The design and implementation of session-based IDS

Masayoshi Mizutani, Shin Shirahata, Masaki Minami, Jun Murai

Research output: Contribution to journalArticlepeer-review

1 Citation (Scopus)


One of the techniques for detecting malicious communications from network traffic is to use a network-based intrusion detection system (IDS). However, since an existing IDS handles a low-risk alert for which an attack failed and a high-risk alert for which an attack succeeded in a similar manner, malicious communications cannot be detected properly unless a risk analysis is performed for each alert. This means that as the number of detection targets of the IDS increases, the cost of the risk analysis for every alert also increases proportionally. In other words, as the number of detection targets continues to increase, it becomes difficult to effectively deal with network incidents by using the IDS. In this paper, the authors focus on the fact that by continuously monitoring communications after an attack, the success or failure of the attack can be determined from the responses. They define these continuous communications as a session and design and implement a session-based IDS that enables the risk to be evaluated immediately and automatically. They also evaluate the effectiveness of the session-based IDS in an actual operating network. The results showed that this research lowered the operational cost of the IDS and enabled network incidents to be dealt with effectively.

Original languageEnglish
Pages (from-to)46-58
Number of pages13
JournalElectronics and Communications in Japan, Part I: Communications (English translation of Denshi Tsushin Gakkai Ronbunshi)
Issue number3
Publication statusPublished - 2006 Mar


  • IDS false positive
  • Internet security
  • Risk evaluation


Dive into the research topics of 'The design and implementation of session-based IDS'. Together they form a unique fingerprint.

Cite this