Design of a multimedia traffic classifier for Snort

Purpose – The purpose is to enhance the capabilities of a general-purpose IDS solution with additional knowledge of multimedia file formats and protocols, to better handle multimedia-specific security exploits. Design/methodology/approach – The authors have designed a multimedia traffic classifier, implemented as an optional preprocessor for Snort. The solution has been successfully tested with downloading and streaming traffic. Findings – Test results confirm that the additional specialized knowledge encoded in the preprocessor results in two significant gains: trusted multimedia contents can be identified and allowed to bypass the detection engine, with substantial computational savings; the IDS is now able to detect multimedia-specific exploits which would otherwise go unnoticed. Research limitations/implications – Not all multimedia-related scenarios have been covered by the described implementation yet. The proposed solution is being extended to other file types and protocols, fine-tuned, as well as tested more extensively. Practical implications – Snort users interested in this work will be able to add the multimedia-specific functionality – and enjoy the resulting benefits – with minimal effort. Originality/value – The research reported in this paper is – to the authors’ knowledge – the first effort to add multimedia-specific knowledge to the operation of an IDS. In addition to being innovative, the proposed method is relevant for more than one reason, since it enhances the IDS capabilities while at the same time alleviating the computational cost of performing detailed traffic analysis in high-speed networks.