Enhancing Network Intrusion Detection with Integrated Sampling and Filtering

  • Jose M. Gonzalez
  • Vern Paxson
Conference paper

DOI: 10.1007/11856214_14

Part of the Lecture Notes in Computer Science book series (LNCS, volume 4219)
Cite this paper as:
Gonzalez J.M., Paxson V. (2006) Enhancing Network Intrusion Detection with Integrated Sampling and Filtering. In: Zamboni D., Kruegel C. (eds) Recent Advances in Intrusion Detection. RAID 2006. Lecture Notes in Computer Science, vol 4219. Springer, Berlin, Heidelberg

Abstract

The structure of many standalone network intrusion detection systems (NIDSs) centers around a chain of analysis that begins with packets captured by a packet filter, where the filter describes the protocols (TCP/UDP port numbers) and sometimes hosts or subnets to include or exclude from the analysis. In this work we argue for augmenting such analysis with an additional, separately filtered stream of packets. This “Secondary Path” supplements the “Main Path” by integrating sampling and richer forms of filtering into a NIDS’s analysis.

We discuss an implementation of a secondary path for the Bro intrusion detection system and enhancements we developed to the Berkeley Packet Filter to work in concert with the secondary path. Such an additional packet stream provides benefits in terms of both efficiency and ease of expression, which we illustrate by applying it to three forms of NIDS analysis: tracking very large individual connections, finding “heavy hitter” traffic streams, and implementing backdoor detectors (developed in previous work) with particular ease.
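The following is an added toy model of the main-path / secondary-path split described in the abstract; it is not the paper's Bro implementation nor its BPF extensions. The packet records, the port set for the main path, the 1-in-N count sampling rule, and the heavy-hitter threshold are all constructed assumptions chosen to show why a separately filtered, sampled stream catches a large connection that a port-based main filter never sees.

```python
"""Toy NIDS "main path" plus a sampled "secondary path" (added example).

Packets are tuples (src, dst, sport, dport, length). Traffic, ports and
thresholds are constructed for illustration, not taken from the paper.
"""
import random
from collections import defaultdict

# Assumption: the main path is filtered by well-known service ports only.
MAIN_PATH_PORTS = {22, 25, 80}


def make_traffic(seed=1):
    """Constructed traffic: one bulk flow on an unmonitored port (9999),
    many small web connections, and a little SSH, shuffled together."""
    pkts = []
    pkts += [("10.0.0.5", "10.0.0.9", 40000, 9999, 1400)] * 2000   # bulk transfer
    pkts += [("10.0.0.7", "10.0.0.9", 50000 + (i % 10), 80, 500)   # 10 web conns
             for i in range(300)]
    pkts += [("10.0.0.8", "10.0.0.9", 51000, 22, 120)] * 50        # ssh
    random.Random(seed).shuffle(pkts)
    return pkts


def main_path(packets):
    """Main path: every packet whose destination port passes the filter.
    Anything on another port is invisible to this analysis."""
    return [p for p in packets if p[3] in MAIN_PATH_PORTS]


def secondary_path(packets, n):
    """Secondary path: 1-in-N count sampling of *all* packets, regardless
    of port. Cheap, because only every n-th packet reaches the analyzer."""
    return [p for i, p in enumerate(packets) if i % n == 0]


def heavy_hitters(sampled, n, threshold_bytes):
    """Scale each sampled packet's length by n to estimate per-connection
    volume from the sample, then flag connections over the threshold."""
    estimate = defaultdict(int)
    for src, dst, sport, dport, length in sampled:
        estimate[(src, dst, sport, dport)] += length * n
    return {conn: size for conn, size in estimate.items() if size >= threshold_bytes}


def demo(n=10, threshold_bytes=1_000_000):
    """Run both paths over the constructed traffic and return what each found."""
    traffic = make_traffic()
    seen_by_main = {p[3] for p in main_path(traffic)}
    flagged = heavy_hitters(secondary_path(traffic, n), n, threshold_bytes)
    return seen_by_main, flagged


if __name__ == "__main__":
    ports, flagged = demo()
    print("ports analysed by main path:", sorted(ports))
    for conn, est in flagged.items():
        print("heavy hitter via secondary path:", conn, "~%d bytes" % est)
```

Because the bulk flow runs on port 9999, `main_path` never sees it, while the sampled secondary path still estimates its volume to within a few percent from roughly a tenth of the packets; the small web and SSH connections stay well below the threshold.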

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Jose M. Gonzalez (1)
  • Vern Paxson (1)
  1. International Computer Science Institute, Berkeley, USA