ABSTRACT
Many network intrusion detection systems (NIDS) use byte sequences as signatures to detect malicious activity. While being highly efficient, they tend to suffer from a high false-positive rate. We develop the concept of contextual signatures as an improvement of string-based signature-matching. Rather than matching fixed strings in isolation, we augment the matching process with additional context. When designing an efficient signature engine for the NIDS bro, we provide low-level context by using regular expressions for matching, and high-level context by taking advantage of the semantic information made available by bro's protocol analysis and scripting language. Therewith, we greatly enhance the signature's expressiveness and hence the ability to reduce false positives. We present several examples such as matching requests with replies, using knowledge of the environment, defining dependencies between signatures to model step-wise attacks, and recognizing exploit scans. To leverage existing efforts, we convert the comprehensive signature set of the popular freeware NIDS snort into bro's language. While this does not provide us with improved signatures by itself, we reap an established base to build upon. Consequently, we evaluate our work by comparing to snort, discussing in the process several general problems of comparing different NIDSs.
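As an added illustration (not code from the paper or from bro), the following toy engine shows two of the context mechanisms the abstract names: a request signature that only fires when the server reply also matches, and a signature dependency that only fires after an earlier signature was seen on the same connection. Signature names, regexes and the HTTP request/reply lines are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Signature:
    name: str
    request: re.Pattern                   # regex on the client request (low-level context)
    reply: Optional[re.Pattern] = None    # regex the server reply must also match
    requires: Optional[str] = None        # signature that must have fired earlier on the connection

@dataclass
class Connection:
    cid: str
    fired: set = field(default_factory=set)   # signatures already seen on this connection

def evaluate(sigs, conn, request, reply):
    """Return the names of signatures that fire for one request/reply pair."""
    alerts = []
    for s in sigs:
        if s.requires and s.requires not in conn.fired:
            continue                      # dependency not satisfied: skip
        if not s.request.search(request):
            continue
        if s.reply and not s.reply.search(reply):
            continue                      # request matched, but the reply does not: suppress
        conn.fired.add(s.name)
        alerts.append(s.name)
    return alerts

# Constructed signatures: a probe counts only if the server answered 200,
# and the second signature depends on the first having fired.
SIGS = [
    Signature("cgi-probe-succeeded",
              re.compile(r"(?i)^GET /cgi-bin/[^ ]+ HTTP/1\.[01]"),
              reply=re.compile(r"^HTTP/1\.[01] 200 ")),
    Signature("probe-then-post",
              re.compile(r"^POST /cgi-bin/"),
              requires="cgi-probe-succeeded"),
]

def run_demo():
    # Connection A: the probe gets a 404, so nothing fires and the later POST has no context.
    a = Connection("A")
    r1 = evaluate(SIGS, a, "GET /cgi-bin/test.cgi HTTP/1.0\r\n", "HTTP/1.0 404 Not Found\r\n")
    r2 = evaluate(SIGS, a, "POST /cgi-bin/test.cgi HTTP/1.0\r\n", "HTTP/1.0 200 OK\r\n")
    # Connection B: the probe succeeds, so the dependent POST signature can fire.
    b = Connection("B")
    r3 = evaluate(SIGS, b, "GET /cgi-bin/test.cgi HTTP/1.0\r\n", "HTTP/1.0 200 OK\r\n")
    r4 = evaluate(SIGS, b, "POST /cgi-bin/test.cgi HTTP/1.0\r\n", "HTTP/1.0 200 OK\r\n")
    return {"A": r1 + r2, "B": r3 + r4}
```

A plain byte-string matcher would alert on both connections' GET lines; the reply check drops the failed probe and the dependency keeps the POST signature quiet where no successful probe preceded it.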