Title :
Adaptive context-aware packet filter scheme using statistic-based blacklist generation in network intrusion detection
Author :
Meng, Yuxin ; Kwok, Lam-for
Author_Institution :
Comput. Sci. Dept., City Univ. of Hong Kong, Hong Kong, China
Abstract :
By using string matching, signature-based network intrusion detection systems (NIDSs) can achieve higher accuracy and a lower false alarm rate than anomaly-based systems. But the matching process is very expensive with respect to the performance of a signature-based NIDS: its cost is at least linear in the size of the input string, and the CPU occupancy rate can exceed 80 percent in the worst case. This problem greatly limits the performance of a signature-based NIDS in a large operational network. In this paper, we present a context-aware packet filter scheme aimed at mitigating this problem. In particular, our scheme incorporates a list technique, namely a blacklist, to help filter network packets based on the confidence of the IP domains. Moreover, our scheme adapts and updates the blacklist contents using a statistic-based blacklist generation method that follows the actual network environment. In the experiment, we implemented our scheme and present the first experimental evaluation of its effectiveness.
Keywords :
IP networks; security of data; statistical analysis; string matching; CPU occupancy rate; IP domains; adaptive context-aware packet filter scheme; false alarm rate; signature-based network intrusion detection system; statistic-based blacklist generation; string matching; Engines; IP networks; Intrusion detection; Monitoring; Payloads; Table lookup; blacklist; intrusion detection; network packet filter
Conference_Titel :
Information Assurance and Security (IAS), 2011 7th International Conference on
Conference_Location :
Melaka
Print_ISBN :
978-1-4577-2154-0
DOI :
10.1109/ISIAS.2011.6122798