Flow-Based Approach on Bro Intrusion Detection

Packet-based or Deep Packet Inspection (DPI) intrusion detection systems (IDSs) face challenges when coping with high volume of traffic. Processing every payload on the wire degrades the performance of intrusion detection. This paper aims to develop a model for reducing the amount of data to be processed by intrusion detection using flow-based approach. We investigated the detection accuracy of this approach via implementation of this model using Bro IDS. Bro was used to generate malicious features from several recent labeled datasets. Then, the model made use the machine learning classification algorithms for attribute evaluation and Bro policy scripts for detecting malicious flows. Based on our experiments, the findings showed that flow-based detection was able to identify the presence of all malicious activities. This verifies the capability of this approach to detect malicious flows with high accuracy. However, this approach generated a significant number of false positive alarms. This indicates that for detection purpose, it is difficult to make a complete behavior of the malicious activities from only limited data and flow-level.