RePIDS: A multi tier Real-time Payload-based Intrusion Detection System
Authors
Abstract
DOI: http://dx.doi.org/10.1016/j.comnet.2012.10.002

Intrusion Detection Systems (IDSs) deal with huge amounts of network traffic and use large feature sets to discriminate normal patterns from intrusive ones. However, most existing systems lack the ability to process data for real-time anomaly detection. In this paper, we propose a 3-Tier Iterative Feature Selection Engine (IFSEng) for feature subspace selection. The Principal Component Analysis (PCA) technique is used for the pre-processing of the data. A Mahalanobis Distance Map (MDM) is used to discover hidden correlations between the features and between the packets. We also propose a novel Real-time Payload-based Intrusion Detection System (RePIDS) that integrates the 3-Tier IFSEng and the MDM approach. The Mahalanobis Distance (MD) dissimilarity criterion is used to classify each packet as either a normal or an attack packet. The effectiveness of the proposed RePIDS is evaluated using the DARPA 99 dataset and the Georgia Institute of Technology attack dataset. Traffic of Web-based applications is considered for validating our model. The F-value criterion is used to evaluate the detection performance of RePIDS. Experimental results show that RePIDS achieves better performance (high F-values of 0.9958 for the DARPA 99 dataset and 0.976 for the Georgia Institute of Technology attack dataset respectively, with only a 0.85% false alarm rate) and lower computational complexity when compared against two state-of-the-art payload-based intrusion detection systems. Additionally, it has 1.3 times higher throughput than the real scenario of a medium-sized enterprise network. 2012 Elsevier B.V. All rights reserved.
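The abstract describes the classification step only at a high level: a profile of normal payloads is built, and each packet is scored by its Mahalanobis Distance from that profile and labelled normal or attack by a threshold. The following Python example is added here to make that step concrete; it is not code from the RePIDS paper or its authors. It stands in a coarse six-class byte histogram for the paper's PCA/IFSEng feature subspace, adds a small ridge term so byte classes that never occur in training still yield an invertible covariance, and sets the threshold as a tolerance factor times the largest training distance. The byte classes, the ridge and tolerance values, and all sample HTTP payloads are assumptions constructed for the illustration, not data from DARPA 99 or the Georgia Tech dataset.

```python
from typing import List, Sequence

# Added illustration, not code from the RePIDS paper: a coarse 6-class byte
# histogram stands in for the paper's feature subspace; the ridge term,
# tolerance factor and all sample payloads below are assumptions.
NUM_BUCKETS = 6  # whitespace, digit, letter, other printable, control, high byte

def byte_class(b: int) -> int:
    """Map one byte to a coarse class so the covariance matrix stays 6x6."""
    if b in (0x20, 0x09, 0x0A, 0x0D):
        return 0
    if 0x30 <= b <= 0x39:
        return 1
    if 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A:
        return 2
    if 0x21 <= b <= 0x7E:
        return 3
    return 4 if b < 0x80 else 5

def features(payload: bytes) -> List[float]:
    """Relative frequency of each byte class in one payload."""
    counts = [0] * NUM_BUCKETS
    for b in payload:
        counts[byte_class(b)] += 1
    n = max(len(payload), 1)
    return [c / n for c in counts]

def invert(m: List[List[float]]) -> List[List[float]]:
    """Gauss-Jordan inverse with partial pivoting (small dense matrices)."""
    n = len(m)
    a = [list(row) + [float(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        if abs(p) < 1e-12:
            raise ValueError("covariance is singular; raise the ridge term")
        a[col] = [v / p for v in a[col]]
        for r in range(n):
            if r != col and a[r][col] != 0.0:
                f = a[r][col]
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[col])]
    return [row[n:] for row in a]

class PayloadModel:
    def __init__(self, ridge: float = 1e-3, tolerance: float = 1.5):
        self.ridge = ridge          # keeps zero-variance byte classes invertible
        self.tolerance = tolerance  # threshold = tolerance * max training distance
        self.mean: List[float] = []
        self.inv_cov: List[List[float]] = []
        self.threshold = 0.0

    def fit(self, payloads: Sequence[bytes]) -> "PayloadModel":
        """Build the normal profile: mean vector plus inverse covariance."""
        rows = [features(p) for p in payloads]
        n, d = len(rows), NUM_BUCKETS
        self.mean = [sum(r[i] for r in rows) / n for i in range(d)]
        cov = [[0.0] * d for _ in range(d)]
        for r in rows:
            diff = [r[i] - self.mean[i] for i in range(d)]
            for i in range(d):
                for j in range(d):
                    cov[i][j] += diff[i] * diff[j] / max(n - 1, 1)
        for i in range(d):
            cov[i][i] += self.ridge
        self.inv_cov = invert(cov)
        self.threshold = self.tolerance * max(self.distance(p) for p in payloads)
        return self

    def distance(self, payload: bytes) -> float:
        """Mahalanobis distance of one payload from the normal profile."""
        diff = [x - m for x, m in zip(features(payload), self.mean)]
        quad = sum(diff[i] * self.inv_cov[i][j] * diff[j]
                   for i in range(NUM_BUCKETS) for j in range(NUM_BUCKETS))
        return max(quad, 0.0) ** 0.5

    def classify(self, payload: bytes) -> str:
        return "attack" if self.distance(payload) > self.threshold else "normal"

# Constructed sample traffic (not from DARPA 99 or any other dataset).
NORMAL_TRAINING = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /news/2012/10/story.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /search?q=intrusion+detection HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /css/style.css HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /js/app.js HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /products?id=42 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /docs/manual.pdf HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]
HELD_OUT_NORMAL = b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BINARY_BLOB = bytes(range(0x80, 0x100)) * 2   # non-text bytes where text is expected
CONTROL_BLOB = bytes(range(0x01, 0x09)) * 8   # control characters only

if __name__ == "__main__":
    model = PayloadModel().fit(NORMAL_TRAINING)
    for name, p in [("held-out normal", HELD_OUT_NORMAL), ("binary blob", BINARY_BLOB),
                    ("control blob", CONTROL_BLOB)]:
        print(f"{name:16s} MD={model.distance(p):7.2f} -> {model.classify(p)}")
```

The ridge term matters for exactly the case a payload-based detector cares about: byte classes that never appear in normal traffic have zero training variance, so without regularisation the covariance is singular and cannot be inverted, while with it any mass in those classes is heavily penalised and the packet lands far from the profile. The per-packet cost is one histogram pass plus a 6x6 quadratic form, which is what makes an MD-based scorer cheap enough for line-rate use; a deployment would tune the byte classes, the ridge and the tolerance against its own traffic rather than take the values assumed here.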
Similar resources
Poseidon: a 2-tier Anomaly-based Intrusion Detection System
We present Poseidon, a new anomaly based intrusion detection system. Poseidon is payload-based, and presents a two-tier architecture: the first stage consists of a Self-Organizing Map, while the second one is a modified PAYL system [22]. Our benchmarks on the 1999 DARPA data set [15] show a higher detection rate and lower number of false positives than PAYL and PHAD.
Real-time intrusion detection alert correlation and attack scenario extraction based on the prerequisite consequence approach
Alert correlation systems attempt to discover the relations among alerts produced by one or more intrusion detection systems to determine the attack scenarios and their main motivations. In this paper a new IDS alert correlation method is proposed that can be used to detect attack scenarios in real-time. The proposed method is based on a causal approach due to the strength of causal methods in ...
arXiv:cs/0511043v1 [cs.CR] 11 Nov 2005 Poseidon: a 2-tier Anomaly-based Intrusion Detection System
We present Poseidon, a new anomaly based intrusion detection system. Poseidon is payload-based, and presents a two-tier architecture: the first stage consists of a Self-Organizing Map, while the second one is a modified PAYL system [22]. Our benchmarks on the 1999 DARPA data set [15] show a higher detection rate and lower number of false positives than PAYL and PHAD.
arXiv:cs/0511043v2 [cs.CR] 7 Dec 2005 Poseidon: a 2-tier Anomaly-based Network Intrusion Detection System
We present Poseidon, a new anomaly based network intrusion detection system. Poseidon is payload-based, and has a two-tier architecture: the first stage consists of a Self-Organizing Map, while the second one is a modified PAYL system [30]. Our benchmarks on the 1999 DARPA data set [22] show a higher detection rate and lower number of false positives than PAYL and PHAD.
arXiv:cs/0511043v3 [cs.CR] 30 Jan 2006 Poseidon: a 2-tier Anomaly-based Network Intrusion Detection System
We present Poseidon, a new anomaly based network intrusion detection system. Poseidon is payload-based, and has a two-tier architecture: the first stage consists of a Self-Organizing Map, while the second one is a modified PAYL system [32]. Our benchmarks on the 1999 DARPA data set [23] show a higher detection rate and lower number of false positives than PAYL and PHAD.
Journal title:
- Computer Networks
Volume 57, Issue
Pages -
Publication date: 2013