Abstract
By using string matching, signature-based network intrusion detection systems (NIDSs) can achieve a higher accuracy and lower false alarm rate than the anomaly-based systems. But the matching process is very expensive regarding to the performance of a signature-based NIDS in which the cost is at least linear to the size of the input string and the CPU occupancy rate can reach more than 80 percent in the worst case. This problem greatly limits the high performance of a signature-based NIDS in a large operational network. In this paper, we present a context-aware packet filter scheme aiming to mitigate this problem. In particular, our scheme incorporates a list technique, namely the blacklist to help filter network packets based on the confidence of the IP domains. Moreover, our scheme will adapt and update the blacklist contents by using the method of statistic-based blacklist generation according to the actual network environment. In the experiment, we implemented our scheme and showed the first experimental evaluation of its effectiveness. © 2011 IEEE.
| Original language | English |
|---|---|
| Title of host publication | Proceedings of the 2011 7th International Conference on Information Assurance and Security, IAS 2011 |
| Pages | 74-79 |
| DOIs | |
| Publication status | Published - 2011 |
| Event | 2011 7th International Conference on Information Assurance and Security, IAS 2011 - Malacca, Malaysia Duration: 5 Dec 2011 → 8 Dec 2011 |
Conference
| Conference | 2011 7th International Conference on Information Assurance and Security, IAS 2011 |
|---|---|
| Country/Territory | Malaysia |
| City | Malacca |
| Period | 5/12/11 → 8/12/11 |
Research Keywords
- blacklist
- intrusion detection
- network packet filter