IDS performance enhancement with intelligent predictive packet inspection

Mohammad M. Masud; Mohamed Saleh Al Maleki; Zouheir Trabelsi

IDS performance enhancement with intelligent predictive packet inspection

Mohammad M. Masud, Mohamed Saleh Al Maleki, Zouheir Trabelsi

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Intrusion detection systems (IDS) such as Snort apply deep packet inspection to detect intrusions. Usually these are rule-based systems, where each incoming packet is matched against a set of rules. Each rule consists of two parts, namely, the rule header and the rule options. The rule header is compared against the packet header. The rule options usually contain a signature string that is matched against packet content using efficient string matching algorithm. The traditional approach for IDS packet inspection works by checking a packet against the detection rules by scanning from the first rule in the set and continuing to scan rules until a match is found. If no match is found, then a default rule is applied. This approach is inefficient if the number of rules is too large and majority of the packets match with rules located towards the end of the rule set. In this paper, we propose an intelligent predictive technique for packet inspection based on data mining. We consider each rule in the rule set as a class. A classifier is first trained with labeled training data. Each such labeled data point contains a packet header info and the packet content summary info and the corresponding class label (i.e., rule number with which the packet matches). Then the classifier is used to classify new incoming packets. The predicted class, i.e., rule, is checked against the packet to see if this packet really matches the predicted rule. If yes, the corresponding action (i.e., alert) of the rule is taken. Otherwise (prediction of the classifier is wrong), we go back to the traditional way of matching rules. The advantage of this intelligent predictive packet matching is that it offers a much faster rule matching. We have proved both analytically and empirically that even with millions of real network traffic packets and hundreds of rules, the classifier can achieve very high accuracy, thereby making the IDS several times faster in making matching decisions.

Original language	English
Title of host publication	7th International Multi-Conference on Complexity, Informatics and Cybernetics, IMCIC 2016 and 7th International Conference on Society and Information Technologies, ICSIT 2016 - Proceedings
Publisher	International Institute of Informatics and Systemics, IIIS
Pages	107-112
Number of pages	6
Volume	1
ISBN (Electronic)	9781941763346
Publication status	Published - Jan 1 2016
Event	7th International Multi-Conference on Complexity, Informatics and Cybernetics, IMCIC 2016 and 7th International Conference on Society and Information Technologies, ICSIT 2016 - Orlando, United States Duration: Mar 8 2016 → Mar 11 2016

Other

Other	7th International Multi-Conference on Complexity, Informatics and Cybernetics, IMCIC 2016 and 7th International Conference on Society and Information Technologies, ICSIT 2016
Country/Territory	United States
City	Orlando
Period	3/8/16 → 3/11/16

ASJC Scopus subject areas

Artificial Intelligence
Information Systems
Computer Networks and Communications

Cite this

Masud, M. M., Al Maleki, M. S., & Trabelsi, Z. (2016). IDS performance enhancement with intelligent predictive packet inspection. In 7th International Multi-Conference on Complexity, Informatics and Cybernetics, IMCIC 2016 and 7th International Conference on Society and Information Technologies, ICSIT 2016 - Proceedings (Vol. 1, pp. 107-112). International Institute of Informatics and Systemics, IIIS.

IDS performance enhancement with intelligent predictive packet inspection. / Masud, Mohammad M.; Al Maleki, Mohamed Saleh; Trabelsi, Zouheir.

7th International Multi-Conference on Complexity, Informatics and Cybernetics, IMCIC 2016 and 7th International Conference on Society and Information Technologies, ICSIT 2016 - Proceedings. Vol. 1 International Institute of Informatics and Systemics, IIIS, 2016. p. 107-112.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Masud, MM, Al Maleki, MS & Trabelsi, Z 2016, IDS performance enhancement with intelligent predictive packet inspection. in 7th International Multi-Conference on Complexity, Informatics and Cybernetics, IMCIC 2016 and 7th International Conference on Society and Information Technologies, ICSIT 2016 - Proceedings. vol. 1, International Institute of Informatics and Systemics, IIIS, pp. 107-112, 7th International Multi-Conference on Complexity, Informatics and Cybernetics, IMCIC 2016 and 7th International Conference on Society and Information Technologies, ICSIT 2016, Orlando, United States, 3/8/16.

Masud MM, Al Maleki MS, Trabelsi Z. IDS performance enhancement with intelligent predictive packet inspection. In 7th International Multi-Conference on Complexity, Informatics and Cybernetics, IMCIC 2016 and 7th International Conference on Society and Information Technologies, ICSIT 2016 - Proceedings. Vol. 1. International Institute of Informatics and Systemics, IIIS. 2016. p. 107-112

Masud, Mohammad M. ; Al Maleki, Mohamed Saleh ; Trabelsi, Zouheir. / IDS performance enhancement with intelligent predictive packet inspection. 7th International Multi-Conference on Complexity, Informatics and Cybernetics, IMCIC 2016 and 7th International Conference on Society and Information Technologies, ICSIT 2016 - Proceedings. Vol. 1 International Institute of Informatics and Systemics, IIIS, 2016. pp. 107-112

