Alaidaros, H. and Mahmuddin, Massudi (2016) Conditional hybrid approach for intrusion detection. Research Journal of Information Technology, 8 (3). pp. 55-65. ISSN 1815-7432
Abstract
Background and Objective: Inspecting every packet to detect intrusions becomes difficult under high traffic volume. Packet-based detection processes every payload on the wire, which degrades the performance of intrusion-detection systems. This motivates a flow-based IDS approach, which reduces the amount of data to be processed by examining aggregated information about related packets in the form of flows. However, flow-based detection still generates false positive alerts because its input data is incomplete. This study proposes a model that improves packet-based performance and reduces the flow-based false positive rate by combining flow-based with packet-based detection so that each compensates for the other's shortcomings. The proposed model is named conditional hybrid intrusion detection.

Materials and Methods: In this model, only the flows marked as malicious by flow-based detection are further analyzed by packet-based detection. The input framework approach was used so that packet-based detection can communicate with flow-based detection. To evaluate the proposed detection method, public datasets were replayed at different traffic rates into both the proposed method and the default Bro implementation in a controlled testbed environment.

Results: Experimental evaluation shows that the proposed approach detected all infected hosts reported for the corresponding datasets. At a 200 Mbps rate, the proposed approach saves 50.6% of memory and 18.1% of CPU usage compared with default Bro packet-based detection. Experiments demonstrated that default Bro packet-based detection can handle bandwidth up to 100 Mbps without packet drops, while the proposed approach handles up to 200 Mbps.

Conclusion: Experimental evaluation showed that the proposed model gains a significant performance improvement, in terms of resource consumption and packet drop rate, compared with the default Bro packet-based detection implementation. The proposed approach can mitigate the false positive rate of flow-based detection and reduce the resource consumption of packet-based detection while preserving detection accuracy. This study can be considered a skeleton model to be applied to intrusion detection or monitoring systems.
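A minimal simulation of the conditional hybrid model described in the abstract, added here as an illustration rather than the authors' code or Bro's input framework: a flow-based stage flags flows using aggregated data only, and payload signatures are applied solely to the flagged flows, so the bytes inspected by the packet stage can be compared with full packet-based inspection. The sample traffic, the fan-out threshold and the signature are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample traffic (not from the paper): (src, dst, dst_port, payload).
# 10.0.0.7 opens flows to 16 distinct ports on one host; one of those flows
# carries a payload that a packet-level signature should catch.
PACKETS = [
    ("10.0.0.5", "192.168.1.10", 80, b"GET /index.html HTTP/1.1"),
    ("10.0.0.5", "192.168.1.10", 80, b"GET /about HTTP/1.1"),
    ("10.0.0.9", "192.168.1.20", 22, b"SSH-2.0-OpenSSH_8.9"),
] + [("10.0.0.7", "192.168.1.30", p, b"X" * 5) for p in range(20, 35)] + [
    ("10.0.0.7", "192.168.1.30", 80, b"GET /../../etc/passwd"),
]

SIGNATURES = [b"/etc/passwd"]  # assumed, illustrative packet-level signature


def build_flows(packets):
    """Aggregate packets into flows keyed by (src, dst, dst_port)."""
    flows = defaultdict(list)
    for src, dst, dport, payload in packets:
        flows[(src, dst, dport)].append(payload)
    return flows


def flow_stage(flows, fanout_threshold=10):
    """Flow-based detection: flag every flow of a source whose number of distinct
    flows reaches the threshold (scan-like fan-out). No payload is examined."""
    per_src = defaultdict(set)
    for key in flows:
        per_src[key[0]].add(key)
    return {k for keys in per_src.values() if len(keys) >= fanout_threshold for k in keys}


def packet_stage(flows, flagged, signatures=SIGNATURES):
    """Packet-based detection applied only to flagged flows (the conditional step)."""
    return [(key, sig) for key in sorted(flagged) for payload in flows[key]
            for sig in signatures if sig in payload]


def run_conditional_hybrid(packets, fanout_threshold=10):
    flows = build_flows(packets)
    flagged = flow_stage(flows, fanout_threshold)
    return {"flows": len(flows), "flagged": len(flagged),
            "alerts": packet_stage(flows, flagged),
            "bytes_inspected": sum(len(p) for k in flagged for p in flows[k]),
            "bytes_total": sum(len(p) for _, _, _, p in packets)}


if __name__ == "__main__":
    r = run_conditional_hybrid(PACKETS)
    print(f"{r['flagged']}/{r['flows']} flows sent to packet inspection, "
          f"{r['bytes_inspected']}/{r['bytes_total']} payload bytes inspected")
    for key, sig in r["alerts"]:
        print("alert:", key, sig)
```

With the constructed traffic the packet stage inspects 96 of 158 payload bytes; a full packet-based run would inspect all 158, which is the trade-off the abstract quantifies on real datasets.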
| Item Type: | Article |
|---|---|
| Uncontrolled Keywords: | Flow-based detection, packet-based detection, Bro IDS, false positive, input framework |
| Subjects: | Q Science > QA Mathematics > QA75 Electronic computers. Computer science |
| Divisions: | School of Computing |
| Depositing User: | Dr. Massudi Mahmuddin |
| Date Deposited: | 16 Jan 2017 08:02 |
| Last Modified: | 16 Jan 2017 08:02 |
| URI: | https://repo.uum.edu.my/id/eprint/20605 |