Enhancing byte-level network intrusion detection signatures with context

Sommer, Robin; Paxson, Vern

doi:10.1145/948109.948145

Cited by 190 publications

(72 citation statements)

References 16 publications

(21 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Furthermore, Carrie Gates et al [8] used a distributed sensor system to detect network scans albeit showing limited success. Finally, there has been extensive work in signature-based intrusion detection schemes [19] [16]. These systems make use of packet payload identification techniques that are based on string and regular expression matching for NIDS [28] [11] [14].…”

Section: Related Workmentioning

confidence: 99%

Cross-Domain Collaborative Anomaly Detection: So Far Yet So Close

Boggs

Hiremagalore²,

Stavrou³

et al. 2011

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Web applications have emerged as the primary means of access to vital and sensitive services such as online payment systems and databases storing personally identifiable information. Unfortunately, the need for ubiquitous and often anonymous access exposes web servers to adversaries. Indeed, network-borne zero-day attacks pose a critical and widespread threat to web servers that cannot be mitigated by the use of signature-based intrusion detection systems. To detect previously unseen attacks, we correlate web requests containing user submitted content across multiple web servers that is deemed abnormal by local Content Anomaly Detection (CAD) sensors. The cross-site information exchange happens in real-time leveraging privacy preserving data structures. We filter out high entropy and rarely seen legitimate requests reducing the amount of data and time an operator has to spend sifting through alerts. Our results come from a fully working prototype using eleven weeks of real-world data from production web servers. During that period, we identify at least three application-specific attacks not belonging to an existing class of web attacks as well as a wide-range of traditional classes of attacks including SQL injection, directory traversal, and code inclusion without using human specified knowledge or input.

show abstract

Section: Related Workmentioning

confidence: 99%

Cross-Domain Collaborative Anomaly Detection: So Far Yet So Close

Boggs

Hiremagalore²,

Stavrou³

et al. 2011

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Intrusion detection systems Snort [21] and Bro [24] maintain per flow state and match packets to a pre-defined set of rules, making them unscalable to high-speed links. To speed up rule matching, some vendors (such as NetScreen [17] and Fortinet [8]) have implemented detection rules in hardware.…”

Section: Related Workmentioning

confidence: 99%

Online detection of network traffic anomalies using behavioral distance

Sengar¹,

Wang

et al. 2009

2009 17th International Workshop on Quality of Service

View full text Add to dashboard Cite

Abstract-While network-wide anomaly analysis has been well studied, the on-line detection of network traffic anomalies at a vantage point inside the Internet still poses quite a challenge to network administrators. In this paper, we develop a behavioral distance based anomaly detection mechanism with the capability of performing on-line traffic analysis. To construct accurate online traffic profiles, we introduce horizontal and vertical distance metrics between various traffic features (i.e., packet header fields) in the traffic data streams. The significant advantages of the proposed approach lie in four aspects: (1) it is efficient and simple enough to process on-line traffic data; (2) it facilitates protocol behavioral analysis without maintaining per-flow state; (3) it is scalable to high speed traffic links because of the aggregation, and (4) using various combinations of packet features and measuring distances between them, it is capable for accurate on-line anomaly detection. We validate the efficacy of our proposed detection system by using network traffic traces collected at Abilene and MAWI high-speed links.

show abstract

“…Researchers have suggested using regular expressions so that users can easily write rules. Sommar and Paxson used regular expressions for Bro and built a DFA [13]. They noticed that DFA may consume too much memory so Bro computes a new state in DFA whenever the DFA needs to transit into the state and the states that are not transited are removed to maintain the overall memory size small.…”

Section: Related Workmentioning

confidence: 99%