Efficient decision tree for protocol analysis in intrusion detection

Abstract

Pattern matching is a crucial factor for deriving efficient intrusion detection. However Network Intrusion Detection Systems (NIDSs) frequently ignore data semantics of captured packets and have to consider the whole payloads leading to false positives if attacks signatures are found in incorrect positions. Therefore NIDSs have to investigate in packets contents in order to determine how application layer protocols are used. We propose a combination of pattern matching and protocol analysis to better detect intrusions. While the first detection method relies on a multi-pattern matching algorithm, the second one benefits from a decision tree to select in each analysis step, the efficient test.