Improving Cybersecurity Intrusion Detection

By Sidney Smith, Computer Scientist, CCDC Army Research Laboratory

With billions of people affected by data breaches last year, cybersecurity has become one of the nation’s top security concerns, and government and businesses are spending more time and money defending against attacks.

One of the challenges with today’s cybersecurity is that many protection systems rely on distributed network intrusion detection. This approach allows a small number of highly trained analysts to monitor several networks at the same time, reducing cost through economies of scale and making more efficient use of limited cybersecurity expertise. The problem with it is that the data must be transmitted from network intrusion detection sensors on the defended network to central analysis servers. Transmitting all of the data captured by the sensors requires more bandwidth than the systems can manage, and bandwidth is extremely costly.

Because of this, most distributed network intrusion detection systems only send alerts or summaries of activities back to the security analyst. With only summaries, cyber-attacks either can go undetected because the analyst did not have enough information to understand the network activity, or, alternatively, time may be wasted chasing down false positives.

I, along with my research team, wanted to figure out a way that we could compress network traffic without losing the ability to detect and investigate malicious activity. Using this strategy in a distributed network intrusion detection system, we would bring back more, but not all, of the data, so the analysts can make a better determination about the activity they’re investigating.

Working with researchers at the U.S. Army Combat Capabilities Development Command’s Army Research Laboratory and Towson University, our team conducted research that identified a new way to improve network security. The findings were presented at the 10th International Multi-Conference on Complexity, Informatics, and Cybernetics.

Working on the theory that malicious network activity would manifest its maliciousness early, we developed a tool that would stop transmitting a flow’s traffic after a given number of messages in that flow had been transmitted.

We analyzed and compared the resulting compressed network traffic to the analysis performed on the original network traffic.

As suspected, we found cyber-attacks often do manifest maliciousness early in the transmission process. When we identified malicious activity later in the transmission process, it was usually not the first occurrence of malicious activity in that network flow.

Based on these findings, we determined that using our strategy to truncate flows should be effective in reducing the amount of network traffic sent from the sensor to the central analysis system, and ultimately could be used to increase the reliability and security of Army networks.
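As an added illustration of the flow-truncation strategy described above (example code written for this edit, not the research team’s tool), the following forwards only the first N packets of each flow, keyed on a direction-independent 5-tuple so both directions share one budget, and then reports how much volume would reach the analyst and how many of the full-capture alerts survive. The capture, addresses, packet sizes and alert positions are constructed, with one flow whose alert appears only late to show the loss case.

```python
from collections import defaultdict

def flow_key(pkt):
    """Direction-independent 5-tuple: both directions of a flow share one packet budget."""
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"],) + tuple(ends)

def truncate_flows(packets, max_packets):
    """Forward only the first max_packets packets of each flow, in capture order."""
    count = defaultdict(int)
    kept = []
    for pkt in packets:
        k = flow_key(pkt)
        if count[k] < max_packets:
            kept.append(pkt)
        count[k] += 1
    return kept

def evaluate(packets, max_packets):
    """Volume forwarded and alerts retained, relative to the untruncated capture.
    pkt['alert'] marks packets on which an IDS fired when run over the full capture;
    a flow's alert survives truncation if any of its alerting packets is forwarded."""
    kept = truncate_flows(packets, max_packets)
    alerting = {flow_key(p) for p in packets if p["alert"]}
    retained = {flow_key(p) for p in kept if p["alert"]}
    return {
        "volume_ratio": sum(p["len"] for p in kept) / sum(p["len"] for p in packets),
        "alerts_total": len(alerting),
        "alerts_retained": len(retained),
    }

def make_flow(client, cport, server, srvport, n, size, alert_at=()):
    """Constructed flow of n packets alternating client->server and server->client."""
    pkts = []
    for i in range(1, n + 1):
        c2s = i % 2 == 1
        src, sp, dst, dp = (client, cport, server, srvport) if c2s else (server, srvport, client, cport)
        pkts.append({"src": src, "sport": sp, "dst": dst, "dport": dp, "proto": "tcp",
                     "len": size, "alert": i in alert_at})
    return pkts

# Constructed capture (addresses and sizes are invented, not from the article).
SAMPLE = (
    make_flow("10.0.0.5", 40001, "10.0.0.9", 443, n=20, size=1400)                  # benign bulk transfer
    + make_flow("10.0.0.7", 40002, "10.0.0.9", 80, n=10, size=200, alert_at=(3, 9))  # early hit, repeated later
    + make_flow("10.0.0.8", 40003, "10.0.0.9", 22, n=8, size=300, alert_at=(8,))     # manifests only late
)

if __name__ == "__main__":
    for n in (3, 5, 10):
        print(n, evaluate(SAMPLE, n))
```

Sweeping max_packets over a real capture with its IDS alert log gives the volume-versus-alert-loss curve that the 10% volume / 1% alert-loss target in the next phase would be measured against.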

For the next phase, we want to integrate this technique with network classification and lossless compression techniques to reduce the amount of traffic that needs to be transmitted to the central analysis systems to less than 10% of the original traffic volume while losing no more than 1% of cybersecurity alerts.

The future of intrusion detection is in machine learning and other artificial intelligence techniques; however, many of these techniques are too resource intensive to run on the remote sensors, and all of them require large amounts of data. A cybersecurity system incorporating our research technique will allow the data most likely to be malicious to be gathered for further analysis.

About the Author

Sidney Smith, Computer Scientist, U.S. Army Combat Capabilities Development Command Army Research Laboratory, began his career with the Army in 1990. He graduated from Towson University with a bachelor of science in computer science in 1990 and a master of science from Towson University in 2013. He is expected to earn his doctorate on May 24, 2019. Smith holds professional certifications including CISSP, CISA, and CAP. He can be reached at
