Application Level IDS using Protocol Analysis

Abstract

As network attacks have increased in number and severity over the past few years, intrusion detection systems have become a necessary addition to the security infrastructure of most organizations. From a security perspective, firewalls and SSL offer little protection. Web traffic often contains attacks such as cross-site scripting and SQL injection that enter through port 80 and are not blocked by the firewall. Among the Web applications HTTP holds the majority share of the traffic transported through Web. In this paper, implementation of an application level IDS has been presented which uses combination of pattern matching and protocol analysis approaches. The first method of detection relies on a multi pattern matching within the protocol fields, the second one provides an efficient decision tree adaptive to the application traffic characteristics to limit the number of patterns to be checked. The proposed IDS can be effectively implemented in a high performance semantic processor