Towards an Attack Signature Generation Framework for Intrusion Detection Systems

Shahriar, Hossain; Bond, William

doi:10.1109/dasc-picom-datacom-cyberscitec.2017.106

Cited by 6 publications

(3 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Shahriar and Bond proposed a method for automatically generating signatures [4]. The genetic algorithm generates them based on other signatures.…”

Section: A Idpsmentioning

confidence: 99%

“…and their IDs or URLs, which allow information related to the signature to be uniquely identified. For example, when referring to CVEs, information can be obtained by searching for an ID in web systems such as the National Vulnerability Database (NVD) 4 and RedHat's CVE Database 5 . Examples of signature-related information include the software targeted by the malicious communication indicated by the signature and its version information.…”

Section: Web Information and Message Featuresmentioning

confidence: 99%

“…(3) We explore the performance improvement due to the RO by using a robust machinelearning model for the RO (deep ensemble [25]), which is said to better represent uncertainty. (4) We analyze the importance of the proposed features to identify the signature elements that the experts regard as important for evaluating the signature. The results of these experiments are described in the form given in Sections V-B1,V-B2,V-B3,V-B4.…”

Section: A Experimental Setting 1) Outline Of the Experimentmentioning

confidence: 99%

See 2 more Smart Citations

IDPS Signature Classification with a Reject Option and the Incorporation of Expert Knowledge

Kawaguchi¹,

Nakatani²,

Okada³

2022

Preprint

View full text Add to dashboard Cite

As the importance of intrusion detection and prevention systems (IDPSs) increases, great costs are incurred to manually manage the signatures that are generated by malicious communication pattern files. Experts in network security management need to classify signatures by importance for an IDPS to work optimally. In this study, we propose and evaluate a machine learning signature classification model with a reject option to reduce the cost of setting up an IDPS. To train the proposed model, it is essential to design features that are effective for signature classification. Experts classify signatures with predefined if-then rules. An if-then rule returns a label of low, medium, high, or unknown importance based on keyword matching of the elements in the signature. Therefore, we first design two types of features, symbolic features (SFs) and keyword features (KFs), which are used in keyword matching for the if-then rules. Next, we design web information and message features (WMFs) to capture the properties of signatures that do not match the if-then rules. The WMFs are extracted as term frequency-inverse document frequency (TF-IDF) features of the message text in the signatures. The features are obtained by web scraping from the referenced external attack identification systems described in the signature. Because failure needs to be minimized in the classification of IDPS signatures, as in the medical field, we consider introducing a reject option in our proposed model. The effectiveness of the proposed classification model is evaluated in experiments with two real datasets composed of signatures labeled by experts: (i) a dataset that can be classified with if-then rules and (ii) a dataset with elements that do not match an if-then rule. In the experiment, the proposed model is evaluated from two perspectives: classification accuracy and reject option performance. In both cases, the combined SFs and WMFs performed better than the combined SFs and KFs. We also show that using an ensemble of neural networks improves the performance of the reject option. An analysis shows that experts refer to natural-language elements in the signatures and information from external information systems on the web.

show abstract

“…Shahriar and Bond proposed a method for automatically generating signatures [4]. The genetic algorithm generates them based on other signatures.…”

Section: A Idpsmentioning

confidence: 99%

Section: Web Information and Message Featuresmentioning

confidence: 99%

Section: A Experimental Setting 1) Outline Of the Experimentmentioning

confidence: 99%

See 1 more Smart Citation