Title: Efficient decision tree for protocol analysis in intrusion detection

Authors: T. Abbes, A. Bouhoula, M. Rusinowitch

Addresses: Higher Institute of Electronics and Telecommunication of Sfax, University of Sfax, Tunisia, Route Menzel Chaker, Sfax 3000, Tunisia. ' Higher School of Communication of Tunis (Sup'Com), University of 7th November at Carthage, Tunisia, City of Communication Technologies 2083 – ARIANA. ' INRIA Nancy – Grand Est, CS 20101 – 54603 Villers les Nancy Cedex, France

Abstract: Pattern matching is a crucial factor for deriving efficient intrusion detection. However Network Intrusion Detection Systems (NIDSs) frequently ignore data semantics of captured packets and have to consider the whole payloads leading to false positives if attacks signatures are found in incorrect positions. Therefore NIDSs have to investigate in packets contents in order to determine how application layer protocols are used. We propose a combination of pattern matching and protocol analysis to better detect intrusions. While the first detection method relies on a multi-pattern matching algorithm, the second one benefits from a decision tree to select in each analysis step, the efficient test.

Keywords: intrusion detection systems; protocol analysis; pattern matching; decision trees; inference systems; network security; data semantics; packet contents.

DOI: 10.1504/IJSN.2010.037661

International Journal of Security and Networks, 2010 Vol.5 No.4, pp.220 - 235

Accepted: 22 Jan 2010
Published online: 23 Dec 2010 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article