
Conditional hybrid approach for intrusion detection

Alaidaros, H. and Mahmuddin, Massudi (2016) Conditional hybrid approach for intrusion detection. Research Journal of Information Technology, 8 (3). pp. 55-65. ISSN 1815-7432


Abstract

Background and Objective: Inspecting all packets to detect intrusions faces challenges when coping with a high volume of traffic. Packet-based detection processes every payload on the wire, which degrades the performance of intrusion-detection systems. This issue motivates a flow-based IDS approach, which reduces the amount of data to be processed by examining aggregated information about related packets in the form of flows. However, flow-based detection still suffers from false positive alerts because it lacks complete input data. This study proposed a model that improves packet-based performance and reduces the flow-based false positive rate by combining flow-based with packet-based detection so that each compensates for the other's shortcomings. The proposed model is named conditional hybrid intrusion detection. Materials and Methods: In this model, only flows marked as malicious by flow-based detection are further analyzed by packet-based detection. The input framework approach was used so that packet-based detection can communicate with flow-based detection. To evaluate the proposed detection method, public datasets were replayed at different traffic rates into both the proposed method and the default Bro implementation in a controlled testbed environment. Results: Experimental evaluation shows that the proposed approach was able to detect all infected hosts reported in the corresponding datasets. At a 200 Mbps rate, the proposed approach can save 50.6% of memory and 18.1% of CPU usage compared with default Bro packet-based detection. Experiments demonstrated that default Bro packet-based detection can handle bandwidth up to 100 Mbps without packet drops, while the proposed approach handles 200 Mbps.
Conclusion: Experimental evaluation showed that the proposed model gains a significant performance improvement, in terms of resource consumption and packet drop rate, compared with the default Bro packet-based detection implementation. The proposed approach can mitigate the false positive rate of flow-based detection and reduce the resource consumption of packet-based detection while preserving detection accuracy. This study can be considered a skeleton model to be applied to intrusion detection or monitoring systems.
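The two-stage pipeline the abstract describes can be illustrated with a small simulation: a flow-based stage aggregates packets into flows and flags suspicious ones, and a packet-based stage inspects payloads only for flagged flows. The example below is added here and is not code from the paper or from Bro; the flow heuristic (packet count per flow), the payload signature, the traffic and the 5-tuple flow key are all constructed for illustration. It goes slightly beyond the abstract by also showing the trade-off the design implies: a malicious flow the flow stage does not flag is never deep-inspected.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed marker standing in for a payload signature (not a real IoC).
SIGNATURE = b"EVIL-C2-BEACON"
# Hypothetical flow-stage heuristic: flows with at least this many packets are suspicious.
FLOW_PKT_THRESHOLD = 20


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes


def flow_key(p):
    """Unidirectional 5-tuple used as the flow identifier (assumption)."""
    return (p.src, p.dst, p.sport, p.dport, p.proto)


def flow_based(packets):
    """Stage 1: aggregate packets into flows using only header data, never payloads,
    and return the keys of flows the volume heuristic marks as malicious."""
    counts = defaultdict(int)
    for p in packets:
        counts[flow_key(p)] += 1
    return {k for k, n in counts.items() if n >= FLOW_PKT_THRESHOLD}


def packet_based(packets, allowed_keys=None):
    """Stage 2: signature-match payloads. With allowed_keys=None every packet is
    inspected (default packet-based mode); otherwise only packets whose flow was
    marked by stage 1 are inspected (conditional hybrid mode)."""
    inspected = 0
    alerts = set()
    for p in packets:
        k = flow_key(p)
        if allowed_keys is not None and k not in allowed_keys:
            continue                     # flow not marked: payload never touched
        inspected += 1
        if SIGNATURE in p.payload:
            alerts.add(k)
    return {"inspected": inspected, "alerts": frozenset(alerts)}


def build_sample_traffic():
    """Constructed traffic covering the four cases that matter for the comparison."""
    pkts = []
    # 1. Benign bulk download: high volume, clean payload -> flow-stage false positive.
    pkts += [Packet("10.0.0.2", "10.0.0.20", 50000, 443, "tcp", b"benign-data-chunk")] * 40
    # 2. C2 beacon: high volume and signature in payload -> true positive.
    pkts += [Packet("10.0.0.7", "203.0.113.9", 50001, 8080, "tcp", b"GET /x EVIL-C2-BEACON")] * 30
    # 3. Low-volume chatter from several hosts: never flagged, never deep-inspected.
    for i in range(5):
        pkts += [Packet(f"10.0.0.{30 + i}", "10.0.0.1", 50002 + i, 53, "udp", b"dns-query")] * 3
    # 4. Stealthy malicious flow: below the volume threshold, so the hybrid misses it.
    pkts += [Packet("10.0.0.9", "203.0.113.9", 50010, 8080, "tcp", b"EVIL-C2-BEACON")] * 2
    return pkts


def run_comparison(packets=None):
    """Run default packet-based inspection and the conditional hybrid side by side."""
    packets = packets if packets is not None else build_sample_traffic()
    flagged = flow_based(packets)
    return {
        "flow_flags": flagged,
        "full": packet_based(packets),
        "hybrid": packet_based(packets, allowed_keys=flagged),
    }


if __name__ == "__main__":
    r = run_comparison()
    print("flow-stage flags:", len(r["flow_flags"]))
    print("full packet-based: inspected", r["full"]["inspected"], "alerts", len(r["full"]["alerts"]))
    print("conditional hybrid: inspected", r["hybrid"]["inspected"], "alerts", len(r["hybrid"]["alerts"]))
```

On the constructed traffic the hybrid inspects 70 of 87 payloads and clears the benign bulk flow that the flow stage alone would have alerted on, which is the false-positive reduction the paper targets. The fourth case shows why the flow-stage heuristics determine the hybrid's recall: whatever stage 1 does not mark, stage 2 never sees.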

Item Type: Article
Uncontrolled Keywords: Flow-based detection, packet-based detection, Bro IDS, false positive, input framework
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Divisions: School of Computing
Depositing User: Dr. Massudi Mahmuddin
Date Deposited: 16 Jan 2017 08:02
Last Modified: 16 Jan 2017 08:02
URI: https://repo.uum.edu.my/id/eprint/20605
