
Conditional Hybrid Approach for Intrusion Detection
Author(s) - Hashem Alaidaros, Massudi Mahmuddin
Publication year - 2016
Publication title - Research Journal of Information Technology
Language(s) - English
Resource type - Journals
eISSN - 2151-7959
pISSN - 1815-7432
DOI - 10.3923/rjit.2016.55.65
Subject(s) - computer science, intrusion detection system, intrusion, data mining, geology, geochemistry
Background and Objective: Inspecting every packet to detect intrusions becomes difficult at high traffic volumes. Packet-based detection processes every payload on the wire, which degrades the performance of intrusion-detection systems. This motivates a flow-based IDS approach, which reduces the amount of data to be processed by examining aggregated information about related packets in the form of flows. However, flow-based detection still generates false positive alerts because its input data is incomplete. This study proposed a model that improves packet-based performance and reduces the flow-based false positive rate by combining flow-based with packet-based detection so that each compensates for the other's shortcomings. The proposed model is named conditional hybrid intrusion detection.

Materials and Methods: In this model, only flows marked as malicious by flow-based detection are further analyzed by packet-based detection. The input framework approach was used to let packet-based detection communicate with flow-based detection. To evaluate the proposed detection method, public datasets were replayed at different traffic rates into both the proposed method and a default Bro implementation in a controlled testbed environment.

Results: Experimental evaluation shows that the proposed approach detected all infected hosts reported in the corresponding datasets. At a 200 Mbps rate, the proposed approach saves 50.6% of memory and 18.1% of CPU usage compared with default Bro packet-based detection. Experiments showed that default Bro packet-based detection can handle bandwidth up to 100 Mbps without packet drops, whereas the proposed approach handles up to 200 Mbps.
Conclusion: Experimental evaluation showed that the proposed model gains a significant performance improvement, in terms of resource consumption and packet drop rate, compared with a default Bro packet-based detection implementation. The proposed approach can mitigate the false positive rate of flow-based detection and reduce the resource consumption of packet-based detection while preserving detection accuracy. This study can be considered a skeleton model to be applied to intrusion detection or monitoring systems.
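The two-stage escalation described in Materials and Methods, as an added Python simulation that is not the authors' code and does not use Bro: stage 1 looks only at flow aggregates, stage 2 inspects payloads only for flows stage 1 marked, and the run reports how many payload bytes that stage actually touched versus a full packet-based pass. The sample traffic, the packet-count heuristic and the signature string are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample traffic: (src_ip, dst_ip, dst_port, payload). Assumption.
PACKETS = (
    [("10.0.0.5", "10.0.0.20", 80, b"GET /index.html HTTP/1.1")] * 3
    + [("10.0.0.7", "10.0.0.20", 443, b"bulk-download-chunk-" + bytes(64))] * 15
    + [("10.0.0.9", "10.0.0.20", 80, b"probe")] * 12
    + [("10.0.0.9", "10.0.0.20", 80, b"CONSTRUCTED-SIGNATURE-0001")]
)
FLOW_PACKET_THRESHOLD = 10  # assumed flow-level heuristic: many packets in one flow
PAYLOAD_SIGNATURES = [b"CONSTRUCTED-SIGNATURE-0001"]  # assumed packet-level rule


def build_flows(packets):
    """Aggregate packets into flows keyed by (src, dst, dport); payloads kept per flow."""
    flows = defaultdict(list)
    for src, dst, dport, payload in packets:
        flows[(src, dst, dport)].append(payload)
    return flows


def flow_based_mark(flows):
    """Stage 1: mark flows from aggregate counts only; payloads are never read."""
    return {key for key, payloads in flows.items()
            if len(payloads) >= FLOW_PACKET_THRESHOLD}


def packet_based_inspect(payloads):
    """Stage 2: signature match over every packet payload of one flow."""
    return any(sig in p for p in payloads for sig in PAYLOAD_SIGNATURES)


def run_conditional_hybrid(packets):
    """Flow stage first; the packet stage runs only on flows the flow stage marked.
    A marked flow with no payload hit is dropped, which is how the model trims
    flow-based false positives, while unmarked flows cost no payload inspection."""
    flows = build_flows(packets)
    marked = flow_based_mark(flows)
    inspected = sum(len(p) for key in marked for p in flows[key])
    alerts = {key[0] for key in marked if packet_based_inspect(flows[key])}
    return {"marked": marked, "alerts": alerts,
            "bytes_inspected": inspected,
            "bytes_total": sum(len(p) for _, _, _, p in packets)}


def run_packet_based(packets):
    """Baseline for comparison: inspect every payload of every flow on the wire."""
    flows = build_flows(packets)
    return {key[0] for key, payloads in flows.items() if packet_based_inspect(payloads)}
```

In the constructed sample the bulk-download flow from 10.0.0.7 is marked by stage 1 but cleared by stage 2, only 10.0.0.9 is alerted, and the hybrid run reaches the same alert set as the full packet-based pass while skipping the payloads of every unmarked flow.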