Please use this identifier to cite or link to this item: https://www.um.edu.mt/library/oar/handle/123456789/93860

| Field | Value |
|---|---|
| Title: | Enhancing the effectiveness of signature-based detection |
| Authors: | Galea, John (2013) |
| Keywords: | Intrusion detection systems (Computer security); Computer networks -- Security measures; Computer software |
| Issue Date: | 2013 |
| Citation: | Galea, J. (2013). Enhancing the effectiveness of signature-based detection (Bachelor's dissertation). |
| Abstract: | An Intrusion Detection System (IDS) is a security tool capable of detecting ongoing attacks. It monitors network traffic or host activities in order to detect security breaches. Once an attack has been detected, an alarm is raised, prompting administrators to initiate the necessary response procedure. However, such systems raise a large number of false alarms for benign connections, which places a heavy burden on administrators, to the extent that IDSes are totally ignored. IDSes are categorised as either anomaly-based or signature-based. Although the former have a wider detection scope, their rate of false alerts is even more severe. Therefore, improving the accuracy of the latter increases the credibility of IDSes. This sets the main objective for this project, whose overall aim is to render IDSes effective and practical. A network IDS is developed by integrating a signature-based IDS with a signal-based detection component. The component monitors the effects of ongoing attacks as described by various network/host statistics, such as network packet rates or availability indicators of network services, and filters out alerts that are not raised in their presence. Network connections and statistics are collected and correlated to classify their context as dangerous or safe, and are further examined to issue justified alerts. The technique also consults a whitelist of trusted connections, and clusters similar connections to lessen the number of alerts. The original technique is extensively adapted by considering further statistics used in data-mining approaches, and by utilising statistical characteristics of alerts. Evaluation results, obtained from a benchmark IDS dataset (DARPA 1999), showed a substantial reduction of alerts, both in terms of false positives and connection clustering. The technique is most effective for the probe attacks, and has the potential to detect novel attacks. However, this benefit comes at the cost of a halved detection rate, which could be resolved through more suitable parameter settings. |
| Description: | B.Sc. IT (Hons)(Melit.) |
| URI: | https://www.um.edu.mt/library/oar/handle/123456789/93860 |
| Appears in Collections: | Dissertations - FacICT - 2013 |
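The alert-filtering pipeline the abstract sketches (signal-based context classification, whitelist, clustering), written here as an added illustration rather than the dissertation's own code; the 60-second windows, the 3-sigma packet-rate threshold and all alerts and statistics are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed signature-IDS alerts: (time_s, src_ip, dst_ip, dst_port, signature).
ALERTS = [
    (10, "10.0.0.5", "192.168.1.10", 80, "WEB-MISC probe"),
    (12, "10.0.0.5", "192.168.1.10", 22, "SSH probe"),
    (15, "10.0.0.7", "192.168.1.10", 80, "WEB-MISC probe"),
    (61, "10.0.0.9", "192.168.1.10", 80, "WEB-MISC probe"),
    (62, "10.0.0.5", "192.168.1.10", 80, "WEB-MISC probe"),
    (63, "10.0.0.5", "192.168.1.10", 22, "SSH probe"),
    (64, "10.0.0.5", "192.168.1.10", 80, "WEB-MISC probe"),
    (65, "10.0.0.7", "192.168.1.10", 80, "WEB-MISC probe"),
]
# Constructed "attack effect" signals per window: packet rate and web-service availability.
BASELINE_PPS = [100, 110, 95, 105, 100, 98]  # quiet period used to learn the normal rate
STATS = {0: {"pps": 102, "svc_up": True}, 1: {"pps": 900, "svc_up": False}}
WHITELIST = {"10.0.0.7"}  # trusted source (constructed); its connections never raise alerts
WINDOW_S = 60  # assumed correlation window length in seconds

def dangerous_windows(stats, baseline, k=3.0):
    """Windows whose packet rate deviates from baseline by more than k sigma, or where a
    monitored service went down. Only alerts raised inside such windows count as justified."""
    mu, sigma = mean(baseline), pstdev(baseline)
    return {w for w, s in stats.items() if abs(s["pps"] - mu) > k * sigma or not s["svc_up"]}

def filter_alerts(alerts, stats, baseline, whitelist):
    """Drop whitelisted sources and alerts raised in windows that show no attack effects."""
    danger = dangerous_windows(stats, baseline)
    return [a for a in alerts if a[1] not in whitelist and a[0] // WINDOW_S in danger]

def cluster_alerts(alerts):
    """Group surviving alerts by (src, dst, signature) so the operator sees one line per cluster."""
    clusters = defaultdict(list)
    for a in alerts:
        clusters[(a[1], a[2], a[4])].append(a)
    return {key: len(members) for key, members in clusters.items()}

if __name__ == "__main__":
    kept = filter_alerts(ALERTS, STATS, BASELINE_PPS, WHITELIST)
    print(f"{len(ALERTS)} raw alerts -> {len(kept)} justified alerts")
    for key, n in cluster_alerts(kept).items():
        print(f"{n} x {key}")
```

The three alerts in the quiet first window are suppressed as context-free, the whitelisted source is dropped, and the remaining four alerts collapse into three clusters; the detection-rate cost the abstract mentions shows up here as any real attack whose effects stay under the threshold.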
Files in This Item:
| File | Description | Size | Format |
|---|---|---|---|
| B.SC.(HONS)ICT_Galea_John_2013.PDF | Restricted Access | 14.64 MB | Adobe PDF |
Items in OAR@UM are protected by copyright, with all rights reserved, unless otherwise indicated.
