Reducing payload scans for attack signature matching using rule classification

Sunghyun Kim, Heejo Lee

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    Abstract

    Network intrusion detection systems rely on a signature-based detection engine. When under attack or during heavy traffic, the detection engines need to make fast decision whether a packet or a sequence of packets is normal or malicious. However, if packets have a heavy payload or the system has a great deal of attack patterns, the high cost of payload inspection severely diminishes the detection performance. Therefore, it would be better to avoid unnecessary payload scans by checking the protocol fields in the packet header first, before executing their heavy operations of payload inspection. Furthermore, when payload inspection is necessary, it is better to compare attack patterns as few as possible. In this paper, we propose a method which reduces payload scans by an integration of processing protocol fields and classifying payload signatures. While performance improvements are dependent on a given networking environment, the experimental results with the DARPA data set show that the proposed method outperforms the latest Snort over 6.5% for web traffic.

    Original languageEnglish
    Title of host publicationInformation Security and Privacy - 13th Australasian Conference, ACISP 2008, Proceedings
    PublisherSpringer Verlag
    Pages350-360
    Number of pages11
    ISBN (Print)3540699716, 9783540699712
    DOIs
    Publication statusPublished - 2008
    Event13th Australasian Conference on Information Security and Privacy, ACISP 2008 - Wollongong, NSW, Australia
    Duration: 2008 Jul 72008 Jul 9

    Publication series

    NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
    Volume5107 LNCS
    ISSN (Print)0302-9743
    ISSN (Electronic)1611-3349

    Other

    Other13th Australasian Conference on Information Security and Privacy, ACISP 2008
    Country/TerritoryAustralia
    CityWollongong, NSW
    Period08/7/708/7/9

    ASJC Scopus subject areas

    • Theoretical Computer Science
    • Computer Science(all)

    Fingerprint

    Dive into the research topics of 'Reducing payload scans for attack signature matching using rule classification'. Together they form a unique fingerprint.

    Cite this