Improving Signature-Based Intrusion Detection

The prevalent use of signature-based approach in modern intrusion detection systems (IDS) emphasizes the importance of two issues associated with the performance of the approach: the rigid requirements for signature processing and the quality of signature set. The focus of this research project is on improving performance of signature-based intrusion detection.

The signature-based intrusion detection is one of the most commonly used techniques implemented in modern intrusion detection systems (IDS). This method is based on matching incoming events against a set of rules, i.e., attack signatures, to identify known intrusions. One of the major advantages of signature-based approach and the primary reason for its widespread acceptance is the predictability of its behaviour and accuracy of detection. On the other hand, there are two issues associated with this approach in practice: the performance of the matching component and the quality of the signature set.

The performance has long become a critical operation in the signature-based intrusion detection systems. The rigid performance requirements are dictated not only by increasing network speeds but also by increasing complexity and quantity of intrusion detection signatures. Constant discovery of the software vulnerabilities and novel threats demands timely addition of new attack signatures. This results in a complex, overlapping and often redundant set of attack signatures.

The aim of this research project is therefore two-fold: to develop an efficient signature matching approach and tools for analysis of the signature set quality.

Santosh Ananthakrishnan
Faculty Supervisor: 
Dr. Ali Ghorbani
New Brunswick