An Attack Behavior Based Scheme To Improve IDP Performance

Master's === National Tsing Hua University === Institute of Communications Engineering === 93 === This thesis proposes an adaptive scheme to improve IDP (Intrusion Detection Prevention System) performance. Unlike an IDS (Intrusion Detection System), an IDP detects and blocks intrusions online. Therefore, performance is one of the most important issues for an IDP....

Full description

Bibliographic Details
Main Authors: Hung-Shen Wu, 吳鴻伸
Other Authors: Nen-Fu Huang
Format: Others
Language: en_US
Published: 2005
Online Access: http://ndltd.ncl.edu.tw/handle/13587992741455144239
id ndltd-TW-093NTHU5650037
record_format oai_dc
spelling ndltd-TW-093NTHU56500372016-06-06T04:11:36Z http://ndltd.ncl.edu.tw/handle/13587992741455144239 An Attack Behavior Based Scheme To Improve IDP Performance 基於攻擊行為之改進入侵偵測防禦系統效能之方法 Hung-Shen Wu 吳鴻伸 Master's National Tsing Hua University Institute of Communications Engineering 93 This thesis proposes an adaptive scheme to improve IDP (Intrusion Detection Prevention System) performance. Unlike an IDS (Intrusion Detection System), an IDP detects and blocks intrusions online. Therefore, performance is one of the most important issues for an IDP. An IDP spends much of its effort on pattern matching to detect whether any intrusion exists in a packet, and many hardware-based and software-based pattern matching algorithms have been developed to speed up this work. However, it is interesting to find that if a stream carries an attack, the signatures of the attack always appear early in the stream. That is, we do not have to inspect all the packets of a stream if no attack pattern appears in its early part. In this thesis, a scheme based on this observation is designed to improve IDP performance. The most critical issue of the scheme is how to determine the "inspection depth" of each attack, that is, how many bytes of a TCP stream need to be inspected to detect a particular attack. We determine it by training the scheme with real traffic. The accuracy of the scheme is evaluated by processing the packets captured at the 9th DEFCON, and the performance improvement is evaluated with an IXIA traffic generator. Compared to an IDP without the proposed scheme, the accuracy of an IDP with the proposed scheme is 8% lower, and the performance improvement is around 28.5%. Nen-Fu Huang 黃能富 2005 Degree thesis ; thesis 47 en_US
collection NDLTD
language en_US
format Others
sources NDLTD
author2 Nen-Fu Huang
author Hung-Shen Wu
吳鴻伸
author_sort Hung-Shen Wu
title An Attack Behavior Based Scheme To Improve IDP Performance
publishDate 2005
url http://ndltd.ncl.edu.tw/handle/13587992741455144239