Proceedings of the 10th ACM Conference on Computer and Communications Security 2003
DOI: 10.1145/948109.948145
|View full text |Cite
|
Sign up to set email alerts
|

Enhancing byte-level network intrusion detection signatures with context

Abstract: Many network intrusion detection systems (NIDS) use byte sequences as signatures to detect malicious activity. While being highly efficient, they tend to suffer from a high false-positive rate. We develop the concept of contextual signatures as an improvement of string-based signature-matching. Rather than matching fixed strings in isolation, we augment the matching process with additional context. When designing an efficient signature engine for the NIDS Bro, we provide low-level context by using regular expr… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
3
1
1

Citation Types

0
72
0

Year Published

2007
2007
2016
2016

Publication Types

Select...
4
4
1

Relationship

2
7

Authors

Journals

citations
Cited by 191 publications
(72 citation statements)
references
References 16 publications
(21 reference statements)
0
72
0
Order By: Relevance
“…Furthermore, Carrie Gates et al [8] used a distributed sensor system to detect network scans albeit showing limited success. Finally, there has been extensive work in signature-based intrusion detection schemes [19] [16]. These systems make use of packet payload identification techniques that are based on string and regular expression matching for NIDS [28] [11] [14].…”
Section: Related Workmentioning
confidence: 99%
“…Furthermore, Carrie Gates et al [8] used a distributed sensor system to detect network scans albeit showing limited success. Finally, there has been extensive work in signature-based intrusion detection schemes [19] [16]. These systems make use of packet payload identification techniques that are based on string and regular expression matching for NIDS [28] [11] [14].…”
Section: Related Workmentioning
confidence: 99%
“…Intrusion detection systems Snort [21] and Bro [24] maintain per flow state and match packets to a pre-defined set of rules, making them unscalable to high-speed links. To speed up rule matching, some vendors (such as NetScreen [17] and Fortinet [8]) have implemented detection rules in hardware.…”
Section: Related Workmentioning
confidence: 99%
“…Researchers have suggested using regular expressions so that users can easily write rules. Sommar and Paxson used regular expressions for Bro and built a DFA [13]. They noticed that DFA may consume too much memory so Bro computes a new state in DFA whenever the DFA needs to transit into the state and the states that are not transited are removed to maintain the overall memory size small.…”
Section: Related Workmentioning
confidence: 99%