    Design and implementation of network intrusion detection system

    File
    200211026.pdf (261.0Kb)
    Date
    2004
    Author
    Jindal, Gaurav
    Abstract
    Most intrusion detection systems are based on matching signatures or rules. These rules are patterns that define the possibility of an attack occurring. Such signature-based intrusion detection systems look at incoming events and match them against the signature rules to detect known attacks. We propose a generic model of a Network Intrusion Detection System (NIDS) that includes a signature definition language, a signature-based detection engine, and alert generation and prevention schemes. This generic model is based on the signature classification techniques employed by current signature-based NIDS architectures, in which signatures are stored in main memory in the form of non-optimized trees or multi-linked list structures. At high speed, the techniques employed by signature-based systems become inefficient, resulting in performance degradation of the NIDS. We have applied a clustering and classification algorithm based on decision trees for efficient signature matching. The decision tree classifier approach creates a tree from the signature features and their discrete sets of values. The decision tree classifies the signatures on these features, so that each signature can be classified either as an individual or as a group identity. We have compared the performance of the signature detection engine based on linear as well as decision tree classification. In particular, we have shown that the tree-based classifier outperforms the linked list structure by a factor of 4 to 5 when tested by reading sample data from tcpdump files, and that the tree classifier also sustains a higher percentage of throughput at high data traffic. The detection percentage varied from 72% to 30% for the tree approach, while for the linear model it varied from 52% to 30% when packets were flooded at rates of 4000 to 16000 packets/sec, which clearly indicates that the linear classifier dropped more packets.
For multi-packet inspection we compared the sequential time-based threshold method, the adaptive threshold method and the CUSUM algorithm, and found that the adaptive threshold method and the CUSUM method perform better than the sequential time-based method in terms of producing fewer false alarms.
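The three multi-packet inspection methods named in the abstract, as an added illustration that is not code or data from the dissertation: a sequential fixed threshold, an EWMA-based adaptive threshold that alarms only after k consecutive violations, and a one-sided CUSUM (Page's test), each run over a constructed series of per-second packet counts containing one benign one-second burst and one sustained flood. The sample series, the ground-truth flood start, and every parameter value (threshold 130, alpha 0.3, beta 0.9, k 2, CUSUM mean 100, slack 10, decision limit 100) are assumptions chosen for the illustration, not values from the dissertation.

```python
"""Sequential threshold vs adaptive threshold vs CUSUM on per-second packet counts.

Added example with constructed data; none of this is from the dissertation.
"""
from typing import Dict, List, Optional

# Constructed sample (not measured data): 30 one-second bins of packet counts
# on one link. Baseline ~100 pps with jitter, a single-second benign burst at
# t=7, and a sustained flood starting at t=20.
SAMPLE_COUNTS: List[int] = [
    98, 104, 101, 97, 110, 99, 103, 160, 100, 96,
    102, 99, 105, 101, 98, 100, 103, 97, 102, 99,
    140, 150, 155, 160, 158, 162, 165, 159, 161, 163,
]
FLOOD_START = 20  # ground truth for the constructed sample


def fixed_threshold_alarms(counts: List[int], threshold: float) -> List[int]:
    """Sequential time-based method: alarm in every bin above a static threshold."""
    return [t for t, x in enumerate(counts) if x > threshold]


def adaptive_threshold_alarms(counts: List[int], alpha: float = 0.3,
                              beta: float = 0.9, k: int = 2) -> List[int]:
    """Adaptive threshold: compare each bin against (1 + alpha) times an EWMA of
    recent counts and alarm only after k consecutive violations (assumed parameters)."""
    mu = float(counts[0])  # EWMA of the traffic rate, seeded with the first bin
    violations = 0
    alarms: List[int] = []
    for t, x in enumerate(counts):
        if x > (1.0 + alpha) * mu:
            violations += 1
        else:
            violations = 0  # a single exceedance is forgotten on the next quiet bin
        if violations >= k:
            alarms.append(t)
            violations = 0
        mu = beta * mu + (1.0 - beta) * x  # update the baseline after the comparison
    return alarms


def cusum_alarms(counts: List[int], mean: float = 100.0, slack: float = 10.0,
                 h: float = 100.0) -> List[int]:
    """One-sided CUSUM (Page's test): S_t = max(0, S_{t-1} + x_t - mean - slack);
    alarm when S_t exceeds the decision limit h, then reset the statistic."""
    s = 0.0
    alarms: List[int] = []
    for t, x in enumerate(counts):
        s = max(0.0, s + (x - mean - slack))
        if s > h:
            alarms.append(t)
            s = 0.0
    return alarms


def evaluate(alarms: List[int], flood_start: int) -> Dict[str, Optional[int]]:
    """Count alarms raised before the flood (false alarms) and the delay, in bins,
    from the flood start to the first alarm at or after it (None if never detected)."""
    false_alarms = sum(1 for t in alarms if t < flood_start)
    hits = [t for t in alarms if t >= flood_start]
    delay = (hits[0] - flood_start) if hits else None
    return {"false_alarms": false_alarms, "detection_delay": delay}


def compare(counts: List[int] = SAMPLE_COUNTS,
            flood_start: int = FLOOD_START) -> Dict[str, Dict[str, Optional[int]]]:
    """Run all three detectors on the same series and score each one."""
    return {
        "sequential": evaluate(fixed_threshold_alarms(counts, 130.0), flood_start),
        "adaptive": evaluate(adaptive_threshold_alarms(counts), flood_start),
        "cusum": evaluate(cusum_alarms(counts), flood_start),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:10s} false alarms={result['false_alarms']} "
              f"detection delay={result['detection_delay']} s")
```

On this series the static threshold fires on the benign burst at t=7 (one false alarm) and then in every flood bin, while the adaptive threshold and CUSUM ignore the isolated burst and detect the flood one and two bins later respectively: the same trade-off the abstract reports, fewer false alarms bought with a little detection latency.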
    URI
    http://drsr.daiict.ac.in/handle/123456789/55
    Collections
    • M Tech Dissertations [923]

    Resource Centre copyright © 2006-2017 
    Contact Us | Send Feedback
    Theme by 
    Atmire NV