Architecture of the reconnaissance intrusion detection system (RIDS)

Zheng Zhang, C. Manikopoulos
Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop, 2004. DOI: 10.1109/IAW.2004.1437816 (https://doi.org/10.1109/IAW.2004.1437816). Published 2004-06-10.
Citations: 1

Abstract

This paper describes the architecture and provides early test results of the reconnaissance intrusion detection system (RIDS) prototype. RIDS is a session-oriented statistical tool that relies on training to mold the parameters of its algorithms and is capable of detecting even distributed stealthy reconnaissance attacks. It consists of two main functional modules or stages, the reconnaissance activity profiler (RAP) followed by the reconnaissance alert correlation (RAC), along with a security console. RAP is a session-oriented module capable of detecting stealthy scanning and probing attacks, while RAC is an alert-correlation module that fuses the RAP alerts into attack scenarios and discovers the distributed stealthy attack scenarios. RIDS has been evaluated against two data sets: (a) the DARPA'98 data, and (b) 3 weeks of experimental data generated using the CONEX testbed, running at average Ethernet speeds. RIDS has demonstrably achieved remarkable success: the false positive, false negative and misclassification rates found are low, less than 0.1%, for most reconnaissance attacks; they rise to about 6% for distributed highly stealthy attacks. The latter is a most challenging type of attack, which has been difficult to detect effectively until now. Thus, the RIDS system promises to provide an early warning by detecting the reconnaissance first phase of an impending attack, even if it is very stealthy and distributed.