U.S. Department of Energy
Office of Scientific and Technical Information

Characterizing and Improving Distributed Intrusion Detection Systems.

Technical Report · DOI: https://doi.org/10.2172/1139982 · OSTI ID: 1139982

Due to ever-increasing quantities of information traversing networks, network administrators are developing greater reliance upon statistically sampled packet information as the source for their intrusion detection systems (IDS). Our research is aimed at understanding IDS performance when statistical packet sampling is used. Using the Snort IDS and a variety of data sets, we compared IDS results when an entire data set is used to the results when a statistically sampled subset of the data set is used. Generally speaking, IDS performance with statistically sampled information was shown to drop considerably even under fairly high sampling rates (such as 1:5).

Acknowledgements

The authors wish to extend our gratitude to Matt Bishop and Chen-Nee Chuah of UC Davis for their guidance and support on this work. Our thanks are also extended to Jianning Mai of UC Davis and Tao Ye of Sprint Advanced Technology Labs for their generous assistance. We would also like to acknowledge our dataset sources, CRAWDAD and CAIDA, without which this work would not have been possible. Support for OC48 data collection is provided by DARPA, NSF, DHS, Cisco and CAIDA members.

Research Organization:
Sandia National Laboratories (SNL-CA), Livermore, CA (United States)
Sponsoring Organization:
USDOE National Nuclear Security Administration (NNSA)
DOE Contract Number:
AC04-94AL85000
OSTI ID:
1139982
Report Number(s):
SAND2007-7575; 520160
Country of Publication:
United States
Language:
English
