TY - GEN
T1 - IDS performance enhancement with intelligent predictive packet inspection
AU - Masud, Mohammad M.
AU - Al Maleki, Mohamed Saleh
AU - Trabelsi, Zouheir
PY - 2016
Y1 - 2016
N2 - Intrusion detection systems (IDS) such as Snort apply deep packet inspection to detect intrusions. Usually these are rule-based systems, where each incoming packet is matched against a set of rules. Each rule consists of two parts, namely, the rule header and the rule options. The rule header is compared against the packet header. The rule options usually contain a signature string that is matched against the packet content using an efficient string matching algorithm. The traditional approach to IDS packet inspection works by checking a packet against the detection rules, scanning from the first rule in the set and continuing through the rules until a match is found. If no match is found, then a default rule is applied. This approach is inefficient if the number of rules is large and the majority of the packets match rules located towards the end of the rule set. In this paper, we propose an intelligent predictive technique for packet inspection based on data mining. We consider each rule in the rule set as a class. A classifier is first trained with labeled training data. Each such labeled data point contains the packet header information, a summary of the packet content, and the corresponding class label (i.e., the number of the rule with which the packet matches). Then the classifier is used to classify new incoming packets. The predicted class, i.e., rule, is checked against the packet to see if the packet really matches the predicted rule. If yes, the corresponding action (i.e., alert) of the rule is taken. Otherwise (the prediction of the classifier is wrong), we fall back to the traditional way of matching rules. The advantage of this intelligent predictive packet matching is that it offers much faster rule matching. We have shown both analytically and empirically that even with millions of real network traffic packets and hundreds of rules, the classifier can achieve very high accuracy, thereby making the IDS several times faster in making matching decisions.
AB - Intrusion detection systems (IDS) such as Snort apply deep packet inspection to detect intrusions. Usually these are rule-based systems, where each incoming packet is matched against a set of rules. Each rule consists of two parts, namely, the rule header and the rule options. The rule header is compared against the packet header. The rule options usually contain a signature string that is matched against the packet content using an efficient string matching algorithm. The traditional approach to IDS packet inspection works by checking a packet against the detection rules, scanning from the first rule in the set and continuing through the rules until a match is found. If no match is found, then a default rule is applied. This approach is inefficient if the number of rules is large and the majority of the packets match rules located towards the end of the rule set. In this paper, we propose an intelligent predictive technique for packet inspection based on data mining. We consider each rule in the rule set as a class. A classifier is first trained with labeled training data. Each such labeled data point contains the packet header information, a summary of the packet content, and the corresponding class label (i.e., the number of the rule with which the packet matches). Then the classifier is used to classify new incoming packets. The predicted class, i.e., rule, is checked against the packet to see if the packet really matches the predicted rule. If yes, the corresponding action (i.e., alert) of the rule is taken. Otherwise (the prediction of the classifier is wrong), we fall back to the traditional way of matching rules. The advantage of this intelligent predictive packet matching is that it offers much faster rule matching. We have shown both analytically and empirically that even with millions of real network traffic packets and hundreds of rules, the classifier can achieve very high accuracy, thereby making the IDS several times faster in making matching decisions.
UR - http://www.scopus.com/inward/record.url?scp=85032922187&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85032922187&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85032922187
T3 - 7th International Multi-Conference on Complexity, Informatics and Cybernetics, IMCIC 2016 and 7th International Conference on Society and Information Technologies, ICSIT 2016 - Proceedings
SP - 107
EP - 112
BT - 7th International Multi-Conference on Complexity, Informatics and Cybernetics, IMCIC 2016 and 7th International Conference on Society and Information Technologies, ICSIT 2016 - Proceedings
A2 - Callaos, Nagib C.
A2 - Sanchez, Belkis
A2 - Chu, Hsing-Wei
A2 - Ferrer, Jose
A2 - Fernandes, Steven Lawrence
PB - International Institute of Informatics and Systemics, IIIS
T2 - 7th International Multi-Conference on Complexity, Informatics and Cybernetics, IMCIC 2016 and 7th International Conference on Society and Information Technologies, ICSIT 2016
Y2 - 8 March 2016 through 11 March 2016
ER -