Service discrimination and audit file reduction for effective intrusion detection

  • Authors:
  • Fernando Godínez;Dieter Hutter;Raúl Monroy

  • Affiliations:
  • Centre for Intelligent Systems, ITESM–Monterrey, Monterrey, México;DFKI, Saarbrücken University, Saarbrücken, Germany;Department of Computer Science, ITESM–Estado de México, Estado de México, México

  • Venue:
  • WISA'04 Proceedings of the 5th international conference on Information Security Applications
  • Year:
  • 2004


Abstract

Current IDSs can be easily overwhelmed by the amount of information they ought to analyse. By pre-processing that information, this paper aims both to alleviate the computational overhead involved in intrusion detection and to make IDSs scalable. Regardless of whether it is a sequence of network packets or a sequence of system calls, the information an IDS analyses is often redundant in at least two respects: first, every entry in the sequence may contain spurious information; second, any sequence may contain redundant subsequences. Using Rough Sets, we have identified key attributes for every entry, eliminating spurious information without losing chief details. Using n-gram theory, we have identified the most redundant subsequences within a sequence and substituted each of them with a fresh tag, which reduces the sequence length. To make an IDS scalable, we propose structuring the IDS as a collection of sensors, each of which is specialised to a particular service, e.g. telnet, smtp, etc. To approach service selection, we suggest the use of Hidden Markov Models, each trained to detect a specific service described by a family of n-grams. Our results are encouraging: we have obtained an average reduction factor of 12. Using the service discriminator we have also written a simple, yet effective, misuse IDS. The impact on detection and false alarm ratio when using reduced sequences is negligible.
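The n-gram step of the abstract (find the most redundant subsequences of an audit trace and replace each with a fresh tag) is illustrated below with added example code. It is not the authors' implementation, which the abstract does not give; it uses a simple greedy scheme of my own choosing: count all n-grams, replace the most frequent one with a new tag, repeat until no n-gram recurs. The system-call trace, the tag names `T0`, `T1`, ... and the parameters `n=3`, `min_count=2` are constructed for the example. The reduction factor it prints is for this toy trace only and says nothing about the paper's reported factor of 12.

```python
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Constructed sample trace (not from the paper): system-call names as a
# per-process sensor might record them.  Repeated open/read/close patterns
# stand in for the redundancy the abstract describes.
SAMPLE_TRACE: List[str] = (
    ["open", "read", "read", "close"] * 4
    + ["open", "read", "write", "close"] * 3
    + ["mmap", "brk"] * 4
    + ["open", "read", "read", "close", "exit"]
)

Gram = Tuple[str, ...]


def count_ngrams(seq: Sequence[str], n: int) -> Counter:
    """Count every (overlapping) n-gram in seq."""
    return Counter(tuple(seq[i:i + n]) for i in range(len(seq) - n + 1))


def replace_ngram(seq: Sequence[str], gram: Gram, tag: str) -> List[str]:
    """Replace each non-overlapping left-to-right occurrence of gram with tag."""
    n = len(gram)
    out: List[str] = []
    i = 0
    while i < len(seq):
        if tuple(seq[i:i + n]) == gram:
            out.append(tag)
            i += n
        else:
            out.append(seq[i])
            i += 1
    return out


def reduce_sequence(seq: Sequence[str], n: int = 3, min_count: int = 2,
                    max_rounds: int = 50) -> Tuple[List[str], Dict[str, Gram]]:
    """Greedy reduction: repeatedly tag the most frequent n-gram.

    Overlapping occurrences are counted but replaced non-overlapping, so a
    count is an upper bound on how many replacements a round performs.
    Later rounds may tag n-grams that contain earlier tags, so the dictionary
    can nest; expand() undoes it in the right order.
    """
    seq = list(seq)
    dictionary: Dict[str, Gram] = {}
    for round_no in range(max_rounds):
        counts = count_ngrams(seq, n)
        if not counts:
            break
        gram, cnt = counts.most_common(1)[0]
        if cnt < min_count:
            break  # nothing recurs any more: stop
        tag = f"T{round_no}"  # fresh tag: not a syscall name in our trace
        dictionary[tag] = gram
        seq = replace_ngram(seq, gram, tag)
    return seq, dictionary


def expand(seq: Sequence[str], dictionary: Dict[str, Gram]) -> List[str]:
    """Inverse of reduce_sequence: recursively expand tags back to calls."""
    out: List[str] = []
    for tok in seq:
        if tok in dictionary:
            out.extend(expand(dictionary[tok], dictionary))
        else:
            out.append(tok)
    return out


def reduction_factor(original: Sequence[str], reduced: Sequence[str]) -> float:
    """Original length over reduced length, as in the abstract's 'reduction factor'."""
    return len(original) / len(reduced)


if __name__ == "__main__":
    reduced, tags = reduce_sequence(SAMPLE_TRACE, n=3)
    print("original:", len(SAMPLE_TRACE), "tokens")
    print("reduced: ", len(reduced), "tokens ->", " ".join(reduced))
    for tag, gram in tags.items():
        print(f"  {tag} = {' '.join(gram)}")
    print("reduction factor: %.2f" % reduction_factor(SAMPLE_TRACE, reduced))
    assert expand(reduced, tags) == SAMPLE_TRACE  # lossless for this scheme
```

Two things worth noticing when running it. The first tag covers `close open read`, an n-gram that straddles two consecutive calls' boundaries rather than one "logical" operation: a frequency-driven method picks whatever recurs most, which is fine for compression but means a detector trained on tagged sequences must be trained on the same tag dictionary. Second, the replacement is lossless here only because the dictionary is kept; a deployment that discards it (as a sensor might, to save space) trades the ability to reconstruct the original trace for the length reduction.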