Conference: International Conference on Computing for Sustainable Global Development

Detection and update method for attack behavior models in intrusion detection systems


Abstract

Intrusion Detection Systems (IDSes) are essential for network monitoring. Most IDSes store a large number of attack signatures and produce voluminous alert logs. The detection and update methods of current IDSes have two problems. First, because a massive amount of log data is sent to the administrator, it is hard to decide which alerts correspond to a real intrusion into the network. Second, signatures for malicious network packets are stored in a database, and as new attacks are recorded the database keeps growing. In this paper, we propose a Petri net-based method that detects the attack behavior leading to an intrusion, thereby reducing the number of alerts. We then propose an update method that fuses two or more similar attack behavior models. Finally, we show the effectiveness of these methods with an example and an experiment.
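The abstract gives only the outline of the approach: model a multi-step attack as a Petri net whose transitions are fired by individual IDS alerts, report an intrusion only when the net's goal place becomes marked, and grow the model base by fusing nets that are similar rather than storing a new one per attack. The following is an added illustration in Python, not the paper's code; the paper's actual net construction, similarity measure and fusion rule are not stated in the abstract. The signature names (SCAN, SSH_BRUTE, WEB_SHELL, PRIV_ESC), the 1-safe (token-set) marking, the Jaccard similarity over transition labels, and the alert streams are all constructed assumptions for the example.

```python
"""Toy Petri-net alert correlation and model fusion (illustrative example only)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Transition:
    """One net transition, fired by a single IDS alert signature."""
    signature: str
    inputs: FrozenSet[str]   # places that must each hold a token before firing
    outputs: FrozenSet[str]  # places that receive a token after firing


@dataclass(frozen=True)
class AttackNet:
    """A 1-safe Petri net describing one multi-step attack behavior (assumed model)."""
    name: str
    transitions: Tuple[Transition, ...]
    initial: FrozenSet[str]
    goal: str  # marking this place means the attack behavior is complete

    def by_signature(self) -> Dict[str, Transition]:
        return {t.signature: t for t in self.transitions}


def correlate(net: AttackNet, alerts: Iterable[str]) -> Tuple[bool, List[str]]:
    """Replay raw alert signatures through the net.

    Returns (goal reached, signatures that actually fired). Alerts that do not
    belong to the net, or arrive before their preconditions hold, are dropped
    instead of being escalated to the administrator.
    """
    marking = set(net.initial)
    lookup = net.by_signature()
    fired: List[str] = []
    for sig in alerts:
        t = lookup.get(sig)
        if t is None or not t.inputs <= marking:
            continue  # unrelated or out-of-order alert: no state change
        marking -= t.inputs
        marking |= t.outputs
        fired.append(sig)
        if net.goal in marking:
            return True, fired
    return False, fired


def similarity(a: AttackNet, b: AttackNet) -> float:
    """Jaccard similarity of the two nets' transition-signature sets (assumed measure)."""
    sa = {t.signature for t in a.transitions}
    sb = {t.signature for t in b.transitions}
    return len(sa & sb) / len(sa | sb)


def fuse(a: AttackNet, b: AttackNet, threshold: float = 0.5) -> Optional[AttackNet]:
    """Merge two similar nets into one by taking the union of their transitions.

    Transitions that share a signature must be defined identically. Returns
    None when the nets are not similar enough (or pursue different goals), so
    the caller keeps them as separate models instead.
    """
    if similarity(a, b) < threshold or a.goal != b.goal:
        return None
    merged = a.by_signature()
    for t in b.transitions:
        if merged.setdefault(t.signature, t) != t:
            raise ValueError(f"conflicting definition for transition {t.signature}")
    return AttackNet(f"{a.name}+{b.name}", tuple(merged.values()),
                     a.initial | b.initial, a.goal)


def T(sig: str, inputs: Iterable[str], outputs: Iterable[str]) -> Transition:
    return Transition(sig, frozenset(inputs), frozenset(outputs))


# Two hypothetical attack behavior models that differ only in how the foothold is gained.
NET_SSH = AttackNet("ssh-foothold", (
    T("SCAN", ["start"], ["scanned"]),
    T("SSH_BRUTE", ["scanned"], ["foothold"]),
    T("PRIV_ESC", ["foothold"], ["compromised"]),
), frozenset(["start"]), "compromised")

NET_WEB = AttackNet("webshell-foothold", (
    T("SCAN", ["start"], ["scanned"]),
    T("WEB_SHELL", ["scanned"], ["foothold"]),
    T("PRIV_ESC", ["foothold"], ["compromised"]),
), frozenset(["start"]), "compromised")

# Constructed alert streams (signature IDs in arrival order), standing in for IDS logs.
STREAM_SSH = ["ICMP_PING", "SCAN", "SSH_BRUTE", "ICMP_PING", "PRIV_ESC"]
STREAM_WEB = ["SCAN", "WEB_SHELL", "PRIV_ESC"]
STREAM_NOISE = ["PRIV_ESC", "SSH_BRUTE", "SCAN"]  # same signatures, wrong order


if __name__ == "__main__":
    fused = fuse(NET_SSH, NET_WEB)
    for net in (NET_SSH, NET_WEB, fused):
        for label, stream in (("ssh", STREAM_SSH), ("web", STREAM_WEB), ("noise", STREAM_NOISE)):
            hit, fired = correlate(net, stream)
            print(f"{net.name:28} {label:6} intrusion={hit!s:5} fired={fired}")
```

Five raw alerts in STREAM_SSH collapse into one intrusion report, and the reordered STREAM_NOISE produces none even though it contains the same signatures, which is the alert-reduction effect the abstract describes. Fusing the two nets keeps a single model that still recognises both attack paths; in a real deployment the similarity threshold and the conflict rule for same-named transitions would need to be chosen deliberately, since an over-eager merge can also merge in a path that never occurs.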
