NESG

Uso de Funciones Compendio en la Detección de Anomalías mediante N3

Rolando Salazar-Hernández; Jesús Esteban Díaz Verdejo; Pedro García-Teodoro; Gabriel Maciá-Fernández; Francisco de Toro Negro
Abstract:
The Nearest Normal Neighbor (N3) is an anomaly-based intrusion detection system that has demonstrated good detection capabilities when applied to the HTTP protocol. Nevertheless, N3 has a high computational cost, as it is based on comparing the target HTTP payload against every payload in the normality model. The cost is proportional to the length of the payloads and to the number of elements in the model. The present paper explores the use of hash functions as a method to reduce the computational cost of the system by decreasing the average length of the payloads. The model is, therefore, composed of fixed-length hashes of each payload in the original model, and the hash of the target payload is compared against this model. The results obtained for SHA256 and SHA512 show a large decrease in computational cost with a reduced impact on the system's performance.
Year:
2007
Type of Publication:
In Proceedings
Editor:
VI Jornadas Ingeniería Telemática, JITEL 2007