DOI: 10.1145/948109.948145

Enhancing byte-level network intrusion detection signatures with context

Published: 27 October 2003

Abstract

Many network intrusion detection systems (NIDS) use byte sequences as signatures to detect malicious activity. While highly efficient, they tend to suffer from a high false-positive rate. We develop the concept of contextual signatures as an improvement of string-based signature matching. Rather than matching fixed strings in isolation, we augment the matching process with additional context. When designing an efficient signature engine for the NIDS bro, we provide low-level context by using regular expressions for matching, and high-level context by taking advantage of the semantic information made available by bro's protocol analysis and scripting language. In this way, we greatly enhance the signatures' expressiveness and hence the ability to reduce false positives. We present several examples, such as matching requests with replies, using knowledge of the environment, defining dependencies between signatures to model step-wise attacks, and recognizing exploit scans.

To leverage existing efforts, we convert the comprehensive signature set of the popular freeware NIDS snort into bro's language. While this does not provide us with improved signatures by itself, we reap an established base to build upon. Consequently, we evaluate our work by comparing to snort, discussing in the process several general problems of comparing different NIDSs.
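As an added illustration (not code from the paper or from bro itself), the toy matcher below contrasts a fixed-string byte-level signature with a contextual one that uses a regular expression, the server's reply status, and a dependency on an earlier signature from the same source; the Signature class, the placeholder CGI path and the request/reply pairs are all constructed here.

```python
import re
from dataclasses import dataclass

# Toy model of a contextual signature; an assumption for illustration, not
# bro's real signature syntax or matching engine.
@dataclass
class Signature:
    sid: str
    payload: re.Pattern                    # low-level context: a regex, not a fixed string
    reply_status: frozenset = frozenset()  # high-level context: server reply codes required
    requires: frozenset = frozenset()      # signatures that must have fired for the same source

SIGS = [
    Signature("probe", re.compile(r"^OPTIONS \* HTTP/1\.[01]")),
    # Fires only when the request targets the placeholder CGI path, the server
    # answered 200 (so the script exists), and the same source probed first.
    Signature("exploit", re.compile(r"^GET /cgi-bin/example-exploit\?"),
              reply_status=frozenset({200}), requires=frozenset({"probe"})),
]
FIXED_STRINGS = {"probe": "OPTIONS", "exploit": "example-exploit"}

# Constructed request/reply pairs, one per connection; not captured traffic.
CONNS = [
    {"src": "10.0.0.1", "request": "GET /cgi-bin/example-exploit?x=1 HTTP/1.0", "status": 404},
    {"src": "10.0.0.2", "request": "OPTIONS * HTTP/1.1", "status": 200},
    {"src": "10.0.0.2", "request": "GET /cgi-bin/example-exploit?x=1 HTTP/1.0", "status": 200},
    {"src": "10.0.0.3", "request": "GET /docs/example-exploit-advisory.html HTTP/1.1", "status": 200},
    {"src": "10.0.0.4", "request": "GET /cgi-bin/example-exploit?x=1 HTTP/1.0", "status": 200},
]

def byte_level_alerts(conns):
    """Plain byte matching: alert whenever the fixed string occurs in the request."""
    return [(c["src"], sid) for c in conns
            for sid, s in FIXED_STRINGS.items() if s in c["request"]]

def contextual_alerts(conns):
    """Regex on the request, reply status as context, per-source dependencies."""
    seen, alerts = {}, []
    for c in conns:
        for sig in SIGS:
            if not sig.payload.search(c["request"]):
                continue
            if sig.reply_status and c["status"] not in sig.reply_status:
                continue  # server refused the request: no sign of success
            if not sig.requires <= seen.get(c["src"], set()):
                continue  # earlier attack step never seen from this source
            seen.setdefault(c["src"], set()).add(sig.sid)
            alerts.append((c["src"], sig.sid))
    return alerts
```

On the constructed connections the byte-level matcher raises five alerts (a 404 reply, a documentation page mentioning the string, and an unprobed source among them), while the contextual matcher reports only the probe and the successful follow-up from 10.0.0.2.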


Published In

CCS '03: Proceedings of the 10th ACM Conference on Computer and Communications Security
October 2003
374 pages
ISBN: 1581137389
DOI: 10.1145/948109
Publisher

Association for Computing Machinery, New York, NY, United States
Author Tags

1. bro
2. evaluation
3. network intrusion detection
4. pattern matching
5. security
6. signatures
7. snort