Graphical techniques in intrusion detection systems
Boaz Gelbord
Proceedings 15th International Conference on Information Networking (ICOIN 2001), published 2001-01-31
DOI: 10.1109/ICOIN.2001.905436 (https://doi.org/10.1109/ICOIN.2001.905436)
Citations: 11
Abstract
As coordinated attacks on networks become more frequent, the study of systems that can identify unlawful attempts to penetrate a network, so-called intrusion detection systems (IDS), has become increasingly popular. IDS traditionally suffer from an inability to detect an attack that is built from a sequence of individually valid network activities. For this reason it is important to develop a system capable of analyzing the global nature of network activity. One such system is GrIDS, a graph-based intrusion detection system for large networks being developed at the University of California, Davis. This system constructs graphs from the observed network activity and then detects attacks by analyzing the characteristics of these graphs. One of the bottlenecks in this process is the inability to efficiently compare characteristics of very large networks. Such comparison often becomes necessary because the increasingly complex nature of network traffic generates graphs with many nodes and edges. We propose using a new result on subgraph isomorphism due to Eppstein (see Journal of Graph Algorithms and Applications, vol. 3, no. 3, pp. 1-27, 1999) to maximize the efficiency of this analysis. This provides the IDS with the ability to analyze traffic at a broader level and thus increases the overall performance of the system.
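The approach the abstract describes, as an added example that is not GrIDS code and does not implement Eppstein's algorithm: connection records are turned into a directed activity graph over hosts, and an attack is declared when a pattern graph (here a two-level fan-out, the shape of a propagating worm) embeds into it. Each record on its own looks like ordinary traffic; only the graph structure is suspicious, which is the detection gap the abstract attributes to traditional IDS. The pattern search below is plain backtracking with degree pruning, exponential in the worst case: that cost is exactly the bottleneck the paper wants to remove. Eppstein's cited result gives linear time in the size of the host graph for a fixed-size pattern when the host graph is planar, so a practitioner applying it must check that the activity graph is planar or can be reduced to a planar one, a condition arbitrary network traffic does not guarantee. The IP addresses, timestamps, ports and pattern labels are constructed for this example.

```python
# Added example: graph-based detection of a connection pattern that no single
# record would reveal. Nothing here is GrIDS code or Eppstein's algorithm.
from collections import defaultdict

# Constructed connection records: (timestamp, source host, destination host, dst port).
# Three clients talking to one web server: benign, and a star shape (many -> one).
NORMAL_TRAFFIC = [
    ("09:00:01", "10.0.0.2", "10.0.0.10", 443),
    ("09:00:02", "10.0.0.3", "10.0.0.10", 443),
    ("09:00:03", "10.0.0.4", "10.0.0.10", 443),
]
# One host reaches two others, each of which reaches a fresh host (one -> many -> many).
WORM_TRAFFIC = [
    ("09:01:00", "10.0.0.5", "10.0.0.6", 445),
    ("09:01:01", "10.0.0.5", "10.0.0.7", 445),
    ("09:01:30", "10.0.0.6", "10.0.0.8", 445),
    ("09:01:31", "10.0.0.7", "10.0.0.9", 445),
]

# Attack pattern as a list of directed edges; node names are role labels only.
FANOUT_PATTERN = [("a", "b"), ("a", "c"), ("b", "d"), ("c", "e")]


def build_activity_graph(records):
    """Directed graph over hosts: edge u -> v if u initiated a connection to v."""
    graph = defaultdict(set)
    for _, src, dst, _ in records:
        graph[src].add(dst)
        graph[dst]  # make sure every host appears as a node, even with no out-edges
    return dict(graph)


def _in_degrees(graph):
    """Count incoming edges per node (missing nodes read as 0)."""
    indeg = defaultdict(int)
    for succ in graph.values():
        for m in succ:
            indeg[m] += 1
    return indeg


def _edges_preserved(pattern, graph, mapping):
    """Every pattern edge whose endpoints are both mapped must exist in the host graph."""
    for p, succ in pattern.items():
        if p not in mapping:
            continue
        for q in succ:
            if q in mapping and mapping[q] not in graph[mapping[p]]:
                return False
    return True


def find_embeddings(pattern_edges, graph):
    """All injective mappings of pattern nodes onto graph nodes that carry every
    pattern edge onto a graph edge (subgraph monomorphism; extra host edges are
    allowed). Backtracking with in/out-degree pruning; worst case exponential."""
    pattern = build_activity_graph([("", p, q, 0) for p, q in pattern_edges])
    p_in, g_in = _in_degrees(pattern), _in_degrees(graph)
    # Most constrained pattern node first so bad partial mappings die early.
    order = sorted(pattern, key=lambda n: -(len(pattern[n]) + p_in[n]))
    results = []

    def extend(i, mapping):
        if i == len(order):
            results.append(dict(mapping))
            return
        p = order[i]
        for h in graph:
            if h in mapping.values():
                continue
            if len(graph[h]) < len(pattern[p]) or g_in[h] < p_in[p]:
                continue  # host node cannot carry this role's degree
            mapping[p] = h
            if _edges_preserved(pattern, graph, mapping):
                extend(i + 1, mapping)
            del mapping[p]

    extend(0, {})
    return results


def suspected_origins(records, pattern_edges=FANOUT_PATTERN, root="a"):
    """Hosts that play the root role in at least one embedding of the pattern."""
    graph = build_activity_graph(records)
    return sorted({m[root] for m in find_embeddings(pattern_edges, graph)})


if __name__ == "__main__":
    print("normal only  :", suspected_origins(NORMAL_TRAFFIC))
    print("with worm    :", suspected_origins(NORMAL_TRAFFIC + WORM_TRAFFIC))
```

The benign star (three clients to one server) never matches because no host has out-degree two, while the worm traffic yields two embeddings (the two roles b and c are interchangeable) and a single suspected origin, 10.0.0.5. Swapping in a subgraph isomorphism routine with better asymptotics changes only `find_embeddings`; the graph construction and the pattern are unchanged.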