Enhancing Network Intrusion Detection with Integrated Sampling and Filtering
- Jose M. GonzalezAffiliated withInternational Computer Science Institute
- , Vern PaxsonAffiliated withInternational Computer Science Institute
The structure of many standalone network intrusion detection systems (NIDSs) centers around a chain of analysis that begins with packets captured by a packet filter, where the filter describes the protocols (TCP/UDP port numbers) and sometimes hosts or subnets to include or exclude from the analysis. In this work we argue for augmenting such analysis with an additional, separately filtered stream of packets. This “Secondary Path” supplements the “Main Path” by integrating sampling and richer forms of filtering into a NIDS’s analysis.
We discuss an implementation of a secondary path for the Bro intrusion detection system and enhancements we developed to the Berkeley Packet Filter to work in concert with the secondary path. Such an additional packet stream provides benefits in terms of both efficiency and ease of expression, which we illustrate by applying it to three forms of NIDS analysis: tracking very large individual connections, finding “heavy hitter” traffic streams, and implementing backdoor detectors (developed in previous work) with particular ease.
- Enhancing Network Intrusion Detection with Integrated Sampling and Filtering
- Book Title
- Recent Advances in Intrusion Detection
- Book Subtitle
- 9th International Symposium, RAID 2006 Hamburg, Germany, September 20-22, 2006 Proceedings
- pp 272-289
- Print ISBN
- Online ISBN
- Series Title
- Lecture Notes in Computer Science
- Series Volume
- Series ISSN
- Springer Berlin Heidelberg
- Copyright Holder
- Springer-Verlag Berlin Heidelberg
- Additional Links
- Industry Sectors
To view the rest of this content please follow the download PDF link above.