A Constraint-based intrusion detection system

Abstract

The expressiveness of constraints has a potential to define network behavior and defend against complex network intrusions. This potential can be an integral part of an Intrusion Detection System (IDS) for defending networks against various attacks. The existing approaches of constraint logic programming have limitations when it comes to solving the network constraints in the presence of the continuous, constantly changing stream of network data. In this paper, we propose two variations of a tree-based constraint satisfaction technique to evaluate network constraints on continuous network data. A Domain Specific Language (DSL) is developed so that the IDS users can specify different intrusions related to their networks. We also present a prototype implementation of these techniques. We evaluate the performance and effectiveness of our approach against the network traffic data generated from an experimental network.