JISAR

Journal of Information Systems Applied Research

Volume 12

V12 N1 Pages 17-25

April 2019


The use of Snap Length in Lossy Network Traffic Compression for Network Intrusion Detection Applications


Sidney Charles Smith
US Army Research Laboratory
Aberdeen Proving Ground, MD 21005, USA

Robert J. Hammell II
Towson University
Towson, MD 21252, USA


Abstract: In distributed network intrusion detection applications, it is necessary to transmit data from the remote sensors to the central analysis systems (CAS). Transmitting all the data captured by the sensor would place an unacceptable demand on the bandwidth available to the site. Most applications address this problem by sending only alerts or summaries; however, these alone do not always provide the analyst with enough information to truly understand what is happening on the network. Since lossless compression techniques alone are not sufficient to address the bandwidth demand, applications that send raw traffic to the CAS for analysis must employ some form of lossy compression. This lossy compression may take the form of dropping entire sessions, packets, or portions of packets. In this paper we explore the impact of compressing network traffic by dropping portions of packets. This is accomplished by truncating packets through adjusting the snap length.

Keywords: compression, network intrusion detection, snap length, Snort, Tcpdump
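As an added illustration (not code from the paper), the snap-length truncation the abstract describes, applied to a constructed three-packet pcap: each record keeps its original wire length (orig_len) but only the first snaplen captured bytes survive, as tcpdump -s would produce, and the helper reports the resulting file-size ratio so the bandwidth saving can be measured for a given snap length.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PKT_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len


def build_pcap(packets, snaplen=65535, linktype=1):
    """Build a classic little-endian libpcap file from (ts_sec, ts_usec, frame) tuples."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, frame in packets:
        out.append(PKT_HDR.pack(ts_sec, ts_usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def truncate_pcap(data, snaplen):
    """Re-capture an existing pcap with a smaller snap length.

    Each record keeps its original wire length (orig_len) but only the first
    `snaplen` captured bytes are retained, which is the lossy step the paper studies.
    """
    magic, major, minor, tz, sig, old_snap, link = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    out = [GLOBAL_HDR.pack(magic, major, minor, tz, sig, min(old_snap, snaplen), link)]
    off = GLOBAL_HDR.size
    while off < len(data):
        ts_sec, ts_usec, incl, orig = PKT_HDR.unpack_from(data, off)
        off += PKT_HDR.size
        kept = data[off:off + incl][:snaplen]
        off += incl
        out.append(PKT_HDR.pack(ts_sec, ts_usec, len(kept), orig))
        out.append(kept)
    return b"".join(out)


def compression_ratio(original, snaplen):
    """Size of the truncated capture divided by the size of the full capture."""
    return len(truncate_pcap(original, snaplen)) / len(original)


# Constructed sample (not real traffic): a small SYN-sized frame, a full-size
# Ethernet data frame, and a mid-size frame.
SAMPLE = build_pcap([
    (1, 0, b"\x00" * 60),
    (1, 500, b"\x11" * 1514),
    (2, 0, b"\x22" * 800),
])

if __name__ == "__main__":
    for s in (68, 96, 256, 1514):
        print(f"snaplen={s:5d}  size ratio={compression_ratio(SAMPLE, s):.3f}")
```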



Recommended Citation: Smith, S. C., Hammell II, R. J. (2019). The use of Snap Length in Lossy Network Traffic Compression for Network Intrusion Detection Applications. Journal of Information Systems Applied Research, 12(1) pp 17-25. http://jisar.org/2019-12/ ISSN: 1946-1836. (A preliminary version appears in The Proceedings of CONISAR 2018)