Efficient decision tree for protocol analysis in intrusion detection

International Journal of Security and Networks

Volumn 5, Issue 4, 2010, Pages 220-235

  Abbes, T ^a   Bouhoula, A ^b   Rusinowitch, M ^c  

^a UNIVERSITY OF SFAX   (Tunisia)

^b UNIVERSITY OF CARTHAGE   (Tunisia)

^c INRIA   (France)

Author keywords

Decision tree; Inference system; Intrusion detection; Pattern matching; Protocol analysis

Indexed keywords

DECISION TREES; PATTERN MATCHING; SEMANTICS; TREES (MATHEMATICS);

APPLICATION LAYER PROTOCOLS; DATA SEMANTICS; DETECTION METHODS; FALSE POSITIVE; INFERENCE SYSTEMS; MULTI-PATTERN MATCHING; NETWORK INTRUSION DETECTION SYSTEMS; PROTOCOL ANALYSIS;

INTRUSION DETECTION;

EID: 78650634152     PISSN: 17478405     EISSN: 17478413     Source Type: Journal    
DOI: 10.1504/IJSN.2010.037661     Document Type: Article

References (32)

1. Abbes, T., Bouhoula, A. and Rusinowitch, M. (2004) 'On the fly pattern matching for intrusion detection with snort', Annals of Telecommunications, Vol. 59, Nos. 9-10, pp.941-967.
2. Aho, A. and Corasick, M. (1975) 'Efficient string matching: an aid to bibliographic search', Communications of the ACM, Vol. 18, No. 6, pp.333-340.
3. Albitz, P. and Liu, C. (2001) DNS and BIND, 4th ed., pub-OR, 981 Chestnut Street, Newton, MA 02164, USA, Covers BIND 9.
4. Anagnostakis, K.G., Markatos, E.P., Antonatos, S. and Polychronakis, M. (2003) 'E2xB: a domain-specific string matching algorithm for intrusion detection', Proceedings of the 18th IFIP International Information Security Conference (SEC2003), pp.217-228.
5. Boyer, R.S. and Moore, J.S. (1977) 'A fast string searching algorithm', Communications of the ACM, Vol. 20, No. 10, pp.762-772.
6. Coit, C., Staniford, S. and McAlerney, J. (2001) 'Towards faster string matching for intrusion detection or exceeding the speed of snort', DARPA Information Survivability Conference and Exposition, Vol. 1, p.0367.
7. Crochemore, M., Czumaj, A., Ga̧sieniec, L., Lecroq, T., Plandowski, T. and Rytter, W. (1999) 'Fast practical multi-pattern matching', Information Processing Letters, Vol. 71, pp.3-4.
8. Crochemore, M. and Rytter, W. (1994) Text Algorithms, Oxford University Press, New Yorksommer, ISBN 0-19-508609-0.
9. Dreger, H., Feldmann, A., Mai, M., Paxson, V. and Sommer, R. (2006) 'Dynamic application-layer protocol analysis for network intrusion detection', Proceedings of the 15th USENIX Security Symposium, Vancouver, BC, Canada, USENIX Association, Berkeley, CA, USA, pp.257-272.
10. Elz, R. and Bush, R. (1997) RFC 2181: Clarifications to the DNS Specification, Updates RFC1034, RFC1035, RFC1123. Status: PROPOSED STANDARD.
11. Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P. and Berners-Lee, T. (1999) Hypertext Transfer Protocol-HTTP/1.1, RFC 2616, The Internet Society.
12. Fisk, M. and Varghese, G. (2001) Fast Content-Based Packet Handling for Intrusion Detection, Technical Report CS 20001-0670, Department of Computer Science and Engineering, University of California, San Diego.
13. Frederick, K. (2002) Network Intrusion Detection Signatures, Part three, URL: http://www.securityfocus. com/printable/infocus/1544
14. Graham, R. (2002) Evolution of IDS, URL: http://www. robertgraham.com/ slides/0304-evolution-of-ids.ppt
15. Huang, S., Zhang, H. and Yao, G. (2009) 'Research of NIDS in IPV6 based on protocol analysis and pattern matching', International Workshop on Knowledge Discovery and Data Mining, IEEE Computer Society, Los Alamitos, CA, USA, Vol. 0, pp.542-545.
16. Internet Security Systems (2001) Realsecure Signature Reference Guide Version 6.5., Technical report, http:// www.iss.net
17. Internet Systems Consortium, Inc. (2004) URL: http://www.isc.org/index. pl?/sw/bind /bind-security.php
18. Kruegel, C., Toth, T. and Kirda, E. (2002) 'Service specific anomaly detection for network intrusion detection', SAC '02: Proceedings of the 2002 ACM symposium on Applied computing, ACM Press, New York, NY, USA, pp.201-208.
19. Kruegel, C. and Toth, T. (2003) 'Using decision trees to improves signature-based intrusion detection', Proceedings of the 6th International Workshop on the Recent Advances in Intrusion Detection (RAID'2003), LNCS, Vol. 2820, pp.173-191.
20. NFR Security Inc. (2002) NFR, Network Intrusion Detection, v3, URL: http://www.spectrum-systems.com/nfr-nid-datasheet.pdf
21. Paxson, V., Rothfuss, J. and Tierney, B. (2004) Bro User Manual, URL: http://www.bro-ids.org/
22. Postel, J. and Reynolds, J.K. (1985) RFC 959: File Transfer Protocol, Obsoletes RFC0765, Updated by RFC2228, Status: STANDARD.
23. Quinlan, J.R. (1990) 'Induction of decision trees', in Shavlik, J.W. and Dietterich, T.G. (Eds.): Readings in Machine Learning, Morgan Kaufmann, Originally published in Machine Learning, Vol. 1, pp.81-106.
24. Roesch, M. and Green, C. (2003) Snort Users Manual Snort Release: 2.0.1, Snort Documentation.
25. Sangeetha, S., Vaidehi, V., Srinivasan, N., Rajkumar, K., Pradeep, S., Ragavan, N., Lokesh, C., Subadeepak, I. and Prashanth, V. (2008) 'Implementation of application layer intrusion detection system using protocol analysis', International Conference on Signal Processing, Communications and Networking 2008. ICSCN '08., pp.279-284.
26. Sommer, R. and Paxson, V. (2003) 'Enhancing byte-level network intrusion detection signatures with context', Proceedings of the 10th ACM Conference on Computer and Communication Security, ACM Press, Washington DC, USA, pp.262-271.
27. TM Users Manual 2.6.1, Technical Report.
28. Srinivasan, R. (1995a) RFC 1831: RPC: Remote Procedure Call Protocol Specification Version 2, Status: PROPOSED STANDARD.
29. Srinivasan, R. (1995b) RFC 1832: XDR: External Data Representation Standard, Status: DRAFT STANDARD.
30. Srinivasan, R. (1995c) RFC 1833: Binding Protocols for ONC RPC Version 2, Status: PROPOSED STANDARD.
31. Tan, P., Steinbach, M. and Kumar, V. (2005) Introduction to Data Mining, 1st ed., Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA.
32. Zhou, J., Carlson, A.J. and Bishop, M. (2005) 'Verify results of network intrusion alerts using lightweight protocol analysis', ACSAC '05: Proceedings of the 21st Annual Computer Security Applications Conference, IEEE Computer Society, Washington DC, USA, pp.117-126.