Alaidaros, Hashem Mohammed (2017) CHID: conditional hybrid intrusion detection system for reducing false positives and resource consumption on malicious datasets. Doctoral thesis, Universiti Utara Malaysia.
Abstract
Inspecting packets to detect intrusions faces challenges when coping with a high volume of network traffic. Packet-based detection processes every payload on the wire, which degrades the performance of a network intrusion detection system (NIDS). This issue motivates a flow-based NIDS, which reduces the amount of data to be processed by examining aggregated information about related packets.
However, flow-based detection still suffers from false positive alerts because its input data is incomplete. This study proposed a Conditional Hybrid Intrusion Detection (CHID) system that combines flow-based with packet-based detection. It also aimed to improve the resource consumption of the packet-based detection approach. CHID applied attribute wrapper feature evaluation algorithms that marked malicious flows for further analysis by the packet-based detection. The Input Framework approach was employed to trigger the handoff of packet flows between the packet-based and flow-based detections. A controlled testbed experiment was conducted to evaluate the performance of the CHID detection mechanism using datasets obtained at different traffic rates. The evaluation showed that CHID gains a significant performance improvement in terms of resource consumption and packet drop rate compared to the default packet-based detection implementation. At 200 Mbps in the IRC-bot scenario, CHID reduced memory usage by 50.6% and CPU utilization by 18.1% without dropping packets. The CHID approach can mitigate the false positive rate of flow-based detection and reduce the resource consumption of packet-based detection while preserving detection accuracy. CHID can be considered a generic system applicable to the monitoring of intrusion detection systems.
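As an added illustration of the conditional handoff the abstract describes (this is not code from the thesis): flows are aggregated first, a flow-level rule marks suspicious ones, and only the packets of marked flows reach payload inspection, so most traffic never costs a payload scan. The packet format, the flow rule and the IRC signatures are simplified assumptions standing in for the thesis's wrapper feature evaluation and Input Framework.

```python
from collections import defaultdict


def mk(src, dst, dport, payloads):
    """Build constructed packets for one flow (sample data, not real traffic)."""
    return [{"src": src, "dst": dst, "dport": dport, "payload": p} for p in payloads]


# Constructed sample: one bulky HTTP flow, one chatty IRC-bot-like flow, one short DNS flow.
PACKETS = (
    mk("10.0.0.5", "93.184.216.34", 80, [b"GET / HTTP/1.1\r\n" + b"x" * 400] * 5)
    + mk("10.0.0.7", "198.51.100.9", 6667,
         [b"NICK bot1", b"USER b 0 * :b", b"JOIN #c2", b"PING", b"PONG", b"PRIVMSG #c2 :hi"])
    + mk("10.0.0.5", "10.0.0.1", 53, [b"\x12\x34" + b"\x00" * 30] * 2)
)


def aggregate_flows(packets):
    """Flow-based stage: group packets by (src, dst, dport) and keep aggregate counters."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "pkts": []})
    for p in packets:
        f = flows[(p["src"], p["dst"], p["dport"])]
        f["packets"] += 1
        f["bytes"] += len(p["payload"])
        f["pkts"].append(p)
    return flows


def mark_suspicious(flows, max_avg_payload=16, min_packets=4):
    """Assumed flow rule: many small packets to one destination (beacon-like) get marked."""
    return {k for k, f in flows.items()
            if f["packets"] >= min_packets and f["bytes"] / f["packets"] <= max_avg_payload}


def packet_inspect(packet, signatures=(b"JOIN #", b"PRIVMSG")):
    """Packet-based stage: payload signature match (assumed IRC-command signatures)."""
    return any(s in packet["payload"] for s in signatures)


def chid(packets):
    """Conditional hybrid: payload inspection runs only for flows the flow stage marked."""
    flows = aggregate_flows(packets)
    marked = mark_suspicious(flows)
    inspected, alerts = 0, set()
    for key in marked:
        for p in flows[key]["pkts"]:
            inspected += 1
            if packet_inspect(p):
                alerts.add(key)
    return {"flows": len(flows), "marked": len(marked), "inspected_packets": inspected,
            "total_packets": len(packets), "alerts": sorted(alerts)}
```

On the sample above only 6 of 13 packets are handed to payload inspection, and the IRC-like flow is the one that raises an alert.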
| Item Type: | Thesis (Doctoral) |
|---|---|
| Supervisor: | Mahmuddin, Massudi |
| Item ID: | 6950 |
| Uncontrolled Keywords: | Flow-based detection, Packet-based detection, Input Framework approach. |
| Subjects: | Q Science > QA Mathematics > QA76 Computer software |
| Divisions: | Awang Had Salleh Graduate School of Arts & Sciences |
| Date Deposited: | 06 Jan 2019 00:59 |
| Last Modified: | 02 May 2021 01:08 |
| Department: | Awang Had Salleh Graduate School of Arts and Sciences |
| Name: | Mahmuddin, Massudi |
| URI: | https://etd.uum.edu.my/id/eprint/6950 |