Improving the Efficiency of Misuse Detection

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2005)

Abstract

In addition to preventive mechanisms, intrusion detection systems (IDS) are an important instrument for protecting computer systems. Most IDSs in use today follow the misuse detection approach: they analyze monitored events for occurrences of defined patterns (signatures) that indicate security violations. Little attention has so far been paid to the analysis efficiency of these systems; in particular, for systems able to detect complex, multi-step attacks, not much work on performance optimization has been done. This paper discusses the analysis techniques used by current IDSs and introduces several optimization strategies that exploit structural properties of signatures to increase analysis efficiency. A prototype implementation was used to evaluate these strategies experimentally and to compare them with currently deployed misuse detection techniques. Measurements showed that the proposed strategies yield significant performance improvements. The effect of each optimization strategy on analysis efficiency is discussed in detail.
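As an added illustration (not code from the paper and not its prototype), the following Python block is a minimal multi-step signature matcher run twice over the same audit trail: once naively, testing every pending partial match against every event, and once with a single structural optimization, an index from the event type a pending partial match is waiting for to that partial match, so an incoming event is only tested against instances that can actually consume it. The two signatures, the event stream, the field names and the "evaluations" cost metric are all constructed for this example; the index is one generic way of exploiting signature structure and is not a reconstruction of the paper's own strategies.

```python
"""Multi-step misuse detection with and without an event-type index (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, object]
Binding = Dict[str, object]


@dataclass(frozen=True)
class Step:
    event_type: str                                    # audit-event type this step consumes
    match: Callable[[Event, Binding], Optional[Binding]]  # None = no match, else extended binding


@dataclass(frozen=True)
class Signature:
    name: str
    steps: Tuple[Step, ...]


@dataclass
class Partial:
    """A partially matched signature instance waiting for its next step."""
    sig: Signature
    next_step: int
    binding: Binding

    def awaited_type(self) -> str:
        return self.sig.steps[self.next_step].event_type


def binder(fields: Dict[str, str], where=None):
    """Step predicate: each variable must equal the named event field and agree with
    values bound by earlier steps; optional where(event, binding) adds an extra test."""
    def match(ev: Event, b: Binding) -> Optional[Binding]:
        nb = dict(b)
        for var, fld in fields.items():
            val = ev.get(fld)
            if var in nb and nb[var] != val:
                return None
            nb[var] = val
        return nb if where is None or where(ev, nb) else None
    return match


class Analyzer:
    def __init__(self, signatures: List[Signature], indexed: bool):
        self.indexed = indexed
        self.pending: List[Partial] = []
        self.by_type: Dict[str, List[Partial]] = defaultdict(list)
        self.evaluations = 0                  # step predicates examined: the cost metric
        self.alerts: List[Tuple[str, Binding]] = []
        for sig in signatures:                # one root instance per signature, awaiting step 0
            self._add(Partial(sig, 0, {}))

    def _add(self, p: Partial) -> None:
        self.pending.append(p)
        self.by_type[p.awaited_type()].append(p)

    def feed(self, ev: Event) -> None:
        # Naive analysis tests every pending instance; the indexed one only those
        # whose awaited event type equals the incoming event's type.
        candidates = self.by_type.get(ev["type"], []) if self.indexed else self.pending
        for p in list(candidates):            # copy: successors added now are not retested
            self.evaluations += 1
            step = p.sig.steps[p.next_step]
            if step.event_type != ev["type"]:
                continue
            nb = step.match(ev, p.binding)
            if nb is None:
                continue
            if p.next_step + 1 == len(p.sig.steps):
                self.alerts.append((p.sig.name, nb))
            else:                             # non-consuming: partial stays, successor added
                self._add(Partial(p.sig, p.next_step + 1, nb))


# Constructed signatures: a three-step sequence (login, setuid chmod by the same
# user, execution of that file by a different user) and a two-step one.
SIGNATURES = [
    Signature("setuid_copy", (
        Step("login", binder({"user": "user"})),
        Step("chmod", binder({"user": "user", "file": "path"},
                             where=lambda ev, b: ev.get("mode", 0) & 0o4000)),
        Step("exec", binder({"file": "path", "runner": "user"},
                            where=lambda ev, b: b["runner"] != b["user"])),
    )),
    Signature("brute_then_login", (
        Step("login_failed", binder({"user": "user"})),
        Step("login", binder({"user": "user"})),
    )),
]

# Constructed audit trail: both attack sequences buried between unrelated file reads.
SAMPLE_EVENTS = (
    [{"type": "file_read", "user": "bob", "path": f"/var/log/{i}.log"} for i in range(100)]
    + [{"type": "login", "user": "alice", "host": "h1"},
       {"type": "chmod", "user": "alice", "path": "/tmp/sh", "mode": 0o4755},
       {"type": "login_failed", "user": "mallory"},
       {"type": "login", "user": "mallory", "host": "h2"},
       {"type": "exec", "user": "mallory", "path": "/tmp/sh"}]
    + [{"type": "file_read", "user": "bob", "path": "/etc/motd"} for _ in range(100)]
)


def analyze(events, indexed: bool) -> Analyzer:
    a = Analyzer(SIGNATURES, indexed)
    for ev in events:
        a.feed(ev)
    return a


def compare(events=SAMPLE_EVENTS) -> Dict[str, object]:
    """Run both analyzers; same alerts, far fewer predicate evaluations when indexed."""
    naive, fast = analyze(events, False), analyze(events, True)
    return {"naive_evaluations": naive.evaluations, "indexed_evaluations": fast.evaluations,
            "same_alerts": naive.alerts == fast.alerts, "alerts": fast.alerts}
```

On this trail the naive analyzer performs 820 predicate evaluations (every pending instance, including the two root instances, is retested on each of the 200 noise events) while the indexed one performs 6, and both raise the same two alerts. The index only helps because each signature step names the single event type it can consume; that structural property of the signature is what the optimization exploits, and the count of pending instances, which grows with non-consuming matches, is the other cost factor an efficient engine has to bound.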


© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Meier, M., Schmerl, S., Koenig, H. (2005). Improving the Efficiency of Misuse Detection. In: Julisch, K., Kruegel, C. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2005. Lecture Notes in Computer Science, vol 3548. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11506881_12

  • DOI: https://doi.org/10.1007/11506881_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-26613-6

  • Online ISBN: 978-3-540-31645-9
