Collection of chemistry research reports published in international chemistry journals. Topic: Intrusion detection model based on selective packet sampling

Bakhoum, EURASIP Journal on Information Security 2011, 2011:2
EURASIP Journal on Information Security, a SpringerOpen Journal
RESEARCH, Open Access

Intrusion detection model based on selective packet sampling
Ezzat G Bakhoum

Abstract
Recent experimental work by Androulidakis and Papavassiliou (IET Commun 2(3):399, 2008; IEEE Netw 23(1):6, 2009) has shown that it is possible to maintain a high level of network security while selectively inspecting packets for the existence of intrusive activity, thereby resulting in a minimal amount of processing overhead. In this paper, a statistical approach for the modeling of network intrusions as Markov processes is introduced. The theoretical findings presented here confirm the earlier experimental results of Androulidakis and Papavassiliou. A common notion about network intrusion detection systems is that every packet arriving into a network must be inspected in order to prevent intrusions. This investigation, together with the earlier experimental results, disproves that notion. Additional experimental testing of a corporate local area network is reported.

Keywords: Network Intrusion, Intrusion Detection System, IP Packets, Markov Process, Birth and Death Model

1. Introduction
Network intrusion detection systems (IDS) perform a vital role in protecting networks connected to the World Wide Web from malicious attacks. Traditionally, IDS software products such as SNORT [1], SecureNet [2], and Hogwash [3] work by monitoring traffic at the network choke-point, where every incoming IP packet is analyzed for suspicious patterns that may indicate hostile activity. Because those software systems must match packets against thousands of known ominous patterns, they must work extremely fast.
Under heavy traffic, however, the IDS is usually forced to drop packets so that the IDS itself will not become the bottleneck of the network (of course, at the risk of allowing an attack to go undetected). Because of this deficiency .