A high-performance network intrusion detection system

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

A high-performance network intrusion detection system

Full text

Pdf (1.04 MB)

Source

Conference on Computer and Communications Security archive
Proceedings of the 6th ACM conference on Computer and communications security table of contents

Kent Ridge Digital Labs, Singapore

Pages: 8 - 17

Year of Publication: 1999

ISBN:1-58113-148-8

Authors

R. Sekar	SUNY, Stony Brook, NY
Y. Guang	Iowa State University, Ames, IA
S. Verma	Iowa State University, Ames, IA
T. Shanbhag	Iowa State University, Ames, IA

Sponsor

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 12, Downloads (12 Months): 130, Citation Count: 10

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/319709.319712 What is a DOI?

ABSTRACT

In this paper we present a new approach for network intrusion detection based on concise specifications that characterize normal and abnormal network packet sequences. Our specification language is geared for a robust network intrusion detection by enforcing a strict type discipline via a combination of static and dynamic type checking. Unlike most previous approaches in network intrusion detection, our approach can easily support new network protocols as information relating to the protocols are not hard-coded into the system. Instead, we simply add suitable type definitions in the specifications and define intrusion patterns on these types. We compile these specifications into a high-performance network intrusion detection system. Important components of our approach include efficient algorithms for pattern-matching and information aggregation on sequences of network packets. In particular, our techniques ensure that the matching time is insensitive to the number of patterns characterizing different network intrusions, and that the aggregation operations typically take constant time per packet. Our system participated in an intrusion detection evaluation organized by MIT Lincoln Labs, where our system demonstrated its effectiveness (96% detection rate on low-level network attacks) and performance (real-time detection at 500Mbps), while producing very few false positives (0.05 to 0.1 per attack).

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	ALJTV95	D. Anderson, T. Lunt, H. Javitz, A. Tamaru, and A. Valdes, Next-generation Intrusion Detection Expert System (HIDES): A Summary, SRI-CSL-95-07, SKI lnt~amtional, 1995.
	Bates95	Peter C. Bates, Debugging heterogeneous distributed systems using event-based models of behavior, ACM Transactions on Computer Systems (TOCS), v.13 n.1, p.1-31, Feb. 1995 [doi>10.1145/200912.200913]
	CERT98	CERT Coordination Center Advisories 1988-1998, http : //www. cert. org/advisories / index, html.
	CM99	S. Chandra and E McCann, Packet Types, Workshop on Compilers Support for Systems Software.
	Denning87	Dorothy E. Denning, An intrusion-detection model, IEEE Transactions on Software Engineering, v.13 n.2, p.222-232, Feb. 1987 [doi>10.1109/TSE.1987.232894]
	FHS97	Stephanie Forrest , Steven A. Hofmeyr , Anil Somayaji, Computer immunology, Communications of the ACM, v.40 n.10, p.88-96, Oct. 1997 [doi>10.1145/262793.262811]
	GLCFKWZ98	I.Graf, R. Lippmann, R. Omningham, D. Fried, K. Kendall, S. Web. ster and M. Zissman, Results of DARPA 1998 Offline Intrusion Detection Evaluation, http: / /ideval. ll .mit. edu/results-ht/nl-dir, 1998.
	GM96	B. Guha and B. Mukherjee, Network Security via Reverse Engineering of TCP Code: Vulnerability Analysis and Proposed Solutions, Proc. of the ~ Infocom, March 1996.
	GSS99	Anup K. Ghosh , Aaron Schwartzbard , Michael Schatz, Learning Program Behavior Profiles for Intrusion Detection, Proceedings of the Workshop on Intrusion Detection and Network Monitoring, p.51-62, April 09-12, 1999
	Guang98	Y. Guang, Real-time packet filtering module for network intrusion detection system, Department of Cornpeter Science, Iowa State University, July 1998.
	Heberlein90	L. Heberlein et al, A Network Security Monitor, Symposium on Researdl Sec~ty and Privacy, 1990.
	Hochberg93	Judith Hochberg , Kathleen Jackson , Cathy Stallings , J. F. McClary , David DuBois , Josephine Ford, NADIR: an automated system for detecting network intrusion and misuse, Computers and Security, v.12 n.3, p.235-248, May 1993 [doi>10.1016/0167-4048(93)90110-Q]
	Ilgun93	Koral Ilgun, USTAT: A Real-Time Intrusion Detection System for UNIX, Proceedings of the 1993 IEEE Symposium on Security and Privacy, p.16, May 24-26, 1993
	LBMC94	Carl E. Landwehr , Alan R. Bull , John P. McDermott , William S. Choi, A taxonomy of computer program security flaws, ACM Computing Surveys (CSUR), v.26 n.3, p.211-254, Sept. 1994 [doi>10.1145/185403.185412]
	LPS99	Wenke Lee , Christopher T. Park , Salvatore J. Stolfo, Automated Intrusion Detection Using NFR: Methods and Experiences, Proceedings of the Workshop on Intrusion Detection and Network Monitoring, p.63-72, April 09-12, 1999
	LV95	David C. Luckham , James Vera, An Event-Based Architecture Definition Language, IEEE Transactions on Software Engineering, v.21 n.9, p.717-734, September 1995 [doi>10.1109/32.464548]
	LHMBH87	D C Luckham , D P Helmbold , D L Bryan , M A Haberler, Task sequencing language for specifying distributed Ada systems, Volume II: Parallel Languages on PARLE: Parallel Architectures and Languages Europe, p.44-53, March 1987, Eindhoven, The Netherlands
	Lunt92	T. Lunt et at, A Real-Time Intrusion Detection Exln~ System (IDES)- Final Report, SRI-CSL-92-05, SKI International, 1992.
	Lunt93	Teresa F. Lunt, A survey of intrusion detection techniques, Computers and Security, v.12 n.4, p.405-418, June 1993 [doi>10.1016/0167-4048(93)90029-5]
	MJ92	S. McCanne and V. jacobson, The BSD Packet Filtea': A New Atchitecttwe for User-level Packet Capture, Lawrence Berkeley Laboratory, Berkeley, CA, 1992.
	MHL94	B. Mukherjee, L. Heberlein and K. Levitt, Network Intrusion Detection, IEEE Network, May/June 1994.
	Paxson98	V. Paxson, Bro: A System for Detecting Network Intruders in Real-Tune, USENIX Security Symposium, 1998.
	PN97	E Porras and E Neumann, EMERALD: Event Monitoring Enabled Responses to Anomalous Live Disturbances, National Information Systems Security Conference, 1997.
	Ranum97	Marcus J. Ranum , Kent Landfield , Michael T. Stolarchuk , Mark Sienkiewicz , Andrew Lambeth , Eric Wall, Implementing a Generalized Tool for Network Monitoring, Proceedings of the 11th Conference on Systems Administration, p.1-8, October 26-31, 1997
	SBS99	R. Sekar , Thomas F. Bowen , Mark E. Segal, On Preventing Intrusions by Process Behavior Monitoring, Proceedings of the Workshop on Intrusion Detection and Network Monitoring, p.29-40, April 09-12, 1999
	SP99	R. Sekar and 1'. UpFaluri, Synthesizing fast intrusion de.tectio~~ention systems f~om high-level spedfications, USENIX Seoaity Symposium, 1999.
	SU99	R. Sekar and E Uppuluri, Synthesizing Fast Intrusion Prevention/Detection Systems from High-Lever Specifications, T~cal Report 99-03, Department of Computer Science, Iowa State University, Ames, IA 50014.
	VK98	G. Vigna , R. A. Kemmerer, NetSTAT: A Network-Based Intrusion Detection Approach, Proceedings of the 14th Annual Computer Security Applications Conference, p.25, December 07-11, 1998

