Article

Enhancing byte-level network intrusion detection signatures with context

Authors:
Robin Sommer

TU Munchen, Germany

TU Munchen, Germany
View Profile

,
Vern Paxson

International Computer Science Institute & Lawrence Berkeley National Laboratory, Berkeley, CA

International Computer Science Institute & Lawrence Berkeley National Laboratory, Berkeley, CA
View Profile

CCS '03: Proceedings of the 10th ACM conference on Computer and communications securityOctober 2003Pages 262–271https://doi.org/10.1145/948109.948145

Published:27 October 2003Publication History

CCS '03: Proceedings of the 10th ACM conference on Computer and communications security

Pages 262–271

ABSTRACT

Many network intrusion detection systems (NIDS) use byte sequences as signatures to detect malicious activity. While being highly efficient, they tend to suffer from a high false-positive rate. We develop the concept of contextual signatures as an improvement of string-based signature-matching. Rather than matching fixed strings in isolation, we augment the matching process with additional context. When designing an efficient signature engine for the NIDS bro, we provide low-level context by using regular expressions for matching, and high-level context by taking advantage of the semantic information made available by bro's protocol analysis and scripting language. Therewith, we greatly enhance the signature's expressiveness and hence the ability to reduce false positives. We present several examples such as matching requests with replies, using knowledge of the environment, defining dependencies between signatures to model step-wise attacks, and recognizing exploit scans.To leverage existing efforts, we convert the comprehensive signature set of the popular freeware NIDS snort into bro's language. While this does not provide us with improved signatures by itself, we reap an established base to build upon. Consequently, we evaluate our work by comparing to snort, discussing in the process several general problems of comparing different NIDSs.

References

arachNIDS. http://whitehats.com/ids/.]]Google Scholar
Web archive of versions of software and signatures used in this paper. http://www.net.in.tum.de/~robin/ccs03.]]Google Scholar
S. Axelsson. The base-rate fallacy and the difficulty of intrusion detection. ACM Transactions on Information and System Security, 3(3):186--205, August 2000.]] Google ScholarDigital Library
R. G. Bace. Intrusion Detection. Macmillan Technical Publishing, Indianapolis, IN, USA, 2000.]] Google ScholarDigital Library
Bro: A System for Detecting Network Intruders in Real-Time. http://www.icir.org/vern/bro-info.html.]]Google Scholar
Bugtraq. http://www.securityfocus.com/bid/1187.]]Google Scholar
CERT Advisory CA-2002-27 Apache/mod_ssl Worm. http://www.cert.org/advisories/CA-2002-27.html.]]Google Scholar
C. J. Coit, S. Staniford, and J. McAlerney. Towards Faster Pattern Matching for Intrusion Detection or Exceeding the Speed of Snort. In Proc. 2nd DARPA Information Survivability Conference and Exposition, June 2001.]]Google ScholarCross Ref
Common Vulnerabilities and Exposures. http://www.cve.mitre.org.]]Google Scholar
H. Debar and B. Morin. Evaluation of the Diagnostic Capabilities of Commercial Intrusion Detection Systems. In Proc. Recent Advances in Intrusion Detection, number 2516 in Lecture Notes in Computer Science. Springer-Verlag, 2002.]]Google Scholar
R. F. et. al. Hypertext transfer protocol -- http/1.1. Request for Comments 2616, June 1999.]]Google Scholar
M. Fisk and G. Varghese. Fast Content-Based Packet Handling for Intrusion Detection. Technical Report CS2001-0670, UC San Diego, May 2001.]] Google ScholarDigital Library
Fyodor. Remote OS detection via TCP/IP Stack Finger Printing. Phrack Magazine, 8(54), 1998.]]Google Scholar
J. Haines, L. Rossey, R. Lippmann, and R. Cunnigham. Extending the 1999 Evaluation. In Proc. 2nd DARPA Information Survivability Conference and Exposition, June 2001.]]Google Scholar
M. Hall and K. Wiley. Capacity Verification for High Speed Network Intrusion Detection Systems. In Proc. Recent Advances in Intrusion Detection, number 2516 in Lecture Notes in Computer Science. Springer-Verlag, 2002.]]Google ScholarDigital Library
M. Handley, C. Kreibich, and V. Paxson. Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. In Proc. 10th USENIX Security Symposium, Washington, D.C., August 2001.]] Google ScholarDigital Library
J. Heering, P. Klint, and J. Rekers. Incremental generation of lexical scanners. ACM Transactions on Programming Languages and Systems (TOPLAS), 14(4):490--520, 1992.]] Google ScholarDigital Library
J. E. Hopcroft and J. D. Ullman. Introduction to Automata Theory, Languages, and Computation. Addison Wesley, 1979.]] Google ScholarDigital Library
K. Jackson. Intrusion detection system product survey. Technical Report LA-UR-99-3883, Los Alamos National Laboratory, June 1999.]]Google Scholar
U. Lindqvist and P. A. Porras. Detecting computer and network misuse through the production-based expert system toolset (P-BEST). In Proc. IEEE Symposium on Security and Privacy. IEEE Computer Society Press, May 1999.]]Google ScholarCross Ref
R. Lippmann, R. K. Cunningham, D. J. Fried, I. Graf, K. R. Kendall, S. E. Webster, and M. A. Zissman. Results of the 1998 DARPA Offline Intrusion Detection Evaluation. In Proc. Recent Advances in Intrusion Detection, 1999.]] Google ScholarDigital Library
R. Lippmann, J. W. Haines, D. J. Fried, J. Korba, and K. Das. The 1999 DARPA off-line intrusion detection evaluation. Computer Networks, 34(4):579--595, October 2000.]] Google ScholarDigital Library
R. Lippmann, S. Webster, and D. Stetson. The Effect of Identifying Vulnerabilities and Patching Software on the Utility of Network Intrusion Detection. In Proc. Recent Advances in Intrusion Detection, number 2516 in Lecture Notes in Computer Science. Springer-Verlag, 2002.]]Google Scholar
J. McHugh. Testing Intrusion detection systems: A critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Transactions on Information and System Security, 3(4):262--294, November 2000.]] Google ScholarDigital Library
V. Paxson. Bro: A system for detecting network intruders in real-time. Computer Networks, 31(23--24):2435--2463, 1999.]] Google ScholarDigital Library
P. A. Porras and P. G. Neumann. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In National Information Systems Security Conference, Baltimore, MD, October 1997.]]Google Scholar
T. H. Ptacek and T. N. Newsham. Insertion, evasion, and denial of service: Eluding network intrusion detection. Technical report, Secure Networks, Inc., January 1998.]]Google Scholar
M. J. Ranum, K. Landfield, M. Stolarchuk, M. Sienkiewicz, A. Lambeth, and E. Wall. Implementing a generalized tool for network monitoring. In Proc. 11th Systems Administration Conference (LISA), 1997.]] Google ScholarDigital Library
M. Roesch. Snort: Lightweight intrusion detection for networks. In Proc. 13th Systems Administration Conference (LISA), pages 229--238. USENIX Association, November 1999.]] Google ScholarDigital Library
R. Sekar and P. Uppuluri. Synthesizing fast intrusion prevention/detection systems from high-level specifications. In Proc. 8th USENIX Security Symposium. USENIX Association, August 1999.]] Google ScholarDigital Library
U. Shankar and V. Paxson. Active Mapping: Resisting NIDS Evasion Without Altering Traffic. In Proc. IEEE Symposium on Security and Privacy, 2003.]] Google ScholarDigital Library
Steven T. Eckmann. Translating Snort rules to STATL scenarios. In Proc. Recent Advances in Intrusion Detection, October 2001.]]Google Scholar
tcpdump. http://www.tcpdump.org.]]Google Scholar
Valgrind. http://developer.kde.org/~sewardj.]]Google Scholar
G. Vigna, S. Eckmann, and R. Kemmerer. The STAT Tool Suite. In Proc. 1st DARPA Information Survivability Conference and Exposition, Hilton Head, South Carolina, January 2000. IEEE Computer Society Press.]]Google Scholar
G. Vigna and R. A. Kemmerer. Netstat: A network-based intrusion detection system. Journal of Computer Security, 7(1):37--71, 1999.]] Google ScholarDigital Library
Whisker. http://www.wiretrip.net/rfp.]]Google Scholar

