Service discrimination and audit file reduction for effective intrusion detection uri icon


  • Current IDSs can be easily overwhelmed by the the amount of information they ought to analyse. By pre-processing the information, this paper aims both to alleviate the computational overhead involved in intrusion detection and to make IDSs scalable. Regardless whether it is a sequence of network packets or a sequence of system calls, the information an IDS analyses is often redundant in at least two respects: first, every entry in the sequence may contain spurious information; second, any sequence may contain redundant subsequences. By using Rough Sets we have identified key attributes for every entry eliminating spurious information, without missing chief details. Using n-gram theory we have identified the most redundant subsequences within a sequence, and then substituting them with a fresh tag, resulting in a sequence length reduction. To make an IDS scalable we have proposed to structure the IDS as a collection of sensors, each of which is specialised to a particular service, i.e. telnet, smtp, etc. To approach service selection, we suggest the use of Hidden Markov Models, trained to detect an specific service described by a family of n-grams. Our results are encouraging, we have obtained an average reduction factor of 12. Using the service discriminator we have also written a simple, yet effective, misuse IDS. The impact over detection and false alarm ratio using reduced sequences is negligible. © Springer-Verlag Berlin Heidelberg 2004.

Publication date

  • September 1, 2005