Reducing payload inspection cost using rule classification for fast attack signature matching

Sunghyun Kim, Heejo Lee

Research output: Contribution to journal › Article

1 Citation (Scopus)

Abstract

Network intrusion detection systems rely on a signature-based detection engine. When under attack or during heavy traffic, the detection engine needs to make a fast decision whether a packet or a sequence of packets is normal or malicious. However, if packets have a heavy payload or the system has a large number of attack patterns, the high cost of payload inspection severely diminishes detection performance. Therefore, it is better to avoid unnecessary payload scans by checking the protocol fields in the packet header before executing the heavy operation of payload inspection. When payload inspection is necessary, it is better to compare a minimum number of attack patterns. In this paper, we propose new methods to classify attack signatures and make pre-computed multi-pattern groups. Based on IDS rule analysis, we grouped the signatures of attack rules by a multi-dimensional classification method adapted to a simplified address flow. The proposed methods reduce unnecessary payload scans and make light pattern groups to be checked. While performance improvements depend on the given networking environment, experimental results with the DARPA data set and university traffic show that the proposed methods outperform the most recent Snort by up to 33%.
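The header-first, grouped-signature idea the abstract describes, as an added illustration. This is not the paper's code and not Snort's: the rules, packets and the HOME_NET prefix are constructed for the sketch, and the grouping key (protocol, destination port, simplified flow direction) is an assumption about what a multi-dimensional classification over a simplified address flow could look like. The flat scanner is included only so the saved pattern comparisons can be counted.

```python
"""Header-first signature grouping (added example, not the paper's code).

Rules, packets and HOME_NET are constructed; the grouping key
(protocol, destination port, simplified flow direction) is an assumption.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("10.0.0.0/8")  # assumed internal address range

# Constructed Snort-like rules: (proto, dst port or "any", flow, content bytes).
RULES = [
    ("tcp", 80, "in", b"/etc/passwd"),
    ("tcp", 80, "in", b"cmd.exe"),
    ("tcp", 80, "in", b"<script>"),
    ("tcp", 445, "in", b"\\PIPE\\"),
    ("tcp", 21, "in", b"SITE EXEC"),
    ("udp", 53, "out", b"\x00\x00\xfc\x00\x01"),  # DNS AXFR question
    ("tcp", "any", "out", b"uid=0(root)"),         # shell output leaving the network
]

# Constructed packets: one web attack, one bulk internal transfer, one reverse shell.
PACKETS = [
    {"src": "192.0.2.10", "dst": "10.0.0.5", "proto": "tcp", "dport": 80,
     "payload": b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"},
    {"src": "10.0.1.2", "dst": "10.0.1.3", "proto": "tcp", "dport": 9000,
     "payload": b"\x00" * 1400},
    {"src": "10.0.0.5", "dst": "198.51.100.7", "proto": "tcp", "dport": 4444,
     "payload": b"uid=0(root) gid=0(root)\n"},
]


def flow_direction(src_ip, dst_ip):
    """Collapse the address pair to 'in', 'out' or 'internal'."""
    src_home = ip_address(src_ip) in HOME_NET
    dst_home = ip_address(dst_ip) in HOME_NET
    if dst_home and not src_home:
        return "in"
    if src_home and not dst_home:
        return "out"
    return "internal"


def build_groups(rules):
    """Pre-compute pattern groups keyed on header fields only."""
    groups = defaultdict(list)
    for proto, port, flow, pattern in rules:
        groups[(proto, port, flow)].append(pattern)
    return dict(groups)


def candidate_patterns(groups, proto, dport, flow):
    """Patterns that can possibly apply to this header: the exact-port group
    plus the port-'any' group for the same protocol and flow."""
    return groups.get((proto, dport, flow), []) + groups.get((proto, "any", flow), [])


def inspect(groups, pkt):
    """Header lookup first; scan the payload only against the selected group.
    Returns (matched patterns, pattern comparisons made, payload scanned?)."""
    flow = flow_direction(pkt["src"], pkt["dst"])
    patterns = candidate_patterns(groups, pkt["proto"], pkt["dport"], flow)
    if not patterns:  # no rule can match this header: skip the payload entirely
        return [], 0, False
    hits = [p for p in patterns if p in pkt["payload"]]
    return hits, len(patterns), True


def inspect_flat(rules, pkt):
    """Baseline: scan the payload against every pattern, then confirm the
    header fields for each hit.  Same verdicts, more comparisons."""
    flow = flow_direction(pkt["src"], pkt["dst"])
    hits = [p for proto, port, rflow, p in rules
            if p in pkt["payload"] and proto == pkt["proto"]
            and rflow == flow and port in ("any", pkt["dport"])]
    return hits, len(rules), True


def total_comparisons(rules, packets):
    """(grouped comparisons, flat comparisons) over a packet list."""
    groups = build_groups(rules)
    grouped = sum(inspect(groups, p)[1] for p in packets)
    flat = sum(inspect_flat(rules, p)[1] for p in packets)
    return grouped, flat


if __name__ == "__main__":
    g = build_groups(RULES)
    for p in PACKETS:
        print(inspect(g, p))
    print(total_comparisons(RULES, PACKETS))
```

The shortcut is only sound if every rule whose header constraints a packet can satisfy lands in some group consulted for it; here that is why the port-"any" group is merged in, and a rule with a wildcard protocol or flow would need the same treatment. It also does not buy detection on its own: header fields are attacker-controlled, so a service on a non-standard port is only covered if a rule says so.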

Original language: English
Pages (from-to): 1971-1978
Number of pages: 8
Journal: IEICE Transactions on Information and Systems
Volume: E92-D
Issue number: 10
DOI: 10.1587/transinf.E92.D.1971
Publication status: Published - 2009 Dec 1

Keywords

  • Intrusion detection system
  • Pattern matching
  • Rule classification
  • Signature matching

ASJC Scopus subject areas

  • Electrical and Electronic Engineering
  • Software
  • Artificial Intelligence
  • Hardware and Architecture
  • Computer Vision and Pattern Recognition

Cite this

Reducing payload inspection cost using rule classification for fast attack signature matching. / Kim, Sunghyun; Lee, Heejo.

In: IEICE Transactions on Information and Systems, Vol. E92-D, No. 10, 01.12.2009, p. 1971-1978.

Research output: Contribution to journal › Article

@article{cf7de90dfe6c4f8b85a94b91c62610ec,
title = "Reducing payload inspection cost using rule classification for fast attack signature matching",
abstract = "Network intrusion detection systems rely on a signature-based detection engine. When under attack or during heavy traffic, the detection engine needs to make a fast decision whether a packet or a sequence of packets is normal or malicious. However, if packets have a heavy payload or the system has a large number of attack patterns, the high cost of payload inspection severely diminishes detection performance. Therefore, it is better to avoid unnecessary payload scans by checking the protocol fields in the packet header before executing the heavy operation of payload inspection. When payload inspection is necessary, it is better to compare a minimum number of attack patterns. In this paper, we propose new methods to classify attack signatures and make pre-computed multi-pattern groups. Based on IDS rule analysis, we grouped the signatures of attack rules by a multi-dimensional classification method adapted to a simplified address flow. The proposed methods reduce unnecessary payload scans and make light pattern groups to be checked. While performance improvements depend on the given networking environment, experimental results with the DARPA data set and university traffic show that the proposed methods outperform the most recent Snort by up to 33{\%}.",
keywords = "Intrusion detection system, Pattern matching, Rule classification, Signature matching",
author = "Sunghyun Kim and Heejo Lee",
year = "2009",
month = "12",
day = "1",
doi = "10.1587/transinf.E92.D.1971",
language = "English",
volume = "E92-D",
pages = "1971--1978",
journal = "IEICE Transactions on Information and Systems",
issn = "0916-8532",
publisher = "Maruzen Co., Ltd/Maruzen Kabushikikaisha",
number = "10",

}

TY - JOUR

T1 - Reducing payload inspection cost using rule classification for fast attack signature matching

AU - Kim, Sunghyun

AU - Lee, Heejo

PY - 2009/12/1

Y1 - 2009/12/1

N2 - Network intrusion detection systems rely on a signature-based detection engine. When under attack or during heavy traffic, the detection engine needs to make a fast decision whether a packet or a sequence of packets is normal or malicious. However, if packets have a heavy payload or the system has a large number of attack patterns, the high cost of payload inspection severely diminishes detection performance. Therefore, it is better to avoid unnecessary payload scans by checking the protocol fields in the packet header before executing the heavy operation of payload inspection. When payload inspection is necessary, it is better to compare a minimum number of attack patterns. In this paper, we propose new methods to classify attack signatures and make pre-computed multi-pattern groups. Based on IDS rule analysis, we grouped the signatures of attack rules by a multi-dimensional classification method adapted to a simplified address flow. The proposed methods reduce unnecessary payload scans and make light pattern groups to be checked. While performance improvements depend on the given networking environment, experimental results with the DARPA data set and university traffic show that the proposed methods outperform the most recent Snort by up to 33%.

AB - Network intrusion detection systems rely on a signature-based detection engine. When under attack or during heavy traffic, the detection engine needs to make a fast decision whether a packet or a sequence of packets is normal or malicious. However, if packets have a heavy payload or the system has a large number of attack patterns, the high cost of payload inspection severely diminishes detection performance. Therefore, it is better to avoid unnecessary payload scans by checking the protocol fields in the packet header before executing the heavy operation of payload inspection. When payload inspection is necessary, it is better to compare a minimum number of attack patterns. In this paper, we propose new methods to classify attack signatures and make pre-computed multi-pattern groups. Based on IDS rule analysis, we grouped the signatures of attack rules by a multi-dimensional classification method adapted to a simplified address flow. The proposed methods reduce unnecessary payload scans and make light pattern groups to be checked. While performance improvements depend on the given networking environment, experimental results with the DARPA data set and university traffic show that the proposed methods outperform the most recent Snort by up to 33%.

KW - Intrusion detection system

KW - Pattern matching

KW - Rule classification

KW - Signature matching

UR - http://www.scopus.com/inward/record.url?scp=77950202394&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=77950202394&partnerID=8YFLogxK

U2 - 10.1587/transinf.E92.D.1971

DO - 10.1587/transinf.E92.D.1971

M3 - Article

AN - SCOPUS:77950202394

VL - E92-D

SP - 1971

EP - 1978

JO - IEICE Transactions on Information and Systems

JF - IEICE Transactions on Information and Systems

SN - 0916-8532

IS - 10

ER -