Abstract
In addition to preventive mechanisms, intrusion detection systems (IDS) are an important instrument for protecting computer systems. Most IDSs used today realize the misuse detection approach: they analyze monitored events for occurrences of defined patterns (signatures) that indicate security violations. Up to now little attention has been paid to the analysis efficiency of these systems; in particular for systems able to detect complex, multi-step attacks, not much work on performance optimization has been done. This paper discusses the analysis techniques of IDSs used today and introduces several optimizing strategies that exploit structural properties of signatures to increase analysis efficiency. A prototypical implementation has been used to evaluate these strategies experimentally and to compare them with currently deployed misuse detection techniques. Measurements showed that significant performance improvements can be gained by using the proposed optimizing strategies. The effect of each optimization strategy on analysis efficiency is discussed in detail.
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Meier, M., Schmerl, S., Koenig, H. (2005). Improving the Efficiency of Misuse Detection. In: Julisch, K., Kruegel, C. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2005. Lecture Notes in Computer Science, vol 3548. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11506881_12
DOI: https://doi.org/10.1007/11506881_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-26613-6
Online ISBN: 978-3-540-31645-9