Recent Advances in Intrusion Detection

Volume 4219 of the series Lecture Notes in Computer Science pp 272-289

Enhancing Network Intrusion Detection with Integrated Sampling and Filtering

  • Jose M. Gonzalez (International Computer Science Institute)
  • Vern Paxson (International Computer Science Institute)

The structure of many standalone network intrusion detection systems (NIDSs) centers on a chain of analysis that begins with packets captured by a packet filter, where the filter describes the protocols (TCP/UDP port numbers) and sometimes the hosts or subnets to include in or exclude from the analysis. In this work we argue for augmenting such analysis with an additional, separately filtered stream of packets. This “Secondary Path” supplements the “Main Path” by integrating sampling and richer forms of filtering into the NIDS’s analysis.

We discuss an implementation of a secondary path for the Bro intrusion detection system, together with enhancements we developed to the Berkeley Packet Filter so that it works in concert with the secondary path. Such an additional packet stream provides benefits in both efficiency and ease of expression, which we illustrate by applying it to three forms of NIDS analysis: tracking very large individual connections, finding “heavy hitter” traffic streams, and implementing backdoor detectors (developed in previous work) with particular ease.
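The division of labor the abstract describes can be made concrete with a small simulation. The following is an added example, not code from the paper or from Bro: a Main Path that applies a BPF-style port filter and keeps exact per-connection byte counts, beside a Secondary Path that is offered every packet but retains only a 1-in-N sample and scales the sampled counts by N to estimate per-flow volume. The port filter (TCP ports 25 and 80), the sample rate, the count-based sampling scheme and the traffic mix are all assumptions chosen for illustration; the paper's own BPF extensions for sampling and filtering are not reproduced here. The point the example makes is that a bulk transfer on a port the Main Path filter never admits is still surfaced as a heavy hitter by the cheap, sampled Secondary Path.

```python
"""Two-path NIDS pipeline: exact Main Path behind a port filter, sampled
Secondary Path over all traffic (added example; assumptions noted inline)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int, str, int]  # proto, addr, port, addr, port


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: int  # bytes on the wire


def flow_key(pkt: Packet) -> FlowKey:
    """Direction-independent 5-tuple so both halves of a connection merge."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (pkt.proto, lo[0], lo[1], hi[0], hi[1])


# Assumed Main Path filter, the equivalent of 'tcp port 25 or tcp port 80'.
MAIN_PATH_PORTS = frozenset({25, 80})


def main_path_admits(pkt: Packet, ports=MAIN_PATH_PORTS) -> bool:
    """Stand-in for the Main Path's BPF filter: only the configured TCP ports."""
    return pkt.proto == "tcp" and (pkt.sport in ports or pkt.dport in ports)


class SecondaryPath:
    """Sampled stream: keeps every n-th packet and scales its counts by n.

    Count-based 1-in-n sampling is an assumption of this example; it is the
    simplest scheme that lets the estimates be checked exactly below.
    """

    def __init__(self, sample_rate: int):
        if sample_rate < 1:
            raise ValueError("sample_rate must be >= 1")
        self.n = sample_rate
        self.offered = 0
        self.est_bytes: Dict[FlowKey, int] = defaultdict(int)
        self.est_pkts: Dict[FlowKey, int] = defaultdict(int)

    def offer(self, pkt: Packet) -> bool:
        """Offer one packet; returns True if it was kept in the sample."""
        self.offered += 1
        if self.offered % self.n:
            return False
        key = flow_key(pkt)
        self.est_bytes[key] += pkt.length * self.n  # scale up by sample rate
        self.est_pkts[key] += self.n
        return True

    def heavy_hitters(self, byte_threshold: int) -> List[FlowKey]:
        """Flows whose estimated volume reaches the threshold, largest first."""
        hits = [k for k, v in self.est_bytes.items() if v >= byte_threshold]
        return sorted(hits, key=lambda k: self.est_bytes[k], reverse=True)


def run(packets: List[Packet], sample_rate: int = 10):
    """Feed every packet to both paths; the Main Path sees only filtered ones."""
    main_bytes: Dict[FlowKey, int] = defaultdict(int)
    secondary = SecondaryPath(sample_rate)
    for pkt in packets:
        if main_path_admits(pkt):
            main_bytes[flow_key(pkt)] += pkt.length  # exact accounting
        secondary.offer(pkt)
    return main_bytes, secondary


def build_sample_traffic() -> List[Packet]:
    """Constructed traffic (not a capture): one bulk TCP transfer on port 6000,
    which the Main Path filter ignores, interleaved with 300 one-packet web
    flows, two bulk packets (one per direction) for every web packet."""
    pkts: List[Packet] = []
    for i in range(300):
        pkts.append(Packet("10.0.0.5", 51000, "10.0.0.9", 6000, "tcp", 1400))
        pkts.append(Packet("10.0.0.9", 6000, "10.0.0.5", 51000, "tcp", 1400))
        pkts.append(Packet("10.1.1.1", 40000 + i, "10.0.0.80", 80, "tcp", 200))
    return pkts


if __name__ == "__main__":
    pkts = build_sample_traffic()
    main_bytes, sec = run(pkts, sample_rate=10)
    bulk = flow_key(pkts[0])
    print("Main Path saw bulk flow:", bulk in main_bytes)
    print("Secondary Path estimate for bulk flow:", sec.est_bytes[bulk], "bytes")
    print("Heavy hitters >= 100 kB:", sec.heavy_hitters(100_000))
```

The Main Path never sees the port-6000 transfer, yet the Secondary Path, touching one packet in ten, estimates its volume and reports it as the only flow above 100 kB. One caveat a practitioner should keep in mind: count-based 1-in-N sampling misestimates traffic whose packet pattern has a period that shares a factor with N (in the constructed mix the period is 3 and N is 10, so the estimate happens to be exact); hash-based per-packet sampling avoids that dependence on packet ordering.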