Packet- vs. session-based modeling for intrusion detection systems

In today's interconnected networks, intrusion detection systems (IDSs), encryption devices, firewalls, and other hardware and software solutions are critical to providing complete security solutions for corporations and government agencies. Many IDS variants exist that allow security personnel to identify attack packets, primarily through signature detection, in which the IDS "recognizes" attack packets by their well-known signatures as those packets cross the network gateway. Anomaly-based IDSs, by contrast, learn what normal traffic on a network looks like and report deviations from it. We report the findings of our research on anomaly-based intrusion detection using data-mining techniques to build a decision tree model of our network from the 1999 DARPA intrusion detection evaluation data set. After the model was built, we gathered data from our local campus network, scored the new data against the model using both packet-based and session-based modeling, and compared the results.
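The abstract contrasts scoring each packet on its own against scoring whole sessions. The following added example (not code from the paper or its authors) makes that distinction concrete in Python: packets are grouped into sessions by their five-tuple, session-level features such as "SYN seen but never acknowledged" are derived, and both a per-packet and a per-session decision tree are applied. The paper learns its tree from the DARPA 1999 data; here the two trees, the feature names, and the eight sample packets are hand-constructed assumptions so the script runs offline. The point it shows is that a half-open connection is invisible to packet-based scoring, because every individual SYN looks ordinary, while session-based scoring flags it.

```python
"""Packet- vs. session-based scoring with hand-built decision trees (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    flags: str   # TCP flag letters, e.g. "S", "A", "PA", "FA"
    length: int  # bytes on the wire


# Constructed sample traffic; not taken from DARPA 1999 or any real capture.
PACKETS = [
    # one normal HTTP session: SYN, ACK, request, FIN
    Packet("10.0.0.5", "10.0.0.80", 40001, 80, "tcp", "S", 60),
    Packet("10.0.0.5", "10.0.0.80", 40001, 80, "tcp", "A", 52),
    Packet("10.0.0.5", "10.0.0.80", 40001, 80, "tcp", "PA", 320),
    Packet("10.0.0.5", "10.0.0.80", 40001, 80, "tcp", "FA", 52),
    # three half-open sessions: one SYN each, never acknowledged
    Packet("10.0.0.9", "10.0.0.80", 50001, 80, "tcp", "S", 60),
    Packet("10.0.0.9", "10.0.0.80", 50002, 80, "tcp", "S", 60),
    Packet("10.0.0.9", "10.0.0.80", 50003, 80, "tcp", "S", 60),
    # one session whose only packet has SYN and FIN set together (malformed)
    Packet("10.0.0.7", "10.0.0.80", 60001, 80, "tcp", "SF", 60),
]

# A tree node is (feature, threshold, left_subtree, right_subtree); a leaf is a
# label string. A record goes left when feature <= threshold, otherwise right.
# Both trees are hand-written assumptions standing in for a learned model.
PACKET_TREE = ("syn_fin", 0, "normal", "attack")
SESSION_TREE = ("half_open", 0, ("syn_fin", 0, "normal", "attack"), "attack")


def packet_features(p: Packet) -> dict:
    """Features visible from a single packet in isolation."""
    return {"length": p.length,
            "syn_fin": int("S" in p.flags and "F" in p.flags)}


def session_key(p: Packet) -> tuple:
    """Five-tuple that identifies one session (direction-sensitive here)."""
    return (p.src, p.dst, p.sport, p.dport, p.proto)


def sessionize(packets):
    """Group packets into sessions, preserving arrival order within each."""
    sessions = defaultdict(list)
    for p in packets:
        sessions[session_key(p)].append(p)
    return dict(sessions)


def session_features(pkts) -> dict:
    """Features that only exist once packets are viewed as a session."""
    saw_syn = any("S" in p.flags for p in pkts)
    saw_ack = any("A" in p.flags for p in pkts)
    return {"n_pkts": len(pkts),
            "bytes": sum(p.length for p in pkts),
            "half_open": int(saw_syn and not saw_ack),
            "syn_fin": int(any("S" in p.flags and "F" in p.flags for p in pkts))}


def score(tree, features) -> str:
    """Walk the tree from the root to a leaf label for one feature record."""
    node = tree
    while not isinstance(node, str):
        feature, threshold, left, right = node
        node = left if features[feature] <= threshold else right
    return node


def score_packets(packets, tree=PACKET_TREE):
    """Packet-based modeling: one label per packet."""
    return [score(tree, packet_features(p)) for p in packets]


def score_sessions(packets, tree=SESSION_TREE):
    """Session-based modeling: one label per five-tuple session."""
    return {k: score(tree, session_features(v)) for k, v in sessionize(packets).items()}


def compare(packets) -> dict:
    """Summarise how many records each granularity flags as 'attack'."""
    pkt_labels = score_packets(packets)
    sess_labels = score_sessions(packets)
    return {"packets_total": len(pkt_labels),
            "packets_flagged": pkt_labels.count("attack"),
            "sessions_total": len(sess_labels),
            "sessions_flagged": sum(lbl == "attack" for lbl in sess_labels.values())}


if __name__ == "__main__":
    print(compare(PACKETS))
```

With the constructed traffic, packet-based scoring flags only the SYN+FIN packet (1 of 8), whereas session-based scoring flags the three half-open sessions and the malformed one (4 of 5). The session key used here is direction-sensitive; a production sessionizer would normalise client/server direction and expire idle flows, which the paper's campus-network experiment would need but this illustration omits.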
