Rethinking NIDS Rule-Based Pre-Filtering / Brum, Henrique; Knob, Luis; Ferreto, Tiago; Siracusa, Domenico. - (2025), pp. 1-5. (CNSM, Bologna, 27-31 October 2025) [10.23919/cnsm67658.2025.11297559].
Rethinking NIDS Rule-Based Pre-Filtering
Henrique Brum; Luis Knob; Domenico Siracusa
2025-01-01
Abstract
Surging network traffic is pushing signature-based Network Intrusion Detection Systems (NIDSs) to their limits, as they struggle to inspect every incoming packet. The high computational cost of analyzing each packet and matching it against large rulesets can lead to system saturation and missed attacks. Rule-based pre-filtering can reduce this cost by forwarding only potentially malicious packets to the NIDS. However, existing work has largely overlooked the impact of pre-filtering on the NIDS's attack detection performance. Our analysis shows that current methods disrupt attack detection because they discard packets that do not match the pre-filtering rules, ignoring the fact that NIDSs require additional flow information (e.g., the TCP handshake) beyond the malicious packets to process flows and detect attacks properly. To address this, we propose eRBF, a new rule-based pre-filtering approach that pre-filters traffic not only according to the rules but also based on the NIDSs' flow processing requirements. Experimental results with Snort demonstrate that eRBF achieves the desired balance, forwarding less than 22% of all packets across two well-known datasets while maintaining attack detection above 95%.
| File | Size | Format | Access |
|---|---|---|---|
| BrumRethinkingNIDSPrefiltering2025[VoR].pdf (Description: VoR; Type: Publisher's version (Publisher's layout); License: All rights reserved) | 1.45 MB | Adobe PDF | Archive managers only |
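The abstract's central point, that a pre-filter which forwards only rule-matching packets starves a stateful NIDS of the handshake it needs, is easy to reproduce on a toy capture. The following is an added illustration, not the eRBF implementation or the evaluation from the paper. It assumes two hypothetical content signatures in place of a Snort ruleset, a constructed twelve-packet trace (one attacker flow, one benign flow), a toy detector that, like Snort's stream tracking with `flow:established` rules, only inspects payload on flows whose three-way handshake it has seen, and a single-pass "flow-aware" pre-filter that forwards SYN/FIN/RST segments and payload-less ACKs in addition to rule matches. That last heuristic is one plausible reading of "the NIDSs' flow processing requirements" and not necessarily the policy eRBF uses.

```python
"""Added illustration (not the eRBF code from the paper): why a rule-based
pre-filter must forward flow-tracking packets, not just rule matches."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flag letters: S=SYN, A=ACK, P=PSH, F=FIN, R=RST
    payload: bytes = b""


# Hypothetical content signatures standing in for a Snort ruleset (assumption).
SIGNATURES = (b"/etc/passwd", b"UNION SELECT")


def flow_key(p: Packet):
    """Direction-independent 4-tuple so both sides of a connection share a key."""
    return tuple(sorted(((p.src, p.sport), (p.dst, p.dport))))


def matches_rule(p: Packet) -> bool:
    return any(sig in p.payload for sig in SIGNATURES)


def naive_prefilter(packets):
    """Forward only packets whose payload matches a rule: the behaviour the
    abstract identifies as breaking detection, because handshakes are dropped."""
    return [p for p in packets if matches_rule(p)]


def flow_aware_prefilter(packets):
    """Also forward what the NIDS needs to build and tear down flow state:
    SYN/FIN/RST segments and payload-less ACKs.  This single-pass heuristic is
    our reading of "flow processing requirements", not the paper's exact policy."""
    out = []
    for p in packets:
        control = any(f in p.flags for f in "SFR") or not p.payload
        if control or matches_rule(p):
            out.append(p)
    return out


def stateful_nids(packets):
    """Toy stateful detector modelled on Snort's stream tracking with
    flow:established rules: payload is only inspected on flows whose
    three-way handshake was observed."""
    state = {}          # flow_key -> "syn" | "synack" | "established"
    alerts = []
    for p in packets:
        k = flow_key(p)
        if p.flags == "S":
            state[k] = "syn"
        elif p.flags == "SA" and state.get(k) == "syn":
            state[k] = "synack"
        elif p.flags == "A" and state.get(k) == "synack":
            state[k] = "established"
        elif p.payload and state.get(k) == "established" and matches_rule(p):
            alerts.append((k, p.payload))
    return alerts


def sample_traffic():
    """Constructed capture: an attacker flow (handshake, path-traversal request,
    reply, FIN) and a benign flow with a large response to pad the packet count."""
    atk, srv, usr = ("10.0.0.5", 40000), ("10.0.0.10", 80), ("10.0.0.6", 40001)
    return [
        Packet(*atk, *srv, "S"),
        Packet(*srv, *atk, "SA"),
        Packet(*atk, *srv, "A"),
        Packet(*atk, *srv, "PA", b"GET /../../etc/passwd HTTP/1.1\r\n"),
        Packet(*srv, *atk, "PA", b"HTTP/1.1 403 Forbidden\r\n"),
        Packet(*atk, *srv, "FA"),
        Packet(*usr, *srv, "S"),
        Packet(*srv, *usr, "SA"),
        Packet(*usr, *srv, "A"),
        Packet(*usr, *srv, "PA", b"GET /index.html HTTP/1.1\r\n"),
        Packet(*srv, *usr, "PA", b"HTTP/1.1 200 OK\r\n" + b"x" * 1000),
        Packet(*usr, *srv, "FA"),
    ]


def compare(packets=None):
    """Run the NIDS on unfiltered, naively filtered and flow-aware filtered
    traffic; return forwarded fraction and alert count for each."""
    packets = packets if packets is not None else sample_traffic()
    results = {"no_prefilter": {"forwarded_fraction": 1.0,
                                "alerts": len(stateful_nids(packets))}}
    for name, pf in (("naive", naive_prefilter), ("flow_aware", flow_aware_prefilter)):
        fwd = pf(packets)
        results[name] = {"forwarded_fraction": len(fwd) / len(packets),
                         "alerts": len(stateful_nids(fwd))}
    return results


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:12s} forwarded={r['forwarded_fraction']:.2f} alerts={r['alerts']}")
```

On this trace the naive pre-filter forwards a single packet and the detector raises no alert, because the malicious request arrives on a flow it never saw established; the flow-aware variant forwards the handshake and teardown segments as well and the alert comes back. The forwarded fractions here describe only this constructed capture; the 22% and 95% figures in the abstract are the paper's measurements with Snort on real datasets. The practical check when putting any pre-filter in front of Snort is the same one the toy makes visible: if the ruleset relies on `flow:established` and the handshake packets never reach the engine, alerts disappear silently rather than failing loudly.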
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.