A behavior-based intrusion prevention system


Bibliographic Details
Main Authors: Bundang, M. A., Ong, Arlyn Verina L., Goyena, K., Sy, M., Limengco, J. R., Cu, Gregory G.
Format: text
Published: Animo Repository 2008
Online Access:https://animorepository.dlsu.edu.ph/faculty_research/8592
Institution: De La Salle University
Description
Summary: Current intrusion prevention systems rely heavily on a signature database to detect network attacks. This system provides an alternative to such systems by identifying attacks based on their behavior, which may enable detection of undocumented attacks. The system works by undergoing a training period during which the behavior of the network is gathered and modeled as a reference; rules are then generated from this model. Network traffic that violates any of the rules is blocked by the system, which is implemented as an in-line device monitoring traffic from the Internet to the local network and traffic from the local network to both inside and outside networks. To quantify the accuracy and efficiency of the system, several tests were run, with the variables being the duration of the training phase and the network to which the attacker belongs, either the inside or the outside network. The test results include the time delay before an attack is detected, the classification of attacks identified and flagged, and the rules violated relative to the training phase. From the results, it can be deduced that the system is faithful to, and dependent on, the model. It is able to detect all of the attacks with minimal detection delay, the same attacks detected by the third-party system used for comparison, Snort. However, when valid non-malicious packets that resemble those from attacks are inserted during the modeling phase, the accuracy of the system drops by 50%, leaving it unable to detect half of the attacks tested. The number and type of parameters included in the model and in the traffic analysis also limit the types of attacks the system can detect. Given these findings, the system shows probable potential as a solution to the limitations of pattern-based intrusion prevention systems and to zero-day (day 0) attacks.
Still, improvements to the implementation of the system, such as increasing the number of traffic parameters modeled and analyzed, are necessary to achieve maximum accuracy. The system can also be deployed together with pattern-based systems to form future hybrid detection systems.