Detection of DoS attacks using intrusion detection sensors

Abstract

Intrusion detection systems have usually been developed using large host-based components. These components impose an extra load on the system where they run (sometimes even requiring a dedicated system) and are subject to tampering or disabling by an intruder. Additionally, intrusion detection systems have usually obtained information about host behavior through indirect means, such as audit trails or network packet traces. This potentially allows intruders to modify the information before the intrusion detection system obtains it and slows down the detection and prevention of DoS attacks, making it possible for an intruder to hide his activities. In this paper we propose work that will attempt to show that it is possible to perform intrusion detection mechanism of DoS attacks using small sensors embedded in a computer system. These sensors will look for signs of specific intrusions. They will perform target monitoring by observing the behavior of the through an audit trail or other indirect means in real time while the Snort IDS running. Furthermore, by being built into the computer system it could provide a flexible alert sensor which may not impose a considerable extra load on the host they monitor.