Packet- vs. session-based modeling for intrusion detection systems

In today's interconnected networks, intrusion detection systems (IDSs), encryption devices, firewalls and other hardware and software solutions are critical in providing complete security solutions for corporations and government agencies. Many IDS variants exist which allow security personnel to identify attack network packets primarily through the use of signature detection where the IDS "recognizes" attack packets due to their well-known signatures as those packets cross the network's gateway threshold. However, anomaly-based ID systems identify normal traffic within a network and report abnormal behavior. We report the findings of our research in the area of anomaly-based intrusion detection systems using data-mining techniques to create a decision tree model of our network using the 1999 DARPA intrusion detection evaluation data set. After the model was created, we gathered data from our local campus network and scored the new data through the model using both packet-based and session-based modeling and compare the results.