State-driven stack-based network intrusion detection system

The function of a network intrusion detection system is to identify and react on any abnormal behavior determined as an attack to a network segment or a dedicated host. The proposed concept is based on a distributed network intrusion detection system (D-NIDS) integrated as a pump-in-the-stack process, based on a simplified open source network stack (light weight IP-lwIP). The small process-footprint (multi or single threaded) makes this solution suitable for all platforms and operating systems. Thus, embedded systems as well as high performance PCs or workstations may run this service without operating expense. The proposed solution differs from other solutions by a simple installation process-since no interactions are existing between the host- and the NIDS-stack- and the ability to run applications on top of the IDS (e.g. alluring-systems or sandbox systems). But the main idea is to take advantage of a mechanism known as "state-transition intrusion detection" and the integration of this mechanism into the network stack. The usage of state-transition based signatures can reduce large database entries and allows the reuse of already existing network stacks. Due to small database entries, this approach is highly scalable and can be a proper solution for small devices, PDAs, and embedded systems.