@inproceedings{4f58bd5d695247aab957a8df741700d8,

title = "IDS performance enhancement with intelligent predictive packet inspection",

abstract = "Intrusion detection systems (IDS) such as Snort apply deep packet inspection to detect intrusions. Usually these are rule-based systems, where each incoming packet is matched against a set of rules. Each rule consists of two parts, namely, the rule header and the rule options. The rule header is compared against the packet header. The rule options usually contain a signature string that is matched against packet content using efficient string matching algorithm. The traditional approach for IDS packet inspection works by checking a packet against the detection rules by scanning from the first rule in the set and continuing to scan rules until a match is found. If no match is found, then a default rule is applied. This approach is inefficient if the number of rules is too large and majority of the packets match with rules located towards the end of the rule set. In this paper, we propose an intelligent predictive technique for packet inspection based on data mining. We consider each rule in the rule set as a class. A classifier is first trained with labeled training data. Each such labeled data point contains a packet header info and the packet content summary info and the corresponding class label (i.e., rule number with which the packet matches). Then the classifier is used to classify new incoming packets. The predicted class, i.e., rule, is checked against the packet to see if this packet really matches the predicted rule. If yes, the corresponding action (i.e., alert) of the rule is taken. Otherwise (prediction of the classifier is wrong), we go back to the traditional way of matching rules. The advantage of this intelligent predictive packet matching is that it offers a much faster rule matching. We have proved both analytically and empirically that even with millions of real network traffic packets and hundreds of rules, the classifier can achieve very high accuracy, thereby making the IDS several times faster in making matching decisions.",

author = "Masud, {Mohammad M.} and {Al Maleki}, {Mohamed Saleh} and Zouheir Trabelsi",

year = "2016",

month = jan,

day = "1",

language = "English",

volume = "1",

pages = "107--112",

booktitle = "7th International Multi-Conference on Complexity, Informatics and Cybernetics, IMCIC 2016 and 7th International Conference on Society and Information Technologies, ICSIT 2016 - Proceedings",

publisher = "International Institute of Informatics and Systemics, IIIS",

note = "7th International Multi-Conference on Complexity, Informatics and Cybernetics, IMCIC 2016 and 7th International Conference on Society and Information Technologies, ICSIT 2016 ; Conference date: 08-03-2016 Through 11-03-2016",

}

TY - GEN

T1 - IDS performance enhancement with intelligent predictive packet inspection

AU - Masud, Mohammad M.

AU - Al Maleki, Mohamed Saleh

AU - Trabelsi, Zouheir

PY - 2016/1/1

Y1 - 2016/1/1

N2 - Intrusion detection systems (IDS) such as Snort apply deep packet inspection to detect intrusions. Usually these are rule-based systems, where each incoming packet is matched against a set of rules. Each rule consists of two parts, namely, the rule header and the rule options. The rule header is compared against the packet header. The rule options usually contain a signature string that is matched against packet content using efficient string matching algorithm. The traditional approach for IDS packet inspection works by checking a packet against the detection rules by scanning from the first rule in the set and continuing to scan rules until a match is found. If no match is found, then a default rule is applied. This approach is inefficient if the number of rules is too large and majority of the packets match with rules located towards the end of the rule set. In this paper, we propose an intelligent predictive technique for packet inspection based on data mining. We consider each rule in the rule set as a class. A classifier is first trained with labeled training data. Each such labeled data point contains a packet header info and the packet content summary info and the corresponding class label (i.e., rule number with which the packet matches). Then the classifier is used to classify new incoming packets. The predicted class, i.e., rule, is checked against the packet to see if this packet really matches the predicted rule. If yes, the corresponding action (i.e., alert) of the rule is taken. Otherwise (prediction of the classifier is wrong), we go back to the traditional way of matching rules. The advantage of this intelligent predictive packet matching is that it offers a much faster rule matching. We have proved both analytically and empirically that even with millions of real network traffic packets and hundreds of rules, the classifier can achieve very high accuracy, thereby making the IDS several times faster in making matching decisions.

AB - Intrusion detection systems (IDS) such as Snort apply deep packet inspection to detect intrusions. Usually these are rule-based systems, where each incoming packet is matched against a set of rules. Each rule consists of two parts, namely, the rule header and the rule options. The rule header is compared against the packet header. The rule options usually contain a signature string that is matched against packet content using efficient string matching algorithm. The traditional approach for IDS packet inspection works by checking a packet against the detection rules by scanning from the first rule in the set and continuing to scan rules until a match is found. If no match is found, then a default rule is applied. This approach is inefficient if the number of rules is too large and majority of the packets match with rules located towards the end of the rule set. In this paper, we propose an intelligent predictive technique for packet inspection based on data mining. We consider each rule in the rule set as a class. A classifier is first trained with labeled training data. Each such labeled data point contains a packet header info and the packet content summary info and the corresponding class label (i.e., rule number with which the packet matches). Then the classifier is used to classify new incoming packets. The predicted class, i.e., rule, is checked against the packet to see if this packet really matches the predicted rule. If yes, the corresponding action (i.e., alert) of the rule is taken. Otherwise (prediction of the classifier is wrong), we go back to the traditional way of matching rules. The advantage of this intelligent predictive packet matching is that it offers a much faster rule matching. We have proved both analytically and empirically that even with millions of real network traffic packets and hundreds of rules, the classifier can achieve very high accuracy, thereby making the IDS several times faster in making matching decisions.

UR - http://www.scopus.com/inward/record.url?scp=85032922187&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85032922187&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:85032922187

VL - 1

SP - 107

EP - 112

BT - 7th International Multi-Conference on Complexity, Informatics and Cybernetics, IMCIC 2016 and 7th International Conference on Society and Information Technologies, ICSIT 2016 - Proceedings

PB - International Institute of Informatics and Systemics, IIIS

T2 - 7th International Multi-Conference on Complexity, Informatics and Cybernetics, IMCIC 2016 and 7th International Conference on Society and Information Technologies, ICSIT 2016

Y2 - 8 March 2016 through 11 March 2016

ER -

IDS performance enhancement with intelligent predictive packet inspection

Abstract

Other

ASJC Scopus subject areas

Other files and links

Fingerprint

Cite this