A theoretical exploration of the impact of packet loss on network intrusion detection

In this paper we review the problem of packet loss as it pertains to Network Intrusion Detection, seeking to answer two fundamental research questions that are stepping stones towards building a model that can predict the rate of alert loss from the rate of packet loss. The first question deals with how the packet loss rate affects the sensor alert rate, and the second considers how the composition of the network traffic affects the answer to the first question. Potential places where packet loss may occur are examined by dividing the problem into network-, host-, and sensor-based packet loss. We posit theories about how packet loss may present itself and develop the Packet Dropper, a tool that induces packet loss into a dataset. Drop rates ranging from 0% to 100% are applied to four different datasets, and the resulting abridged datasets are analyzed with Snort to collect the alert loss rate. Conclusions are drawn about the importance of the distribution of packet loss and the effect of the network traffic composition.
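The following is an added illustration of the methodology the abstract describes, not the paper's Packet Dropper and not Snort. It builds a constructed dataset of short flows, applies two droppers with the same long-run drop rate but different loss distributions (independent per-packet loss, and a two-state Gilbert-style burst model, which is this example's assumption about what "distribution of packet loss" can mean), and measures alert loss with a toy content-match detector whose stream reassembly stops at the first missing segment. The signature, addresses, flow layout and the gap-handling rule are all assumptions made for the example.

```python
"""Added illustration: a miniature packet dropper plus a toy multi-packet
signature detector, showing how the *distribution* of a given packet-loss
rate changes the resulting alert-loss rate.  Not the paper's Packet Dropper
and not Snort; every name and sample flow here is constructed."""
import random
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Packet:
    flow: str       # stand-in for the 5-tuple
    seq: int        # 0-based position inside the flow, one packet per seq
    payload: bytes


# Hypothetical signature; build_dataset() always splits it across two packets.
SIGNATURE = b"GET /cgi-bin/evil"


def build_dataset(n_flows: int) -> List[Packet]:
    """Constructed traffic: each flow = SYN, two data packets with the
    signature straddling them, FIN.  Every flow should alert at 0% loss."""
    pkts: List[Packet] = []
    for f in range(n_flows):
        flow = f"10.0.0.{f % 250}:{40000 + f}->192.0.2.1:80"
        pkts += [
            Packet(flow, 0, b"SYN"),
            Packet(flow, 1, SIGNATURE[:6]),
            Packet(flow, 2, SIGNATURE[6:] + b" HTTP/1.0\r\n"),
            Packet(flow, 3, b"FIN"),
        ]
    return pkts


def drop_uniform(packets: List[Packet], rate: float, rng: random.Random) -> List[Packet]:
    """Independent loss: every packet is dropped with probability `rate`."""
    return [p for p in packets if rng.random() >= rate]


def drop_bursty(packets: List[Packet], rate: float, mean_burst: float,
                rng: random.Random) -> List[Packet]:
    """Two-state (Gilbert-style) loss with the same long-run `rate`, but
    drops clustered into runs of mean length `mean_burst`.
    Good->Bad with prob p, Bad->Good with prob q; steady-state loss p/(p+q)."""
    if rate <= 0.0:
        return list(packets)
    if rate >= 1.0:
        return []
    q = 1.0 / mean_burst
    p = min(1.0, rate * q / (1.0 - rate))   # solve p/(p+q) == rate
    kept, bad = [], False
    for pkt in packets:
        bad = (rng.random() >= q) if bad else (rng.random() < p)
        if not bad:
            kept.append(pkt)
    return kept


def reassemble(packets: List[Packet]) -> Dict[str, bytes]:
    """Contiguous reassembly: a flow's stream stops at the first missing seq,
    modelling a reassembler that cannot bridge a gap it never sees filled."""
    segs: Dict[str, Dict[int, bytes]] = {}
    for p in packets:
        segs.setdefault(p.flow, {})[p.seq] = p.payload
    streams: Dict[str, bytes] = {}
    for flow, by_seq in segs.items():
        data, seq = b"", 0
        while seq in by_seq:
            data += by_seq[seq]
            seq += 1
        streams[flow] = data
    return streams


def count_alerts(packets: List[Packet], signature: bytes = SIGNATURE) -> int:
    """Toy content-match detector standing in for the sensor: one alert per
    flow whose reassembled stream contains the signature."""
    return sum(1 for data in reassemble(packets).values() if signature in data)


Dropper = Callable[[List[Packet]], List[Packet]]


def alert_loss_rate(packets: List[Packet], dropper: Dropper) -> float:
    """Fraction of baseline alerts that disappear once `dropper` is applied."""
    base = count_alerts(packets)
    if base == 0:
        return 0.0
    return 1.0 - count_alerts(dropper(packets)) / base


def sweep(rates, n_flows: int = 20000, mean_burst: float = 8.0, seed: int = 1):
    """(drop rate, alert loss under uniform drops, alert loss under bursty drops)."""
    data = build_dataset(n_flows)
    rows = []
    for r in rates:
        u = alert_loss_rate(data, lambda ps: drop_uniform(ps, r, random.Random(seed)))
        b = alert_loss_rate(data, lambda ps: drop_bursty(ps, r, mean_burst, random.Random(seed)))
        rows.append((r, u, b))
    return rows


if __name__ == "__main__":
    print("drop  uniform  bursty")
    for r, u, b in sweep([0.0, 0.05, 0.1, 0.2, 0.4, 0.6, 0.8, 1.0]):
        print(f"{r:4.2f}  {u:7.3f}  {b:6.3f}")
```

With this flow shape three of the four packets matter to the detector, so independent loss at rate r removes roughly 1 - (1 - r)^3 of the alerts, while the same packet-loss rate delivered in bursts lands on fewer distinct flows and costs noticeably fewer alerts. That gap is the kind of distribution effect the abstract refers to; how large it is on real traffic depends on the sensor's own reassembly and gap handling, which this toy only caricatures.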
