TY - GEN
T1 - Reducing payload scans for attack signature matching using rule classification
AU - Kim, Sunghyun
AU - Lee, Heejo
N1 - Copyright:
Copyright 2021 Elsevier B.V., All rights reserved.
PY - 2008
Y1 - 2008
N2 - Network intrusion detection systems rely on a signature-based detection engine. When under attack or during heavy traffic, the detection engines need to make a fast decision whether a packet or a sequence of packets is normal or malicious. However, if packets have a heavy payload or the system has a great deal of attack patterns, the high cost of payload inspection severely diminishes the detection performance. Therefore, it would be better to avoid unnecessary payload scans by checking the protocol fields in the packet header first, before executing the heavy operations of payload inspection. Furthermore, when payload inspection is necessary, it is better to compare as few attack patterns as possible. In this paper, we propose a method that reduces payload scans by integrating the processing of protocol fields with the classification of payload signatures. While performance improvements depend on the given networking environment, the experimental results with the DARPA data set show that the proposed method outperforms the latest Snort by over 6.5% for web traffic.
AB - Network intrusion detection systems rely on a signature-based detection engine. When under attack or during heavy traffic, the detection engines need to make a fast decision whether a packet or a sequence of packets is normal or malicious. However, if packets have a heavy payload or the system has a great deal of attack patterns, the high cost of payload inspection severely diminishes the detection performance. Therefore, it would be better to avoid unnecessary payload scans by checking the protocol fields in the packet header first, before executing the heavy operations of payload inspection. Furthermore, when payload inspection is necessary, it is better to compare as few attack patterns as possible. In this paper, we propose a method that reduces payload scans by integrating the processing of protocol fields with the classification of payload signatures. While performance improvements depend on the given networking environment, the experimental results with the DARPA data set show that the proposed method outperforms the latest Snort by over 6.5% for web traffic.
UR - http://www.scopus.com/inward/record.url?scp=70349849802&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=70349849802&partnerID=8YFLogxK
U2 - 10.1007/978-3-540-70500-0_26
DO - 10.1007/978-3-540-70500-0_26
M3 - Conference contribution
AN - SCOPUS:70349849802
SN - 3540699716
SN - 9783540699712
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 350
EP - 360
BT - Information Security and Privacy - 13th Australasian Conference, ACISP 2008, Proceedings
PB - Springer Verlag
T2 - 13th Australasian Conference on Information Security and Privacy, ACISP 2008
Y2 - 7 July 2008 through 9 July 2008
ER -