Skip to main content
SpringerLink
Log in

Using Decision Trees to Improve Signature-Based Intrusion Detection

  • Conference paper
Book cover Recent Advances in Intrusion Detection (RAID 2003)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 2820))

Included in the following conference series:

Abstract

Most deployed intrusion detection systems (IDSs) follow a signature-based approach where attacks are identified by matching each input event against predefined signatures that model malicious activity. This matching process accounts for the most resource intensive task of an IDS. Many systems perform the matching by comparing each input event to all rules sequentially. This is far from being optimal. Although sometimes ad-hoc optimizations are utilized, no general solution to this problem has been proposed so far.

This paper describes an approach where machine learning clustering techniques are applied to improve the matching process. Given a set of signatures (each dictating a number of constraints the input data must fulfill to trigger it) an algorithm generates a decision tree that is used to find malicious events using as few redundant comparisons as possible.

This general idea has been applied to a network-based IDS. In particular, a system has been implemented that replaces the detection engine of Snort [14,16]. Experimental evaluation shows that the speed of the detection process has been significantly improved, even compared to Snort’s recently released, fully revised detection engine.

This work has been supported by the FWF (Fonds zur Förderung der wissenschaftlichen Forschung), under contract number P13731-MAT. The views expressed in this article are those of the authors and do not necessarily reflect the opinions or positions of the FWF.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Aho, A., Corasick, M.: Efficient string matching: An aid to bibliographic search. Communications of the Association for Computing Machinery 18, 333–340 (1975)

    MATH  MathSciNet  Google Scholar 

  2. Cisco IDS - formerly NetRanger (2002), http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/index.shtml

  3. Jason Coit, C., Staniford, S., McAlerney, J.: Towards Faster String Matching for Intrusion Detection or Exceeding the Speed of Snort. In: Proceedings of DISCEX 2001 (2001)

    Google Scholar 

  4. Eckmann, S.T., Vigna, G., Kemmerer, R.A.: STATL: An Attack Language for State-based Intrusion Detection. In: Proceedings of the ACM Workshop on Intrusion Detection Systems, Athens, Greece (November 2000)

    Google Scholar 

  5. Fisk, M., Varghese, G.G.: An analysis of fast string matching applied to contentbased forwarding and intrusion detection. Technical Report UCSD TR CS2001- 0670, UC San Diego (2001)

    Google Scholar 

  6. Hartmeier, D.: Design and Performance of the OpenBSD Stateful Packet Filter (pf). In: USENIX Annual Technical Conference – FREENIX Track (2002)

    Google Scholar 

  7. Lee, W., Stolfo, S., Mok, K.: A Data Mining Framework for Building Intrusion Detection Models. In: Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA (May 1999)

    Google Scholar 

  8. MIT Lincoln Labs. DARPA Intrusion Detection Evaluation (1999), http://www.ll.mit.edu/IST/ideval

  9. Moore, J.S., Boyer, R.S.: A Fast String Searching Algorithm. Communications of the Association for Computing Machinery 20, 762–772 (1977)

    Google Scholar 

  10. Paxson, V.: Bro: A system for detecting network intruders in real-time. In: 7th USENIX Security Symposium, San Antonio, TX, USA (January 1998)

    Google Scholar 

  11. Quinlan, J.R.: Discovering rules by induction from large collections of examples. In: Expert Systems in the Micro-Electronic Age, Edinburgh University Press (1979)

    Google Scholar 

  12. Quinlan, J.R.: Induction of decision trees. Machine Learning 1(1), 81–106 (1986)

    Google Scholar 

  13. RealSecure., http://www.iss.net/products_services/enterprise_protection

  14. Roesch, M.: Snort - Lightweight Intrusion Detection for Networks. In: USENIX Lisa 1999 (1999)

    Google Scholar 

  15. Snort-NG. Snort - Next Generation: Network Intrusion Detection System, http://www.infosys.tuwien.ac.at/snort-ng

  16. Snort. Open-source Network Intrusion Detection System, http://www.snort.org

  17. Sourcefire. Snort 2.0, http://www.sourcefire.com/technology/whitepapers.htm

  18. Swatch: Simple Watchdog, http://swatch.sourceforge.net

  19. Symantec - NetProwler and Intruder Alert (2002), http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=%50

  20. Vigna, G., Eckmann, S., Kemmerer, R.A.: The STAT Tool Suite. In: Proceedings of DISCEX 2000, Hilton Head, South Carolina, January 2000, IEEE Computer Society Press, Los Alamitos (2000)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Reliable Software Group, University of California, Santa Barbara

    Christopher Kruegel

  2. Distributed Systems Group, Technical University Vienna,  

    Thomas Toth

Authors
  1. Christopher Kruegel
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Thomas Toth
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Computer Science, University of California Santa Barbara, 93106-5110, Santa Barbara, CA, USA

    Giovanni Vigna

  2. Secure Systems Lab, Technical University of Vienna, 1040, Vienna, Austria

    Christopher Kruegel

  3. Department of Computer Science and Engineering, Chalmers University of Technology, SE-412 96, Göteborg, Sweden

    Erland Jonsson

Rights and permissions

Reprints and permissions

Copyright information

© 2003 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kruegel, C., Toth, T. (2003). Using Decision Trees to Improve Signature-Based Intrusion Detection. In: Vigna, G., Kruegel, C., Jonsson, E. (eds) Recent Advances in Intrusion Detection. RAID 2003. Lecture Notes in Computer Science, vol 2820. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45248-5_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-540-45248-5_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-40878-9

  • Online ISBN: 978-3-540-45248-5

  • eBook Packages: Springer Book Archive

Publish with us

Policies and ethics

Search

Navigation