A Sampling Method for Intrusion Detection System

Authors:
Zhuo Ning;Jian Gong
Affiliations:
School of Computer Science and Engineering, Southeast University, Nanjing, China 210096 and Jiangsu Provincial Key Laboratory of Computer Network Technology, Nanjing, China 210096;School of Computer Science and Engineering, Southeast University, Nanjing, China 210096 and Jiangsu Provincial Key Laboratory of Computer Network Technology, Nanjing, China 210096
Venue:
APNOMS '08 Proceedings of the 11th Asia-Pacific Symposium on Network Operations and Management: Challenges for Next Generation Network Operations and Service Management
Year:
2008

Citing 8
Cited 1

Assisting Network Intrusion Detection with Reconfigurable Hardware

FCCM '02 Proceedings of the 10th Annual IEEE Symposium on Field-Programmable Custom Computing Machines
New directions in traffic measurement and accounting: Focusing on the elephants, ignoring the mice

ACM Transactions on Computer Systems (TOCS)
Mining anomalies using traffic feature distributions

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Fast Reconfiguring Deep Packet Filter for 1+ Gigabit Network

FCCM '05 Proceedings of the 13th Annual IEEE Symposium on Field-Programmable Custom Computing Machines
Impact of packet sampling on anomaly detection metrics

Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Is sampled data sufficient for anomaly detection?

Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Towards software-based signature detection for intrusion prevention on the network card

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Impact of Packet Sampling on Portscan Detection

IEEE Journal on Selected Areas in Communications

Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues

Information Sciences: an International Journal

Quantified Score

Hi-index	0.00

Visualization

Abstract

It is well known that Intrusion Detection System (IDS) does not scale well with Gigabit links. Unlike the other solutions that try to increase the performance of IDS by the distributed architecture, we develop a novel sampling method IDSampling whose sampling rate is adaptive to the memory bottleneck consumption to capture attack packets as many as possible by analyzing characteristics of the attack traffic. IDSampling applies a single sampling strategy based on four traffic feature entropies when large-scale traffic anomaly occurs, and another complicated one instructed by the feedback of the following detection results by default. The results of experiment show that IDSampling can help IDS to remain effective even when it is overloaded. And compared with the other two notable sampling method, packet sampling and random flow sampling, IDSampling outperforms them greatly, especially in low sampling rate.