A Sampling Method for Intrusion Detection System

  • Zhuo Ning
  • Jian Gong
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5297)


It is well known that Intrusion Detection System (IDS) does not scale well with Gigabit links. Unlike the other solutions that try to increase the performance of IDS by the distributed architecture, we develop a novel sampling method IDSampling whose sampling rate is adaptive to the memory bottleneck consumption to capture attack packets as many as possible by analyzing characteristics of the attack traffic. IDSampling applies a single sampling strategy based on four traffic feature entropies when large-scale traffic anomaly occurs, and another complicated one instructed by the feedback of the following detection results by default. The results of experiment show that IDSampling can help IDS to remain effective even when it is overloaded. And compared with the other two notable sampling method, packet sampling and random flow sampling, IDSampling outperforms them greatly, especially in low sampling rate.


Intrusion detection system sampling multistage bloom filter feature entropy 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bos, H., Huang, K.: Towards Software-Based Signature Detection for Intrusion Prevention on the Network Card. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 102–123. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  2. 2.
    Cho, Y., Mangione-Smith, W.: Fast reconfiguring deep packet filter for 1+gigabit network. In: IEEE Symposium on Field-Programmable Custom Com[putting Machines (FCCM), NaPa, CA (April 2005)Google Scholar
  3. 3.
    Fanklin, R., Caraver, D., Hutchings, B.: Assisting network intrusion detection with reconfigurable hardware. In: Proceedings from filed Programmable Custom Computing Machines (2002)Google Scholar
  4. 4.
    Chen, X.x., fang, B.x.: The architecture of Intrusion detection system in high-speed network. Computer research development, [J] 41(9), 1481–1487 (2004)Google Scholar
  5. 5.
    Charitakis, I., Anagnostakis, K., Markatos, E.: An active traffic splitter architecture for intrusion detection. In: Proceedings of 11th IEEE/ACM International Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems (MASCOTS 2003), Orlando, October 2003, pp. 238–241 (2003)Google Scholar
  6. 6.
    Lakhina, A., Crovella, M., Diot, C.: Mining Anomalies Using Traffic Feature Distributions. In: Proc. ACM SIGCOMM 2005, Philadelphia, PA, USA (August 2005)Google Scholar
  7. 7.
    J.MAI, ,SRIDHARDAN, A.,Chuah, C.N, Aang, H., Impack of packet sampling on portscan detection. IEEE Journal on Selected Areas in Communication(2006). Google Scholar
  8. 8.
    Mai, J., Chuah, C.N., Sridharan, A., Ye, T., Zang, H.: Is sampled data sufficient for anomaly detection? In: Proc. of the 6th ACM SIGCOMM on Internet measurement, Brazil (2006)Google Scholar
  9. 9.
    Brauckhoff, D., Tellenbach, B., Wagner, A.: Impact of packet sampling on anomaly detection metrics. In: Proc. ACM SIGCOMM 2006, Rio de Janeriro, Brazil (2006)Google Scholar
  10. 10.
    Estan, C., Varghese, G.: New Directions in Traffic Measurement and Accounting[C]. In: SIGCOMM 2002, pp. 270–313 (August 2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Zhuo Ning
    • 1
    • 2
  • Jian Gong
    • 1
    • 2
  1. 1.School of Computer Science and EngineeringSoutheast UniversityNanjingChina
  2. 2.Jiangsu Provincial Key Laboratory of Computer Network TechnologyNanjingChina

Personalised recommendations