• DocumentCode
    2423136
  • Title
    Elephant: Network Intrusion Detection Systems that Don't Forget
  • Author
    Merideth, Michael G. ; Narasimhan, Priya
  • Author_Institution
    Carnegie Mellon University, Pittsburgh, PA
  • fYear
    2005
  • fDate
    03-06 Jan. 2005
  • Abstract
    Modern Network Intrusion Detection Systems (NIDSs) maintain state that helps them accurately detect attacks. Because most NIDSs are signature-based, it is critical to update their rule-sets frequently; unfortunately, doing so can result in downtime that causes state to be lost, leading to vulnerabilities of attack misclassification. In this paper, we show that such vulnerabilities do exist and provide a way to avoid them. Using the open-source NIDS Snort, we present Elephant, an approach and implementation for updating rule-sets that provides a way to cause Snort to enter a safe quiescent point, load the new rules into memory, and remove the old rules from memory, all while preserving the state that is required to make sure that the NIDS does not miss attacks. We provide a critique and performance evaluation of our technique.
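    The failure mode the abstract describes, shown as an added toy illustration (this is not the paper's Elephant code, which modifies Snort itself): a minimal NIDS that reassembles a per-source byte stream and matches byte signatures against it. An attacker splits a signature across two segments; a rule-set reload that restarts the sensor between those segments drops the reassembly buffer and the attack is never seen, while a reload that swaps rules at a packet boundary and keeps the buffer still catches it. The packet stream, the two rule sets, the MAX_BUF bound, and the "packet boundary is the quiescent point" model are constructed assumptions for this example; the signatures are plain substring matches, not Snort rule syntax.

```python
"""Toy stateful NIDS: why a rule-set reload must not drop detection state.

Added illustration, not the paper's Elephant implementation. Packets,
rule sets and the quiescent-point model are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_BUF = 4096  # bounded per-source reassembly buffer (assumed value)

# Constructed two-segment stream: the signature "/cgi-bin/phf" is split so
# that no single segment contains it; only the reassembled stream does.
STREAM = [
    ("10.0.0.5", b"GET /cgi-bin/ph"),
    ("10.0.0.5", b"f?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n"),
]

# Constructed rule sets: the update adds one signature and keeps the old one.
OLD_RULES: Dict[str, bytes] = {"phf": b"/cgi-bin/phf"}
NEW_RULES: Dict[str, bytes] = {"phf": b"/cgi-bin/phf", "passwd-read": b"/etc/passwd"}


@dataclass
class ToyNids:
    rules: Dict[str, bytes]
    streams: Dict[str, bytes] = field(default_factory=dict)  # per-source reassembled bytes
    alerts: List[str] = field(default_factory=list)
    pending: Optional[Dict[str, bytes]] = None  # rules waiting for a quiescent point

    def inspect(self, src: str, payload: bytes) -> None:
        # In this toy the packet boundary is the quiescent point: no packet is
        # half-inspected here, so swapping rule sets cannot tear a match.
        if self.pending is not None:
            self.rules, self.pending = dict(self.pending), None
        buf = (self.streams.get(src, b"") + payload)[-MAX_BUF:]
        self.streams[src] = buf
        # A real sensor would de-duplicate alerts per stream; omitted here.
        for name, sig in self.rules.items():
            if sig in buf:
                self.alerts.append(f"{name} from {src}")

    def restart(self, new_rules: Dict[str, bytes]) -> None:
        """Naive reload: stop and start the process. Rules update, state is lost."""
        self.rules = dict(new_rules)
        self.streams = {}

    def hot_reload(self, new_rules: Dict[str, bytes]) -> None:
        """Elephant-style reload: queue the new rules, apply them at the next
        quiescent point, and keep the reassembly state intact."""
        self.pending = dict(new_rules)


def run(reload_method: str) -> List[str]:
    """Feed STREAM with a rule-set reload between the two segments.

    reload_method is "restart" or "hot_reload"; returns the alerts raised.
    """
    nids = ToyNids(dict(OLD_RULES))
    src, seg = STREAM[0]
    nids.inspect(src, seg)
    getattr(nids, reload_method)(NEW_RULES)  # reload happens mid-attack
    src, seg = STREAM[1]
    nids.inspect(src, seg)
    return nids.alerts


if __name__ == "__main__":
    print("restart   :", run("restart"))     # new rule fires, split attack missed
    print("hot_reload:", run("hot_reload"))  # both the new rule and the split attack fire
```

    Both strategies end up running the new rule set (the "passwd-read" alert fires either way), which is exactly why the misclassification is easy to overlook: the sensor looks healthy after the reload, and only the attack that straddled the reload window is silently dropped.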
  • Keywords
    Computer science; Condition monitoring; Data security; Databases; Intrusion detection; Open source software; Performance analysis; Protocols; Target tracking; Telecommunication traffic;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    System Sciences, 2005. HICSS '05. Proceedings of the 38th Annual Hawaii International Conference on
  • ISSN
    1530-1605
  • Print_ISBN
    0-7695-2268-8
  • Type
    conf
  • DOI
    10.1109/HICSS.2005.230
  • Filename
    1385878