastructure level.
7) Backdoor: A backdoor is a form of virus or remote access Trojan. It constructs a backdoor into a compromised system that gives the attacker remote access without triggering the user's security measures.
8) Adware: The main purpose of adware is to track the browsing history of a user with the intention of displaying advertisements. This lures a user into making a purchase.
9) Keylogger: A keylogger is a type of monitoring system that sees nearly everything users actually do on their computers, including emails, web pages etc.
State-of-the-art research works on malware attacks are presented in Table XV.

J. IoT Botnet Attack
A group of computers, appliances and connected devices [149] [150] that have been taken over by a hacker or hacker group for illegitimate purposes is known as an IoT botnet. It is made up of computers that can be accessed remotely by a hacker without the victim's knowledge. It forwards data to other computers through the internet. Botnets are increasing and have become more advanced since the evolution of IoT. A botnet may target many devices and appliances in any infrastructure and inject them with malicious payloads or packets. The evolution of IoT increases the risk of security breaches [151] [152].
In Fig. 23, the IoT is comprised of diverse devices including cameras, routers, DVRs, wearables and other embedded technologies.
Three botnets occurred in 2018. They gave rise to different domains, but all of them were interconnected. Each of them was a skillful and ingenious system that could detect fraud. Google, White Ops and other tech companies came together at that time to disrupt the operation of this attack. As most of the devices are Linux and Unix based, they became the common target of attackers, since in those systems an executable format exists that is modifiable by the attacker. The modified file becomes the malware that targets the SSH or telnet network protocols. Once the system is compromised, the payload is delivered to the system through installation, and the device is thus turned into a bot [153] [154]. Some existing solutions related to this attack are summarized in Table XVI.

VI. OPEN CHALLENGES AND FUTURE RESEARCH ISSUES
Theoretically, it is expected from computer security mechanisms to prevent attacks and to provide solutions to the threats.
If not impossible, it should be capable of predicting future threats. As a consequence, towards fulfilling this expectation, researchers around the globe are working to design, develop and implement increasingly secure systems.
Our effort of examining numerous research papers conveys what aspects of intrusion and extrusion have been studied and what have not. What concerns us the most is that no unified policy or mechanism exists that could be applied to an enterprise system to tackle the possible intrusion or extrusion events. We strongly believe that there is a need for a smart system that might learn and take effective countermeasures against impending threats. Therefore, we would like to make suggestions for future research directions to the research community.
One of the challenges is to build new data sets. Due to the rapid advancement of technology, innovative attack methods also evolve. Protocols developed using existing old data sets do not reflect the impending innovative threats to be mitigated or neutralized. As a natural consequence, research on this very issue requires tremendous attention.
With the advent of deep learning techniques, security research has gained a new dimension. However, one of the limitations of using it in security, particularly in intrusion detection, is balancing high accuracy against minimal false alarms. This limitation is mainly present in convolutional neural networks (CNN). Also, using feed-forward neural networks (FNN) for multi-class classification is a limiting factor. The third limitation is performance degradation of the IDS under heavy traffic load. Furthermore, using a deep neural network (DNN) causes higher execution time due to the larger training dataset. However, developing new methods using deep learning, if not impossible, might mitigate the mentioned limitations.
One of the important concerns regarding present research endeavors is that researchers apply variations of machine learning and, if the results are convincing, conclude that their methods may be applicable to certain scenarios. However, we argue that there should be interpretable or explainable reasons as to why certain machine learning methods work better.
Software defined networking (SDN) combined with machine learning approaches is the new trend in IDS. However, SDN itself might be of interest to the attacker, which makes it necessary to investigate the vulnerabilities in SDN. On a different note, since the SDN network controller suffers from performance degradation for larger networks, new research efforts are essential to address this challenge.
We believe that each attack is unique and that attackers are very intelligent. Irrespective of the nature and severity of attacks, future research in this domain should consider not only the detection and prevention of existing attacks but also the prediction of future threats. If that is achieved even to a certain extent, the research community may render meaningful and fruitful contributions to society.
The difficulties that lie ahead of us in intrusion and extrusion detection systems have grown significantly in recent years. The following is a list of them.
• Inability to decrease the number of false positives, which reduces IDS efficiency. A good IDS should have high accuracy and recall as well as a low rate of false positives and false negatives. A key concern is how one can have faith in the outcome.
• The amount of time it takes to analyze such a vast amount of data for training is enormous.
• In IDS, improving classification accuracy is a significant goal. This forces researchers to concentrate on multi-classifier systems.
• Due to a lack of computing resources and a significant increase in targeted attacks, a real-time intrusion detection system is urgently required. However, putting it into practice in a real-world setting is difficult.
• A problem is the lack of a common assessment dataset that can mimic real-time IDS.
• Many research works employ feature selection to reduce computational complexity in feature reduction work. Greater focus is necessary to carry out the data reduction task.
• A hybrid approach that combines conventional detection with anomaly detection is necessary.
Creating an effective detection system is not an insurmountable mountain. Addressing the above-mentioned difficulties might greatly contribute to this journey.

VII. CONCLUSION
Network attacks are a daily security concern that may be mitigated. As a result, it is critical today to explore more sophisticated security alternatives than simple firewall systems. This article discusses numerous forms of attacks on TCP/IP networks at each layer, the merits and limits of Intrusion Detection System (IDS) and Extrusion Detection System (EDS) solutions, IDS and EDS efficiency and code environment, and the techniques used for both. Some intrusion detection systems have progressed significantly, but the data generated by software and the tactics used by attackers are getting increasingly sophisticated. This makes it difficult to discern between genuine system use and potential infiltration. A false alarm, also known as a false positive, occurs when an IDS erroneously flags an activity as a probable intrusion. Poorly designed intrusion detection systems, particularly behavior-based ones, can generate a large number of false positives. In the case of passive-response intrusion detection systems, this might result in an overwhelming administrative load (getting paged for a false alarm every 3 minutes becomes annoying very quickly). In the case of active-response IDS, this might even result in a DoS situation if the IDS incorrectly blocks a valid user's IP address. As a result, before adopting an IDS, considerable preparation and thought are required. The paper isolates the concerns and concentrates on why IDS and EDS are required for delivering secure network service, because security is one of the most important criteria for enabling privacy. Loss or unauthorized access, deletion, use, alteration or disclosure of personal data should all be guarded against by appropriate security precautions. Work on system design and algorithm design for secure communication over complicated networks can be done in the future.
(IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 12, No. 8, 2021
In this paper, we have provided a thorough survey of the state of the art in existing intrusion and extrusion events and introduced a refined security analysis by means of threats, countermeasures and future research directions. The comprehensive review presented in our work may provide designers with new means to look for solutions in a unified manner according to several security and resource parameters. Finally, we are aware that attacks other than those considered in this paper might exist. We strongly believe that addressing provable security of intrusion and extrusion events is a challenge for future research, but not an impossible one.

CONFLICT OF INTEREST
On behalf of all authors, the corresponding author states that there is no conflict of interest.