Adaptive Real Time Intrusion Detection Systems

Date

2003-02-22

Abstract

A real-time intrusion detection system (IDS) has several performance objectives: good detection coverage, economy in resource usage, resilience to stress, and resistance to attacks upon itself. In this thesis, we argue that these objectives are trade-offs that must be considered not only in IDS design and implementation but also in deployment, and in an adaptive manner. A real-time IDS should adapt its performance by optimizing its configuration at run-time, and we use classical optimization techniques to determine an optimal configuration. We describe an IDS architecture with multiple dynamically configured front-end and back-end detection modules and a monitor. The front-end performs the real-time analysis and detection, while less time-critical tasks may be executed at the back-end. To support performance adaptation, the front-end is extended with two modules: performance monitoring and dynamic reconfiguration. The IDS run-time performance is measured periodically, and detection strategies and workload are dynamically redistributed among the detection modules according to the resource constraints and a cost-benefit analysis. The back-end also performs scenario (or trend) analysis to recognize on-going attack sequences, so that predictions of likely forthcoming attacks can be used to pro-actively and optimally configure the IDS. The adaptive IDS showed better performance when operating conditions changed and the IDS was stressed or overloaded. By reconfiguring, the adaptive IDS minimized packet drops and gave priority to critical attacks with relatively higher damage cost, thereby ensuring maximum value from the IDS. The overheads of monitoring and reconfiguration were found to be negligible.
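The reconfiguration loop the abstract describes (measure load periodically, then pick the set of detection modules the front-end can afford under a cost-benefit criterion, deferring the rest to the back-end) can be illustrated with a small model. The following is an added example and not code from the thesis: it treats module selection as a 0/1 knapsack over per-packet CPU cost, maximizing the total damage cost covered, so that under overload the most damaging attack classes keep being detected in real time and packets are not dropped. The module names, their CPU and damage-cost figures, the one-core CPU budget and the PerformanceMonitor class are all constructed assumptions for illustration.

```python
"""Runtime reconfiguration of IDS detection modules by cost-benefit knapsack.

Added illustration, not the thesis's own code. All module names, costs
and budget figures below are constructed for the example.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import List, Tuple


@dataclass(frozen=True)
class DetectionModule:
    name: str
    cpu_us: float        # assumed per-packet CPU cost in microseconds
    damage_cost: float   # assumed damage cost of the attacks it detects


# Constructed module inventory (hypothetical numbers).
MODULES = [
    DetectionModule("syn_flood",    2.0, 9.0),
    DetectionModule("port_scan",    1.0, 3.0),
    DetectionModule("http_exploit", 5.0, 8.0),
    DetectionModule("dns_tunnel",   4.0, 5.0),
    DetectionModule("icmp_probe",   0.5, 1.0),
]


def per_packet_budget_us(cpu_us_per_sec: float, observed_pps: float) -> float:
    """CPU time the front-end may spend per packet at the observed packet
    rate without falling behind, i.e. without dropping packets."""
    if observed_pps <= 0:
        return float("inf")
    return cpu_us_per_sec / observed_pps


def choose_front_end(modules: List[DetectionModule],
                     budget_us: float) -> Tuple[List[DetectionModule], float]:
    """Exact 0/1 knapsack by subset enumeration: maximise the damage cost
    covered subject to the per-packet CPU budget. Ties prefer the cheaper
    subset. Enumeration is fine for a handful of modules; a DP over
    integer-scaled costs would be needed for dozens."""
    best_set: Tuple[DetectionModule, ...] = ()
    best_value, best_cost = -1.0, 0.0
    for r in range(len(modules) + 1):
        for subset in combinations(modules, r):
            cost = sum(m.cpu_us for m in subset)
            if cost > budget_us:
                continue
            value = sum(m.damage_cost for m in subset)
            if value > best_value or (value == best_value and cost < best_cost):
                best_set, best_value, best_cost = subset, value, cost
    return list(best_set), best_value


def reconfigure(modules: List[DetectionModule], cpu_us_per_sec: float,
                observed_pps: float):
    """Split modules into the real-time front-end set and the deferred
    back-end set for the current load."""
    budget = per_packet_budget_us(cpu_us_per_sec, observed_pps)
    front, _ = choose_front_end(modules, budget)
    front_names = {m.name for m in front}
    back = [m for m in modules if m.name not in front_names]
    return front, back


class PerformanceMonitor:
    """Periodic measurement (assumed design): keeps the last `window`
    interval samples of packet rate and reports a smoothed rate that
    drives reconfiguration."""

    def __init__(self, window: int = 3):
        self.window = window
        self.samples: List[float] = []

    def record(self, packets_seen: int, interval_s: float) -> float:
        self.samples.append(packets_seen / interval_s)
        self.samples = self.samples[-self.window:]
        return self.current_pps()

    def current_pps(self) -> float:
        return sum(self.samples) / len(self.samples) if self.samples else 0.0


if __name__ == "__main__":
    CPU_US_PER_SEC = 1_000_000.0  # assumed: one core, fully available
    for seen, label in ((50_000, "normal"), (200_000, "overload")):
        mon = PerformanceMonitor()
        pps = mon.record(seen, 1.0)  # constructed one-second sample
        front, back = reconfigure(MODULES, CPU_US_PER_SEC, pps)
        print(label, "front-end:", [m.name for m in front],
              "back-end:", [m.name for m in back])
```

At 50,000 packets/s the per-packet budget is 20 us and every module stays on the front-end; at 200,000 packets/s the budget falls to 5 us, and the selection keeps syn_flood, port_scan and icmp_probe (covered damage cost 13) while http_exploit and dns_tunnel move to the back-end, even though http_exploit alone would fit the budget, because it covers less damage cost than the cheaper trio.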

Keywords

real time intrusion detection, performance metrics, performance adaptation, optimization

Degree

MS

Discipline

Computer Networking