Recommendations

A Comparative study of Open Source IDSs according to their Ability to Detect Attacks
NISS '19: Proceedings of the 2nd International Conference on Networking, Information Systems & Security

In this paper, we focus on the important role of intrusion detection systems for detecting unauthorized actions initiated from both internal and external network by collecting and monitoring network traffic. We give a study of the open source Next-...
Read More
Overview of intrusion detection and intrusion prevention
InfoSecCD '08: Proceedings of the 5th annual conference on Information security curriculum development

This report provides an overview of IPS systems. In the first section a comparison of IDS and IPS is made, where an IPS system is defined as an integration of IDS and a firewall. The second section describes what is needed to set up an IPS system. In ...
Read More
A survey and taxonomy of techniques used for alerts of Intrusion Detection Systems
BDIoT '19: Proceedings of the 4th International Conference on Big Data and Internet of Things

Over the years, Intrusion detection systems IDSs have evolved to handle many types of threats. Nowadays, network security administrators expect IDSs to monitor networks and hosts and identify suspicious activities. IDSs must be configured to recognize ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
CCS '03: Proceedings of the 10th ACM conference on Computer and communications security
October 2003
374 pages
ISBN:1581137389
DOI:10.1145/948109
General Chair:
Sushil Jajodia
George Mason University
,
Program Chairs:
Vijay Atluri
Rutgers University
,
Trent Jaeger
IBM Watson
Copyright © 2003 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 27 October 2003
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
bro
evaluation
network intrusion detection
pattern matching
security
signatures
snort
Qualifiers
- Article
Conference

Acceptance Rates
Overall Acceptance Rate1,261of6,999submissions,18%
Upcoming Conference
CCS '24

Sponsor:

sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 180
  Total Citations
  View Citations
- 5,423
  Total Downloads
- Downloads (Last 12 months)23
- Downloads (Last 6 weeks)4
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Enhancing byte-level network intrusion detection signatures with context

CCS '03: Proceedings of the 10th ACM conference on Computer and communications security

ABSTRACT

References

Cited By

Recommendations

A Comparative study of Open Source IDSs according to their Ability to Detect Attacks

Overview of intrusion detection and intrusion prevention

A survey and taxonomy of techniques used for alerts of Intrusion Detection Systems