Network intrusion detection systems (NIDS) are widely deployed in a variety of network environments. Signature-based NIDS are more popular than anomaly-based NIDS in real-world deployments because of their relatively lower false alarm rate. However, signature matching is the key factor limiting the performance of a signature-based NIDS: its cost is at least linear in the length of the input, and in the worst case it can drive CPU occupancy above 80%. In this paper, we develop an adaptive blacklist-based packet filter that uses a statistic-based approach to improve the performance of a signature-based NIDS. The filter uses a blacklist to filter out network packets according to IP confidence, and the statistic-based approach generates the blacklist adaptively, so that it can be updated periodically. In the evaluation, we analyse in detail how to select the weight values in the statistic-based approach, and investigate the performance of the packet filter on a DARPA dataset, on a real dataset, and in a real network environment. Our results under these scenarios show that the proposed packet filter is effective at reducing the burden on a signature-based NIDS without affecting network security.
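The following is an added illustration of the filtering loop the abstract describes: a blacklist in front of the signature engine, per-source-IP statistics collected from the packets that are inspected, and a blacklist rebuilt from an IP confidence value at the end of every period. It is not the paper's code. The abstract gives neither the confidence formula nor the weight values, so the scoring below (the period's alert ratio weighted against the previous period's score, decaying when no evidence is seen), the weights 0.7/0.3, the threshold 0.5, the minimum packet count and the sample traffic are all assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class PeriodStats:
    packets: int = 0   # packets from this source seen in the current period
    alerts: int = 0    # of those, packets that matched a signature


class AdaptiveBlacklistFilter:
    """Blacklist prefilter placed in front of a signature-matching NIDS.

    Packets from blacklisted source IPs are dropped before signature matching.
    Every other packet is matched, and the outcome feeds the per-IP statistics
    from which the blacklist is regenerated at the end of each period.
    Scoring scheme, weights and threshold are assumptions for this example.
    """

    def __init__(self, signatures, w_alert=0.7, w_history=0.3,
                 threshold=0.5, min_packets=4):
        self.signatures = [s.encode() for s in signatures]
        self.w_alert = w_alert          # weight of this period's alert ratio
        self.w_history = w_history      # weight of the previous score
        self.threshold = threshold      # score at or above which an IP is blacklisted
        self.min_packets = min_packets  # evidence needed before an IP is scored
        self.stats = defaultdict(PeriodStats)
        self.score = {}                 # persistent per-IP score; confidence = 1 - score
        self.blacklist = set()
        self.filtered = 0               # packets dropped without signature matching
        self.matched = 0                # packets handed to signature matching

    def match(self, payload):
        """Naive linear scan standing in for the NIDS signature engine."""
        return any(sig in payload for sig in self.signatures)

    def process(self, src_ip, payload):
        """Handle one packet; returns 'filtered', 'alert' or 'pass'."""
        if src_ip in self.blacklist:
            self.filtered += 1
            return "filtered"
        self.matched += 1
        st = self.stats[src_ip]
        st.packets += 1
        if self.match(payload):
            st.alerts += 1
            return "alert"
        return "pass"

    def confidence(self, src_ip):
        """IP confidence in [0, 1]; an unknown source starts fully trusted."""
        return 1.0 - self.score.get(src_ip, 0.0)

    def end_period(self):
        """Recompute scores from this period's statistics and rebuild the blacklist."""
        new_score = {}
        for ip in set(self.stats) | set(self.score):
            st = self.stats.get(ip)
            prev = self.score.get(ip, 0.0)
            if st is not None and st.packets >= self.min_packets:
                ratio = st.alerts / st.packets
                new_score[ip] = self.w_alert * ratio + self.w_history * prev
            else:
                # too little (or, for blacklisted IPs, no) evidence: decay the old score
                new_score[ip] = self.w_history * prev
        self.score = {ip: s for ip, s in new_score.items() if s > 1e-9}
        self.blacklist = {ip for ip, s in self.score.items() if s >= self.threshold}
        self.stats.clear()
        return set(self.blacklist)


def run_demo():
    """Constructed traffic: a scanner probing for two signatures and a benign client."""
    f = AdaptiveBlacklistFilter(signatures=["/etc/passwd", "cmd.exe"])
    scanner = [("10.0.0.7", b"GET /../../etc/passwd HTTP/1.1")] * 4 \
        + [("10.0.0.7", b"GET /index.html HTTP/1.1")]
    benign = [("192.0.2.5", b"GET /index.html HTTP/1.1")] * 6
    period = scanner + benign
    out = {}
    for n in (1, 2, 3):
        out[f"results_p{n}"] = [f.process(ip, p) for ip, p in period]
        out[f"blacklist_after_p{n}"] = f.end_period()
    out["filtered"] = f.filtered
    out["matched"] = f.matched
    out["scanner_confidence"] = f.confidence("10.0.0.7")
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

In the demo the scanner is blacklisted after period 1, its packets are dropped without signature matching in period 2, its score decays so it is re-inspected in period 3, and the history term then pushes it back onto the blacklist faster than a first offence would. Two points to keep in mind when tuning this kind of filter: source addresses can be spoofed, so a sender who can forge a trusted host's address can push that host onto the blacklist, and a wrongly blacklisted host is denied service until its entry decays. The period length, threshold and weights therefore trade load reduction against that risk, which is the tuning the paper's evaluation of weight selection addresses.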