Adaptive blacklist-based packet filter with a statistic-based approach in network intrusion detection

Authors:
Yuxin Meng;Lam-For Kwok
Affiliations:
-;-
Venue:
Journal of Network and Computer Applications
Year:
2014

Citing 30
Cited 0

The base-rate fallacy and its implications for the difficulty of intrusion detection

CCS '99 Proceedings of the 6th ACM conference on Computer and communications security
Bro: a system for detecting network intruders in real-time

Computer Networks: The International Journal of Computer and Telecommunications Networking
The base-rate fallacy and the difficulty of intrusion detection

ACM Transactions on Information and System Security (TISSEC)
A fast string searching algorithm

Communications of the ACM
Efficient string matching: an aid to bibliographic search

Communications of the ACM
Testing Intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory

ACM Transactions on Information and System Security (TISSEC)
A String Matching Algorithm Fast on the Average

Proceedings of the 6th Colloquium, on Automata, Languages and Programming
Fast Content-Based Packet Handling for Intrusion Detection

Fast Content-Based Packet Handling for Intrusion Detection
An empirical study of spam traffic and the use of DNS black lists

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Operational experiences with high-volume network intrusion detection

Proceedings of the 11th ACM conference on Computer and communications security
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
Efficient packet classification for network intrusion detection using FPGA

Proceedings of the 2005 ACM/SIGDA 13th international symposium on Field-programmable gate arrays
Packet pre-filtering for network intrusion detection

Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems
Wire-Speed TCAM-Based Architectures for Multimatch Packet Classification

IEEE Transactions on Computers
Scalable packet classification with controlled cross-producting

Computer Networks: The International Journal of Computer and Telecommunications Networking
Hierarchical packet classification using a Bloom filter and rule-priority tries

Computer Communications
CompactDFA: generic state machine compression for scalable pattern matching

INFOCOM'10 Proceedings of the 29th conference on Information communications
Outside the Closed World: On Using Machine Learning for Network Intrusion Detection

SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Spam mitigation using spatio-temporal reputations from blacklist history

Proceedings of the 26th Annual Computer Security Applications Conference
Toward Advocacy-Free Evaluation of Packet Classification Algorithms

IEEE Transactions on Computers
A fast pattern matching algorithm with multi-byte search unit for high-speed network security

Computer Communications
Towards the effective temporal association mining of spam blacklists

Proceedings of the 8th Annual Collaboration, Electronic messaging, Anti-Abuse and Spam Conference
A Memory-Efficient Bit-Split Parallel String Matching Using Pattern Dividing for Intrusion Detection Systems

IEEE Transactions on Parallel and Distributed Systems
Bit-parallel search algorithms for long patterns

SEA'10 Proceedings of the 9th international conference on Experimental Algorithms
On the bit-parallel simulation of the nondeterministic Aho-Corasick and suffix automata for a set of patterns

Journal of Discrete Algorithms
Bayesian Neural Networks for Internet Traffic Classification

IEEE Transactions on Neural Networks
A prefix-based approach for managing hybrid specifications in complex packet filtering

Computer Networks: The International Journal of Computer and Telecommunications Networking
A new hierarchical packet classification algorithm

Computer Networks: The International Journal of Computer and Telecommunications Networking
Early Detection of Malicious Flux Networks via Large-Scale Passive DNS Traffic Analysis

IEEE Transactions on Dependable and Secure Computing
Multi-Stride String Searching for High-Speed Content Inspection

The Computer Journal

Quantified Score

Hi-index	0.00

Visualization

Abstract

Network intrusion detection systems (NIDS) are widely deployed in various network environments. Compared to an anomaly based NIDS, a signature-based NIDS is more popular in real-world applications, because of its relatively lower false alarm rate. However, the process of signature matching is a key limiting factor to impede the performance of a signature-based NIDS, in which the cost is at least linear to the size of an input string and the CPU occupancy rate can reach more than 80% in the worst case. In this paper, we develop an adaptive blacklist-based packet filter using a statistic-based approach aiming to improve the performance of a signature-based NIDS. The filter employs a blacklist technique to help filter out network packets based on IP confidence and the statistic-based approach allows the blacklist generation in an adaptive way, that is, the blacklist can be updated periodically. In the evaluation, we give a detailed analysis of how to select weight values in the statistic-based approach, and investigate the performance of the packet filter with a DARPA dataset, a real dataset and in a real network environment. Our evaluation results under various scenarios show that our proposed packet filter is encouraging and effective to reduce the burden of a signature-based NIDS without affecting network security.