As the number of network-based attacks continues to increase, network operations and management tasks become more and more complex. As we have come to depend on the reliable operation of networked systems, it is important to provide security measures that are both efficient in terms of processing speed and effective at detecting attacks that are not in the signature database. To this end, anomaly-based intrusion detection systems allow detection of previously unknown, never-before-seen attacks, and effectively complement signature-based detection schemes. In this paper, we evaluate a robust intrusion detection scheme with the goal of developing stand-alone devices that can be deployed in a plug-and-play manner alongside existing systems. Such devices are attractive because they allow an additional security feature to be deployed quickly without adding to the management complexity of existing systems. Our system is robust in that it is resilient to contaminated traffic that may be included in real-time training. Leveraging this advantage, we show that our detection system can self-train without the large, sanitized training data set typically required by many anomaly-based detection schemes. This feature naturally lends itself to faster deployment and to managing systems in changing environments. We demonstrate this concept by developing a physical prototype on an embedded platform. Our results show that the amount of delay introduced by the device is small. Another attractive feature of the stand-alone device is that it cannot be tampered with without physical access to the device, even if the host systems are compromised.
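The abstract's central claim, that a detector can self-train on live traffic even when some of that traffic is already attack-like, rests on the choice of estimator. The following added example (constructed here to illustrate the idea; it is not the paper's scheme, and the connection-rate feature, the 400 connections/s burst value and the mean/median thresholds are all assumptions) trains two one-dimensional threshold detectors on the same contaminated window: a classic mean-plus-3-sigma rule and a median-plus-3-MAD rule. With 20% of the training window consisting of attack-like bursts, the non-robust threshold is dragged above the burst rate and misses the attack, while the robust threshold stays close to the normal baseline.

```python
"""Why a robust estimator matters when an anomaly detector self-trains on
live, possibly contaminated traffic.  Constructed example; the feature, the
thresholds and the traffic values are assumptions, not the paper's scheme."""
import statistics
from typing import List, Tuple

# Constructed feature: new connections per second observed on the wire.
NORMAL_RATE = 20.0   # assumed baseline for normal traffic
ATTACK_RATE = 400.0  # assumed rate of an attack-like burst
MAD_SCALE = 1.4826   # makes MAD comparable to the std-dev of normal data


def make_training_stream(n: int, contamination: float) -> List[float]:
    """Deterministic constructed window of n samples (values 15..25), with a
    fraction `contamination` of them replaced by attack-like bursts spread
    evenly through the window, as if the attack were under way while the
    device was learning."""
    stream = [NORMAL_RATE + ((i * 7) % 11) - 5 for i in range(n)]
    n_bad = round(n * contamination)
    if n_bad:
        step = n // n_bad
        for j in range(n_bad):
            stream[j * step] = ATTACK_RATE
    return stream


def mean_std_threshold(xs: List[float], k: float = 3.0) -> float:
    """Classic mean + k*sigma threshold. Every sample, including the attack
    bursts that leaked into the training window, pulls both estimates up."""
    mu = statistics.fmean(xs)
    sigma = statistics.pstdev(xs)
    return mu + k * sigma


def median_mad_threshold(xs: List[float], k: float = 3.0) -> float:
    """Median + k*MAD threshold. Both statistics ignore a minority of extreme
    values, so a contaminated training window barely moves them."""
    med = statistics.median(xs)
    mad = statistics.median([abs(x - med) for x in xs])
    return med + k * MAD_SCALE * mad


def is_anomalous(x: float, threshold: float) -> bool:
    """Flag a sample whose feature value exceeds the learned threshold."""
    return x > threshold


def compare(contamination: float, n: int = 100) -> Tuple[float, float]:
    """Self-train both estimators on the same window and return
    (mean/std threshold, median/MAD threshold)."""
    window = make_training_stream(n, contamination)
    return mean_std_threshold(window), median_mad_threshold(window)


if __name__ == "__main__":
    for p in (0.0, 0.2):
        naive, robust = compare(p)
        print(f"contamination={p:.0%}: mean/std threshold={naive:.1f}, "
              f"median/MAD threshold={robust:.1f}; "
              f"burst of {ATTACK_RATE:.0f}/s flagged: "
              f"naive={is_anomalous(ATTACK_RATE, naive)}, "
              f"robust={is_anomalous(ATTACK_RATE, robust)}")
```

With a clean window both rules flag the burst; with a 20% contaminated window only the median/MAD rule still does, because the mean and standard deviation absorb the bursts into the "normal" model. A real device would apply the same idea to several traffic features and refresh the window continuously, which is what makes sanitized offline training data unnecessary.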