We describe a system in which fuzzy reasoning is used to selectively reduce the amount of traffic sent to an intrusion detection system (IDS) while simultaneously reducing the number of false alarms the IDS generates and preserving its ability to accurately recognize network attacks. Specifically, we apply a type of filtering we term "IDS stream splitting," which classifies each packet as either trusted or untrusted at the point where it is encountered between the sniffer and the IDS (within the firewall). This classification allows fewer packets to be sent to an IDS devoted to examining untrusted traffic. The splitter's logic treats each packet as part of a connection and gives it a trust ranking in [0..1] using a fuzzy logic model. Initial results indicate that this approach can significantly reduce false alarm rates while increasing system uptime.
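As an added worked example (not code from the paper), the following Python sketch implements the splitter logic the abstract describes: per-connection state is updated for each packet, a small fuzzy model turns that state into a trust value in [0, 1], and only packets from connections scoring below a threshold are forwarded to the IDS. The feature set (packet rate, connection age, fraction of malformed packets), the membership functions, the rule base and the 0.6 routing threshold are all assumptions made here for illustration; the paper does not specify them.

```python
"""Fuzzy "IDS stream splitting" demo: score each connection with a trust value
in [0, 1] and forward only packets from low-trust connections to the IDS.

Added example, not the paper's code. The features, membership functions,
rules and threshold are assumptions chosen for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed packet record carrying only what the splitter needs."""
    src: str
    dst: str
    ts: float              # capture time in seconds
    malformed: bool = False  # e.g. failed a protocol sanity check in the sniffer


@dataclass
class ConnState:
    first_ts: float
    last_ts: float
    count: int = 0
    malformed: int = 0


def ramp_down(x, a, b):
    """Membership 1.0 at or below a, 0.0 at or above b, linear in between."""
    if x <= a:
        return 1.0
    if x >= b:
        return 0.0
    return (b - x) / (b - a)


def ramp_up(x, a, b):
    """Complement of ramp_down: 0.0 at or below a, 1.0 at or above b."""
    return 1.0 - ramp_down(x, a, b)


def trust_score(rate, age, err_ratio):
    """Sugeno-style fuzzy inference producing a trust value in [0, 1].

    Inputs (assumed features): packets/second, seconds since first packet,
    fraction of malformed packets. Breakpoints are illustrative."""
    rate_low, rate_high = ramp_down(rate, 5, 50), ramp_up(rate, 5, 50)
    age_long = ramp_up(age, 1, 30)
    err_low, err_high = ramp_down(err_ratio, 0.02, 0.2), ramp_up(err_ratio, 0.02, 0.2)
    # Rule firing strengths: AND is min, OR is max.
    w_high = min(rate_low, age_long, err_low)   # slow, mature, clean -> high trust
    w_low = max(rate_high, err_high)            # bursty OR noisy -> low trust
    w_mid = max(0.0, 1.0 - max(w_high, w_low))  # whatever neither rule explains
    # Weighted average of singleton consequents (high=0.9, mid=0.5, low=0.1).
    num = 0.9 * w_high + 0.5 * w_mid + 0.1 * w_low
    den = w_high + w_mid + w_low
    return num / den if den else 0.5


class StreamSplitter:
    """Routes each packet to "ids" or "trusted" based on its connection's trust."""

    def __init__(self, threshold=0.6):
        # A fresh connection scores 0.5 (age_long == 0), so a threshold above
        # 0.5 means new connections are inspected until they mature.
        self.threshold = threshold
        self.conns = {}

    def route(self, pkt):
        key = (pkt.src, pkt.dst)
        st = self.conns.get(key)
        if st is None:
            st = self.conns[key] = ConnState(pkt.ts, pkt.ts)
        st.count += 1
        st.malformed += pkt.malformed
        st.last_ts = pkt.ts
        age = pkt.ts - st.first_ts
        rate = st.count / max(age, 1.0)   # avoid a division spike on the first packet
        err = st.malformed / st.count
        score = trust_score(rate, age, err)
        return ("ids" if score < self.threshold else "trusted"), score


def demo():
    """Constructed traffic: one steady long-lived session and one malformed burst.
    Returns a count of packets per (source, destination-path)."""
    pkts = [Packet("10.0.0.5", "10.0.0.80", ts=float(i)) for i in range(40)]  # ~1 pkt/s
    pkts += [Packet("198.51.100.9", "10.0.0.80", ts=40 + i * 0.01, malformed=(i % 3 == 0))
             for i in range(200)]                                               # ~100 pkt/s
    splitter = StreamSplitter()
    counts = defaultdict(int)
    for p in pkts:
        dest, _ = splitter.route(p)
        counts[(p.src, dest)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (src, dest), n in sorted(demo().items()):
        print(f"{src:14} -> {dest:8} {n:4d} packets")
```

With these assumed breakpoints the steady session is inspected for its first nine packets and then classified trusted, while every packet of the malformed burst reaches the IDS. The design choice worth noting is that the default state for an unknown connection is "inspect": the trust value only rises above the threshold once the connection has both aged and stayed clean, so a splitter that drops or reorders state (for example after a restart) fails toward sending more traffic to the IDS rather than less.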