Byte Level NIDS Improvement
Abstract
Byte sequences are used in many network intrusion detection systems (NIDS) as signatures to detect malicious activity. Although highly effective, such signatures suffer from a high false-positive rate. Here we propose the concept of contextual signatures as an enhancement to string-based signature matching. Instead of matching isolated fixed strings, we augment the matching process with additional context. In designing a capable signature engine for the NIDS, we provide a low-level perspective by using regular expressions for matching, and a high-level perspective by taking advantage of the semantic information made available by protocol analysis and a scripting language. This greatly increases the expressiveness of signatures and hence their ability to reduce false positives. Several examples are presented, such as matching requests with their replies, using knowledge of the environment, defining dependencies between signatures to model multi-step attacks, and recognizing exploit scans.
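The abstract names three techniques without showing them: regular-expression matching on payload bytes, correlating a request with its reply, and a dependency between signatures that turns repeated matches into an "exploit scan" alert. The following is an added illustration in Python, not code from the paper or from any NIDS it describes; the signature pattern, the HTTP request/reply pairs, the IP addresses, the names (Conn, naive_match, contextual_match, ScanDetector) and the scan threshold are all constructed for this example.

```python
"""Toy contextual-signature matcher (added example, not from the paper).

Shows the difference between a context-free byte signature, which fires on
every matching request, and a contextual one, which also requires that the
server's reply indicate the request reached an existing resource (2xx), plus a
signature dependency that flags one source attacking many hosts as a scan.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    """One reassembled request/reply pair (hypothetical, simplified)."""
    src: str
    dst: str
    request: bytes
    reply: bytes


# Constructed regex resembling a directory-traversal probe for cmd.exe.
SIG_TRAVERSAL = re.compile(
    rb"GET /[^ ]*(\.\./|%2e%2e%2f|%c0%af)[^ ]*cmd\.exe", re.IGNORECASE)
# Parses the status code from the first line of an HTTP reply.
REPLY_STATUS = re.compile(rb"^HTTP/1\.[01] (\d{3})")


def reply_status(reply: bytes):
    """Return the HTTP status code of a reply, or None if it is not HTTP."""
    m = REPLY_STATUS.match(reply)
    return int(m.group(1)) if m else None


def naive_match(conn: Conn) -> bool:
    """Context-free matching: alert on every request that matches the regex."""
    return SIG_TRAVERSAL.search(conn.request) is not None


def contextual_match(conn: Conn) -> bool:
    """Contextual matching: request matched AND the server answered 2xx.

    A 404 means the targeted script does not exist, so the probe failed and
    the alert would be a false positive in a context-free engine.
    """
    if not naive_match(conn):
        return False
    st = reply_status(conn.reply)
    return st is not None and 200 <= st < 300


class ScanDetector:
    """Signature dependency: fire a 'scan' alert once a single source has
    sent the same probe to at least `threshold` distinct hosts, regardless
    of how those hosts replied (threshold is a constructed value)."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold
        self.targets = defaultdict(set)   # src -> set of dst hosts probed
        self.reported = set()             # sources already reported

    def observe(self, conn: Conn) -> bool:
        if not naive_match(conn):
            return False
        self.targets[conn.src].add(conn.dst)
        if (len(self.targets[conn.src]) >= self.threshold
                and conn.src not in self.reported):
            self.reported.add(conn.src)
            return True
        return False


def run(conns):
    """Feed connections through all three detectors; return (kind, src, dst) alerts."""
    det = ScanDetector()
    alerts = []
    for c in conns:
        if naive_match(c):
            alerts.append(("naive", c.src, c.dst))
        if contextual_match(c):
            alerts.append(("contextual", c.src, c.dst))
        if det.observe(c):
            alerts.append(("scan", c.src, None))
    return alerts


# Constructed sample traffic: one attacker probes three hosts, only the
# third of which actually has the script; one benign client fetches a page.
PROBE = (b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"
         b"Host: victim\r\n\r\n")
SAMPLE = [
    Conn("10.0.0.9", "192.0.2.10", PROBE, b"HTTP/1.1 404 Not Found\r\n\r\n"),
    Conn("10.0.0.9", "192.0.2.11", PROBE, b"HTTP/1.1 404 Not Found\r\n\r\n"),
    Conn("10.0.0.5", "192.0.2.10", b"GET /index.html HTTP/1.0\r\n\r\n",
         b"HTTP/1.1 200 OK\r\n\r\n"),
    Conn("10.0.0.9", "192.0.2.12", PROBE, b"HTTP/1.1 200 OK\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)
```

On the constructed sample the context-free signature raises three alerts, the contextual one raises a single alert for the host that actually returned 200, and the scan dependency raises one alert for the source once it has probed three hosts. The unsuccessful probes are still useful evidence, which is why the scan detector consumes the context-free match rather than the contextual one.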
Similar sources
Viable network intrusion detection in high-performance environments
Network intrusion detection systems (NIDS) continuously monitor network traffic for malicious activity, raising alerts when they detect attacks. However, high-performance Gbps networks pose major challenges for these systems. Despite vendor promises, they often fail to work reliably in such environments. In this work, we set out to understand the trade-offs involved in network intrusion detecti...
Design and Evaluation of Parallel String Matching Algorithms for Network Intrusion Detection Systems
Network security is very important for Internet-connected hosts because of the spread of worms, viruses, DoS attacks, etc. As a result, a network intrusion detection system (NIDS) is typically needed to detect network attacks by packet inspection. For an NIDS, string matching is the computation-intensive task and hence the performance bottleneck, since every byte of the payload of pa...
Fast Packet Classification for Snort by Native Compilation of Rules
Signature matching, which includes packet classification and content matching, is the most expensive operation of a signature-based network intrusion detection system (NIDS). In this paper, we present a technique to improve the performance of packet classification of Snort, a popular open-source NIDS, based on generating native code from Snort signatures. An obvious way to generate native code ...
Capacity Verification for High Speed Network Intrusion Detection Systems
Commercially available network intrusion detection systems (NIDS) came onto the market over six years ago. These systems have gained acceptance as a viable means of monitoring the security of consumer networks, yet no commercial standards exist to help consumers understand the capacity characteristics of these devices. Existing NIDS tests are flawed. These tests resemble the same tests used wit...
Performance Improvement by Coordinating Configurations of Independently-managed NIDS
Because of today's increased traffic volume and sophisticated attacks, implementing a network intrusion detection/prevention system (NIDS/NIPS) on a single workstation has become challenging. In this paper, we propose Brownie, a system for improving performance by coordinating the configurations of already-existing, independently-managed NIDSs in an organization. Instead of installing one expensive ...
Publication date: 2012