CITED BY 10

	Steven T. Eckmann , Giovanni Vigna , Richard A. Kemmerer, STATL: an attack language for state-based intrusion detection, Journal of Computer Security, v.10 n.1-2, p.71-103, 2002
	R. Sekar , A. Gupta , J. Frullo , T. Shanbhag , A. Tiwari , H. Yang , S. Zhou, Specification-based anomaly detection: a new approach for detecting network intrusions, Proceedings of the 9th ACM conference on Computer and communications security, November 18-22, 2002, Washington, DC, USA
	Diomidis Spinellis , Dimitris Gritzalis, Panoptis: intrusion detection using a domain-specific language, Journal of Computer Security, v.10 n.1-2, p.159-176, 2002
	Klaus Julisch, Clustering intrusion detection alarms to support root cause analysis, ACM Transactions on Information and System Security (TISSEC), v.6 n.4, p.443-471, November 2003
	Marina Bykova , Shawn Ostermann, Statistical analysis of malformed packets and their origins in the modern internet, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, November 06-08, 2002, Marseille, France
	Vivek Haldar , Michael Franz, Towards trusted systems from the ground up, Proceedings of the 10th workshop on ACM SIGOPS European workshop: beyond the PC, July 01-01, 2002, Saint-Emilion, France
	Jesper H. Spring , Jean Privat , Rachid Guerraoui , Jan Vitek, Streamflex: high-throughput stream programming in java, ACM SIGPLAN Notices, v.42 n.10, October 2007
	Animesh Patcha , Jung-Min Park, Network anomaly detection with incomplete audit data, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.13, p.3935-3955, September, 2007
	Zeng-quan Wang , Hui-qiang Wang , Rui-jie Zhang, Analysis of an Intelligent Agent Intrusion Response System, Proceedings of the 2006 IEEE/WIC/ACM international conference on Web Intelligence and Intelligent Agent Technology, p.53-56, December 18-22, 2006
	Alok Tongaonkar , Sreenaath Vasudevan , R. Sekar, Fast packet classification for Snort by native compilation of rules, Proceedings of the 22nd conference on Large installation system administration conference, p.159-165, November 09-14, 2008, San Diego, California