Abstract
Intrusion detection systems (IDS) such as Snort apply deep packet inspection to detect intrusions. Usually these are rule-based systems, where each incoming packet is matched against a set of rules. Each rule consists of two parts, namely, the rule header and the rule options. The rule header is compared against the packet header. The rule options usually contain a signature string that is matched against the packet content using an efficient string matching algorithm. The traditional approach to IDS packet inspection checks a packet against the detection rules by starting from the first rule in the set and continuing through the rules until a match is found. If no match is found, a default rule is applied. This approach is inefficient when the number of rules is large and the majority of packets match rules located towards the end of the rule set. In this paper, we propose an intelligent predictive technique for packet inspection based on data mining. We consider each rule in the rule set as a class. A classifier is first trained with labeled training data. Each labeled data point contains the packet header info, the packet content summary info, and the corresponding class label (i.e., the number of the rule with which the packet matches). The classifier is then used to classify new incoming packets. The predicted class, i.e., rule, is checked against the packet to see whether the packet really matches the predicted rule. If yes, the corresponding action (i.e., alert) of the rule is taken. Otherwise (the classifier's prediction is wrong), we fall back to the traditional way of matching rules. The advantage of this intelligent predictive packet matching is that it offers much faster rule matching. We have shown both analytically and empirically that even with millions of real network traffic packets and hundreds of rules, the classifier can achieve very high accuracy, thereby making the IDS several times faster in making matching decisions.
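The predict-verify-fall-back scheme described in the abstract, as an added example that is not the paper's code. It uses a constructed Snort-like rule set (header predicate plus content signature), constructed traffic templates, and a stdlib categorical naive Bayes classifier over a constructed feature set (protocol, destination port, and the first two payload tokens as the "content summary"); all rules, payloads, weights and feature choices are assumptions. The classifier is trained on packets labelled by the ordinary first-to-last scan, and the demo reports prediction accuracy and the average number of rule checks per packet for both strategies.

```python
# Predictive rule matching for a rule-based IDS. Added example, not the paper's
# code: constructed Snort-like rules and traffic, and a stdlib categorical naive
# Bayes classifier that predicts the matching rule. The prediction is verified;
# if it is wrong, or if the classifier predicts the default "no rule" class,
# the traditional first-to-last scan runs, so decisions never change.
import random
from collections import Counter, defaultdict, namedtuple
from math import log

Rule = namedtuple("Rule", "rid proto dport content")   # rid doubles as class label
Packet = namedtuple("Packet", "proto dport payload")
DEFAULT_RULE = 0  # label for "no rule matched" (the default action)

# Constructed rule set (assumption, not real Snort rules); dport 0 would mean any port.
RULES = [Rule(1, "tcp", 80, "GET /admin"), Rule(2, "tcp", 80, "POST /login"),
         Rule(3, "tcp", 22, "SSH-"), Rule(4, "tcp", 443, "ClientHello"),
         Rule(5, "tcp", 80, "cmd.exe")]

def rule_matches(rule, pkt):
    """Traditional check: header fields first, then the content signature."""
    if rule.proto != pkt.proto or (rule.dport and rule.dport != pkt.dport):
        return False
    return rule.content.encode() in pkt.payload

def linear_scan(rules, pkt):
    """Scan from the first rule; return (rule id, number of rules examined)."""
    for i, r in enumerate(rules, 1):
        if rule_matches(r, pkt):
            return r.rid, i
    return DEFAULT_RULE, len(rules)

def features(pkt):
    """Header info plus a content summary: the first two space-separated payload
    tokens, truncated to 8 bytes (constructed feature set)."""
    toks = pkt.payload.split(b" ") + [b"", b""]
    return (("proto", pkt.proto), ("dport", pkt.dport),
            ("tok0", toks[0][:8]), ("tok1", toks[1][:8]))

class NaiveBayes:
    """Categorical naive Bayes with Laplace smoothing over features()."""
    def __init__(self, alpha=1.0):
        self.alpha, self.class_count = alpha, Counter()
        self.feat_count = defaultdict(Counter)  # (name, value) -> {class: count}
        self.values = defaultdict(set)          # name -> distinct values seen

    def fit(self, samples):
        for pkt, label in samples:
            self.class_count[label] += 1
            for name, value in features(pkt):
                self.feat_count[(name, value)][label] += 1
                self.values[name].add(value)
        return self

    def predict(self, pkt):
        total, best, best_lp = sum(self.class_count.values()), DEFAULT_RULE, float("-inf")
        for c, n in self.class_count.items():
            lp = log(n / total)                 # log prior of the class (rule)
            for name, value in features(pkt):
                seen = self.feat_count.get((name, value), Counter())[c]
                lp += log((seen + self.alpha) / (n + self.alpha * len(self.values[name])))
            if lp > best_lp:
                best, best_lp = c, lp
        return best

def predictive_match(rules, clf, pkt):
    """Predict, verify, fall back; return (rule id, rule checks performed)."""
    guess = clf.predict(pkt)
    if guess == DEFAULT_RULE:               # "no match" cannot be verified cheaply
        return linear_scan(rules, pkt)
    if rule_matches(next(r for r in rules if r.rid == guess), pkt):
        return guess, 1                     # prediction confirmed with one check
    rid, examined = linear_scan(rules, pkt)
    return rid, examined + 1                # wrong guess cost one extra check

# Constructed traffic templates with sampling weights (assumption).
TEMPLATES = [
    (Packet("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"), 10),
    (Packet("tcp", 80, b"GET /admin HTTP/1.1\r\nHost: shop.example\r\n\r\n"), 5),
    (Packet("tcp", 80, b"POST /login HTTP/1.1\r\n\r\nuser=bob&pw=x"), 8),
    (Packet("tcp", 22, b"SSH-2.0-OpenSSH_9.6\r\n"), 6),
    (Packet("tcp", 443, b"ClientHello TLSv1.3"), 40),
    (Packet("tcp", 80, b"GET /search?q=cats HTTP/1.1\r\n\r\n"), 5),
    (Packet("tcp", 80, b"GET /search?q=cmd.exe HTTP/1.1\r\n\r\n"), 3),
]

def run_demo(seed=7, n_train=1500, n_test=500):
    """Train on packets labelled by the linear scan, then compare rule checks
    per packet and prediction accuracy on held-out traffic."""
    rng = random.Random(seed)
    pkts, weights = zip(*TEMPLATES)
    stream = rng.choices(pkts, weights=weights, k=n_train + n_test)
    clf = NaiveBayes().fit([(p, linear_scan(RULES, p)[0]) for p in stream[:n_train]])
    correct = lin_cost = pred_cost = 0
    for p in stream[n_train:]:
        truth, lin = linear_scan(RULES, p)
        rid, pred = predictive_match(RULES, clf, p)
        assert rid == truth                 # the fallback keeps decisions identical
        correct += clf.predict(p) == truth
        lin_cost, pred_cost = lin_cost + lin, pred_cost + pred
    return {"accuracy": correct / n_test, "avg_checks_linear": lin_cost / n_test,
            "avg_checks_predictive": pred_cost / n_test}
```

Running `run_demo()` shows the two costs the abstract contrasts: packets whose rule is predicted correctly are settled with a single check, while packets the classifier assigns to the default class still pay for a full scan, since "no rule matches" cannot be confirmed without examining every rule. The two `/search?` templates deliberately share identical features but different labels, so whichever of them is the minority in training is mispredicted and handled by the fallback; the final decision is still the one the linear scan would have made, only the cost differs.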
Field | Value
---|---
Original language | English
Title of host publication | 7th International Multi-Conference on Complexity, Informatics and Cybernetics, IMCIC 2016 and 7th International Conference on Society and Information Technologies, ICSIT 2016 - Proceedings
Publisher | International Institute of Informatics and Systemics, IIIS
Pages | 107-112
Number of pages | 6
Volume | 1
ISBN (Electronic) | 9781941763346
Publication status | Published - Jan 1 2016
Event | 7th International Multi-Conference on Complexity, Informatics and Cybernetics, IMCIC 2016 and 7th International Conference on Society and Information Technologies, ICSIT 2016 - Orlando, United States. Duration: Mar 8 2016 → Mar 11 2016
Other
Field | Value
---|---
Other | 7th International Multi-Conference on Complexity, Informatics and Cybernetics, IMCIC 2016 and 7th International Conference on Society and Information Technologies, ICSIT 2016
Country/Territory | United States
City | Orlando
Period | 3/8/16 → 3/11/16
ASJC Scopus subject areas
- Artificial Intelligence
- Information Systems
- Computer Networks and Communications