Reducing payload scans for attack signature matching using rule classification

Sunghyun Kim, Heejo Lee

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Network intrusion detection systems rely on a signature-based detection engine. When under attack or during heavy traffic, the detection engine needs to make a fast decision on whether a packet or a sequence of packets is normal or malicious. However, if packets carry a heavy payload or the system has a great many attack patterns, the high cost of payload inspection severely diminishes detection performance. Therefore, it is better to avoid unnecessary payload scans by checking the protocol fields in the packet header first, before executing the heavy operations of payload inspection. Furthermore, when payload inspection is necessary, it is better to compare as few attack patterns as possible. In this paper, we propose a method which reduces payload scans by integrating the processing of protocol fields with the classification of payload signatures. While performance improvements depend on the given networking environment, the experimental results with the DARPA data set show that the proposed method outperforms the latest Snort by over 6.5% for web traffic.
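As an added illustration (example code, not the authors' implementation), a toy Python model of the idea in the abstract: header fields select a bucket of candidate rules, and the payload is scanned only against that bucket. The rules and packets are constructed, and the unclassified baseline is a deliberately naive engine, not Snort.

```python
from collections import defaultdict

# Constructed rule set in the spirit of content-matching IDS rules:
# header constraints (proto, dport) plus a payload pattern. dport=None means
# "any port", the case that forces a wildcard bucket in the classifier.
RULES = [
    {"sid": 1, "proto": "tcp", "dport": 80,   "content": b"/cgi-bin/phf"},
    {"sid": 2, "proto": "tcp", "dport": 80,   "content": b"../.."},
    {"sid": 3, "proto": "tcp", "dport": 21,   "content": b"SITE EXEC"},
    {"sid": 4, "proto": "tcp", "dport": 25,   "content": b"VRFY"},
    {"sid": 5, "proto": "udp", "dport": 53,   "content": b"version.bind"},
    {"sid": 6, "proto": "tcp", "dport": None, "content": b"/bin/sh"},
]

# Constructed packets: one web request, one TLS-looking blob, one DNS query, one SSH banner.
PACKETS = [
    {"proto": "tcp", "dport": 80,  "payload": b"GET /cgi-bin/phf?x=../.. HTTP/1.0"},
    {"proto": "tcp", "dport": 443, "payload": b"\x16\x03\x01" + b"A" * 200},
    {"proto": "udp", "dport": 53,  "payload": b"\x00\x01version.bind"},
    {"proto": "tcp", "dport": 22,  "payload": b"SSH-2.0-OpenSSH"},
]

def header_ok(pkt, rule):
    return rule["proto"] == pkt["proto"] and rule["dport"] in (None, pkt["dport"])

def naive_match(pkt, rules):
    """Baseline: scan the payload against every rule, header check afterwards.
    Returns (matched sids, number of payload scans performed)."""
    hits, scans = [], 0
    for r in rules:
        scans += 1
        if r["content"] in pkt["payload"] and header_ok(pkt, r):
            hits.append(r["sid"])
    return hits, scans

def classify(rules):
    """Bucket rules by (proto, dport); port-agnostic rules land in (proto, None)."""
    buckets = defaultdict(list)
    for r in rules:
        buckets[(r["proto"], r["dport"])].append(r)
    return buckets

def classified_match(pkt, buckets):
    """Header fields pick the candidate bucket; only those rules touch the payload.
    A packet whose header matches no rule costs zero payload scans."""
    candidates = (buckets.get((pkt["proto"], pkt["dport"]), [])
                  + buckets.get((pkt["proto"], None), []))
    hits = [r["sid"] for r in candidates if r["content"] in pkt["payload"]]
    return hits, len(candidates)

def run(packets, rules):
    """Return per-packet hits plus total payload scans for both engines."""
    buckets, hits, naive_total, classified_total = classify(rules), [], 0, 0
    for p in packets:
        nh, ns = naive_match(p, rules)
        ch, cs = classified_match(p, buckets)
        assert sorted(nh) == sorted(ch)   # same verdicts, fewer scans
        hits.append(sorted(ch)); naive_total += ns; classified_total += cs
    return hits, naive_total, classified_total
```

With these inputs the classified engine reaches the same verdicts with 6 payload scans instead of 24; the saving shrinks as more rules carry wildcard headers.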

Original language: English
Title of host publication: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Pages: 350-360
Number of pages: 11
Volume: 5107 LNCS
DOIs: 10.1007/978-3-540-70500-0-26
Publication status: Published - 2008 Dec 1
Event: 13th Australasian Conference on Information Security and Privacy, ACISP 2008 - Wollongong, NSW, Australia
Duration: 2008 Jul 7 to 2008 Jul 9

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 5107 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 13th Australasian Conference on Information Security and Privacy, ACISP 2008
Country: Australia
City: Wollongong, NSW
Period: 08/7/7 to 08/7/9


ASJC Scopus subject areas

  • Computer Science(all)
  • Theoretical Computer Science

Cite this

Kim, S., & Lee, H. (2008). Reducing payload scans for attack signature matching using rule classification. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 5107 LNCS, pp. 350-360). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5107 LNCS). https://doi.org/10.1007/978-3-540-70500-0-26

@inproceedings{3454772823bc458da7858377787de55b,
title = "Reducing payload scans for attack signature matching using rule classification",
abstract = "Network intrusion detection systems rely on a signature-based detection engine. When under attack or during heavy traffic, the detection engines need to make fast decision whether a packet or a sequence of packets is normal or malicious. However, if packets have a heavy payload or the system has a great deal of attack patterns, the high cost of payload inspection severely diminishes the detection performance. Therefore, it would be better to avoid unnecessary payload scans by checking the protocol fields in the packet header first, before executing their heavy operations of payload inspection. Furthermore, when payload inspection is necessary, it is better to compare attack patterns as few as possible. In this paper, we propose a method which reduces payload scans by an integration of processing protocol fields and classifying payload signatures. While performance improvements are dependent on a given networking environment, the experimental results with the DARPA data set show that the proposed method outperforms the latest Snort over 6.5{\%} for web traffic.",
author = "Sunghyun Kim and Heejo Lee",
year = "2008",
month = "12",
day = "1",
doi = "10.1007/978-3-540-70500-0-26",
language = "English",
isbn = "3540699716",
volume = "5107 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "350--360",
booktitle = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

}
