Sciweavers

HICSS
2005
IEEE

Elephant: Network Intrusion Detection Systems that Don't Forget

14 years 6 months ago
Elephant: Network Intrusion Detection Systems that Don't Forget
Modern Network Intrusion Detection Systems (NIDSs) maintain state that helps them accurately detect attacks. Because most NIDSs are signature-based, it is critical to update their rule-sets frequently; unfortunately, doing so can result in downtime that causes state to be lost, leading to vulnerabilities of attack misclassification. In this paper, we show that such vulnerabilities do exist and provide a way to avoid them. Using the open-source NIDS Snort, we present Elephant, an approach and implementation for updating rule-sets that provides a way to cause Snort to enter a safe quiescent point, load the new rules into memory, and remove the old rules from memory—all while preserving the state that is required to make sure that the NIDS does not miss attacks. We provide a critique and performance evaluation of our technique.
Michael G. Merideth, Priya Narasimhan
Added 24 Jun 2010
Updated 24 Jun 2010
Type Conference
Year 2005
Where HICSS
Authors Michael G. Merideth, Priya Narasimhan
Comments (0)