Language-Based Generation and Evaluation of NIDS Signatures

Rubin, Shai; Jha, Somesh; Miller, Barton P.

doi:10.1109/sp.2005.10

Cited by 27 publications

(16 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…al. [34,35] do not distinguish between what the exploit looks like on the network and what it looks like when it is processed on the host, as our Epsilon-Gamma-Pi model does. These works were also intended for generating exploits based on known vulnerabilities and not for analyzing zero-day exploits to derive protection for unknown vulnerabilities.…”

Section: Modeling Polymorphismmentioning

confidence: 95%

See 1 more Smart Citation

On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits

Crandall

et al. 2005

Proceedings of the 12th ACM Conference on Computer and Communications Security

124

View full text Add to dashboard Cite

Vulnerabilities that allow worms to hijack the control flow of each host that they spread to are typically discovered months before the worm outbreak, but are also typically discovered by third party researchers. A determined attacker could discover vulnerabilities as easily and create zero-day worms for vulnerabilities unknown to network defenses. It is important for an analysis tool to be able to generalize from a new exploit observed and derive protection for the vulnerability.Many researchers have observed that certain predicates of the exploit vector must be present for the exploit to work and that therefore these predicates place a limit on the amount of polymorphism and metamorphism available to the attacker. We formalize this idea and subject it to quantitative analysis with a symbolic execution tool called DACODA. Using DACODA we provide an empirical analysis of 14 exploits (seven of them actual worms or attacks from the Internet, caught by Minos with no prior knowledge of the vulnerabilities and no false positives observed over a period of six months) for four operating systems.Evaluation of our results in the light of these two models leads us to conclude that 1) single contiguous byte string signatures are not effective for content filtering, and tokenbased byte string signatures composed of smaller substrings are only semantically rich enough to be effective for content filtering if the vulnerability lies in a part of a protocol that is not commonly used, and that 2) practical exploit analysis must account for multiple processes, multithreading, and kernel processing of network data necessitating a focus on primitives instead of vulnerabilities.

show abstract

Section: Modeling Polymorphismmentioning

confidence: 95%

“…The focus of this paper is on polymorphism and metamorphism of . Other papers have focused on [10,28,34,35,43,44], all of which have already been discussed in this section except for Shield [43]. Shields are a host-based solution which are an alternative to patches.…”

Section: Polymorphic Worm Detectionmentioning

confidence: 99%

On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits

Crandall

et al. 2005

Proceedings of the 12th ACM Conference on Computer and Communications Security

124

View full text Add to dashboard Cite

show abstract

“…Such IDSes are the most widely used approach in the commercial IDS technology today. Moreover, abundant research efforts such as [17,30,3,6,24,21] also fall into this category.…”

Section: Limitations Of Existing Approachesmentioning

confidence: 99%

Enhancing Intrusion Detection System with proximity information

Zhuang¹,

Li²,

Chen³

2010

IJSN

View full text Add to dashboard Cite

Abstract:The wide spread of worms poses serious challenges to today's Internet. Various IDSes (Intrusion Detection Systems) have been proposed to identify or prevent such spread. These IDSes can be largely classified as signature-based or anomaly-based ones depending on what type of knowledge the system knows. Signature-based IDSes are unable to detect the outbreak of new and unidentified worms when the worms' characteristic patterns are unknown. In addition, new worms are often sufficiently intelligent to hide their activities and evade anomaly detection. Moreover, modern worms tend to spread more quickly, and the outbreak period lasts in the order of hours or even minutes. Such characteristics render existing detection mechanisms less effective.In this work, we consider the drawbacks of current detection approaches and propose PAIDS, a proximity-assisted IDS approach for identifying the outbreak of unknown worms. PAIDS does not rely on signatures. Instead, it takes advantage of the proximity information of compromised hosts. PAIDS operates on an orthogonal dimension with existing IDS approaches and can thus work collaboratively with existing IDSes to achieve better performance. We test the effectiveness of PAIDS with trace-driven simulations and observe that PAIDS has a high detection rate and a low false positive rate. We also build a proof-of-concept prototype using Google Maps APIs and libpcap library.

show abstract

“…If a signature for an attack mutant is supposed to be developed the signature of the basis attack could be reused, if available. Rubin et al further describe in [11] a refinement of signatures based on formal languages. This approach can help the signature developer to remove triggers for false positives caused by imprecise signatures.…”

Section: On the Derivation Of Signaturesmentioning

confidence: 99%

Towards Systematic Signature Testing

Schmerl

Koenig

2007

Testing of Software and Communicating Systems

View full text Add to dashboard Cite

Abstract. The success and the acceptance of intrusion detection systems essentially depend on the accuracy of their analysis. Inaccurate signatures strongly trigger false alarms. In practice several thousand false alarms per month are reported which limit the successful deployment of intrusion detection systems. Most today deployed intrusion detection systems apply misuse detection as detection procedure. Misuse detection compares the recorded audit data with predefined patterns, the signatures. These are mostly empirically developed based on experience and knowledge of experts. Methods for a systematic development have been scarcely reported yet. A testing and correcting phase is required to improve the quality of the signatures. Signature testing is still a rather empirical process like signature development itself. There exists no test methodology so far. In this paper we present first approaches for a systematic test of signatures. We characterize the test objectives and present different test methods. MotivationThe increasing dependence of human society on information technology (IT) systems requires appropriate measures to cope with their misuse. The enlarging technological complexity of IT systems increases the range of threats to endanger them. Besides preventive security measures reactive approaches are more and more applied to counter these threats. Reactive approaches allow responses and counter measures when security violations happened to prevent further damage. Complementary to preventive measures intrusion detection and prevention systems have proved as important means to protect IT resources. Meanwhile a wide range of commercial intrusion detection products is offered, especially for misuse detection. Nevertheless intrusion detection systems (IDSs) are not still deployed in a large scale. The reason is that the technology is considered not matured enough. Lacking reliability often resulting in high false alarm rates questions the practicability of intrusion detection systems [9].The security function intrusion detection deals with the monitoring of IT systems to detect security violations. The decision which activities have to be considered as security violations in a given context is defined by the applied security policy. Two main complementary approaches are applied: anomaly and misuse detection. Anomaly detection aims at the exposure of abnormal user behavior. It requires a comprehensive

show abstract

Language-Based Generation and Evaluation of NIDS Signatures

Abstract: We present a methodology to automatically construct robust signatures whose accuracy is based on formal reasoning so it can be systematically evaluated.Our

Cited by 27 publications

References 18 publications

On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits

On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits

Enhancing Intrusion Detection System with proximity information

Towards Systematic Signature Testing

Contact Info

Product

Resources

About