TY - JOUR
T1 - Towards effective and robust list-based packet filter for signature-based network intrusion detection: an engineering approach
AU - Meng, Weizhi
AU - Li, Wenjuan
AU - Kwok, Lam For
N1 - Funding Information:
This project was partly funded by the Innovation to Realization Funding Scheme of the City University of Hong Kong (under the project number 6351018).
Publisher Copyright:
© 2017 The Hong Kong Institution of Engineers.
PY - 2017/10/2
Y1 - 2017/10/2
N2 - Network intrusion detection systems (NIDSs), which aim to identify various attacks, have become an essential part of current security infrastructure. In particular, signature-based NIDSs are widely deployed in industry because of their low false-alarm rate. However, the signature matching process is a major challenge for these systems, since its cost is at least linear in the size of the input string. As a result, packet overload becomes a major issue in practice when the rate of incoming packets exceeds the maximum capacity of the intrusion detection system (IDS). To mitigate this problem, packet filtration is a promising way to reduce unwanted traffic. Motivated by this, this work designs a list-based packet filter and introduces an engineering method that combines blacklist and whitelist techniques. To further secure such filters against IP spoofing attacks, a lightweight but efficient IP verification mechanism is developed. In the evaluation, the list-based packet filter is deployed in both simulated and real network environments under honest and dishonest scenarios. Experimental results demonstrate that the developed list-based packet filter is effective for traffic filtration and workload reduction, and is robust against IP spoofing attacks.
KW - Intrusion detection system
KW - IP verification
KW - list generation
KW - network packet filter
KW - network security and performance
UR - http://www.scopus.com/inward/record.url?scp=85039149296&partnerID=8YFLogxK
U2 - 10.1080/1023697X.2017.1375437
DO - 10.1080/1023697X.2017.1375437
M3 - Journal article
AN - SCOPUS:85039149296
SN - 1023-697X
VL - 24
SP - 204
EP - 215
JO - HKIE Transactions Hong Kong Institution of Engineers
JF - HKIE Transactions Hong Kong Institution of Engineers
IS - 4
ER -