Enhancing network intrusion detection with integrated sampling and filtering

The structure of many standalone network intrusion detection systems (NIDSs) centers around a chain of analysis that begins with packets captured by a packet filter, where the filter describes the protocols (TCP/UDP port numbers) and sometimes hosts or subnets to include or exclude from the analysis. In this work we argue for augmenting such analysis with an additional, separately filtered stream of packets. This "Secondary Path" supplements the "Main Path" by integrating sampling and richer forms of filtering into a NIDS's analysis. We discuss an implementation of a secondary path for the Bro intrusion detection system and enhancements we developed to the Berkeley Packet Filter to work in concert with the secondary path. Such an additional packet stream provides benefits in terms of both efficiency and ease of expression, which we illustrate by applying it to three forms of NIDS analysis: tracking very large individual connections, finding "heavy hitter" traffic streams, and implementing backdoor detectors (developed in previous work) with particular ease.