Title :
A comprehensive design for decision engine in network intrusion detection and prevention system
Author :
Karbaschian, A.R. ; Mirpuryan, M.S. ; Tavizi, T.
Author_Institution :
Dept. of Comput. Eng., Islamic Azad Univ. Tehran, Tehran, Iran
Abstract :
To combine the benefits and offset the weaknesses of misuse-based and anomaly-based intrusion detection systems, hybrid architectures have been proposed. In a parallel hybrid architecture, a decision engine must combine the outputs of the misuse-based and anomaly-based detectors and infer the final result. Since the literature offers no complete solution, this paper presents a novel and comprehensive design for the decision engine of a hybrid network intrusion detection and prevention system (NIDPS). The decision engine has two tasks: first, combining and correlating the input alerts into a meta-alert; second, inferring the proper reaction to that meta-alert. The architecture allows various types of reaction to be applied. Because real-time reaction is critical to overall performance, and the decision for this type of reaction depends heavily on the attack type, the attack-classification part of the design is evaluated on the KDD'99 dataset, labeled by attack type. The results show that the chosen approach achieves 98.0484% attack-classification accuracy at reasonable speed.
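The two tasks the abstract assigns to the decision engine, correlating misuse and anomaly alerts into a meta-alert and then inferring a reaction from the meta-alert's attack class, are illustrated below with an added toy example. This is not the paper's design or code: the alert fields, the (src, dst, time-window) correlation rule, the noisy-OR confidence combination, the confidence threshold, the KDD'99-category-to-reaction table and the sample alerts are all assumptions made for the illustration. The anomaly engine is modelled as reporting only a score, so an anomaly-only meta-alert stays "unknown" and is escalated rather than acted on blindly.

```python
"""Toy decision engine for a parallel hybrid NIDPS (added illustration).

Two detectors run side by side: a misuse (signature) engine that labels
alerts with an attack class, and an anomaly engine that only reports a
deviation score.  The decision engine (1) correlates alerts from both
into meta-alerts by flow endpoints and time window and (2) infers a
reaction from the meta-alert's attack class and combined confidence.
Alert format, scoring, correlation rule and reaction table are
assumptions for this example, not the paper's design.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Alert:
    engine: str                          # "misuse" or "anomaly"
    ts: float                            # seconds
    src_ip: str
    dst_ip: str
    score: float                         # detector confidence in [0, 1]
    attack_class: Optional[str] = None   # only the misuse engine labels


@dataclass
class MetaAlert:
    src_ip: str
    dst_ip: str
    first_ts: float
    last_ts: float
    alerts: List[Alert] = field(default_factory=list)

    @property
    def attack_class(self) -> str:
        # The misuse engine's highest-scoring label wins; anomaly-only
        # meta-alerts stay "unknown" so they are not acted on blindly.
        labelled = [a for a in self.alerts if a.attack_class]
        if not labelled:
            return "unknown"
        return max(labelled, key=lambda a: a.score).attack_class

    @property
    def confidence(self) -> float:
        # Noisy-OR: independent detectors agreeing raise confidence,
        # e.g. scores 0.7 and 0.8 combine to 1 - 0.3*0.2 = 0.94.
        p = 1.0
        for a in self.alerts:
            p *= 1.0 - a.score
        return 1.0 - p


def correlate(alerts: List[Alert], window: float = 5.0) -> List[MetaAlert]:
    """Merge alerts on the same (src, dst) flow that arrive within
    `window` seconds of the previous alert in that meta-alert."""
    metas: List[MetaAlert] = []
    open_by_flow = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        key = (a.src_ip, a.dst_ip)
        m = open_by_flow.get(key)
        if m is not None and a.ts - m.last_ts <= window:
            m.alerts.append(a)
            m.last_ts = a.ts
        else:
            m = MetaAlert(a.src_ip, a.dst_ip, a.ts, a.ts, [a])
            metas.append(m)
            open_by_flow[key] = m
    return metas


# KDD'99 attack categories mapped to a real-time reaction (assumed table).
REACTIONS = {
    "dos": "rate_limit_source",
    "probe": "log_and_watch",
    "r2l": "block_source",
    "u2r": "block_source_and_isolate_host",
    "unknown": "escalate_to_analyst",
}


def decide(meta: MetaAlert, threshold: float = 0.6) -> str:
    """Infer the reaction: below the threshold only log, otherwise react
    according to the meta-alert's attack class."""
    if meta.confidence < threshold:
        return "log_only"
    return REACTIONS[meta.attack_class]


def run_engine(alerts: List[Alert]) -> List[Tuple[str, str, str, float, str]]:
    """Correlate, then decide; returns (src, dst, class, confidence, reaction)."""
    return [(m.src_ip, m.dst_ip, m.attack_class, round(m.confidence, 4), decide(m))
            for m in correlate(alerts)]


# Constructed sample alerts (not real captures).
SAMPLE = [
    Alert("misuse", 0.0, "10.0.0.5", "10.0.0.20", 0.7, "dos"),
    Alert("anomaly", 2.0, "10.0.0.5", "10.0.0.20", 0.8),    # confirms the DoS
    Alert("anomaly", 10.0, "10.0.0.9", "10.0.0.20", 0.5),   # weak, unlabelled
    Alert("misuse", 40.0, "10.0.0.9", "10.0.0.20", 0.9, "probe"),  # outside window
]

if __name__ == "__main__":
    for row in run_engine(SAMPLE):
        print(row)
```

Running the sample yields three meta-alerts: the DoS confirmed by both engines (confidence 0.94, rate-limited), the lone weak anomaly (unknown, 0.5, logged only), and the later probe, which opens a new meta-alert because it arrives 30 s after the anomaly on the same flow.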
Keywords :
decision making; security of data; anomaly based intrusion detection; attack classification; decision engine; hybrid network intrusion detection; hybrid network intrusion prevention; input alerts; labeled KDD'99 dataset; meta alert; misuse based intrusion detection; parallel hybrid architecture; real time reaction; Accuracy; Correlation; Decision making; Engines; Intrusion detection; Ontologies; NIDPS; alert; correlation; decision; design; engine; infer; prevention; reaction; response;
Conference_Titel :
2012 Sixth International Symposium on Telecommunications (IST)
Conference_Location :
Tehran
Print_ISBN :
978-1-4673-2072-6
DOI :
10.1109/ISTEL.2012.6483125