
A game theoretic model for dynamic configuration of large-scale intrusion detection signatures

Published in: Multimedia Tools and Applications

Abstract

In this paper, we note that a signature-based intrusion detection system (S-IDS) can suffer low accuracy against mutants of intrusion packets. This is because an S-IDS commonly detects network intrusions in data flows by identifying the presence of predefined intrusion signatures, an approach we call static intrusion signature configuration (SISC). To increase accuracy, all intrusion signatures corresponding to all possible mutants of a given attack may be activated. However, a static intrusion signature configuration with all possible intrusion signatures can greatly increase the storage size and the signature search time during signature analysis. To solve the problems that arise when all possible intrusion signatures are activated, we propose a two-player non-cooperative zero-sum game with incomplete information for dynamic intrusion signature configuration (DISC), in which intrusion signatures of various lengths are activated in a time-shared manner. After formulating the problem in this game-theoretic framework, we derive the optimal DISC strategy for the S-IDS. To the best of our knowledge, this work is the first to analyze the optimal DISC strategy against the various mutants of intrusion packets. Evaluation results show that DISC by the defender is more effective than SISC against various mutants of intrusion packets by the intruder.
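The following is an added illustration, not code from the paper, of why time-sharing signature configurations (DISC) can guarantee more than committing to one configuration (SISC): it solves a small two-configuration zero-sum game between defender and intruder exactly by the graphical method. The payoff matrix, the detection probabilities and the configuration costs are all constructed for the example; the abstract gives no concrete numbers.

```python
"""Added illustration (not the paper's own code) of the dynamic-vs-static
signature-configuration game described in the abstract. The defender
time-shares two signature configurations; the intruder picks a mutant.
All numbers below are constructed for the example."""
from itertools import combinations

# Constructed payoff matrix: rows = defender configurations, columns =
# intruder mutants. Entry = detection probability of that mutant under that
# configuration minus a normalised storage/search cost of the configuration.
CONFIGS = ["short signature (cheap)", "long signature (costly)"]
MUTANTS = ["m1", "m2", "m3", "m4"]
DETECT = [[0.90, 0.20, 0.60, 0.30],   # short sig catches only near-original variants
          [0.50, 0.80, 0.70, 0.90]]   # long sig catches most, but costs more to run
COST = [0.05, 0.25]
PAYOFF = [[d - c for d in row] for row, c in zip(DETECT, COST)]


def static_value(payoff):
    """SISC: defender commits to one configuration; intruder answers with the
    mutant that minimises detection. Returns (row index, guaranteed payoff)."""
    worst = [min(row) for row in payoff]
    best = max(range(len(payoff)), key=lambda i: worst[i])
    return best, worst[best]


def expected_payoff(payoff, p, col):
    """Payoff of column `col` when row 0 is played with probability p."""
    return p * payoff[0][col] + (1 - p) * payoff[1][col]


def mixed_value(payoff):
    """DISC for a 2-row game: the defender's optimal time-share p of row 0
    maximises min_j E[payoff_j](p). The min of linear functions is concave,
    so the optimum lies at p in {0, 1} or where two column lines cross."""
    assert len(payoff) == 2, "exact graphical method handles two configurations"
    a, b = payoff
    candidates = {0.0, 1.0}
    for j, k in combinations(range(len(a)), 2):
        slope_diff = (a[j] - b[j]) - (a[k] - b[k])
        if abs(slope_diff) > 1e-12:           # parallel lines never cross
            p = (b[k] - b[j]) / slope_diff
            if 0.0 <= p <= 1.0:
                candidates.add(p)

    def floor(p):  # what the intruder's best-response mutant leaves the defender
        return min(expected_payoff(payoff, p, j) for j in range(len(a)))

    p_star = max(candidates, key=floor)
    return p_star, floor(p_star)


if __name__ == "__main__":
    row, v_static = static_value(PAYOFF)
    p, v_mixed = mixed_value(PAYOFF)
    print(f"SISC: always '{CONFIGS[row]}' -> guaranteed payoff {v_static:.2f}")
    print(f"DISC: play '{CONFIGS[0]}' {p:.0%} of the time -> guaranteed {v_mixed:.2f}")
```

With these constructed numbers the static defender can guarantee only 0.25 (the intruder always answers the chosen configuration with its weakest mutant), while the time-shared mix raises the guaranteed payoff to 0.43.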



Acknowledgments

This work was supported by the ICT R&D program of MSIP/IITP. [2014(1711021663) Research on Implementation Techniques of Realistic Experience-type Contents based Smart Street].


Corresponding author

Correspondence to Yoon-Ho Choi.


Cite this article

Punithan, X.J., Kim, JD., Kim, D. et al. A game theoretic model for dynamic configuration of large-scale intrusion detection signatures. Multimed Tools Appl 75, 15461–15477 (2016). https://doi.org/10.1007/s11042-015-2508-6


  • DOI: https://doi.org/10.1007/s11042-015-2508-6
