Optimal Traffic Scheduling for Intrusion Prevention Systems
Authors
Abstract
Similar resources
Extracting Ambiguous Sessions from Real Traffic with Intrusion Prevention Systems
False Positives (FP) and False Negatives (FN) are common in every Intrusion Prevention System (IPS). None of the systems could judge better than others all the time. This work proposes a system of Ambiguous Session Extraction (ASE) to create a pool of ambiguous traffic traces. Traffic traces or sessions are called “ambiguous”, meaning they cause potential FNs (abbreviated as P-FNs) and potentia...
P2P Traffic classification for Intrusion Detection Systems
Multiple approaches have been taken to study the classification of peer-to-peer (P2P) traffic and to study the impact of P2P on IDS/IPS systems. The majority of the approaches have used rule-based or a mix of rule-based and anomaly-based detection algorithms. The physical setup is generally a firewall and SNORT or a similar IDS/IPS solution on the WAN/ISP interface from the organization. In this paper we...
Carousel: Scalable Logging for Intrusion Prevention Systems
We address the problem of collecting unique items in a large stream of information in the context of Intrusion Prevention Systems (IPSs). IPSs detect attacks at gigabit speeds and must log infected source IP addresses for remediation or forensics. An attack with millions of infected sources can result in hundreds of millions of log records when counting duplicates. If logging speeds are much sl...
Real traffic logs creation for testing intrusion detection systems
Port scanning is one of the most popular reconnaissance techniques that many attackers use to profile running services on a potential target before launching an attack. Many port scanning detection mechanisms have been suggested in literature. To test the proposed detection approaches, researchers use data sets that are available online or simulate their own. However, the available data sets do...
Journal
Journal title: International Journal of Advances in Telecommunications, Electrotechnics, Signals and Systems
Year: 2017
ISSN: 1805-5443
DOI: 10.11601/ijates.v6i2.201