Adaptive blacklist-based packet filter with a statistic-based approach in network intrusion detection

Research output: Journal Publications and Reviews (RGC: 21, 22, 62); 21_Publication in refereed journal

26 Scopus Citations

Author(s)

Related Research Unit(s)

Detail(s)

Original language: English
Pages (from-to): 83-92
Journal / Publication: Journal of Network and Computer Applications
Volume: 39
Issue number: 1
Online published: 24 May 2013
Publication status: Published - Mar 2014

Abstract

Network intrusion detection systems (NIDS) are widely deployed in various network environments. Compared to an anomaly-based NIDS, a signature-based NIDS is more popular in real-world applications because of its relatively lower false alarm rate. However, signature matching is a key factor limiting the performance of a signature-based NIDS: its cost is at least linear in the size of the input string, and CPU occupancy can exceed 80% in the worst case. In this paper, we develop an adaptive blacklist-based packet filter using a statistic-based approach, aiming to improve the performance of a signature-based NIDS. The filter employs a blacklist technique to filter out network packets based on IP confidence, and the statistic-based approach allows the blacklist to be generated adaptively, that is, updated periodically. In the evaluation, we give a detailed analysis of how to select weight values in the statistic-based approach, and investigate the performance of the packet filter with a DARPA dataset, a real dataset and in a real network environment. Our evaluation results under various scenarios show that the proposed packet filter is effective at reducing the burden of a signature-based NIDS without affecting network security. © 2013 Elsevier Ltd.

Research Area(s)

  • Adaptive system, Blacklist generation, Network intrusion detection, Packet filter, Signature matching