One of the techniques for detecting malicious communications in network traffic is to use a network-based intrusion detection system (IDS). However, because an existing IDS handles a low-risk alert (an attack that failed) and a high-risk alert (an attack that succeeded) in the same way, malicious communications cannot be detected properly unless a risk analysis is performed for each alert. This means that as the number of detection targets of the IDS increases, the cost of the risk analysis for every alert increases proportionally. In other words, as the number of detection targets continues to grow, it becomes difficult to deal effectively with network incidents by using the IDS. In this paper, the authors focus on the fact that by continuing to monitor the communications after an attack, the success or failure of the attack can be determined from the responses. They define these continued communications as a session and design and implement a session-based IDS that enables the risk to be evaluated immediately and automatically. They also evaluate the effectiveness of the session-based IDS in an actual operating network. The results showed that the session-based IDS lowered the operational cost of the IDS and enabled network incidents to be dealt with effectively.
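The idea of scoring an alert by the response observed later in the same session, as an added illustration that is not the paper's implementation: the signature table, the HTTP-like request/response records and the rule that a served 2xx response means the attempt succeeded are all constructed assumptions.

```python
"""Session-based risk evaluation: pair each signature hit on a request with the
response seen on the same session, and let the response decide the risk level."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed signature table (hypothetical names and patterns), matched against
# the request line in the same way a classic request-only IDS would.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "null-byte": re.compile(r"%00"),
}

@dataclass
class Session:
    """One request and the response observed on the same connection."""
    session_id: str
    request: str
    response_status: Optional[int]  # None while no response has been seen yet
    response_bytes: int = 0

def classify(session: Session) -> Optional[tuple]:
    """Return (signature, risk) when the request matches a signature, else None."""
    sig = next((n for n, p in SIGNATURES.items() if p.search(session.request)), None)
    if sig is None:
        return None
    if session.response_status is None:
        return (sig, "pending")  # keep the session open: the verdict needs the response
    # Assumed rule: a 2xx response with a body means the request was actually served.
    if 200 <= session.response_status < 300 and session.response_bytes > 0:
        return (sig, "high")
    return (sig, "low")  # 4xx/5xx or empty body: the attempt was rejected

def evaluate_sessions(sessions):
    """Score every session; sessions matching no signature raise no alert at all."""
    results = {}
    for s in sessions:
        verdict = classify(s)
        if verdict is not None:
            results[s.session_id] = verdict
    return results

# Constructed sample traffic (not real captures): s2 and s3 carry the same request,
# but only s3 was served, so only s3 should be escalated.
SAMPLE = [
    Session("s1", "GET /index.html HTTP/1.1", 200, 5120),
    Session("s2", "GET /files?name=../../config.ini HTTP/1.1", 403, 0),
    Session("s3", "GET /files?name=../../config.ini HTTP/1.1", 200, 1640),
    Session("s4", "GET /download?file=report.pdf%00 HTTP/1.1", None),
]

if __name__ == "__main__":
    for sid, (sig, risk) in evaluate_sessions(SAMPLE).items():
        print(f"{sid}: {sig} -> {risk}")
```

The analyst then only needs to look at the "high" verdicts, which is the cost reduction the abstract describes; "pending" sessions are re-scored once their response arrives.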
| Field | Value |
|---|---|
| Number of pages | 13 |
| Journal | Electronics and Communications in Japan, Part I: Communications (English translation of Denshi Tsushin Gakkai Ronbunshi) |
| Publication status | Published - 2006 Mar |
- IDS false positive
- Internet security
- Risk evaluation