Page 1:

Presentation by: Samad Najjar

Enhancing the performance of intrusion detection system using pre-process mechanisms

Supervisor: Dr. L. Mohammad Khanli

Page 2:

Outline

• Introduction
• Problems in NIDS
• Background & Related Work
• Proposed method
• Expected conclusion

Page 3:

Three basic security concerns:

• Confidentiality
• Integrity
• Availability

Intrusion detection is the detection of actions that attempt to compromise the integrity, confidentiality, or availability of a resource.

Page 4:

Page 5:

Problems in NIDS

Under high-volume traffic the NIDS cannot inspect every packet in time and drops a large number of incoming packets, which are then never matched against the signatures.

To mitigate this problem:

• Efficient algorithms for pattern matching
• Load balancing, splitting, or pre-processing of traffic (i.e. a distributed/parallel execution based approach)
• Hardware based approaches such as using graphics processing units (GPUs) or field-programmable gate array (FPGA) devices

Page 6:

Algorithms for pattern matching:

• Boyer–Moore algorithm: A fast string searching algorithm (1977). Compares the pattern with the input beginning at the rightmost character of the pattern and uses two heuristics (bad character and good suffix) to skip ahead and reduce the number of comparisons in the matching process.
• Horspool algorithm: Practical fast searching in strings (1980). Simplifies Boyer–Moore by using only the bad-character heuristic, with the purpose of achieving a more efficient implementation.
• Aho–Corasick algorithm: Efficient string matching: an aid to bibliographic search (1975). Preprocesses the patterns into a deterministic finite automaton (DFA) so that all patterns are searched for at the same time, in one pass over the input.
• Wu–Manber algorithm: Agrep, a fast approximate pattern-matching tool (1992). Created the UNIX tool agrep.
• M. Manjunath: Fast Pattern Matching Approach for Intrusion Detection Systems (2014). Combines the Aho–Corasick and Wu–Manber algorithms.
• Also: Hua et al. (2009), Bremler-Barr et al. (2010), Ďurian et al. (2010), Vespa et al. (2011), Choi et al. (2011), Kim et al. (2011), Cantone et al. (2012) and Pao and Wang (2012), etc.
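The Aho–Corasick construction listed above, as an added example that is not code from the presentation or from any of the cited papers: the signature set is compiled once into a trie with failure links (the DFA), and each payload is then scanned in a single left-to-right pass that reports every signature it contains, which is why a NIDS can check thousands of content strings without rescanning the packet per rule. The signature strings and the HTTP request below are constructed samples.

```python
"""Aho–Corasick multi-pattern search over a packet payload.

Added example, not code from the presentation or the cited papers. The
automaton is built once from the signature set (the NIDS rule-load step) and
each payload is then scanned in a single pass, reporting every signature
that occurs. Signatures and payload below are constructed samples.
"""
from collections import deque


class AhoCorasick:
    def __init__(self, patterns):
        self.patterns = [bytes(p) for p in patterns]
        self.goto = [{}]   # goto[state][byte] -> next state (the trie edges)
        self.out = [[]]    # out[state] -> ids of patterns that end at this state
        self.fail = [0]    # fail[state] -> longest proper suffix that is also a trie path
        for pid, pat in enumerate(self.patterns):
            state = 0
            for b in pat:
                nxt = self.goto[state].get(b)
                if nxt is None:
                    nxt = len(self.goto)
                    self.goto.append({})
                    self.out.append([])
                    self.fail.append(0)
                    self.goto[state][b] = nxt
                state = nxt
            self.out[state].append(pid)
        self._build_failure_links()

    def _build_failure_links(self):
        # Breadth-first over the trie so fail[] of shallower states is ready first;
        # depth-1 states keep fail = 0 (the root).
        queue = deque(self.goto[0].values())
        while queue:
            state = queue.popleft()
            for b, nxt in self.goto[state].items():
                f = self.fail[state]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(b, 0)
                # Any pattern that is a suffix of this path also ends here
                self.out[nxt].extend(self.out[self.fail[nxt]])
                queue.append(nxt)

    def search(self, data):
        """Return (offset, pattern) for every occurrence, in one pass over data."""
        matches = []
        state = 0
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for pid in self.out[state]:
                pat = self.patterns[pid]
                matches.append((i - len(pat) + 1, pat))
        return matches


# Constructed signature set and a constructed HTTP request carrying one of them
SIGNATURES = [b"/etc/passwd", b"cmd.exe", b"UNION SELECT", b"passwd"]
PAYLOAD = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"


def scan_payload(payload, patterns=SIGNATURES):
    """Build the automaton and report all signature hits in the payload."""
    return AhoCorasick(patterns).search(payload)


if __name__ == "__main__":
    for offset, sig in scan_payload(PAYLOAD):
        print(f"offset {offset}: {sig!r}")
```

Both `/etc/passwd` and the overlapping `passwd` are reported at the same input position, because the failure link of the longer pattern's final state points at the shorter pattern's final state and the output lists are merged at build time. In a real sensor the automaton is built at rule-load time and reused for every packet; Snort's default fast-pattern matcher is an Aho–Corasick variant for exactly this reason.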

Page 7:

Load balancing, splitting, or pre-processing of traffic:

• Sourdis et al.: Packet Pre-filtering for Network Intrusion Detection (2006). Combines header matching with a small prefix match on the rule content so that only candidate rules go on to full matching.
• Loiola Costa et al.: Network Intrusion Detection System Based on SOA (NIDS-SOA): Enhancing Interoperability Between IDS (2013).
• Ajith Abraham et al.: D-SCIDS: Distributed soft computing intrusion detection system (2005).
• Weizhi Meng et al.: EFM: Enhancing the Performance of Signature-based Network Intrusion Detection Systems Using Enhanced Filter Mechanism (2014).
• Yuxin Meng et al.: Adaptive blacklist-based packet filter with a statistic-based approach in network intrusion detection (2013).
• Also: Auld et al. (2007), Faezipour and Nourani (2009), Wang (2009), Alagu Priya and Lim (2010), Song and Turner (2011), Lim et al. (2012) and Neji and Bouhoula (2012), etc.
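The header-plus-prefix pre-filtering idea attributed to Sourdis et al. above, as an added example that is not the presentation's or that paper's code: rules are indexed by header fields, a packet is tested only against a short prefix of each indexed rule's content, and full signature matching runs on the surviving candidates alone. The rule set, the prefix length, the toy `full_match` stage and the packets are all constructed for this example; the rule shape only loosely imitates Snort.

```python
"""Header-plus-prefix packet pre-filtering in front of full signature matching.

Added example, not code from the presentation or from Sourdis et al. Rules
are indexed by (protocol, destination port); a packet is tested against a
short prefix of each indexed rule's content, and only rules whose prefix
occurs are handed to the expensive full-matching stage. Everything below
(rules, prefix length, packets) is constructed.
"""
from collections import defaultdict

PREFIX_LEN = 3  # assumed "small prefix" size

# Constructed rules: header part plus a content string to search for in the payload
RULES = [
    {"sid": 1001, "proto": "tcp", "dport": 80, "content": b"/etc/passwd"},
    {"sid": 1002, "proto": "tcp", "dport": 80, "content": b"cmd.exe"},
    {"sid": 1003, "proto": "tcp", "dport": 21, "content": b"SITE EXEC"},
    {"sid": 1004, "proto": "udp", "dport": 53, "content": b"\x00\x00\xfc"},
]


class PreFilter:
    def __init__(self, rules, prefix_len=PREFIX_LEN):
        self.prefix_len = prefix_len
        self.by_header = defaultdict(list)  # (proto, dport) -> rules with that header
        for rule in rules:
            self.by_header[(rule["proto"], rule["dport"])].append(rule)

    def candidates(self, pkt):
        """Rules that pass header matching and whose content prefix occurs in the payload."""
        hdr_hits = self.by_header.get((pkt["proto"], pkt["dport"]), [])
        return [r for r in hdr_hits if r["content"][: self.prefix_len] in pkt["payload"]]


def full_match(pkt, rule):
    # Stands in for the expensive per-rule content matching stage
    return rule["content"] in pkt["payload"]


def inspect(pkt, prefilter):
    """Return (sids that fire, number of rules that had to be fully evaluated)."""
    cands = prefilter.candidates(pkt)
    fired = [r["sid"] for r in cands if full_match(pkt, r)]
    return fired, len(cands)


if __name__ == "__main__":
    pf = PreFilter(RULES)
    pkt = {"proto": "tcp", "dport": 80, "payload": b"GET /../../etc/passwd HTTP/1.0\r\n"}
    print(inspect(pkt, pf), "of", len(RULES), "rules fully evaluated")
```

For the sample request only one of the four rules reaches full matching. The pre-filter cannot cause a missed detection on its own: a rule is excluded only when a true prefix of its content is absent from the payload, in which case the full content cannot be present either. The cost it saves is the full-match work on every rule whose prefix does not occur.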

Page 8:

A novel hybrid intrusion detection method integrating anomaly detection with misuse detection (2014).

Page 9:

Data mining for intrusion detection

• Clustering
  - Partition-based clustering
  - Fuzzy C-means
  - K-means
• Classification (uses a training data set)
  - Bayesian
  - Naïve Bayesian
  - Decision tree classification

Page 10:

High level pre-process mechanisms system (figure)

Page 11:

Blacklist packet filter: the architecture and deployment (figure)

Page 12:

Monitor engine in previous work:

• monitors the NIDS and its alerts
• calculates a confidence value for each source IP address
• periodically updates the blacklist from those confidence values

Weighted ratio-based blacklist generation (figure; the terms of the ratio are):

• the total number of good packets seen from the IP address
• the weight value
• the total number of bad packets seen from the IP address
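The monitor engine and blacklist filter described above, as an added example that is not the presentation's or Meng et al.'s code. The filter sits in front of the signature engine: packets from blacklisted sources are dropped without signature matching, everything else is inspected, and the engine records per source IP whether the NIDS raised an alert ("bad") or not ("good"). The weighted ratio used for the confidence, `w*bad / (good + w*bad)`, the weight, the threshold, the minimum packet count, the one-rule toy NIDS and the two-day sample traffic are all assumptions constructed for this example; the page shows only the terms of the ratio, not the formula itself.

```python
"""Adaptive blacklist-based packet filter in front of a signature NIDS.

Added example, not the presentation's or Meng et al.'s code. The NIDS
reports, per inspected packet, whether a signature fired. The monitor engine
keeps good/bad counts per source IP and periodically rebuilds the blacklist
from a weighted ratio. Formula, weight, threshold, min_packets, the toy NIDS
and the sample traffic are all assumptions constructed for this example.
"""
from collections import defaultdict


class MonitorEngine:
    """Tracks NIDS verdicts per source IP and regenerates the blacklist."""

    def __init__(self, weight=2.0, threshold=0.6, min_packets=5):
        self.weight = weight            # assumed: how much heavier a bad packet counts
        self.threshold = threshold      # assumed: confidence at which an IP is blacklisted
        self.min_packets = min_packets  # assumed: ignore IPs with too little evidence
        self.good = defaultdict(int)    # packets from the IP that raised no alert
        self.bad = defaultdict(int)     # packets from the IP that raised an alert
        self.blacklist = set()

    def observe(self, src_ip, alerted):
        if alerted:
            self.bad[src_ip] += 1
        else:
            self.good[src_ip] += 1

    def confidence(self, src_ip):
        # Assumed weighted ratio: w*bad / (good + w*bad), in [0, 1]
        g, b = self.good[src_ip], self.bad[src_ip]
        if g + b == 0:
            return 0.0
        return self.weight * b / (g + self.weight * b)

    def update_blacklist(self):
        # Periodic rebuild: an IP enters or leaves the list on its current counts
        self.blacklist = {
            ip for ip in set(self.good) | set(self.bad)
            if self.good[ip] + self.bad[ip] >= self.min_packets
            and self.confidence(ip) >= self.threshold
        }
        return self.blacklist


class BlacklistFilter:
    """Drops packets from blacklisted sources before signature matching."""

    def __init__(self, engine):
        self.engine = engine

    def handle(self, pkt, nids):
        if pkt["src"] in self.engine.blacklist:
            return "dropped"            # no signature matching spent on this packet
        alerted = nids(pkt)             # full inspection by the NIDS
        self.engine.observe(pkt["src"], alerted)
        return "alert" if alerted else "pass"


# Constructed sample: a one-rule toy NIDS and two sources from TEST-NET ranges
SCANNER, CLIENT = "203.0.113.5", "198.51.100.7"
BAD_REQ = b"GET /../../etc/passwd HTTP/1.0\r\n"
GOOD_REQ = b"GET /index.html HTTP/1.0\r\n"


def toy_nids(pkt):
    return b"/etc/passwd" in pkt["payload"]


def one_day_of_traffic():
    # scanner: 6 attack packets; client: 6 normal packets plus one that trips the rule
    pkts = [{"src": SCANNER, "payload": BAD_REQ}] * 6
    pkts += [{"src": CLIENT, "payload": GOOD_REQ}] * 6
    pkts += [{"src": CLIENT, "payload": BAD_REQ}]
    return pkts


def tally(results):
    dropped = results.count("dropped")
    return {"dropped": dropped, "inspected": len(results) - dropped}


def simulate(weight=2.0, threshold=0.6):
    """Two days of traffic with one blacklist update in between."""
    engine = MonitorEngine(weight=weight, threshold=threshold)
    flt = BlacklistFilter(engine)
    day1 = tally([flt.handle(p, toy_nids) for p in one_day_of_traffic()])
    blacklist = sorted(engine.update_blacklist())
    day2 = tally([flt.handle(p, toy_nids) for p in one_day_of_traffic()])
    return {
        "blacklist": blacklist,
        "confidence": {ip: engine.confidence(ip) for ip in (SCANNER, CLIENT)},
        "day1": day1,
        "day2": day2,
    }


if __name__ == "__main__":
    print(simulate())
```

On day one every packet is inspected; after the update the scanner is blacklisted (confidence 1.0) while the client, whose single alert is outweighed by its normal traffic (confidence 0.25), is not, so on day two the six scanner packets never reach signature matching. Two design points follow from the code: a blacklisted IP is no longer observed, so its counts never change and it cannot leave the list unless an expiry or decay is added; and a legitimate source that crosses the threshold is dropped silently, which is the false positive cost the evaluation slides measure.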

Page 13:

The results of average CPU load (ACL) for each day in previous work (figure): Snort with the packet filter versus Snort without the packet filter.

Page 14:

Expected conclusion

• A blacklist-based packet filter is effective in reducing the burden on a signature-based NIDS without lowering network security.
• The packet filter shows acceptable false positive and false negative rates.
• It reduces the time spent on signature matching, since packets from blacklisted sources are filtered out before they reach the matching engine.

Page 15:

Questions?

Thanks for your attention