The structure of many standalone network intrusion detection systems (NIDSs) centers around a chain of analysis that begins with packets captured by a packet filter, where the filter describes the protocols (TCP/UDP port numbers) and sometimes hosts or subnets to include or exclude from the analysis. In this work we argue for augmenting such analysis with an additional, separately filtered stream of packets. This "Secondary Path" supplements the "Main Path" by integrating sampling and richer forms of filtering into a NIDS's analysis. We discuss an implementation of a secondary path for the Bro intrusion detection system and enhancements we developed to the Berkeley Packet Filter to work in concert with the secondary path. Such an additional packet stream provides benefits in terms of both efficiency and ease of expression, which we illustrate by applying it to three forms of NIDS analysis: tracking very large individual connections, finding "heavy hitter" traffic streams, and implementing backdoor detectors (developed in previous work) with particular ease. © Springer-Verlag Berlin Heidelberg 2006.
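The following is an added illustration of the sampling idea in the abstract, not code from the paper or from Bro: a secondary stream keeps each packet independently with probability 1/rate, and per-connection counts from that sample are scaled back up to flag very large connections, so a 5000-packet connection stands out from hundreds of short ones while the detector touches only a few percent of the traffic. The traffic, the 1-in-100 rate and the 1000-packet threshold are constructed for this example.

```python
import random
from collections import Counter

# Constructed traffic: one very large connection (5000 packets) hidden among
# 200 short connections of 5 packets each, interleaved by a seeded shuffle.
def make_stream(seed=1):
    rng = random.Random(seed)
    pkts = [("10.0.0.5", "10.0.0.9", 40000, 443, 1400)] * 5000
    for i in range(200):
        pkts += [("10.0.1.%d" % i, "10.0.0.9", 50000 + i, 80, 300)] * 5
    rng.shuffle(pkts)
    return pkts

def conn_key(p):
    """Direction-independent connection key: (ip, port) endpoints in sorted order."""
    a, b = (p[0], p[2]), (p[1], p[3])
    return tuple(sorted([a, b]))

def secondary_path(pkts, rate, seed=7):
    """Emulate the secondary path's sampling filter: keep each packet independently
    with probability 1/rate, independent of what the main-path filter selects."""
    rng = random.Random(seed)
    return [p for p in pkts if rng.random() < 1.0 / rate]

def large_connections(sampled, rate, min_packets):
    """Scale per-connection sample counts back up by the sampling rate and flag
    connections whose estimated size is at least min_packets. A 5-packet
    connection can contribute at most 5 samples, so at rate 100 it can never
    reach a 1000-packet threshold; a 5000-packet one yields about 50 samples."""
    counts = Counter(conn_key(p) for p in sampled)
    return {k: c * rate for k, c in counts.items() if c * rate >= min_packets}

if __name__ == "__main__":
    pkts = make_stream()
    sampled = secondary_path(pkts, rate=100)
    print("main stream: %d packets, secondary sample: %d" % (len(pkts), len(sampled)))
    for key, est in large_connections(sampled, rate=100, min_packets=1000).items():
        print("large connection %s, estimated ~%d packets" % (key, est))
```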
Gonzalez, J. M., & Paxson, V. (2006). Enhancing network intrusion detection with integrated sampling and filtering. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 4219 LNCS, pp. 272–289). Springer Verlag. https://doi.org/10.1007/11856214_14