Optimizing the Observation Windows Size for Kernel Attack Signatures

In this paper we introduce a signature-based intrusion detection methodology that uses low-level kernel data to identify network attacks in real time. Different types of attacks exhibit different behavioral characteristics over time, and therefore require observation intervals of different lengths before attack data can be clearly distinguished within a network data stream. Our technique processes a pseudo-continuous stream of network kernel data in order to identify attacks. An additional advantage of a pseudo-continuous system is that it allows dynamic adjustment to account for varying levels of network load. This yields higher precision and a lower false-positive rate than a fixed-interval system, because only the data needed for identification is compared against the stored signature. Further, response time is near-immediate, since only the minimum amount of data required to detect the attack must be sampled.