Efficiency Issues of Rete-based Expert Systems for Misuse Detection

Michael Meier
University of Dortmund
Germany

Ulrich Flegel
University of Dortmund
Germany

Sebastian Schmerl
Brandenburg University of Technology Cottbus
Germany

This paper provides a general and comprehensive approach to implementing misuse detection on expert systems and an in-depth analysis of the effectiveness of the optimization strategies of the Rete algorithm with respect to the general implementation approach. General efficiency limits of Rete-based expert systems in the application domain of misuse detection are determined analytically and validated experimentally. We conclude that expert systems may still have their merit in rapid prototyping of misuse detection IDSs, but they should not be considered for modern production systems.

Keywords: Intrusion Detection, Misuse Detection, Expert Systems, Rete Match Algorithm, Efficiency
