Apart from the modeling techniques, the development and deployment of anomaly-based intrusion detection systems still faces two main problems. The first is the acquisition and handling of real traffic to be used for training. The second is the better performance of signature-based IDS on known attacks. In this paper the authors propose the use of a modified version of Snort which results in a hybrid detector/classifier. This version can be used both during the training phase of the anomaly-based system and as a deployed hybrid detector and traffic sniffer. Furthermore, it can be adjusted to work as a signature-based, an anomaly-based, or a hybrid detector. In addition, it can be used to directly sniff, classify and split the network traffic according to its malicious nature, which eases the problems related to the acquisition and handling of training traffic.
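As an added illustration of the three operating modes and of the traffic-splitting idea, the following Python is not the authors' modified Snort (whose internals the abstract does not describe): a hypothetical signature table stands in for Snort rules, a byte-count z-score stands in for the anomaly model, and the sample flows are constructed.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Flow:  # one summarised network flow (constructed record type)
    src: str
    dport: int
    bytes_sent: int
    payload: bytes

# Hypothetical signature table standing in for Snort rules: (dest port, payload substring) -> alert name
SIGNATURES = {(80, b"/etc/passwd"): "web-traversal", (22, b"SSH-1.5"): "ssh-legacy-proto"}

def signature_match(flow):
    """Alert name of the first matching signature, or None (the known-attack path)."""
    for (port, needle), name in SIGNATURES.items():
        if flow.dport == port and needle in flow.payload:
            return name
    return None

def fit_baseline(flows):
    """Learn a byte-count baseline (mean, std dev) from flows believed to be clean."""
    sizes = [f.bytes_sent for f in flows]
    return mean(sizes), pstdev(sizes)

def anomaly_score(flow, baseline):
    """Z-score of the flow's byte count against the baseline (the novel-attack path)."""
    mu, sigma = baseline
    return abs(flow.bytes_sent - mu) / sigma if sigma else 0.0

def split_traffic(flows, baseline, mode="hybrid", threshold=3.0):
    """Split flows into (clean, malicious); mode is 'signature', 'anomaly' or 'hybrid'."""
    clean, malicious = [], []
    for f in flows:
        label = signature_match(f) if mode in ("signature", "hybrid") else None
        if label is None and mode in ("anomaly", "hybrid") and anomaly_score(f, baseline) > threshold:
            label = "anomaly"
        (malicious if label else clean).append((f, label))
    return clean, malicious

# Constructed sample: four ordinary flows, one known exploit string of normal size, one oversized upload
SAMPLE = [Flow("10.0.0.5", 80, 500, b"GET /index.html"), Flow("10.0.0.6", 80, 520, b"GET /about.html"),
          Flow("10.0.0.7", 443, 480, b""), Flow("10.0.0.8", 80, 510, b"GET /news.html"),
          Flow("10.0.0.9", 80, 490, b"GET /../../etc/passwd"), Flow("10.0.0.10", 80, 90000, b"POST /upload")]
BASELINE = fit_baseline(SAMPLE[:4])  # train the anomaly baseline only on the flows known to be clean

if __name__ == "__main__":
    for mode in ("signature", "anomaly", "hybrid"):
        print(mode, [(f.src, label) for f, label in split_traffic(SAMPLE, BASELINE, mode)[1]])
```

Signature-only mode catches the known exploit string but not the oversized upload, anomaly-only mode does the reverse, and hybrid mode flags both while leaving the four ordinary flows as clean training data.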
Financed by the National Centre for Research and Development under grant No. SP/I/1/77065/10 by the strategic scientific research and experimental development program:
SYNAT - “Interdisciplinary System for Interactive Scientific and Scientific-Technical Information”.