
The design and implementation of session-based IDS.

Authors :
Mizutani, Masayoshi
Shirahata, Shin
Minami, Masaki
Murai, Jun
Source :
Electronics & Communications in Japan, Part 1: Communications; Mar2006, Vol. 89 Issue 3, p46-58, 13p
Publication Year :
2006

Abstract

One of the techniques for detecting malicious communications from network traffic is to use a network-based intrusion detection system (IDS). However, since an existing IDS handles a low-risk alert for which an attack failed and a high-risk alert for which an attack succeeded in a similar manner, malicious communications cannot be detected properly unless a risk analysis is performed for each alert. This means that as the number of detection targets of the IDS increases, the cost of the risk analysis for every alert also increases proportionally. In other words, as the number of detection targets continues to increase, it becomes difficult to effectively deal with network incidents by using the IDS. In this paper, the authors focus on the fact that by continuously monitoring communications after an attack, the success or failure of the attack can be determined from the responses. They define these continuous communications as a session and design and implement a session-based IDS that enables the risk to be evaluated immediately and automatically. They also evaluate the effectiveness of the session-based IDS in an actual operating network. The results showed that this research lowered the operational cost of the IDS and enabled network incidents to be dealt with effectively. © 2005 Wiley Periodicals, Inc. Electron Comm Jpn Pt 1, 89(3): 46–58, 2006; Published online in Wiley InterScience (www.interscience.wiley.com). DOI 10.1002/ecja.20251 [ABSTRACT FROM AUTHOR]

Details

Language :
English
ISSN :
87566621
Volume :
89
Issue :
3
Database :
Complementary Index
Journal :
Electronics & Communications in Japan, Part 1: Communications
Publication Type :
Academic Journal
Accession number :
18898974
Full Text :
https://doi.org/10.1002/ecja.20251