ABSTRACT
The techniques and supporting tools for signature-based intrusion detection have reached a high level of maturity. They are well understood by the community and have hardware implementations capable of matching rules at high speed. Their major shortcoming is the handling of "zero-day" attacks. Anomaly- or protocol-adherence-based sensors are capable of detecting zero-day attacks, but with high false alarm rates and at more limited speeds. The design proposed here combines the zero-day detection capabilities already supplied by anomaly detection front ends with the speed, hardware compatibility and mature infrastructure of signature-based systems. A unique capability of the proposed technology is that the false alarm rates of matched rules can be reduced to arbitrarily low levels by increasing the amount of training on benign traffic. A goal of future work would be an efficient and secure mechanism for distributing the automatically generated signatures, with the aim of broadening the perimeter of protection and blocking attacks farther away from sensitive servers and hosts.
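The pipeline the abstract describes (anomaly front end flags payloads, shared byte patterns become candidate signatures, benign training traffic weeds out candidates that would fire on normal traffic), as an added illustration that is not the paper's own code: the sample payloads, the 4-byte n-gram candidate extraction and the fixed-string matching are constructed assumptions, chosen only to show how a larger benign corpus drives the surviving rules' false alarm rate down.

```python
from collections import Counter

# Constructed sample traffic (not from the paper): three payloads the anomaly
# front end flagged, sharing one odd token, plus two benign corpora of growing size.
FLAGGED = [
    b"GET /cgi-bin/a.cgi?x=%%ZZQQ%%;id HTTP/1.1\r\n",
    b"GET /cgi-bin/b.cgi?x=%%ZZQQ%%;ls HTTP/1.1\r\n",
    b"POST /cgi-bin/up.cgi HTTP/1.1\r\n%%ZZQQ%%;cat\r\n",
]
BENIGN_SMALL = [
    b"GET / HTTP/1.1\r\n",
    b"GET /index.html HTTP/1.1\r\n",
    b"POST /login HTTP/1.1\r\nuser=alice\r\n",
]
BENIGN_LARGE = BENIGN_SMALL + [
    b"GET /cgi-bin/search.cgi?q=cats HTTP/1.1\r\n",
    b"GET /images/logo.png HTTP/1.1\r\n",
]

def ngrams(payload: bytes, n: int) -> set:
    """Distinct byte n-grams of one payload."""
    return {payload[i:i + n] for i in range(len(payload) - n + 1)}

def candidate_signatures(flagged, n=4, min_support=1.0) -> set:
    """Byte n-grams present in at least `min_support` of the flagged payloads."""
    counts = Counter()
    for p in flagged:
        counts.update(ngrams(p, n))   # one vote per payload, not per occurrence
    need = min_support * len(flagged)
    return {g for g, c in counts.items() if c >= need}

def false_alarm_rate(sig: bytes, benign) -> float:
    """Fraction of benign payloads a fixed-string rule for `sig` would match."""
    return sum(1 for p in benign if sig in p) / len(benign)

def filter_signatures(cands, benign, max_far=0.0) -> set:
    """Keep only candidates whose measured false alarm rate is acceptable."""
    return {s for s in cands if false_alarm_rate(s, benign) <= max_far}

def demo():
    cands = candidate_signatures(FLAGGED)
    small = filter_signatures(cands, BENIGN_SMALL)   # /cgi-bin/ grams still survive
    large = filter_signatures(cands, BENIGN_LARGE)   # only the odd token remains
    return cands, small, large

if __name__ == "__main__":
    cands, small, large = demo()
    print(len(cands), "candidates;", len(small), "after small corpus;", len(large), "after large corpus")
    print(sorted(large))
```

Generic protocol framing (the HTTP grams) is rejected by even the small corpus, while the benign-looking `/cgi-bin/` grams only drop out once the training set contains a legitimate CGI request.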
Index Terms
- Using automatic signature generation as a sensor backend