Improvement of an anagram based NIDS by reducing the storage space of bloom filters (poster abstract)

  • Authors:
  • Hugo Villanúa Vega;Jorge Maestre Vidal;Jaime Daniel Mejía Castro;Luis Javier García Villalba

  • Affiliations:
  • All four authors: Group of Analysis, Security and Systems (GASS), Department of Software Engineering and Artificial Intelligence (DISIA), School of Computer Science, Universidad Complutense de Madrid (UCM), Madrid, ...

  • Venue:
  • RAID'12 Proceedings of the 15th international conference on Research in Attacks, Intrusions, and Defenses
  • Year:
  • 2012

Abstract

When optimizing our NIDS APAP [1], we focused our efforts on ensuring that it would work on real-time network traffic. This effort was penalized by the excessive storage cost of the various data structures needed to meet its goals satisfactorily. APAP is based on Anagram [2] and initially worked with small N-gram sizes. This allowed us to detect more attacks at the expense of a higher false-positive rate. But when we wanted to test the results obtained with larger N-gram sizes, we found that the storage cost of the Bloom filter structures we generated to analyze the traffic payload was too large.
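The Anagram-style mechanism the abstract refers to, as an added illustration that is not code from the paper or from APAP: benign payloads are cut into byte N-grams and inserted into a Bloom filter, a test payload is scored by the fraction of its N-grams the filter has never seen, and the filter's bit count is set by the number of distinct N-grams, which is the quantity that grows with N and drives the storage problem described above. The sample HTTP requests, the target false-positive rate and the SHA-256 double-hashing scheme are constructed assumptions for this example.

```python
import hashlib
import math

def ngrams(payload: bytes, n: int):
    """Yield every length-n byte window of a payload, as Anagram does."""
    for i in range(len(payload) - n + 1):
        yield payload[i:i + n]

def bloom_size_bits(n_items: int, fp_rate: float) -> int:
    """Classic Bloom sizing: m = -n*ln(p)/(ln 2)^2 bits for n items at false-positive rate p."""
    return max(1, math.ceil(-n_items * math.log(fp_rate) / math.log(2) ** 2))

class BloomFilter:
    def __init__(self, n_items: int, fp_rate: float = 0.01):
        self.m = bloom_size_bits(n_items, fp_rate)
        self.k = max(1, round(self.m / max(n_items, 1) * math.log(2)))  # optimal hash count
        self.bits = bytearray((self.m + 7) // 8)  # this is the storage that grows with N

    def _positions(self, item: bytes):
        # k bit positions from one SHA-256 via double hashing (Kirsch-Mitzenmacher)
        d = hashlib.sha256(item).digest()
        h1, h2 = int.from_bytes(d[:8], "big"), int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

def train(normal_payloads, n: int, fp_rate: float = 0.01):
    """Fill a filter with the distinct n-grams of benign payloads; returns (filter, count)."""
    distinct = {g for p in normal_payloads for g in ngrams(p, n)}
    bf = BloomFilter(len(distinct), fp_rate)
    for g in distinct:
        bf.add(g)
    return bf, len(distinct)

def anomaly_score(bf: BloomFilter, payload: bytes, n: int) -> float:
    """Anagram score: fraction of the payload's n-grams never seen in training."""
    grams = list(ngrams(payload, n))
    return sum(g not in bf for g in grams) / len(grams) if grams else 0.0

# Constructed sample traffic (not from the paper): benign HTTP requests and one odd payload.
NORMAL = [b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
          b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
          b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 9\r\n\r\nuser=bob1"]
SUSPECT = b"GET /index.html HTTP/1.1\r\nHost: " + bytes(range(128, 200)) + b"\r\n\r\n"
```

Training with n = 3, 5 and 7 and comparing `bf.m` shows how the filter's bit count tracks the number of distinct N-grams, which is the cost the abstract reports as prohibitive for larger N.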