Enhancing list-based packet filter using IP verification mechanism against IP spoofing attack in network intrusion detection

Abstract

Signature-based network intrusion detection systems (NIDSs) have become an essential part in current network security infrastructure to identify different kinds of network attacks. However, signature matching is a big suffering problem for these systems in which the cost of the signature matching is at least linear to the size of an input string. To mitigate this issue, we have developed a context-aware packet filter by means of the blacklist technique to filter out network packets for a signature-based NIDS and achieved good results. But the effect of the whitelist technique has not been explored in our previous work. In this paper, we therefore aim to develop a list-based packet filter by combining the whitelist technique with the blacklist-based packet filter under some specific conditions, and investigate the effect of the whitelist on packet filtration. To protect both the blacklist and the whitelist, we employ an IP verification mechanism to defend against IP spoofing attack. We implemented the list-based packet filter in a network environment and evaluated it with two distinct datasets, the experimental results show that by deploying with the IP verification mechanism, the whitelist technique can improve the packet filtration without lowering network security. © 2012 Springer-Verlag.