Enhancing byte-level network intrusion detection signatures with context

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Enhancing byte-level network intrusion detection signatures with context

Full text

Pdf (218 KB)

Source

Conference on Computer and Communications Security archive
Proceedings of the 10th ACM conference on Computer and communications security table of contents

Washington D.C., USA

SESSION: Intrusion detection table of contents

Pages: 262 - 271

Year of Publication: 2003

ISBN:1-58113-738-9

Authors

Robin Sommer	TU Munchen, Germany
Vern Paxson	International Computer Science Institute & Lawrence Berkeley National Laboratory, Berkeley, CA

Sponsor

ACM: Association for Computing Machinery

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 20, Downloads (12 Months): 162, Citation Count: 28

Additional Information:

abstract references cited by index terms collaborative colleagues peer to peer

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/948109.948145 What is a DOI?

ABSTRACT

Many network intrusion detection systems (NIDS) use byte sequences as signatures to detect malicious activity. While being highly efficient, they tend to suffer from a high false-positive rate. We develop the concept of contextual signatures as an improvement of string-based signature-matching. Rather than matching fixed strings in isolation, we augment the matching process with additional context. When designing an efficient signature engine for the NIDS bro, we provide low-level context by using regular expressions for matching, and high-level context by taking advantage of the semantic information made available by bro's protocol analysis and scripting language. Therewith, we greatly enhance the signature's expressiveness and hence the ability to reduce false positives. We present several examples such as matching requests with replies, using knowledge of the environment, defining dependencies between signatures to model step-wise attacks, and recognizing exploit scans.To leverage existing efforts, we convert the comprehensive signature set of the popular freeware NIDS snort into bro's language. While this does not provide us with improved signatures by itself, we reap an established base to build upon. Consequently, we evaluate our work by comparing to snort, discussing in the process several general problems of comparing different NIDSs.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	arachNIDS. http://whitehats.com/ids/.
	2	Web archive of versions of software and signatures used in this paper. http://www.net.in.tum.de/~robin/ccs03.
	3	Stefan Axelsson, The base-rate fallacy and the difficulty of intrusion detection, ACM Transactions on Information and System Security (TISSEC), v.3 n.3, p.186-205, Aug. 2000 [doi>10.1145/357830.357849]
	4	Rebecca Gurley Bace, Intrusion detection, Macmillan Publishing Co., Inc., Indianapolis, IN, 1999
	5	Bro: A System for Detecting Network Intruders in Real-Time. http://www.icir.org/vern/bro-info.html.
	6	Bugtraq. http://www.securityfocus.com/bid/1187.
	7	CERT Advisory CA-2002-27 Apache/mod_ssl Worm. http://www.cert.org/advisories/CA-2002-27.html.
	8	C. J. Coit, S. Staniford, and J. McAlerney. Towards Faster Pattern Matching for Intrusion Detection or Exceeding the Speed of Snort. In Proc. 2nd DARPA Information Survivability Conference and Exposition, June 2001.
	9	Common Vulnerabilities and Exposures. http://www.cve.mitre.org.
	10	H. Debar and B. Morin. Evaluation of the Diagnostic Capabilities of Commercial Intrusion Detection Systems. In Proc. Recent Advances in Intrusion Detection, number 2516 in Lecture Notes in Computer Science. Springer-Verlag, 2002.
	11	R. F. et. al. Hypertext transfer protocol -- http/1.1. Request for Comments 2616, June 1999.
	12	Mike Fisk , George Varghese, Fast Content-Based Packet Handling for Intrusion Detection, University of California at San Diego, La Jolla, CA, 2001
	13	Fyodor. Remote OS detection via TCP/IP Stack Finger Printing. Phrack Magazine, 8(54), 1998.
	14	J. Haines, L. Rossey, R. Lippmann, and R. Cunnigham. Extending the 1999 Evaluation. In Proc. 2nd DARPA Information Survivability Conference and Exposition, June 2001.
