Integrating More Intelligence into Your IDS - Part 2

Consider how a preprocessor can be used to introduce learning into our intrusion detection system (IDS). One can use the problem defined in Part I of this article, where the IDS is encouraged to adapt to changes in the type of traffic seen and alert administrators if the traffic is anomalous.

Before Snort, or any IDS, is able to identify what is considered anomalous, it has to learn what normal network traffic for the network it is deployed on should look like. In artificial intelligence (AI) it is called the baseline, or training. The IDS observes the traffic for some period of time and takes statistics to use later to compare the expected traffic to the seen traffic. If the network traffic is significantly different then usual traffic, an alert can be generated to indicate to the user that something strange is happening.

Since this is meant to be a proof of concept, let's consider an IDS that is monitoring Web traffic where traffic is expected to be coming in and out of one or more Web servers on port 80. This is a very trivial setup; however, it makes the preprocessor much easier to explain, test, and demonstrate.