Variable-length signatures for intrusion detection
نویسندگان
چکیده
Intrusion detection has become a basic infrastructure to guarantee the security of most internetworking applications. With more internetworking applications in the Internet nowadays, enormous volume of audit trails are produced for the analysis within intrusion detection. For this reason, it is critical to reduce the detection computation of intrusion detection to meet the realtime detection requirement. In this paper, using a formal intrusion detection framework, we propose a new concept of variable-length signature, along with feature selection, to compress the behavior models of our intrusion detection system, USAID[7], that achieves promising detection performance. Intuitively, compact behavior models will make the detection process computationally much cheaper. Our experimental results show that the proposed technique will degrade the detection rate of unknown intrusions, and fortunately, that it achieves a high detection rate for known intrusions with a significantly reduced false alarm rate. As a result, compared to USAID, the size of the behavior model is decreased by 99.52%, and the detection computation is cut down by 81.15% at least.
منابع مشابه
تولید خودکار الگوهای نفوذ جدید با استفاده از طبقهبندهای تک کلاسی و روشهای یادگیری استقرایی
In this paper, we propose an approach for automatic generation of novel intrusion signatures. This approach can be used in the signature-based Network Intrusion Detection Systems (NIDSs) and for the automation of the process of intrusion detection in these systems. In the proposed approach, first, by using several one-class classifiers, the profile of the normal network traffic is established. ...
متن کاملIntrusion Detection Using Variable-Length Audit Trail Patterns
Audit trail patterns generated on behalf of a Unix process can be used to model the process behavior. Most of the approaches proposed so far use a table of fixed-length patterns to represent the process model. However, variable-length patterns seem to be more naturally suited to model the process behavior, but they are also more difficult to construct. In this paper, we present a novel techniqu...
متن کاملSyntax vs. semantics: competing approaches to dynamic network intrusion detection
Malicious network traffic, including widespread worm activity, is a growing threat to Internet-connected networks and hosts. In this paper, we consider two competing approaches to dynamic network intrusion detection: syntax based and semantics based approaches. For the syntax driven approach, we propose two sliding window based schemes to generate potential worm signatures automatically. Since ...
متن کاملAn Intrusion-Detection System Based on the Teiresias Pattern- Discovery Algorithm
This paper addresses the problem of creating a pattern table that can be used to model the normal behavior of a given process. The model can be used for intrusiondetection purposes. So far, most of the approaches proposed have been based on fixed-length patterns, although variable-length patterns seem to be more naturally suited to model the normal process behavior. We have developed a novel te...
متن کاملAn Experience Developing an IDS Stimulator for the Black-Box Testing of Network Intrusion Detection Systems
Signature-based intrusion detection systems use a set of attack descriptions to analyze event streams, looking for evidence of malicious behavior. If the signatures are expressed in a well-defined language, it is possible to analyze the attack signatures and automatically generate events or series of events that conform to the attack descriptions. This approach has been used in tools whose goal...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
ورودعنوان ژورنال:
- Comput. Syst. Sci. Eng.
دوره 23 شماره
صفحات -
تاریخ انتشار 2008