Conference Topics

A Sampling Method for Intrusion Detection System

It is well known that Intrusion Detection Systems (IDS) do not scale well with Gigabit links. Unlike other solutions that try to increase the performance of IDS through a distributed architecture, we develop a novel sampling method, IDSampling, whose sampling rate adapts to the consumption of the memory bottleneck so as to capture as many attack packets as possible by analyzing the characteristics of the attack traffic. IDSampling applies a single sampling strategy based on four traffic feature entropies when a large-scale traffic anomaly occurs, and by default another, more complicated one guided by the feedback of the subsequent detection results. The experimental results show that IDSampling can help an IDS remain effective even when it is overloaded. Compared with the other two notable sampling methods, packet sampling and random flow sampling, IDSampling outperforms them greatly, especially at low sampling rates.

Intrusion detection system; sampling; multistage Bloom filter; feature entropy

Zhuo Ning, Jian Gong

School of Computer Science and Engineering, Southeast University, Nanjing 210096, China; Jiangsu Provincial Key Laboratory of Computer Network Technology, Nanjing 210096, China

International conference

11th Asia-Pacific Network Operations and Management Symposium (APNOMS 2008)

Beijing

English

419-428

2008-10-22 (date first posted online on the Wanfang platform; does not represent the paper's publication date)