Abstract
In this paper, we note that a signature-based intrusion detection system (S-IDS) suffers low accuracy against mutants of intrusion packets. The reason is that an S-IDS commonly detects network intrusions in data flows by checking for the presence of predefined intrusion signatures, an approach we call static intrusion signature configuration (SISC). Accuracy could be raised by activating the intrusion signatures corresponding to all possible mutants of a given attack, but a static configuration holding every possible intrusion signature greatly increases both the storage required and the signature search time during signature analysis. To avoid the cost of activating all possible intrusion signatures, we propose a two-player non-cooperative zero-sum game with incomplete information for dynamic intrusion signature configuration (DISC), in which intrusion signatures of various lengths are activated in a time-shared manner. After formulating the problem in this game-theoretic framework, we derive the defender's optimal DISC strategy for the S-IDS. To the best of our knowledge, this is the first work to analyze the optimal DISC strategy against the various mutants of intrusion packets. Our evaluation results show that DISC by the defender is more effective than SISC against the various packet mutants generated by the intruder.
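As an added illustration, not code from the paper, the following Python script sets up a small instance of the game described above with constructed detection probabilities: the defender's pure strategies are two signature lengths, the intruder's are three packet mutants, and the payoff is the probability that the currently active signature detects the mutant that was sent. It compares the guaranteed detection rate of a static configuration (SISC, one signature length held permanently) with that of a time-shared configuration (DISC, a mixed strategy over signature lengths), solving the 2 x n zero-sum game exactly with the graphical method. The signature lengths, mutant labels and payoff values are assumptions made for this example; the paper's own model and numbers are not reproduced here.

```python
"""Constructed example: a 2 x n zero-sum signature-configuration game.

The defender (row player) chooses which signature length is active at a
given moment; the intruder (column player) chooses which mutant of the
attack packet to send.  The payoff is the probability that the active
signature detects the chosen mutant: the defender maximises it, the
intruder minimises it.  All numbers below are constructed for
illustration and are not measurements from the paper.
"""
from fractions import Fraction
from itertools import combinations

# Constructed payoff matrix.  Rows: which signature length is active.
# Columns: which mutant the intruder sends.  Entry: P(detect).
SIGNATURE_LENGTHS = ("short", "long")
MUTANTS = ("mutant A", "mutant B", "mutant C")
DETECT = [
    [Fraction(9, 10), Fraction(1, 10), Fraction(6, 10)],  # short signature
    [Fraction(3, 10), Fraction(7, 10), Fraction(5, 10)],  # long signature
]


def static_config_value(payoff):
    """SISC: the defender commits to one signature length for good, so the
    intruder replies with the mutant that length detects worst.
    Returns (best_row, guaranteed_detection_probability)."""
    worst = [min(row) for row in payoff]
    best = max(range(len(payoff)), key=lambda i: worst[i])
    return best, worst[best]


def column_payoff(payoff, j, p):
    """Expected detection of mutant j when row 0 is active a fraction p of
    the time and row 1 the remaining 1 - p."""
    return p * payoff[0][j] + (1 - p) * payoff[1][j]


def dynamic_config_value(payoff):
    """DISC for two signature lengths: choose the time share p of row 0 that
    maximises the worst-case column payoff.  min_j column_payoff(j, p) is
    piecewise linear and concave in p, so its maximum is at p = 0, p = 1,
    or at a crossing of two column lines; we enumerate those candidates.
    Returns (p_row0, guaranteed_detection_probability)."""
    if len(payoff) != 2:
        raise ValueError("graphical method handles exactly two defender rows")
    n = len(payoff[0])
    candidates = [Fraction(0), Fraction(1)]
    for j, k in combinations(range(n), 2):
        # column_payoff(j, p) = a1j + p*(a0j - a1j); solve for the crossing.
        slope_j = payoff[0][j] - payoff[1][j]
        slope_k = payoff[0][k] - payoff[1][k]
        if slope_j == slope_k:
            continue  # parallel lines never cross
        p = (payoff[1][k] - payoff[1][j]) / (slope_j - slope_k)
        if 0 <= p <= 1:
            candidates.append(p)

    def worst_case(p):
        return min(column_payoff(payoff, j, p) for j in range(n))

    best_p = max(candidates, key=worst_case)
    return best_p, worst_case(best_p)


def intruder_mix(payoff, p_row0):
    """The intruder's equalising reply: mix the mutants that are tight at the
    defender's optimum so that both signature lengths do equally well.
    Returns {mutant_index: probability}."""
    n = len(payoff[0])
    value = min(column_payoff(payoff, j, p_row0) for j in range(n))
    tight = [j for j in range(n) if column_payoff(payoff, j, p_row0) == value]
    for j, k in combinations(tight, 2):
        slope_j = payoff[0][j] - payoff[1][j]
        slope_k = payoff[0][k] - payoff[1][k]
        if slope_j != slope_k:
            # q*slope_j + (1-q)*slope_k == 0  =>  q = slope_k / (slope_k - slope_j)
            q = slope_k / (slope_k - slope_j)
            if 0 <= q <= 1:
                return {j: q, k: 1 - q}
    return {tight[0]: Fraction(1)}  # a single binding mutant: play it purely


if __name__ == "__main__":
    row, sisc = static_config_value(DETECT)
    print(f"SISC: keep '{SIGNATURE_LENGTHS[row]}' signature; worst-case P(detect) = {sisc}")
    p, disc = dynamic_config_value(DETECT)
    print(f"DISC: 'short' active {p} of the time, 'long' {1 - p}; worst-case P(detect) = {disc}")
    mix = intruder_mix(DETECT, p)
    print("Intruder's best reply:", {MUTANTS[j]: str(q) for j, q in mix.items()})
```

In this constructed instance, SISC can guarantee only a 30% detection rate (keep the long signature; the intruder answers with mutant A), whereas activating the short signature one third of the time and the long signature two thirds of the time guarantees 50% whichever mutant the intruder chooses. The intruder's best reply is a 50/50 mix of mutants A and B, which pins both signature lengths to the same 50% and confirms 1/2 as the value of the game. The time share p is the schedule an S-IDS would follow when rotating which signature length is active.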
Acknowledgments
This work was supported by the ICT R&D program of MSIP/IITP [2014 (1711021663), Research on Implementation Techniques of Realistic Experience-type Contents based Smart Street].
Cite this article
Punithan, X.J., Kim, JD., Kim, D. et al. A game theoretic model for dynamic configuration of large-scale intrusion detection signatures. Multimed Tools Appl 75, 15461–15477 (2016). https://doi.org/10.1007/s11042-015-2508-6