	15	M. Hall and K. Wiley. Capacity Verification for High Speed Network Intrusion Detection Systems. In Proc. Recent Advances in Intrusion Detection, number 2516 in Lecture Notes in Computer Science. Springer-Verlag, 2002.
	16	M. Handley, C. Kreibich, and V. Paxson. Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. In Proc. 10th USENIX Security Symposium, Washington, D.C., August 2001.
	17	J. Heering , P. Klint , J. Rekers, Incremental generation of lexical scanners, ACM Transactions on Programming Languages and Systems (TOPLAS), v.14 n.4, p.490-520, Oct. 1992 [doi>10.1145/133233.133240]
	18	John E. Hopcroft , Jeffrey D. Ullman, Introduction To Automata Theory, Languages, And Computation, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 1990
	19	K. Jackson. Intrusion detection system product survey. Technical Report LA-UR-99-3883, Los Alamos National Laboratory, June 1999.
	20	U. Lindqvist and P. A. Porras. Detecting computer and network misuse through the production-based expert system toolset (P-BEST). In Proc. IEEE Symposium on Security and Privacy. IEEE Computer Society Press, May 1999.
	21	Richard Lippmann , Joshua W. Haines , David J. Fried , Jonathan Korba , Kumar Das, Analysis and Results of the 1999 DARPA Off-Line Intrusion Detection Evaluation, Proceedings of the Third International Workshop on Recent Advances in Intrusion Detection, p.162-182, October 02-04, 2000
	22	Richard Lippmann , Joshua W. Haines , David J. Fried , Jonathan Korba , Kumar Das, The 1999 DARPA off-line intrusion detection evaluation, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.34 n.4, p.579-595, Oct. 2000 [doi>10.1016/S1389-1286(00)00139-0]
	23	R. Lippmann, S. Webster, and D. Stetson. The Effect of Identifying Vulnerabilities and Patching Software on the Utility of Network Intrusion Detection. In Proc. Recent Advances in Intrusion Detection, number 2516 in Lecture Notes in Computer Science. Springer-Verlag, 2002.
	24	Testing Intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory, ACM Transactions on Information and System Security (TISSEC), v.3 n.4, p.262-294, Nov. 2000 [doi>10.1145/382912.382923]
	25	Vern Paxson, Bro: a system for detecting network intruders in real-time, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.31 n.23-24, p.2435-2463, Dec. 1999 [doi>10.1016/S1389-1286(99)00112-7]
	26	P. A. Porras and P. G. Neumann. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In National Information Systems Security Conference, Baltimore, MD, October 1997.
	27	T. H. Ptacek and T. N. Newsham. Insertion, evasion, and denial of service: Eluding network intrusion detection. Technical report, Secure Networks, Inc., January 1998.
	28	Marcus J. Ranum , Kent Landfield , Michael T. Stolarchuk , Mark Sienkiewicz , Andrew Lambeth , Eric Wall, Implementing a Generalized Tool for Network Monitoring, Proceedings of the 11th Conference on Systems Administration, p.1-8, October 26-31, 1997
	29	Martin Roesch, Snort - Lightweight Intrusion Detection for Networks, Proceedings of the 13th USENIX conference on System administration, November 07-12, 1999, Seattle, Washington
	30	R. Sekar and P. Uppuluri. Synthesizing fast intrusion prevention/detection systems from high-level specifications. In Proc. 8th USENIX Security Symposium. USENIX Association, August 1999.
	31	Umesh Shankar , Vern Paxson, Active Mapping: Resisting NIDS Evasion without Altering Traffic, Proceedings of the 2003 IEEE Symposium on Security and Privacy, p.44, May 11-14, 2003
	32	Steven T. Eckmann. Translating Snort rules to STATL scenarios. In Proc. Recent Advances in Intrusion Detection, October 2001.
	33	tcpdump. http://www.tcpdump.org.
	34	Valgrind. http://developer.kde.org/~sewardj.
	35	G. Vigna, S. Eckmann, and R. Kemmerer. The STAT Tool Suite. In Proc. 1st DARPA Information Survivability Conference and Exposition, Hilton Head, South Carolina, January 2000. IEEE Computer Society Press.
	36	Giovanni Vigna , Richard A. Kemmerer, NetSTAT: a network-based intrusion detection system, Journal of Computer Security, v.7 n.1, p.37-71, Sept. 1999
	37	Whisker. http://www.wiretrip.net/rfp.

