Signature Detection in Sampled Packets
Authors
Abstract
Deep packet inspection and payload analysis are required for various purposes, such as the detection and identification of attacks as well as service- and application-level analysis of packet streams. However, network-wide deployment of full-fledged network analyzers and intrusion detection systems is a very costly solution, especially in large networks and at high link speeds. On the other hand, modern routers, switches and monitoring probes are able to capture selected packet data and export it to a remote collector. We developed and implemented a traffic analysis system that applies online pattern matching to the received packet data, e.g. in order to detect known attack signatures. As bandwidth and computational resources are limited, the amount of packet data that is captured and exported must be restricted. Therefore, we analyzed the rule sets of the popular Snort intrusion detection system and determined which parts of a packet are relevant for signature detection and which parts can be omitted without impairing the detection quality.
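The last step of the abstract, working out which bytes of a packet a Snort rule actually needs, can be made concrete. The following is an added example, not code from the paper or from Snort: a small parser for Snort 2-style content options (content with |hex| sections, offset, depth, distance, within, nocase) that computes, per rule, how many leading payload bytes an exporter must send, and then matches rules against truncated packets the way a collector would. It assumes that the exporter reports the original payload length alongside the captured prefix (as sFlow and PSAMP/IPFIX exports can), assumes the search-window convention stated in the code comment, and uses constructed rules with illustrative sids and constructed payloads rather than real signatures or real traffic.

```python
# Added example (not the paper's code): capture-length planning for Snort-style rules.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Content:
    pattern: bytes
    nocase: bool = False
    offset: int = 0                  # absolute: search starts at this payload byte
    depth: Optional[int] = None      # absolute: window length measured from offset
    distance: Optional[int] = None   # relative: bytes skipped after the previous match
    within: Optional[int] = None     # relative: window length measured from that point

@dataclass
class Rule:
    sid: str = ""
    contents: List[Content] = field(default_factory=list)

# Window convention assumed here (close to Snort's): absolute [offset, offset+depth),
# relative [prev_end+distance, prev_end+distance+within); no depth/within = to payload end.
_OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
_CONTENT_TOKEN = re.compile(r'\|([0-9A-Fa-f\s]*)\||\\(.)|(.)', re.S)

def decode_content(raw: str) -> bytes:
    """Snort content string (text, |hex| sections, backslash escapes) -> bytes."""
    out = bytearray()
    for hexpart, esc, lit in _CONTENT_TOKEN.findall(raw):
        out += bytes.fromhex(hexpart) if hexpart else (esc or lit).encode("latin-1")
    return bytes(out)

def parse_rule(text: str) -> Rule:
    """Parse one rule's option block; options not modelled here are skipped."""
    rule, body = Rule(), text[text.index("(") + 1:text.rindex(")")]
    for key, val in _OPTION_RE.findall(body):
        val = val.strip()
        val = val[1:-1] if val[:1] == val[-1:] == '"' else val
        if key == "content":
            rule.contents.append(Content(pattern=decode_content(val)))
        elif key == "sid":
            rule.sid = val
        elif rule.contents:  # content modifiers bind to the most recent content
            if key == "nocase":
                rule.contents[-1].nocase = True
            elif key in ("offset", "depth", "distance", "within"):
                setattr(rule.contents[-1], key, int(val))
    return rule

def _window(c: Content, prev_end: int) -> Tuple[int, Optional[int]]:
    """Search window [start, end) for a content; end is None when it is unbounded."""
    rel = c.distance is not None or c.within is not None
    start = prev_end + (c.distance or 0) if rel else c.offset
    length = c.within if rel else c.depth
    return start, (None if length is None else start + length)

def required_bytes(rule: Rule) -> Optional[int]:
    """Leading bytes to export so every window of the rule is available; None = whole payload."""
    need = prev_end = 0
    for c in rule.contents:
        _, prev_end = _window(c, prev_end)   # window end bounds where this match can end
        if prev_end is None:
            return None
        need = max(need, prev_end)
    return need

def evaluate(rule: Rule, captured: bytes, original_len: int) -> Optional[bool]:
    """True/False when the exported prefix decides the rule; None when a needed window runs
    past the prefix with no match in the part held. First occurrence only (Snort may backtrack)."""
    prev_end = 0
    for c in rule.contents:
        start, end = _window(c, prev_end)
        end = original_len if end is None else min(end, original_len)
        hay, pat = captured[start:end], c.pattern
        if c.nocase:
            hay, pat = hay.lower(), pat.lower()
        idx = hay.find(pat)
        if idx < 0:
            return None if end > len(captured) else False
        prev_end = start + idx + len(pat)
    return True

def plan_capture(rules: List[Rule], snaplen: int) -> Dict[str, Tuple[Optional[int], bool]]:
    """Per sid: bytes the rule needs and whether exporting `snaplen` leading bytes suffices."""
    need = {r.sid: required_bytes(r) for r in rules}
    return {sid: (n, n is not None and n <= snaplen) for sid, n in need.items()}

def detect(rules: List[Rule], payload: bytes, snaplen: int) -> Dict[str, Optional[bool]]:
    return {r.sid: evaluate(r, payload[:snaplen], len(payload)) for r in rules}

# Constructed rules (illustrative sids, not real signatures) and constructed payloads.
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"HTTP GET"; content:"GET "; depth:4; sid:1000001;)',
    'alert tcp any any -> any 21 (msg:"FTP USER then PASS"; content:"USER "; depth:5; '
    'content:"|0d 0a|PASS "; distance:0; within:40; sid:1000002;)',
    'alert tcp any any -> any any (msg:"keyword anywhere"; content:"evil"; nocase; sid:1000003;)',
]
RULES = [parse_rule(r) for r in SAMPLE_RULES]
HTTP_PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: evil-client\r\n\r\n"
FTP_PAYLOAD = b"USER anonymous\r\nPASS guest@\r\n"
```

With these inputs, plan_capture(RULES, 64) reports that sids 1000001 and 1000002 are fully decidable from a 64-byte prefix (they need 4 and 45 bytes, the second because its relative window is bounded by within), while 1000003 has no depth and needs the whole payload. detect(RULES, HTTP_PAYLOAD, 32) accordingly returns None for 1000003: the collector must count such results as "not evaluated" rather than "no match" when judging detection quality at a given snaplen, which is the distinction the paper's rule-set analysis is meant to control.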
Similar resources
Improvement and parallelization of Snort network intrusion detection mechanism using graphics processing unit
Nowadays, Network Intrusion Detection Systems (NIDS) are widely used to provide full security on computer networks. IDS are categorized into two primary types, including signature-based systems and anomaly-based systems. The former is more commonly used than the latter due to its lower error rate. The core of a signature-based IDS is the pattern matching. This process is inherently a computatio...
Automatic generation of new intrusion signatures using one-class classifiers and inductive learning methods
In this paper, we propose an approach for automatic generation of novel intrusion signatures. This approach can be used in the signature-based Network Intrusion Detection Systems (NIDSs) and for the automation of the process of intrusion detection in these systems. In the proposed approach, first, by using several one-class classifiers, the profile of the normal network traffic is established. ...
A New Algorithm for Voice Activity Detection Based on Wavelet Packets (RESEARCH NOTE)
Speech constitutes much of the communicated information; most other perceived audio signals do not carry nearly as much information. Indeed, much of the non-speech signals maybe classified as ‘noise’ in human communication. The process of separating conversational speech and noise is termed voice activity detection (VAD). This paper describes a new approach to VAD which is based on the Wavelet ...
A Novel Signature-based Traffic Classification Engine to Reduce False Alarms in Intrusion Detection Systems
Pattern matching plays a significant role in ascertaining network attacks, and the foremost prerequisite for a trusted intrusion detection system (IDS) is accurate pattern matching. During the pattern matching process, packets are scanned against a pre-defined rule set. After scanning, the packets are marked as alert or benign by the detection system. Sometimes the detection system genera...
A Method to Obtain Signatures from Honeypots Data
Building an intrusion detection model in an automatic and online way is worth discussing for timely detection of new attacks. This paper gives a scheme to automatically construct Snort rules online, based on data captured by honeypots. Since traffic data to honeypots represent abnormal activities, activity patterns extracted from those data can be used as attack signatures. Packets captured by honeyp...
Publication date: 2007