A Sampling Method for Intrusion Detection System

  • Conference paper
Challenges for Next Generation Network Operations and Service Management (APNOMS 2008)

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 5297)

Abstract

It is well known that Intrusion Detection Systems (IDS) do not scale well to Gigabit links. Unlike other solutions, which try to raise IDS performance through a distributed architecture, we develop a novel sampling method, IDSampling, whose sampling rate adapts to the consumption of the memory bottleneck so as to capture as many attack packets as possible, based on an analysis of the characteristics of attack traffic. IDSampling applies one sampling strategy, based on the entropies of four traffic features, when a large-scale traffic anomaly occurs, and by default a more complex strategy guided by feedback from the subsequent detection results. Experimental results show that IDSampling helps an IDS remain effective even when it is overloaded, and that, compared with two other notable sampling methods, packet sampling and random flow sampling, IDSampling outperforms both substantially, especially at low sampling rates.
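The abstract describes the mechanism only at a high level. The following Python sketch is added here as an illustration; it is not the authors' IDSampling code. It shows one way the entropy-driven branch and a feedback-driven default branch can be combined under a fixed sample budget and compared with uniform packet sampling on a constructed flood window. Everything beyond the abstract is an assumption: the four features are taken to be source IP, destination IP, source port and destination port (the feature set used in entropy-based anomaly detection following Lakhina et al.), the 1-bit anomaly threshold, the concentration-based weighting, the reduction of the feedback strategy to boosting (src, dst) pairs the detector has already alerted on, and the sample budget standing in for IDS memory headroom. All traffic is constructed.

```python
"""Entropy-guided packet sampling for an overloaded IDS (illustrative code written
for this page, not the authors' IDSampling implementation).

Assumed, not from the abstract: the four features are src/dst IP and src/dst port;
an anomaly is declared when any feature's entropy moves > ANOMALY_THRESHOLD bits
from a baseline; under anomaly a packet is weighted by how concentrated its values
are in the collapsed features; the feedback strategy is reduced to boosting
already-alerted (src, dst) pairs. The budget stands in for IDS memory headroom.
All traffic is constructed.
"""
import math
import random
from collections import Counter

FEATURES = ("src_ip", "dst_ip", "src_port", "dst_port")
ANOMALY_THRESHOLD = 1.0  # bits; assumed value, tune per link


def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of values."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def feature_entropies(packets):
    return {f: entropy([p[f] for p in packets]) for f in FEATURES}


def anomalous_features(baseline, window):
    """Return (collapsed, dispersed): features whose entropy fell / rose by more
    than the threshold relative to the baseline window."""
    cur = feature_entropies(window)
    collapsed = [f for f in FEATURES if baseline[f] - cur[f] > ANOMALY_THRESHOLD]
    dispersed = [f for f in FEATURES if cur[f] - baseline[f] > ANOMALY_THRESHOLD]
    return collapsed, dispersed


def entropy_weights(window, collapsed, dispersed):
    """Anomaly-mode weights: packets carrying the values traffic collapsed onto
    (e.g. the flooded victim IP) get weight ~ P(value); if nothing collapsed,
    favour rare values in the dispersed features (new sources or ports)."""
    n = len(window)
    freqs = {f: Counter(p[f] for p in window) for f in FEATURES}
    weights = []
    for p in window:
        w = 1.0
        for f in collapsed:
            w *= freqs[f][p[f]] / n
        if not collapsed:
            for f in dispersed:
                w *= n / freqs[f][p[f]]
        weights.append(w)
    return weights


def feedback_weights(window, alerted_pairs, boost=8.0):
    """Default-mode weights (assumed form): boost flows the detector already
    alerted on, sample everything else uniformly."""
    return [boost if (p["src_ip"], p["dst_ip"]) in alerted_pairs else 1.0
            for p in window]


def weighted_sample(window, weights, budget, rng):
    """Weighted sampling without replacement (Efraimidis-Spirakis A-Res):
    key = u^(1/w), keep the `budget` largest keys."""
    keyed = [(rng.random() ** (1.0 / w), p) for p, w in zip(window, weights) if w > 0]
    keyed.sort(key=lambda kp: kp[0], reverse=True)
    return [p for _, p in keyed[:budget]]


def idsampling(baseline, window, budget, alerted_pairs, rng):
    """Entropy-driven strategy under a large-scale anomaly, feedback-driven
    strategy otherwise; either way spend only `budget` packets of memory."""
    collapsed, dispersed = anomalous_features(baseline, window)
    if collapsed or dispersed:
        weights = entropy_weights(window, collapsed, dispersed)
    else:
        weights = feedback_weights(window, alerted_pairs)
    return weighted_sample(window, weights, budget, rng)


def make_traffic(rng, n_normal, n_attack):
    """Constructed packets: background web/DNS/SSH traffic to 50 servers plus a
    SYN flood from spoofed sources to one victim on port 80."""
    servers = [f"10.0.0.{i}" for i in range(1, 51)]
    pkts = [{"src_ip": f"192.168.1.{rng.randint(1, 200)}", "dst_ip": rng.choice(servers),
             "src_port": rng.randint(1024, 65535), "dst_port": rng.choice([80, 443, 53, 22]),
             "attack": False} for _ in range(n_normal)]
    pkts += [{"src_ip": ".".join(str(rng.randint(1, 254)) for _ in range(4)),
              "dst_ip": "10.0.0.7", "src_port": rng.randint(1024, 65535),
              "dst_port": 80, "attack": True} for _ in range(n_attack)]
    rng.shuffle(pkts)
    return pkts


def attack_share(sample):
    return sum(p["attack"] for p in sample) / len(sample)


def run_demo(seed=7, budget=50):
    """Compare IDSampling-style sampling with uniform packet sampling on a flood
    window at a 5% sampling rate (50 of 1000 packets)."""
    rng = random.Random(seed)
    baseline = feature_entropies(make_traffic(rng, 1000, 0))
    window = make_traffic(rng, 400, 600)
    collapsed, dispersed = anomalous_features(baseline, window)
    ids = idsampling(baseline, window, budget, set(), rng)
    uniform = rng.sample(window, budget)
    return {"collapsed": collapsed, "dispersed": dispersed,
            "idsampling_share": attack_share(ids),
            "uniform_share": attack_share(uniform)}


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` reports which features collapsed (the victim's destination IP) or dispersed (the spoofed source IPs) and the attack share of each sample. At a 5% sampling rate the entropy-guided sample is almost entirely attack packets, while uniform packet sampling simply mirrors the window's 60/40 mix; that is the low-rate regime in which the abstract claims the largest advantage. In a real IDS the per-window counters would have to be sketches rather than full `Counter` tables, since memory pressure is the reason for sampling in the first place.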

Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Ning, Z., Gong, J. (2008). A Sampling Method for Intrusion Detection System. In: Ma, Y., Choi, D., Ata, S. (eds) Challenges for Next Generation Network Operations and Service Management. APNOMS 2008. Lecture Notes in Computer Science, vol 5297. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-88623-5_43

  • DOI: https://doi.org/10.1007/978-3-540-88623-5_43

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-88622-8

  • Online ISBN: 978-3-540-88623-5

  • eBook Packages: Computer Science (R0)
