Elephant: Network Intrusion Detection Systems that Don't Forget

14 years 5 months ago

Download www.cs.cmu.edu

Modern Network Intrusion Detection Systems (NIDSs) maintain state that helps them accurately detect attacks. Because most NIDSs are signature-based, it is critical to update their rule-sets frequently; unfortunately, doing so can result in downtime that causes state to be lost, leading to vulnerabilities of attack misclassification. In this paper, we show that such vulnerabilities do exist and provide a way to avoid them. Using the open-source NIDS Snort, we present Elephant, an approach and implementation for updating rule-sets that provides a way to cause Snort to enter a safe quiescent point, load the new rules into memory, and remove the old rules from memory—all while preserving the state that is required to make sure that the NIDS does not miss attacks. We provide a critique and performance evaluation of our technique.

Michael G. Merideth, Priya Narasimhan

Real-time Traffic

Attack Misclassification | Biometrics | HICSS 2005 | Network Intrusion Detection | Safe Quiescent Point | System Sciences |

claim paper

Post Info
More Details (n/a)

Added	24 Jun 2010
Updated	24 Jun 2010
Type	Conference
Year	2005
Where	HICSS
Authors	Michael G. Merideth, Priya Narasimhan

Comments (0)

Sciweavers

Elephant: Network Intrusion Detection Systems that Don't Forget

Attack Misclassification | Biometrics | HICSS 2005 | Network Intrusion Detection | Safe Quiescent Point | System Sciences |

Explore & Download

Productivity Tools

Document Tools

Image Tools

Sciweavers