Intrusion detection model based on selective packet sampling

Recent experimental work by Androulidakis and Papavassiliou (IET Commun 2(3):399, 2008; IEEE Netw 23(1):6, 2009) has shown that it is possible to maintain a high level of network security while selectively inspecting packets for the existence of intrusive activity, thereby resulting in a minimal amount of processing overhead. In this paper, a statistical approach for the modeling of network intrusions as Markov processes is introduced. The theoretical findings presented here confirm the earlier experimental results of Androulidakis and Papavassiliou. A common notion about network intrusion detection systems is that every packet arriving into a network must be inspected in order to prevent intrusions. This investigation, together with the earlier experimental results, disproves that notion. Additional experimental testing of a corporate local area network is reported.
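To make the abstract's claim concrete, the following is an added example (written for this page, not code from the paper or its authors) of a Markov-chain model of intrusive packet bursts combined with per-packet random sampling. The two-state chain (normal/intrusive), the geometric burst lengths it produces, and the rule "a burst is detected if at least k of its packets were inspected" are assumptions made for this illustration, not the paper's model. It computes the exact detection probability for a burst of a given length, finds the smallest sampling rate that reaches a target detection probability (the inspection cost is simply the fraction of packets sampled), and checks the closed form against a simulated stream.

```python
"""Illustrative model of selective packet sampling for intrusion detection.

Constructed example: a two-state Markov chain over packets (normal / intrusive)
emits bursts of intrusive packets; an IDS inspects each packet only with
probability p. A burst counts as detected when at least k of its packets were
inspected. These modelling choices are assumptions for this example and are
not the paper's model.
"""
import random
from math import comb


def burst_detection_prob(n: int, p: float, k: int) -> float:
    """Exact probability that at least k packets of an n-packet intrusive burst
    are sampled when each packet is inspected independently with probability p
    (binomial tail: 1 minus the probability of sampling fewer than k)."""
    missed = sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k))
    return 1.0 - missed


def min_sampling_rate(n: int, k: int, target: float, step: float = 0.01) -> float:
    """Smallest sampling rate on a grid with the given step that reaches the
    target detection probability for an n-packet burst (1.0 if none does).
    The returned rate is also the fraction of traffic the IDS must inspect."""
    steps = round(1 / step)
    for i in range(steps + 1):
        p = i / steps
        if burst_detection_prob(n, p, k) >= target:
            return p
    return 1.0


def simulate_bursts(rng: random.Random, n_packets: int,
                    p_start: float, p_continue: float) -> list:
    """Run a packet-level two-state Markov chain (0 = normal, 1 = intrusive)
    and return the lengths of the intrusive bursts it produced. From 'normal'
    the chain enters 'intrusive' with probability p_start; once intrusive it
    stays intrusive with probability p_continue (geometric burst lengths)."""
    state, run, bursts = 0, 0, []
    for _ in range(n_packets):
        if state == 0:
            if rng.random() < p_start:
                state = 1
        elif rng.random() >= p_continue:
            state = 0
        if state == 1:
            run += 1
        elif run:
            bursts.append(run)
            run = 0
    if run:
        bursts.append(run)
    return bursts


def sampled_detection_rate(rng: random.Random, bursts: list,
                           p: float, k: int) -> float:
    """Fraction of bursts in which at least k packets were sampled when every
    packet is inspected independently with probability p."""
    if not bursts:
        return 0.0
    detected = 0
    for n in bursts:
        seen = sum(1 for _ in range(n) if rng.random() < p)
        if seen >= k:
            detected += 1
    return detected / len(bursts)


if __name__ == "__main__":
    rng = random.Random(7)  # fixed seed so the demo is reproducible
    # Constructed traffic: intrusive bursts start rarely and average ~10 packets.
    bursts = simulate_bursts(rng, n_packets=50_000, p_start=0.005, p_continue=0.9)
    mean_len = sum(bursts) / len(bursts)
    print(f"{len(bursts)} bursts, mean length {mean_len:.1f} packets")
    print(" rate  analytic(n=10,k=1)  simulated(k=1)")
    for p in (0.05, 0.1, 0.2, 0.3, 0.5, 1.0):
        analytic = burst_detection_prob(10, p, 1)
        simulated = sampled_detection_rate(rng, bursts, p, 1)
        print(f" {p:4.2f}   {analytic:6.3f}            {simulated:6.3f}")
    print("sampling rate for 99% detection of a 20-packet burst:",
          min_sampling_rate(20, 1, 0.99))
```

The table shows the point the abstract makes: detection probability rises steeply with the sampling rate while inspection cost rises only linearly, so a sampling rate well below 1.0 already catches almost every multi-packet burst. The price is single-packet events, which the closed form shows are detected with probability exactly p; any deployment of sampling should state which burst length and detection probability it is designed for.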

[1] Hui Zang, et al. Is sampled data sufficient for anomaly detection?, 2006, IMC '06.

[2] Martin Roesch, et al. SNORT: The Open Source Network Intrusion Detection System, 2002.

[3] Stefan Savage, et al. Proceedings of the 2003 ACM Workshop on Rapid Malcode, WORM 2003, Washington, DC, USA, October 27, 2003, 2003, WORM.

[4] D. Frincke, et al. A Visual Mathematical Model for Intrusion Detection, 1998.

[5] Paul Barford, et al. Characteristics of network traffic flow anomalies, 2001, IMW '01.

[6] Masud Mansuripur, et al. Introduction to information theory, 1986.

[7] Jack Koziol. Intrusion Detection with Snort, 2003.

[8] Vern Paxson, et al. The shunt: an FPGA-based accelerator for network intrusion prevention, 2007, FPGA '07.

[9] Nicolas Hohn, et al. Inverting sampled traffic, 2003, IEEE/ACM Transactions on Networking.

[10] Jeffrey O. Kephart, et al. Measuring and modeling computer virus prevalence, 1993, Proceedings 1993 IEEE Computer Society Symposium on Research in Security and Privacy.

[11] S. Papavassiliou, et al. Improving network anomaly detection via selective flow-based sampling, 2008, IET Commun.

[12] Jeffrey O. Kephart, et al. Directed-graph epidemiological models of computer viruses, 1991, Proceedings 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[13] Tao Ye, et al. Connectionless port scan detection on the backbone, 2006, 2006 IEEE International Performance Computing and Communications Conference.

[14] K. Mani Chandy, et al. Computer Systems Performance Modeling, 1981.

[15] Bongnam Noh, et al. Network Intrusion Detection Using Statistical Probability Distribution, 2006, ICCSA.

[16] P. Peebles. Probability, Random Variables and Random Signal Principles, 1993.

[17] Haoyu Song, et al. Multi-pattern signature matching for hardware network intrusion detection systems, 2005, GLOBECOM '05, IEEE Global Telecommunications Conference.

[18] Saswati Sarkar, et al. A framework for misuse detection in ad hoc networks, part I, 2006, IEEE Journal on Selected Areas in Communications.

[19] Hui Zang, et al. Impact of Packet Sampling on Portscan Detection, 2006, IEEE Journal on Selected Areas in Communications.

[20] Chien-Min Ou, et al. FPGA-based ROM-free network intrusion detection using shift-OR circuit, 2009, J. Embed. Comput.

[21] D. S. Yeung, et al. Network intrusion detection in covariance feature space, 2007, Pattern Recognit.

[22] Kerry J. Cox. Managing Security with Snort and IDS Tools, 2004.

[23] Klaus I. Pedersen, et al. Macro transmission power reduction for HetNet co-channel deployments, 2012, 2012 IEEE Global Communications Conference (GLOBECOM).

[24] Stefan Savage, et al. Inside the Slammer Worm, 2003, IEEE Secur. Priv.

[25] Murali S. Kodialam, et al. Detecting network intrusions via sampling: a game theoretic approach, 2003, IEEE INFOCOM 2003, Twenty-second Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE Cat. No.03CH37428).

[26] Thomas M. Cover, et al. Elements of Information Theory, 2005.

[27] Yang Wang, et al. Modeling the effects of timing parameters on virus propagation, 2003, WORM '03.

[28] Lambert Schaelicke, et al. Characterizing the Performance of Network Intrusion Detection Sensors, 2003, RAID.

[29] Hisashi Kobayashi, et al. Modeling and analysis, 1978.

[30] A. Botta, et al. Multi-protocol and Multi-platform Traffic Generation and Measurement, 2010.

[31] Alefiya Hussain, et al. Effect of Malicious Traffic on the Network, 2003.

[32] Saswati Sarkar, et al. A framework for misuse detection in ad hoc networks, part II, 2006, IEEE Journal on Selected Areas in Communications.

[33] Symeon Papavassiliou, et al. Network anomaly detection and classification via opportunistic sampling, 2009, IEEE Network.

[34] Yi Zhang, et al. Performance Adaptation in Real-Time Intrusion Detection Systems, 2002, RAID.