Network-based intrusion detection systems go active!

Eitan Menahem, Gabi Nakibly, Yuval Elovici

Proceedings of the 2012 ACM conference on Computer and communications …, 2012

In this work we investigate a new approach for detecting network-wide attacks that aim to degrade the network’s Quality of Service (QoS). To this end, a new network-based intrusion detection system (NIDS) is proposed. In contrast to the passive approach which most contemporary NIDS follow and which relies solely on production traffic monitoring, the propose NIDS takes the active approach where special crafted probes are sent according to a known probability distribution in order to monitor the network for anomalous behavior. The proposed approach takes away much of the variability of network traffic that makes it so difficult to classify, and therefore can detect subtle attacks which would not be detected passively. Furthermore, the active probing approach allows the NIDS to be effectively trained using only examples of the network’s normal states, hence enabling an effective detection of zero-day attacks …