Automatic generation of HTTP intrusion signatures by selective identification of anomalies

García-Teodoro, Pedro; Díaz-Verdejo, Jesús E.; Tapiador, Juan E.; Hernández, Rolando Salazar

doi:10.1016/j.cose.2015.09.007

Cited by 23 publications

(10 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…There has been research on how to automatically feed-in a NIDS with signatures and thus to avoid manual work in this regard. To this end authors in Garcia-Teodoro and et al (2015) have shown a hybrid anomaly and signature based IDSs using the former to feed the new signatures to the latter. A comprehensive list of tools currently being used for attack detection and signature generation is given in Kaur and Singh (2013).…”

Section: Related Workmentioning

confidence: 99%

Dynamical analysis of diversity in rule-based open source network intrusion detection systems

Asad

Gashi

2021

Empir Software Eng

View full text Add to dashboard Cite

Diverse layers of defence play an important role in the design of defence-in-depth architectures. The use of Intrusion Detection Systems (IDSs) are ubiquitous in this design. But the selection of the “right” IDSs in various configurations is an important decision that the security architects need to make. Additionally, the ability of these IDSs to adapt to the evolving threat-landscape also needs to be investigated. To help with these decisions, we need rigorous quantitative analysis. In this paper, we present a diversity analysis of open-source IDSs, Snort and Suricata, to help security architects tune/deploy these IDSs. We analyse two types of diversities in these IDSs; configurational diversity and functional diversity. In the configurational diversity analysis, we investigate the diversity in the sets of rules and the Blacklisted IP Addresses (BIPAs) these IDSs use in their configurations. The functional diversity analysis investigates the differences in alerting behaviours of these IDSs when they analyse real network traffic, and how these differences evolve. The configurational diversity experiment utilises snapshots of the rules and BIPAs collected over a period of 5 months, from May to October 2017. The snapshots have been collected for three different off-the-shelf default configurations of the Snort IDS and the Emerging Threats (ET) configuration of the Suricata IDS. The functional diversity investigates the alerting behaviour of these two IDSs for a sample of the real network traffic collected in the same time window. Analysing the differences in these systems allows us to get insights into where the diversity in the behaviour of these systems comes from, how does it evolve and whether this has any effect on the alerting behaviour of these IDSs. This analysis gives insight to security architects on how they can combine and layer these systems in a defence-in-depth deployment.

show abstract

Section: Related Workmentioning

confidence: 99%

Dynamical analysis of diversity in rule-based open source network intrusion detection systems

Asad

Gashi

2021

Empir Software Eng

View full text Add to dashboard Cite

show abstract

“…Similarly, solutions for generating rules are often limited to a certain type of software or a specific protocol. For instance, Nivethan and Papa (Nivethan & Papa, 2016) identified rules for SCADA-software, Nadler et al (2019)) focus on rules for the DNS protocol , and Garcia-Teodoro et al (2015) generate rules for the HTTP protocol. These proposals occasionally make use of knowledge related to the software and identify events that would be potential threats.…”

Section: Variables Related Of Software and Protocolmentioning

confidence: 99%

Variables influencing the effectiveness of signature-based network intrusion detection systems

Sommestad

Holm

Steinvall

2021

Information Security Journal: A Global Perspective

View full text Add to dashboard Cite

Contemporary organizations often employ signature-based network intrusion detection systems to increase the security of their computer networks. The effectiveness of a signature-based system primarily depends on the quality of the rules used to associate system events to known malicious behavior. However, the variables that determine the quality of rulesets is relatively unknown. This paper empirically analyzes the detection probability in a test involving Snort for 1143 exploitation attempts and 12 Snort rulesets created by the Emerging Threats Labs and the Sourcefire Vulnerability Research Team. The default rulesets from Emerging Threats raised priority-1-alerts for 39% of the exploit attempts compared to 31% for rulesets from the Vulnerability Research Team. The following features predict detection probability: if the exploit is publicly known, if the ruleset references the exploited vulnerability, the payload, the type of software targeted, and the operating system of the targeted software. The importance of these variables depends on the ruleset used and whether default rules are used. A logistic regression model with these variables classifies 69-92% of the cases correctly for the different rulesets.

show abstract

“…Within the first category of IDSs for web applications, most research focuses on monitoring the HTTP packets and methods to infer the web-based attacks over payload of network traffic [11]- [14] and [15]. The payload request and response are part of web application behaviors, hence there are relationships between its features.…”

Section: Related Workmentioning

confidence: 99%

O-ADPI: Online Adaptive Deep-Packet Inspector Using Mahalanobis Distance Map for Web Service Attacks Classification

et al. 2019

View full text Add to dashboard Cite

Most active research in Host and Network Intrusion Detection Systems are only able to detect attacks on the computer systems and at the network layer, which are not sufficient to counteract SOAP/REST or XML/JSON-related attacks. In dealing with the problem of anomaly detection in web service message datasets, this paper proposes an anomaly detection system called the Online Adaptive Deep-Packet Inspector (O-ADPI) for web service message attacks classification. The proposed approach relies on multiple statistical methods which use Unigram-based Weighting Scheme (UWS) that combines text mining techniques with a set of different statistical criteria for Feature Selection Engine (FSE) to effectively and efficiently explore optimal subspaces in detecting anomalies embedded deep in the high dimensional feature subspaces. We utilize a supervised intrusion detection algorithm based on Mahalanobis Distance Map classifier. As web service attacks can be classified into anomaly and normal, the task of anomaly detection can be modeled as a classification problem. The O-ADPI model was assessed for F-value, true positive rate (TPR), and false positive rate (FPR) in order to evaluate the detection performance of O-ADPI against different type of feature selections engines with corresponding PCs for each message-specific service. The experiments were performed using the REST-IDS Dataset 2015 and the results demonstrated that the proposed O-ADPI model achieved the best results in each message-specific service.

show abstract

Automatic generation of HTTP intrusion signatures by selective identification of anomalies

Cited by 23 publications

References 36 publications

Dynamical analysis of diversity in rule-based open source network intrusion detection systems

Dynamical analysis of diversity in rule-based open source network intrusion detection systems

Variables influencing the effectiveness of signature-based network intrusion detection systems

O-ADPI: Online Adaptive Deep-Packet Inspector Using Mahalanobis Distance Map for Web Service Attacks Classification

Contact Info

Product

Resources

About