A real-time network intrusion detection system for large-scale attacks based on an incremental mining approach

Bibliographic Details
Published in: Computers & Security, Vol. 28, No. 5, pp. 301-309
Main Authors: Su, Ming-Yang; Yu, Gwo-Jong; Lin, Chun-Yuen
Format: Journal Article
Language: English
Published: Amsterdam: Elsevier Ltd (Elsevier Sequoia S.A.), 01.07.2009
Summary: None of the previously proposed Network Intrusion Detection Systems (NIDSs) based on fuzzy association rules can meet real-time requirements, because they all apply static mining approaches. This study proposes a real-time NIDS with incremental mining for fuzzy association rules. By continually comparing two rule sets, one mined from online packets and the other mined from attack-free training packets, the proposed system can render a decision every 2 seconds. Thus, compared with traditional static mining approaches, the proposed system greatly improves efficiency, moving from offline detection to real-time online detection. Since the proposed system derives features from packet headers only, as in previous works based on fuzzy association rules, it focuses on large-scale attack types. Many DoS attacks were tested in this study. Experiments were performed to demonstrate the effectiveness and efficiency of the proposed system. The system should not cause false alarms, because normal programs are not expected to generate enough malformed packets, or packets that violate normal network protocols, to trigger a detection.
ISSN: 0167-4048 (print), 1872-6208 (online)
DOI: 10.1016/j.cose.2008.12.001