TY - GEN
T1 - Improving the accuracy of network intrusion detection systems under load using selective packet discarding
AU - Papadogiannakis, Antonis
AU - Polychronakis, Michalis
AU - Markatos, Evangelos P.
PY - 2010/4/13
Y1 - 2010/4/13
N2 - Under conditions of heavy traffic load or sudden traffic bursts, the peak processing throughput of network intrusion detection systems (NIDS) may not be sufficient for inspecting all monitored traffic, and the packet capturing subsystem inevitably drops excess arriving packets before delivering them to the NIDS. This impedes the detection ability of the system and leads to missed attacks. In this work we present selective packet discarding, a best effort approach that enables the NIDS to anticipate overload conditions and minimize their impact on attack detection. Instead of letting the packet capturing subsystem randomly drop arriving packets, the NIDS proactively discards packets that are less likely to affect its detection accuracy, and focuses on the traffic at the early stages of each network flow. We present the design of selective packet discarding and its implementation in Snort NIDS. Our experiments show that selective packet discarding significantly improves the detection accuracy of Snort under increased traffic load, allowing it to detect attacks that would have otherwise been missed.
AB - Under conditions of heavy traffic load or sudden traffic bursts, the peak processing throughput of network intrusion detection systems (NIDS) may not be sufficient for inspecting all monitored traffic, and the packet capturing subsystem inevitably drops excess arriving packets before delivering them to the NIDS. This impedes the detection ability of the system and leads to missed attacks. In this work we present selective packet discarding, a best effort approach that enables the NIDS to anticipate overload conditions and minimize their impact on attack detection. Instead of letting the packet capturing subsystem randomly drop arriving packets, the NIDS proactively discards packets that are less likely to affect its detection accuracy, and focuses on the traffic at the early stages of each network flow. We present the design of selective packet discarding and its implementation in Snort NIDS. Our experiments show that selective packet discarding significantly improves the detection accuracy of Snort under increased traffic load, allowing it to detect attacks that would have otherwise been missed.
KW - Intrusion detection
KW - Overload control
KW - Selective packet discarding
UR - https://www.scopus.com/pages/publications/77952346235
U2 - 10.1145/1752046.1752049
DO - 10.1145/1752046.1752049
M3 - Conference contribution
AN - SCOPUS:77952346235
SN - 9781450300599
T3 - Proceedings of the 3rd European Workshop on System Security, EUROSEC'10
SP - 15
EP - 21
BT - Proceedings of the 3rd European Workshop on System Security, EUROSEC'10
PB - Association for Computing Machinery (ACM)
T2 - 3rd European Workshop on System Security, EUROSEC 2010
Y2 - 13 April 2010 through 13 April 2010
ER -