Enhancing byte-level network intrusion detection signatures with context

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2003, Pages 262-271

  Sommer, Robin ^a   Paxson, Vern ^b  

^a TECHNICAL UNIVERSITY OF MUNICH   (Germany)

^b LAWRENCE BERKELEY NATIONAL LABORATORY   (United States)

Author keywords

Bro; Evaluation; Network Intrusion Detection; Pattern Matching; Security; Signatures; Snort

Indexed keywords

COMPUTER HARDWARE; COMPUTER NETWORKS; COMPUTER PROGRAMMING LANGUAGES; EVALUATION; NETWORK PROTOCOLS; PATTERN MATCHING; SEMANTICS; TELECOMMUNICATION TRAFFIC;

BRO; NETWORK INTRUSION DETECTION; SECURITY; SIGNATURES; SNORT;

SECURITY OF DATA;

EID: 14844324904     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/948109.948145     Document Type: Conference Paper

References (37)

1. arachNIDS. http://whitehats.com/ids/.
2. Web archive of versions of software and signatures used in this paper. http://www.net.in.tum.de/~robin/ccs03.
3. S. Axelsson. The base-rate fallacy and the difficulty of intrusion detection. ACM Transactions on Information and System Security, 3(3):186-205, August 2000.
4. R. G. Bace. Intrusion Detection. Macmillan Technical Publishing, Indianapolis, IN, USA, 2000.
5. Bro: A System for Detecting Network Intruders in Real-Time. http://www.icir.org/vern/bro-info.html.
6. Bugtraq. http://www.securityfocus.com/bid/1187.
7. CERT Advisory CA-2002-27 Apache/mod_ssl Worm. http://www.cert-org/ advisories/CA-2002-27.html.
8. C. J. Coit, S. Staniford, and J. McAlerney. Towards Faster Pattern Matching for Intrusion Detection or Exceeding the Speed of Snort. In Proc. 2nd DARPA Information Survivability Conference and Exposition, June 2001.
9. Common Vulnerabilities and Exposures, http://www.cve.mitre.org.
10. H. Debar and B. Morin. Evaluation of the Diagnostic Capabilities of Commercial Intrusion Detection Systems. In Proc. Recent Advances in Intrusion Detection, number 2516 in Lecture Notes in Computer Science. Springer-Verlag, 2002.
11. R. F. et. al. Hypertext transfer protocol - http/1.1. Request for Comments 2616, June 1999.
12. M. Fisk and G. Varghese. Fast Content-Based Packet Handling for Intrusion Detection. Technical Report CS2001-0670, UC San Diego, May 2001.
13. Fyodor. Remote OS detection via TCP/IP Stack Finger Printing. Phrack Magazine, 8(54), 1998.
14. J. Haines, L. Rossey, R. Lippmann, and R. Cunnigham. Extending the 1999 Evaluation. In Proc. 2nd DARPA Information Survivability Conference and Exposition, June 2001.
15. M. Hall and K. Wiley. Capacity Verification for High Speed Network Intrusion Detection Systems. In Proc. Recent Advances in Intrusion Detection, number 2516 in Lecture Notes in Computer Science. Springer-Verlag, 2002.
16. M. Handley, C. Kreibich, and V. Paxson. Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. In Proc. 10th USENIX Security Symposium, Washington, D.C., August 2001.
17. J. Heering, P. Klint, and J. Rekers. Incremental generation of lexical scanners. ACM Transactions on Programming Languages and Systems (TOPLAS), 14(4):490-520, 1992.
18. J. E. Hopcroft and J. D. Ullman. Introduction to Automata Theory, Languages, and Computation. Addison Wesley, 1979.
19. K. Jackson. Intrusion detection system product survey. Technical Report LA-UR-99-3883, Los Alamos National Laboratory, June 1999.
20. U. Lindqvist and P. A. Porras. Detecting computer and network misuse through the production-based expert system toolset (P-BEST). In Proc. IEEE Symposium on Security and Privacy. IEEE Computer Society Press, May 1999.
21. R. Lippmann, R. K. Cunningham, D. J. Fried, I. Graf, K. R. Kendall, S. E. Webster, and M. A. Zissman. Results of the 1998 DARPA Offline Intrusion Detection Evaluation. In Proc. Recent Advances in Intrusion Detection, 1999.
22. R. Lippmann, J. W. Haines, D. J. Fried, J. Korba, and K. Das. The 1999 DARPA off-line intrusion detection evaluation. Computer Networks, 34(4):579-595, October 2000.
23. R. Lippmann, S. Webster, and D. Stetson. The Effect of Identifying Vulnerabilities and Patching Software on the Utility of Network Intrusion Detection. In Proc. Recent Advances in Intrusion Detection, number 2516 in Lecture Notes in Computer Science. Springer-Verlag, 2002.
24. J. McHugh. Testing Intrusion detection systems: A critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Transactions on Information and System Security, 3(4):262-294, November 2000.
25. V. Paxson. Bro: A system for detecting network intruders in real-time. Computer Networks, 31(23-24):2435-2463, 1999.
26. P. A. Porras and P. G. Neumann. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In National Information Systems Security Conference, Baltimore, MD, October 1997.
27. T. H. Ptacek and T. N. Newsham. Insertion, evasion, and denial of service: Eluding network intrusion detection. Technical report, Secure Networks, Inc., January 1998.
28. M. J. Ranum, K. Landfield, M. Stolarchuk, M. Sienkiewicz, A. Lambeth, and E. Wall. Implementing a generalised tool for network monitoring. In Proc. 11th Systems Administration Conference (USA), 1997.
29. M. Roesch. Snort: Lightweight intrusion detection for networks. In Proc. 13th Systems Administration Conference (LISA), pages 229-238. USENIX Association, November 1999.
30. R. Sekar and P. Uppuluri. Synthesizing fast intrusion prevention/detection systems from high-level specifications. In Proc. 8th USENIX Security Symposium. USENIX Association, August 1999.
31. U. Shankar and V. Paxson. Active Mapping: Resisting NIDS Evasion Without Altering Traffic. In Proc. IEEE Symposium on Security and Privacy, 2003.
32. Steven T. Eckmann. Translating Snort rules to STATL scenarios. In Proc. Recent Advances in Intrusion Detection, October 2001.
33. tcpdump. http://www.tcpdump.org.
34. Valgrind. http://developer.kde.org/~sewardj.
35. G. Vigna, S. Eckmann, and R. Kemmerer. The STAT Tool Suite. In Proc. 1st DARPA Information Survivability Conference and Exposition, Hilton Head, South Carolina, January 2000. IEEE Computer Society Press.
36. G. Vigna and R. A. Kemmerer. Netstat: A network-based intrusion detection system. Journal of Computer Security, 7(1):37-71, 1999.
37. Whisker, http://www.wiretrip.net/rfp.