Architecture of the Reconnaissance Intrusion Detection System (RIDS)

Document Type

Conference Proceeding

Publication Date

12-1-2004

Abstract

This paper describes the architecture and provides early test results of the Reconnaissance Intrusion Detection System (RIDS) prototype. RIDS is a session-oriented statistical tool that relies on training to mold the parameters of its algorithms, and it is capable of detecting even distributed stealthy reconnaissance attacks. It consists of two main functional modules or stages, the Reconnaissance Activity Profiler (RAP) followed by the Reconnaissance Alert Correlation (RAC), along with a Security Console. RAP is a session-oriented module capable of detecting stealthy scanning and probing attacks, while RAC is an alert-correlation module that fuses the RAP alerts into attack scenarios and discovers the distributed stealthy attack scenarios. RIDS has been evaluated against two data sets: (a) the DARPA '98 data, and (b) 3 weeks of experimental data generated using the CONEX testbed, running at average Ethernet speeds. RIDS has demonstrably achieved remarkable success; the false positive, false negative and misclassification rates found are low, less than 0.1%, for most reconnaissance attacks; they rise to about 6% for distributed highly stealthy attacks; the latter is a most challenging type of attack, which has been difficult to detect effectively until now. Thus, the RIDS system promises to provide an early warning by detecting the reconnaissance first phase of an impending attack, even if it is very stealthy and distributed. © 2004 IEEE.

Identifier

15944385611 (Scopus)

ISBN

[0780385721, 9780780385726]

Publication Title

Proceedings from the Fifth Annual IEEE Systems, Man and Cybernetics (SMC) Information Assurance Workshop

First Page

187

Last Page

194
