Design of a Hybrid Network Intrusion Detection System (A Hybrid NIDS)

Abstract

Network Intrusion Detection Systems (NIDSs) are widely-deployed security tools for detecting cyber-attacks and activities conducted by intruders for observing network traffic. There are two methods basis on the source of data to be analyzed in NIDSs: packet-based NIDSs and flow-based NIDSs. Packet-based NIDS has to analyze the whole payload content beside headers. In flow NIDS, rather than looking at all packets going through a network link, it looks at aggregated information of related packets of network traffic in the form of flow, so the amount of data to be analyzed is reduced.In this research, Snort -the most famous and successful NIDS- is used to detect various network attacks. The traffic which Snort worked upon is DARPA1999 benchmark dataset.Firstly, Snort was configured to detect only packet-based attacks. Then it was configured to detect both packet-based and flow-based attacks (Hybrid NIDS). The results proved the capability of Snort to detect all packet-level attacks in DARPA1999 dataset.Rest of the attacks that wasn't detected in the packet-level configuration is detectedat flow-level of the hybrid configuration. These results demonstrated the efficiency of Snort as a powerful NIDS and the efficiency of the hybrid approach to detect attacks