A Real-Time Intrusion Detection System (IDS) for Large Scale Networks and Its Evaluations

Nei KATO  Hiroaki NITOU  Kohei OHTA  Glenn MANSFIELD  Yoshiaki NEMOTO  

Publication
IEICE TRANSACTIONS on Communications   Vol.E82-B   No.11   pp.1817-1825
Publication Date: 1999/11/25
Online ISSN: 
DOI: 
Print ISSN: 0916-8516
Type of Manuscript: Special Section PAPER (Special Issue on New Paradigms in Network Management)
Category: 
Keyword: 
intrusion detection system,  traffic monitoring,  traffic tendency,  dynamic access tress,  real-time,  

Full Text: PDF>>
Buy this Article




Summary: 
Internet communication is increasingly becoming an important element in daily life. Keeping this network safe from malicious elements is an urgent task for network management. To maintain the security level networks are generally, monitored for indications of usage with ill-intentions. Such indications are events which need to be collated, correlated and analyzed in real-time to be effective. However, on an average medium to large size network the number of such events are very large. This makes it practically impossible to analyze the information in real-time and provide the necessary security measures. In this paper, we propose a mechanism that keeps the number of events, to be analyzed, low thereby making it possible to provide ample security measures. We discuss a real-time Intrusion Detection System (IDS) for detecting network attacks. The system looks out for TCP ACK/RST packets, which are generally caused by network scans. The system can extract the tendency of network flows in real-time, based on the newly developed time-based clustering and Dynamic Access Tree creation techniques. The algorithm, implemented and deployed on a medium size backbone network using RMON (Remote MONitoring) technology, successfully detected 195 intrusion attempts during a one month period. The results of the pilot deployment are discussed. In this paper, the proposal, implementation and evaluation will be described.