An architecture for network stream splitting in support of intrusion detection

Authors: Judd, J.D. (Dept. of Computer Science, Naval Postgraduate School, Monterey, CA, USA); McEachen, J.C.

We describe a system in which fuzzy reasoning is used to selectively reduce the amount of traffic sent to an intrusion detection system (IDS) while simultaneously reducing the number of false alarms generated by the IDS and maintaining the ability of the IDS to accurately recognize network attacks. Specifically, we apply a type of filtering we term "IDS stream splitting," which classifies each packet as either trusted or untrusted as it is encountered between the sniffer and the IDS (within the firewall). This classification allows fewer packets to be sent to an IDS devoted to examining untrusted traffic. The logic of the splitter treats each packet as part of a connection and gives it a trust ranking in [0..1] using a fuzzy logic model. Initial results indicate that this approach can significantly reduce false alarm rates while increasing system uptime.
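The following is an added illustration of the splitting architecture the abstract describes, not code from the paper. It tracks per-connection state between the sniffer and the IDS, derives a trust ranking in [0, 1] from a small Sugeno-style fuzzy model, and forwards a packet to the IDS only when its connection's trust falls below a threshold. The paper does not publish its fuzzy model, so the input features (SYN ratio, packet count, whether the destination port is an expected service), the membership-function breakpoints, the rule base, the KNOWN_PORTS set and the 0.7 routing threshold are all assumptions made for this example, and the traffic is constructed.

```python
"""Illustrative IDS stream splitter.

Added example, not the paper's code. Each packet is attributed to a
connection and the connection's trust ranking in [0, 1] is produced by a
small Sugeno-style fuzzy model. The input features, membership-function
breakpoints, rule base and 0.7 threshold are assumptions for this example;
the paper does not specify its fuzzy model.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed set of expected service ports on the protected network.
KNOWN_PORTS = {25, 53, 80, 443}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    syn: bool = False


@dataclass
class ConnState:
    """Per-connection counters the fuzzy model is evaluated over."""
    packets: int = 0
    syns: int = 0


def ramp_down(x: float, lo: float, hi: float) -> float:
    """Membership of 'low': 1 at or below lo, 0 at or above hi, linear between."""
    if x <= lo:
        return 1.0
    if x >= hi:
        return 0.0
    return (hi - x) / (hi - lo)


def fuzzy_trust(state: ConnState, dport: int) -> float:
    """Trust ranking in [0, 1] for a connection (assumed rule base)."""
    syn_ratio = state.syns / state.packets
    syn_low = ramp_down(syn_ratio, 0.2, 0.6)        # few SYNs relative to data
    syn_high = 1.0 - syn_low                        # SYN-heavy: scan/flood-like
    mature = 1.0 - ramp_down(state.packets, 1, 10)  # trust is earned over ~10 packets
    young = 1.0 - mature
    port_known = 1.0 if dport in KNOWN_PORTS else 0.0
    port_unknown = 1.0 - port_known
    # (firing strength, consequent trust level); min() acts as fuzzy AND.
    rules = [
        (min(port_known, syn_low, mature), 0.9),  # established, well-behaved service traffic
        (min(port_known, syn_low, young), 0.6),   # looks fine but little evidence yet
        (syn_high, 0.1),                          # scan/flood-like behaviour
        (port_unknown, 0.3),                      # unexpected service port
    ]
    den = sum(w for w, _ in rules)
    return sum(w * z for w, z in rules) / den if den else 0.0


class StreamSplitter:
    """Sits between sniffer and IDS; routes each packet by its connection's trust."""

    def __init__(self, threshold: float = 0.7):
        self.threshold = threshold
        self.conns: Dict[Tuple[str, str, int, str], ConnState] = {}

    def classify(self, p: Packet) -> Tuple[str, float]:
        st = self.conns.setdefault((p.src, p.dst, p.dport, p.proto), ConnState())
        st.packets += 1
        st.syns += int(p.syn)
        trust = fuzzy_trust(st, p.dport)
        return ("trusted" if trust >= self.threshold else "untrusted"), trust


def split(packets: List[Packet], threshold: float = 0.7):
    """Return (packets forwarded to the IDS, packets allowed to bypass it)."""
    splitter = StreamSplitter(threshold)
    to_ids: List[Tuple[Packet, float]] = []
    bypass: List[Tuple[Packet, float]] = []
    for p in packets:
        label, trust = splitter.classify(p)
        (bypass if label == "trusted" else to_ids).append((p, trust))
    return to_ids, bypass


def sample_traffic() -> List[Packet]:
    """Constructed traffic: one HTTPS session (SYN + 11 data packets) and a port scan."""
    https = [Packet("10.0.0.5", "10.0.0.80", 443, "tcp", syn=True)]
    https += [Packet("10.0.0.5", "10.0.0.80", 443, "tcp") for _ in range(11)]
    scan = [Packet("10.0.0.99", "10.0.0.80", port, "tcp", syn=True)
            for port in (21, 22, 23, 8080, 3389)]
    return https + scan


if __name__ == "__main__":
    to_ids, bypass = split(sample_traffic())
    print(f"{len(to_ids)} packets to IDS, {len(bypass)} packets bypass")
    for p, t in to_ids:
        print(f"  IDS <- {p.src} -> :{p.dport} syn={p.syn} trust={t:.2f}")
```

Because the "mature" membership ramps up with packet count, a brand-new connection always starts below the threshold and reaches the IDS; only after several well-behaved packets on an expected port does its trust cross 0.7 and its remaining packets bypass the IDS. Every scan probe is a one-packet SYN-only connection, so it never earns trust. In a real deployment the bypass decision should be reversible (a later anomaly on a trusted connection must be able to pull it back below threshold), and the trust threshold should be chosen against the IDS's measured detection rate on the diverted traffic, which is the trade-off the paper's "initial results" speak to.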

Published in:

Proceedings of the 2003 Joint Conference of the Fourth International Conference on Information, Communications and Signal Processing and the Fourth Pacific Rim Conference on Multimedia (Volume 3)

Date of Conference:

15-18 Dec. 2003