Reducing payload scans for attack signature matching using rule classification

Sunghyun Kim; Heejo Lee

doi:10.1007/978-3-540-70500-0_26

Reducing payload scans for attack signature matching using rule classification

Sunghyun Kim, Heejo Lee

Department of Computer and Radio Communications Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Network intrusion detection systems rely on a signature-based detection engine. When under attack or during heavy traffic, the detection engines need to make fast decision whether a packet or a sequence of packets is normal or malicious. However, if packets have a heavy payload or the system has a great deal of attack patterns, the high cost of payload inspection severely diminishes the detection performance. Therefore, it would be better to avoid unnecessary payload scans by checking the protocol fields in the packet header first, before executing their heavy operations of payload inspection. Furthermore, when payload inspection is necessary, it is better to compare attack patterns as few as possible. In this paper, we propose a method which reduces payload scans by an integration of processing protocol fields and classifying payload signatures. While performance improvements are dependent on a given networking environment, the experimental results with the DARPA data set show that the proposed method outperforms the latest Snort over 6.5% for web traffic.

Original language	English
Title of host publication	Information Security and Privacy - 13th Australasian Conference, ACISP 2008, Proceedings
Publisher	Springer Verlag
Pages	350-360
Number of pages	11
ISBN (Print)	3540699716, 9783540699712
DOIs	https://doi.org/10.1007/978-3-540-70500-0_26
Publication status	Published - 2008
Event	13th Australasian Conference on Information Security and Privacy, ACISP 2008 - Wollongong, NSW, Australia Duration: 2008 Jul 7 → 2008 Jul 9

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	5107 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	13th Australasian Conference on Information Security and Privacy, ACISP 2008
Country	Australia
City	Wollongong, NSW
Period	08/7/7 → 08/7/9

ASJC Scopus subject areas

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-540-70500-0_26

Fingerprint Dive into the research topics of 'Reducing payload scans for attack signature matching using rule classification'. Together they form a unique fingerprint.

Cite this

Kim, S., & Lee, H. (2008). Reducing payload scans for attack signature matching using rule classification. In Information Security and Privacy - 13th Australasian Conference, ACISP 2008, Proceedings (pp. 350-360). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5107 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-540-70500-0_26

Reducing payload scans for attack signature matching using rule classification. / Kim, Sunghyun; Lee, Heejo.

Information Security and Privacy - 13th Australasian Conference, ACISP 2008, Proceedings. Springer Verlag, 2008. p. 350-360 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 5107 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Kim, S & Lee, H 2008, Reducing payload scans for attack signature matching using rule classification. in Information Security and Privacy - 13th Australasian Conference, ACISP 2008, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 5107 LNCS, Springer Verlag, pp. 350-360, 13th Australasian Conference on Information Security and Privacy, ACISP 2008, Wollongong, NSW, Australia, 08/7/7. https://doi.org/10.1007/978-3-540-70500-0_26

Kim S, Lee H. Reducing payload scans for attack signature matching using rule classification. In Information Security and Privacy - 13th Australasian Conference, ACISP 2008, Proceedings. Springer Verlag. 2008. p. 350-360. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-540-70500-0_26

Kim, Sunghyun ; Lee, Heejo. / Reducing payload scans for attack signature matching using rule classification. Information Security and Privacy - 13th Australasian Conference, ACISP 2008, Proceedings. Springer Verlag, 2008. pp. 350-360 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{3454772823bc458da7858377787de55b,

title = "Reducing payload scans for attack signature matching using rule classification",

abstract = "Network intrusion detection systems rely on a signature-based detection engine. When under attack or during heavy traffic, the detection engines need to make fast decision whether a packet or a sequence of packets is normal or malicious. However, if packets have a heavy payload or the system has a great deal of attack patterns, the high cost of payload inspection severely diminishes the detection performance. Therefore, it would be better to avoid unnecessary payload scans by checking the protocol fields in the packet header first, before executing their heavy operations of payload inspection. Furthermore, when payload inspection is necessary, it is better to compare attack patterns as few as possible. In this paper, we propose a method which reduces payload scans by an integration of processing protocol fields and classifying payload signatures. While performance improvements are dependent on a given networking environment, the experimental results with the DARPA data set show that the proposed method outperforms the latest Snort over 6.5% for web traffic.",

author = "Sunghyun Kim and Heejo Lee",

year = "2008",

doi = "10.1007/978-3-540-70500-0_26",

language = "English",

isbn = "3540699716",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "350--360",

booktitle = "Information Security and Privacy - 13th Australasian Conference, ACISP 2008, Proceedings",

}

TY - GEN

T1 - Reducing payload scans for attack signature matching using rule classification

AU - Kim, Sunghyun

AU - Lee, Heejo

PY - 2008

Y1 - 2008

N2 - Network intrusion detection systems rely on a signature-based detection engine. When under attack or during heavy traffic, the detection engines need to make fast decision whether a packet or a sequence of packets is normal or malicious. However, if packets have a heavy payload or the system has a great deal of attack patterns, the high cost of payload inspection severely diminishes the detection performance. Therefore, it would be better to avoid unnecessary payload scans by checking the protocol fields in the packet header first, before executing their heavy operations of payload inspection. Furthermore, when payload inspection is necessary, it is better to compare attack patterns as few as possible. In this paper, we propose a method which reduces payload scans by an integration of processing protocol fields and classifying payload signatures. While performance improvements are dependent on a given networking environment, the experimental results with the DARPA data set show that the proposed method outperforms the latest Snort over 6.5% for web traffic.

AB - Network intrusion detection systems rely on a signature-based detection engine. When under attack or during heavy traffic, the detection engines need to make fast decision whether a packet or a sequence of packets is normal or malicious. However, if packets have a heavy payload or the system has a great deal of attack patterns, the high cost of payload inspection severely diminishes the detection performance. Therefore, it would be better to avoid unnecessary payload scans by checking the protocol fields in the packet header first, before executing their heavy operations of payload inspection. Furthermore, when payload inspection is necessary, it is better to compare attack patterns as few as possible. In this paper, we propose a method which reduces payload scans by an integration of processing protocol fields and classifying payload signatures. While performance improvements are dependent on a given networking environment, the experimental results with the DARPA data set show that the proposed method outperforms the latest Snort over 6.5% for web traffic.

UR - http://www.scopus.com/inward/record.url?scp=70349849802&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=70349849802&partnerID=8YFLogxK

U2 - 10.1007/978-3-540-70500-0_26

DO - 10.1007/978-3-540-70500-0_26

M3 - Conference contribution

AN - SCOPUS:70349849802

SN - 3540699716

SN - 9783540699712

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 350

EP - 360

BT - Information Security and Privacy - 13th Australasian Conference, ACISP 2008, Proceedings

PB - Springer Verlag

T2 - 13th Australasian Conference on Information Security and Privacy, ACISP 2008

Y2 - 7 July 2008 through 9 July 2008

ER -