Adaptive context-aware packet filter scheme using statistic-based blacklist generation in network intrusion detection

2011 7th International Conference on Information Assurance and Security (IAS) Pub Date : 2011-12-01 DOI:10.1109/ISIAS.2011.6122798

Yuxin Meng, Lam-for Kwok

{"title":"Adaptive context-aware packet filter scheme using statistic-based blacklist generation in network intrusion detection","authors":"Yuxin Meng, Lam-for Kwok","doi":"10.1109/ISIAS.2011.6122798","DOIUrl":null,"url":null,"abstract":"By using string matching, signature-based network intrusion detection systems (NIDSs) can achieve a higher accuracy and lower false alarm rate than the anomaly-based systems. But the matching process is very expensive regarding to the performance of a signature-based NIDS in which the cost is at least linear to the size of the input string and the CPU occupancy rate can reach more than 80 percent in the worst case. This problem greatly limits the high performance of a signature-based NIDS in a large operational network. In this paper, we present a context-aware packet filter scheme aiming to mitigate this problem. In particular, our scheme incorporates a list technique, namely the blacklist to help filter network packets based on the confidence of the IP domains. Moreover, our scheme will adapt and update the blacklist contents by using the method of statistic-based blacklist generation according to the actual network environment. In the experiment, we implemented our scheme and showed the first experimental evaluation of its effectiveness.","PeriodicalId":139268,"journal":{"name":"2011 7th International Conference on Information Assurance and Security (IAS)","volume":"21 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2011-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"12","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2011 7th International Conference on Information Assurance and Security (IAS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ISIAS.2011.6122798","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 12

Abstract

By using string matching, signature-based network intrusion detection systems (NIDSs) can achieve a higher accuracy and lower false alarm rate than the anomaly-based systems. But the matching process is very expensive regarding to the performance of a signature-based NIDS in which the cost is at least linear to the size of the input string and the CPU occupancy rate can reach more than 80 percent in the worst case. This problem greatly limits the high performance of a signature-based NIDS in a large operational network. In this paper, we present a context-aware packet filter scheme aiming to mitigate this problem. In particular, our scheme incorporates a list technique, namely the blacklist to help filter network packets based on the confidence of the IP domains. Moreover, our scheme will adapt and update the blacklist contents by using the method of statistic-based blacklist generation according to the actual network environment. In the experiment, we implemented our scheme and showed the first experimental evaluation of its effectiveness.

查看原文本刊更多论文

基于统计生成黑名单的自适应上下文感知包过滤方案

利用字符串匹配技术，基于签名的网络入侵检测系统比基于异常的系统具有更高的检测准确率和更低的虚警率。但是，匹配过程对于基于签名的NIDS的性能来说是非常昂贵的，其中成本至少与输入字符串的大小成线性关系，并且在最坏的情况下CPU占用率可以达到80%以上。这个问题极大地限制了基于签名的网络入侵在大型运营网络中的高性能。在本文中，我们提出了一个上下文感知的包过滤方案，旨在缓解这一问题。特别是，我们的方案结合了列表技术，即黑名单，以帮助过滤基于IP域置信度的网络数据包。此外，我们的方案将根据实际网络环境，采用基于统计的黑名单生成方法对黑名单内容进行调整和更新。在实验中，我们实现了我们的方案，并对其有效性进行了第一次实验评价。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2011 7th International Conference on Information Assurance and Security (IAS)

自引率

0.00%

发文量