Abstract
In this paper, we propose a novel intrusion detection technique with a fully automatic attack signature generation capability. The proposed approach analyses honeypot traffic data to build an attack scenario database, which is then used to detect potential intrusions. Furthermore, for an effective and efficient intrusion detection mechanism, we introduce several new or adapted algorithms for signature generation, signature comparison, etc. Finally, we use DARPA’99 and UNSW-NB15 traffic to evaluate the proposed approach. The results indicate that the generated attack signatures are of high quality, with low rates of false negatives and false positives.
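As an added illustration (not code from the paper, whose abstract does not detail its signature-generation or comparison algorithms), the following Python script applies the classic longest-common-subsequence (LCS) technique to a few constructed honeypot payloads: the LCS of all captured attack samples is cut into ordered tokens that occur verbatim in every sample, a payload matches when it contains all tokens in order, and the false-positive and false-negative rates the abstract refers to are computed on a constructed labelled set. All payloads, the `probe-kit/1.0` user agent, the `MIN_TOKEN_LEN` threshold and the function names are assumptions made for this example.

```python
"""Added example: LCS-based attack-signature generation, matching and evaluation.

Not the algorithm of the paper above (its abstract does not detail the
signature-generation or comparison algorithms); this applies the classic
longest-common-subsequence technique to CONSTRUCTED honeypot payloads.
"""
from typing import List, Sequence, Tuple

MIN_TOKEN_LEN = 4  # assumed threshold: shorter common fragments are too unspecific


def lcs(a: bytes, b: bytes) -> bytes:
    """Return one longest common subsequence of a and b (O(len(a)*len(b)) DP)."""
    m, n = len(a), len(b)
    dp = [[0] * (n + 1) for _ in range(m + 1)]  # dp[i][j] = LCS length of a[i:], b[j:]
    for i in range(m - 1, -1, -1):
        for j in range(n - 1, -1, -1):
            if a[i] == b[j]:
                dp[i][j] = dp[i + 1][j + 1] + 1
            else:
                dp[i][j] = max(dp[i + 1][j], dp[i][j + 1])
    out = bytearray()
    i = j = 0
    while i < m and j < n:
        if a[i] == b[j]:  # taking an equal pair is always LCS-optimal
            out.append(a[i])
            i += 1
            j += 1
        elif dp[i + 1][j] >= dp[i][j + 1]:
            i += 1
        else:
            j += 1
    return bytes(out)


def generate_signature(samples: Sequence[bytes]) -> List[bytes]:
    """Fold LCS over all attack samples and cut the result into ordered tokens.

    A token is a maximal piece of the LCS that occurs as a contiguous substring
    in every sample.  The bare LCS is only a subsequence and would match far
    too loosely, so the signature is this ordered token list instead.
    """
    common = samples[0]
    for s in samples[1:]:
        common = lcs(common, s)
    tokens: List[bytes] = []
    start = 0
    while start < len(common):
        end = start + 1  # a single LCS byte is trivially present in every sample
        while end < len(common) and all(common[start:end + 1] in s for s in samples):
            end += 1
        if end - start >= MIN_TOKEN_LEN:
            tokens.append(common[start:end])
        start = end
    return tokens


def matches(signature: Sequence[bytes], payload: bytes) -> bool:
    """Signature comparison: every token must occur in the payload, in order."""
    pos = 0
    for token in signature:
        idx = payload.find(token, pos)
        if idx < 0:
            return False
        pos = idx + len(token)
    return True


def evaluate(signature: Sequence[bytes], attacks: Sequence[bytes],
             benign: Sequence[bytes]) -> Tuple[float, float]:
    """Return (false-positive rate, false-negative rate) on labelled payloads."""
    fp = sum(1 for p in benign if matches(signature, p))
    fn = sum(1 for p in attacks if not matches(signature, p))
    return fp / len(benign), fn / len(attacks)


# Constructed honeypot captures of one hypothetical scanning tool (not real traffic).
HONEYPOT_SAMPLES = [
    b"GET /setup.cgi?cmd=1 HTTP/1.1\r\nHost: 10.0.0.5\r\nUser-Agent: probe-kit/1.0\r\n\r\n",
    b"GET /setup.cgi?cmd=aa HTTP/1.1\r\nHost: 10.0.0.9\r\nUser-Agent: probe-kit/1.0\r\n\r\n",
    b"GET /setup.cgi?cmd=zz9 HTTP/1.0\r\nHost: 172.16.3.2\r\nUser-Agent: probe-kit/1.0\r\n\r\n",
]

# Constructed labelled evaluation traffic: the captures plus two unseen variants
# of the same probe, and benign requests to the same server.
EVAL_ATTACKS = HONEYPOT_SAMPLES + [
    b"GET /setup.cgi?cmd=xx HTTP/1.1\r\nHost: 192.0.2.7\r\nUser-Agent: probe-kit/1.0\r\n\r\n",
    b"GET /setup.cgi?cmd=xx HTTP/1.1\r\nHost: 203.0.113.4\r\nUser-Agent: probe-kit/1.0\r\n\r\n",
]
EVAL_BENIGN = [
    b"GET /index.html HTTP/1.1\r\nHost: 10.0.0.7\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /setup.cgi?cmd=help HTTP/1.1\r\nHost: 10.0.0.7\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"POST /setup.cgi HTTP/1.1\r\nHost: 10.0.0.7\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /setup.cgi?cmd=status HTTP/1.0\r\nHost: 10.0.0.7\r\nUser-Agent: curl/7.1\r\n\r\n",
]

if __name__ == "__main__":
    signature = generate_signature(HONEYPOT_SAMPLES)
    for token in signature:
        print(token)
    fp_rate, fn_rate = evaluate(signature, EVAL_ATTACKS, EVAL_BENIGN)
    print(f"false positives: {fp_rate:.2f}  false negatives: {fn_rate:.2f}")
```

Running it shows the kind of defect such an evaluation is meant to catch: because every honeypot capture happened to carry a `Host:` value beginning with `1`, the generated signature contains the coincidental token `\r\nHost: 1`, and the otherwise identical probe sent to `203.0.113.4` is missed (false-negative rate 0.2 on the constructed set, false-positive rate 0.0). The diversity of the honeypot captures, and filtering out tokens that are not specific to the attack, matter as much as the generation algorithm itself.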
Notes
For more detailed information on any of the attacks listed in Table 3, enter the signature ID (the number in brackets in the attack name) in the search area of the Snort web site: https://www.snort.org/search?query=.
Cite this article
Boulaiche, A., Adi, K. An auto-learning approach for network intrusion detection. Telecommun Syst 68, 277–294 (2018). https://doi.org/10.1007/s11235-017-0395-z