Language-based generation and evaluation of NIDS signatures

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2005, Pages 3-17

  Rubin, Shai ^a   Jha, Somesh ^a   Miller, Barton P ^a  

^a University of Wisconsin Madison   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

FORMAL REASONING; NIDS SIGNATURES;

FORMAL LANGUAGES; NETWORK PROTOCOLS;

DIGITAL LIBRARIES;

EID: 27544472436     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (36)

1. A. V. Aho, R. Sethi, and J. D. Ullman. Compilers: Principles, Techniques and Tools. Addison-Wesley, 1986.
2. R. Alur and M. Yannakakis. Model checking of hierarchical state machines. In Foundations of Software Engineering, Lake Buena Vista, FL, Nov. 1998.
3. A. R. Baker, Barnyard, B. Caswell, M. Poor, R. Alder, J. Babbin, J. Beale, A. Doxtater, J. C. Foster, T. Kohlenberg, and M. Rash. Snort 2.1 Intrusion Detection. Syngress, 2 edition, May 2004.
4. Beyond Security Inc. ProFTPD ASCII file remote root exploit. Available at http://www.securiteam.com/exploits/.
5. BlackMoon Inc. BlackMoon FTP Server. Available at www.blackmoonftpserver. com.
6. F. Cuppens and R. Ortalo. LAMBDA: A language to model a database for detection of attacks. In International Symposium on Recent Advances in Intrusion Detection, Toulouse, France, Oct. 2001.
7. M. Dacier, editor. Design of an Intrusion-Tolerant Intrusion Detection System. IBM Zurich Research Laboratory, Aug. 2002. Deliverable D10, Project MAFTIA IST-1999-11583, Available at www.maftia.org.
8. S. T. Eckmann, G. Vigna, and R. A. Kemmerer. STATL: An attack language for state-based intrusion detection. J. Computer Security, 10(1/2), 2002.
9. S. Ginsburg. The Mathematical Theory of Context Free Languages. McGraw Hill, 1966.
10. M. Handley and V. Paxson. Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. In USENIX Security Symposium, Washington, DC, Aug. 2001.
11. G. J. Holzmann. The Spin Model Checker: Primer and Reference Manual. Addison-Wesley, 2003.
12. J. Hopcroft, R. Motwani, and J. Ullman. Introduction to Automata Theory, Languages, and Computation. Addison-Wesley, 2 edition, 2001.
13. L. Kari, S. Konstantinidis, S. Perron, G. Wozniak, and J. Xu. Finite-state error/edit-systems and difference-measures for languages and words. Technical Report 2003_001, Saint Mary's University Department of Mathematics and Computing Science, 2003.
14. R. Lippmann, J. W. Haines, D. J. Fried, J. Korba, and K. Das. Analysis and results of the 1999 DARPA off-line intrusion detection evaluation. In International Symposium on Recent Advances in Intrusion Detection, Toulouse, France, Oct. 2000.
15. R. Marti. THOR: A tool to test intrusion detection systems by variations of attacks. Master's thesis, Swiss Federal Institute of Technology, Mar. 2002.
16. C. Michel and L. Mé. ADeLe: An attack description language for knowledge-based intrusion detection. In International Conference on Information Security, Paris, France, June 2001.
17. MITRE Corporation. CVE: Common Vulnerabilities and Exposures. Available at www.cve.mitre.org.
18. J. Morrissey, T. Saunders, M. Lowes, D. Roesen, and M. Renner. ProFTPD: Highly configurable GPL-licensed FTP server software. Available at www.proftpd.org.
19. D. Mutz, G. Vigna, and R. A. Kemmerer. An experience developing an IDS stimulator for the black-box testing of network intrusion detection systems. In Annual Computer Security Applications Conference, Las Vegas, NV, Dec. 2003.
20. V. Paxson. Flex, version 2.5, A fast scanner generator. Free Software Foundation, Mar. 1995.
21. V. Paxson. Bro: a system for detecting network intruders in real-time. Computer Networks, 31(23/24), Dec. 1999.
22. J. Postel and J. Reynolds. RFC 959 - File Transfer Protocol. The Internet Engineering Task Force, 1985.
23. J.-P. Pouzol and M. Ducassé. From declarative signatures to misuse IDS. In International Symposium on Recent Advances in Intrusion Detection, Davis, CA, Oct. 2001.
24. J.-P. Pouzol and M. Ducassé. Formal specification of intrusion signatures and detection rules. In IEEE Computer Security Foundations Workshop, Nova Scotia, Canada, June 2002.
25. T. H. Ptacek and T. N. Newsham. Insertion, evasion, and denial of service: Eluding network intrusion detection. Technical Report T2R-0Y6, Secure Networks, Inc., Calgary, Alberta, Canada, 1998.
26. M. Roesch. Snort: the Open Source Network Intrusion Detection System. Available at www.snort.org.
27. S. Rubin, S. Jha, and B. P. Miller. Automatic generation and analysis of NIDS attacks. In Annual Computer Security Applications Conference, Tucson, AZ, Dec. 2004.
28. Security Administrator Newsletter. Instant poll: Do you use Snort to implement an intrusion detection system (IDS) on your network?, Oct. 2002. Available at http://www.winnetmag.com/Poll/.
29. R. Sekar, Y. Guang, S. Verma, and T. Shanbhag. A high-performance network intrusion detection system. In ACM Conference on Computer and Communications Security, Singapore, Nov. 1999.
30. R. Sekar and P. Uppuluri. Synthesizing fast intrusion prevention/detection systems from high-level specifications. In USENIX Security Symposium, Washington, DC, Aug. 1999.
31. R. Sommer and V. Paxson. Enhancing byte-level network intrusion detection signatures with context. In ACM Conference on Computer and Communications Security, Washington, DC, Oct. 2003.
32. R. Teitelbaum. Minimal Distance Analysis of Syntax Errors in Computer Programs. PhD thesis, Computer Science Department, Carnegie-Mellon University, Sep. 1975.
33. The NSS Group. Intrusion detection systems (IDS) group test (Edition 4), 2003. Available at www.nss.co.uk/ids/edition4/index.htm.
34. G. Vigna and R. A. Kemmerer. NetSTAT: A Network-based Intrusion Detection System. J. Computer Security, 7(1), 1999.
35. G. Vigna, W. Robertson, and D. Balzarotti. Testing network-based intrusion detection signatures using mutant exploits. In ACM Conference on Computer and Communications Security, Washington, DC, Oct. 2004.
36. D. Wagner and P. Soto. Mimicry attacks on host-based intrusion detection systems. In ACM Conference on Computer and Communications Security, Washington, DC, Nov. 2002.