Abstract
Most intrusion detection systems deployed today apply misuse detection as detection procedure. Misuse detection compares the recorded audit data with predefined patterns, i.e. signatures. A signature is usually empirically developed based on experience and expert knowledge. Methods for a systematic development are scarcely reported yet. Automated approaches to reusing design and modeling decisions of available signatures also do not exist. This induces relatively long development times for signatures causing inappropriate vulner ability windows. In this paper we present an approach for systematic signature derivation. It is based on the reuse of existing signatures to exploit similarities with existing attacks for deriving a new signature. The approach is based on an iterative abstraction of signatures. Based on a weighted abstraction tree it selects those signatures or signature fragments, which are similar to the novel at tack. Finally, we present a practical application of the approach using the signature description language EDL.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Cheung, S., Lindqvist, U., Fong, M.: Modeling Multistep Cyber Attacks for Scenario Recognition. In: Proceedings of the 3rd DARPA Information Survivability Conference and Exposition, Washington, USA, pp. 284–292. IEEE Computer Society Press, Los Alamitos (2003)
Gamma, E., Helm, R., Johnson, E.R.: Design Patterns – Elements of Reusable Object-Oriented Software. Addison-Wesley Professional, Reading (1997)
Rubin, S., Jha, S., Miller, B.: Automatic Generation and Analysis of NIDS Attacks. In: Proceedings of the 20th Annual Computer Security Applications Conference, Tucson, AZ, USA, pp. 28–38. IEEE Computer Society Press, Los Alamitos (2004)
Rubin, S., Jha, S., Miller, P.B.: Language-based generation and evaluation of NIDS signatures. In: Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, USA, pp. 3–17. IEEE Computer Society Press, Los Alamitos (2005)
Schmerl, S.: Entwurf und Entwicklung einer effizienten Analyseeinheit für Intrusion-Detection-Systeme (in German). Master Thesis, Group Communication Systems, Brandenburg University of Technology Cottbus (2004)
Meier, M., Schmerl, S., König, H.: Improving the Efficiency of Misuse Detection. In: Julisch, K., Krügel, C. (eds.) DIMVA 2005. LNCS, vol. 3548, pp. 188–205. Springer, Heidelberg (2005)
Lippmann, R., Webster, S., Stetson, D.: The Effect of Identifying Vulnerabilities and Patching Software on the Utility of Network Intrusion Detection. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 307–326. Springer, Heidelberg (2002)
Larson, U., Lundin-Barse, E., Jonsson, E.: METAL – A Tool for Extracting Attack Manifestations. In: Julisch, K., Krügel, C. (eds.) DIMVA 2005. LNCS, vol. 3548, pp. 85–102. Springer, Heidelberg (2005)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Schmerl, S., Koenig, H., Flegel, U., Meier, M. (2006). Simplifying Signature Engineering by Reuse. In: Müller, G. (eds) Emerging Trends in Information and Communication Security. ETRICS 2006. Lecture Notes in Computer Science, vol 3995. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11766155_31
Download citation
DOI: https://doi.org/10.1007/11766155_31
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-34640-1
Online ISBN: 978-3-540-34642-5
eBook Packages: Computer ScienceComputer Science (R0)