CITED BY 28

	Sailesh Kumar , Jonathan Turner , John Williams, Advanced algorithms for fast and scalable deep packet inspection, Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems, December 03-05, 2006, San Jose, California, USA
	Sailesh Kumar , Balakrishnan Chandrasekaran , Jonathan Turner , George Varghese, Curing regular expressions matching algorithms from insomnia, amnesia, and acalculia, Proceedings of the 3rd ACM/IEEE Symposium on Architecture for networking and communications systems, December 03-04, 2007, Orlando, Florida, USA
	Sailesh Kumar , Sarang Dharmapurikar , Fang Yu , Patrick Crowley , Jonathan Turner, Algorithms to accelerate multiple regular expressions matching for deep packet inspection, ACM SIGCOMM Computer Communication Review, v.36 n.4, October 2006
	Miyuki Hanaoka , Makoto Shimamura , Kenji Kono, TCP Reassembler for Layer7-Aware Network Intrusion Detection/Prevention Systems, IEICE - Transactions on Information and Systems, v.E90-D n.12, p.2019-2032, December 2007
	Christian Kreibich, Brooery: a graphical environment for analysis of security-relevant network activity, Proceedings of the USENIX Annual Technical Conference 2005 on USENIX Annual Technical Conference, p.47-47, April 10-15, 2005, Anaheim, CA
	Holger Dreger , Anja Feldmann , Vern Paxson , Robin Sommer, Predicting the resource consumption of network intrusion detection systems, ACM SIGMETRICS Performance Evaluation Review, v.36 n.1, June 2008
	Michela Becchi , Patrick Crowley, A hybrid finite automaton for practical deep packet inspection, Proceedings of the 2007 ACM CoNEXT conference, December 10-13, 2007, New York, New York
	Makoto Shimamura , Miyuki Hanaoka , Kenji Kono, Filtering False Positives Based on Server-Side Behaviors, IEICE - Transactions on Information and Systems, v.E91-D n.2, p.264-276, February 2008
	Alok Tongaonkar , Sreenaath Vasudevan , R. Sekar, Fast packet classification for Snort by native compilation of rules, Proceedings of the 22nd conference on Large installation system administration conference, p.159-165, November 09-14, 2008, San Diego, California
	Ramaswamy Ramaswamy , Lukas Kencl , Gianluca Iannaccone, Approximate fingerprinting to accelerate pattern matching, Proceedings of the 6th ACM SIGCOMM on Internet measurement, October 25-27, 2006, Rio de Janeriro, Brazil
	Fang Yu , Zhifeng Chen , Yanlei Diao , T. V. Lakshman , Randy H. Katz, Fast and memory-efficient regular expression matching for deep packet inspection, Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems, December 03-05, 2006, San Jose, California, USA
	Anirban Majumder , Rajeev Rastogi , Sriram Vanama, Scalable regular expression matching on data streams, Proceedings of the 2008 ACM SIGMOD international conference on Management of data, June 09-12, 2008, Vancouver, Canada
	Bazara I. A. Barry , H. Anthony Chan, On the performance of a hybrid intrusion detection architecture for voice over IP systems, Proceedings of the 4th international conference on Security and privacy in communication netowrks, September 22-25, 2008, Istanbul, Turkey
	Shijin Kong , Randy Smith , Cristian Estan, Efficient signature matching with multiple alphabet compression tables, Proceedings of the 4th international conference on Security and privacy in communication netowrks, September 22-25, 2008, Istanbul, Turkey
	Michela Becchi , Patrick Crowley, An improved algorithm to accelerate regular expression evaluation, Proceedings of the 3rd ACM/IEEE Symposium on Architecture for networking and communications systems, December 03-04, 2007, Orlando, Florida, USA
	Domenico Ficara , Stefano Giordano , Gregorio Procissi, An improved DFA for fast regular expression matching, ACM SIGCOMM Computer Communication Review, v.38 n.5, October 2008
	Holger Dreger , Anja Feldmann , Vern Paxson , Robin Sommer, Operational experiences with high-volume network intrusion detection, Proceedings of the 11th ACM conference on Computer and communications security, October 25-29, 2004, Washington DC, USA
	Michela Becchi , Patrick Crowley, Efficient regular expression evaluation: theory to practice, Proceedings of the 4th ACM/IEEE Symposium on Architectures for Networking and Communications Systems, November 06-07, 2008, San Jose, California
	Jose M. Gonzalez , Vern Paxson , Nicholas Weaver, Shunting: a hardware/software architecture for flexible, high-performance network intrusion prevention, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA
	Spyros Antonatos , Kostas G. Anagnostakis , Evangelos P. Markatos, Generating realistic workloads for network intrusion detection systems, ACM SIGSOFT Software Engineering Notes, v.29 n.1, January 2004
	Vinod Yegneswaran , Jonathon T. Giffin , Paul Barford , Somesh Jha, An architecture for generating semantics-aware signatures, Proceedings of the 14th conference on USENIX Security Symposium, p.7-7, July 31-August 05, 2005, Baltimore, MD
	Randy Smith , Cristian Estan , Somesh Jha , Shijin Kong, Deflating the big bang: fast and scalable deep packet inspection with extended finite automata, ACM SIGCOMM Computer Communication Review, v.38 n.4, October 2008
	Nong Ye , Bashettihalli Harish , Toni Farley, Attack profiles to derive data observations, features, and characteristics of cyber attacks, Information-Knowledge-Systems Management, v.5 n.1, p.23-47, January 2005
	Damiano Bolzoni , Bruno Crispo , Sandro Etalle, ATLANTIDES: an architecture for alert verification in network intrusion detection systems, Proceedings of the 21st conference on 21st Large Installation System Administration Conference, p.1-12, November 11-16, 2007, Dallas
	Shai Rubin , Somesh Jha , Barton P. Miller, Protomatching network traffic for high throughputnetwork intrusion detection, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA
	Guofei Gu , Phillip Porras , Vinod Yegneswaran , Martin Fong , Wenke Lee, BotHunter: detecting malware infection through IDS-driven dialog correlation, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-16, August 06-10, 2007, Boston, MA
	Tadeusz Pietraszek, Classification of intrusion detection alerts using abstaining classifiers, Intelligent Data Analysis, v.11 n.3, p.293-316, August 2007
	Yong Tang , Shigang Chen, An Automated Signature-Based Approach against Polymorphic Internet Worms, IEEE Transactions on Parallel and Distributed Systems, v.18 n.7, p.879-892, July 2007

