Abstract
Network Intrusion Detection Systems (NIDS) are tools that monitor network traffic and alert on suspicious or harmful activity before it can cause damage. Signature-based versions of these systems are a foundation of intrusion detection: they identify recurring patterns in known attacks and encode them as signatures of malicious traffic. However, three developments in modern network environments have greatly reduced the effectiveness of signature-based NIDS: the near-complete adoption of end-to-end encryption, the use of sophisticated packet fragmentation techniques, and the processing demands of high-throughput networks. Encryption makes deep packet inspection practically infeasible by turning inspectable payloads into ciphertext, forcing NIDS to rely mainly on metadata. High-volume traffic pushes systems past their computational limits, causing them to enter "fail-open" states in which traffic passes uninspected. On top of these issues, increasingly complex rule sets introduce additional problems and create new opportunities for algorithmic complexity attacks. In response, the security industry has shifted toward hybrid detection frameworks that pair traditional signature-based NIDS with flow-based inspection and machine-learning-driven metadata analysis. This paper argues that while signature-based NIDS remain valuable against common attacks and as a first line of defense, the future of network security depends on a defense-in-depth approach, as payloads become harder to inspect and visibility continues to diminish.
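The abstract's central contrast, a payload signature that goes blind once the payload is encrypted while flow metadata still carries signal, can be shown in a few dozen lines. The following is an added example written for this page, not code from the paper or its author. Everything in it is constructed: the two signatures are toy stand-ins for a Snort-style rule set, the flows are hand-built packet lists, and `toy_encrypt` is a deterministic XOR keystream that merely makes bytes look like ciphertext (it is not a cipher and stands in for TLS only so the example runs offline). The beaconing and upload-ratio thresholds are illustrative defaults, not values from the paper.

```python
"""Toy hybrid NIDS: payload signatures beside flow-metadata heuristics.

Added example (constructed data); shows why signature matching loses
visibility under encryption while flow-level analysis does not.
"""
import hashlib
import re
import statistics
from dataclasses import dataclass

# Constructed payload signatures, in the spirit of a signature-based rule set.
SIGNATURES = {
    "sqli-union-select": re.compile(rb"union\s+select", re.IGNORECASE),
    "path-traversal-etc-passwd": re.compile(rb"\.\./.*etc/passwd"),
}


@dataclass
class Packet:
    ts: float          # seconds since the flow started
    to_server: bool    # True for client -> server
    payload: bytes


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    packets: list


def signature_alerts(flow):
    """Deep packet inspection: scan reassembled client->server bytes for known patterns."""
    client_bytes = b"".join(p.payload for p in flow.packets if p.to_server)
    return [name for name, rx in SIGNATURES.items() if rx.search(client_bytes)]


def metadata_alerts(flow, min_beacons=5, max_cv=0.1,
                    exfil_ratio=10.0, exfil_min_bytes=50_000):
    """Flow-based heuristics that need timing and sizes only, never the payload."""
    alerts = []
    # Beaconing: many client packets with near-constant spacing (low coefficient of variation).
    ts = sorted(p.ts for p in flow.packets if p.to_server)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) >= min_beacons - 1:
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            alerts.append(f"beaconing: {len(ts)} client packets every ~{mean:.0f}s")
    # Upload-heavy flow: far more bytes leaving than arriving (illustrative threshold).
    out_bytes = sum(len(p.payload) for p in flow.packets if p.to_server)
    in_bytes = sum(len(p.payload) for p in flow.packets if not p.to_server)
    if out_bytes >= exfil_min_bytes and out_bytes / max(in_bytes, 1) >= exfil_ratio:
        alerts.append(f"upload-heavy: {out_bytes} B out vs {in_bytes} B in")
    return alerts


def inspect(flow):
    """Hybrid verdict: both detection layers run on every flow."""
    return {"signature": signature_alerts(flow), "metadata": metadata_alerts(flow)}


def toy_encrypt(data, key=b"constructed-key"):
    """Stand-in for TLS: XOR with a SHA-256 keystream so bytes look like ciphertext.
    Deterministic and self-inverse for the example; NOT a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


# Constructed request that a payload signature is meant to catch.
REQUEST = (b"GET /item?id=1 UNION SELECT user,pass FROM users HTTP/1.1\r\n"
           b"Host: shop.example\r\n\r\n")


def build_plaintext_flow():
    """Cleartext HTTP: one request, one response."""
    return Flow("10.0.0.5", "203.0.113.10", 80, [
        Packet(0.0, True, REQUEST),
        Packet(0.2, False, b"HTTP/1.1 200 OK\r\n\r\n<html>...</html>"),
    ])


def build_encrypted_beacon_flow():
    """Same request, now 'encrypted', repeated on a ~60 s timer."""
    pkts = []
    for t in (0.0, 60.1, 120.0, 180.2, 239.9, 300.1):
        pkts.append(Packet(t, True, toy_encrypt(REQUEST)))
        pkts.append(Packet(t + 0.1, False, toy_encrypt(b"ack")))
    return Flow("10.0.0.5", "203.0.113.10", 443, pkts)


if __name__ == "__main__":
    print("plaintext:", inspect(build_plaintext_flow()))
    print("encrypted:", inspect(build_encrypted_beacon_flow()))
```

On the cleartext flow the signature layer fires and the metadata layer stays quiet; on the encrypted flow the same bytes produce no signature match at all, and only the timing heuristic raises an alert. That asymmetry is the reason the abstract frames flow-based and metadata analysis as a complement to signatures rather than a replacement: neither layer alone sees both cases.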
Faculty Advisor/Mentor
Abhishek Phadke
Document Type
Paper
Disciplines
Cybersecurity | Digital Communications and Networking | Information Security
DOI
10.25776/n0m6-3p75
Included in
Cybersecurity Commons, Digital Communications and Networking Commons, Information Security Commons
Limitations of Signature-Based Network Intrusion Detection Under Modern Traffic Conditions