INDEX TERMS

Primary Classification:
C. Computer Systems Organization
C.2 COMPUTER-COMMUNICATION NETWORKS
C.2.0 General
Subjects: Security and protection (e.g., firewalls)

General Terms:
Performance, Security

Keywords:
bro, evaluation, network intrusion detection, pattern matching, security, signatures, snort

Collaborative Colleagues:

Robin Sommer: colleagues

Vern Paxson: colleagues

Peer to Peer - Readers of this Article have also read:

Augmenting shared personal calendars Proceedings of the 15th annual ACM symposium on User interface software and technology
Joe Tullio , Jeremy Goecks , Elizabeth D. Mynatt , David H. Nguyen
Polymer simulation on the hypercube Proceedings of the third conference on Hypercube concurrent computers and applications
H-Q. Ding
Data structures for quadtree approximation and compression Communications of the ACM 28, 9
Hanan Samet
A hierarchical single-key-lock access control using the Chinese remainder theorem Proceedings of the 1992 ACM/SIGAPP Symposium on Applied computing
Kim S. Lee , Huizhu Lu , D. D. Fisher
An intelligent component database for behavioral synthesis Proceedings of the 27th ACM/IEEE Design Automation Conference on
Gwo-Dong Chen , Daniel D. Gajski

Adobe Acrobat

QuickTime

Windows Media Player

Real Player