Conference Paper

Implementing a Generalized Tool for Network Monitoring.

Conference: Proceedings of the 11th Conference on Systems Administration (LISA-97), San Diego, California, USA, October 26-31, 1997
Source: DBLP

  • Source
    • "Also, most of the commercial NIDSs are signature-based [19], although there are systems that use more powerful concepts to express signatures than just specifying byte patterns. NFR [28], for example, uses a flexible language called N-Code to declare its signatures. In this sense, Bro already provides sophisticated signatures by means of its policy language."
    ABSTRACT: Many network intrusion detection systems (NIDS) use byte sequences as signatures to detect malicious activity. While being highly efficient, they tend to suffer from a high false-positive rate. We develop the concept of contextual signatures as an improvement of string-based signature-matching. Rather than matching fixed strings in isolation, we augment the matching process with additional context. When designing an efficient signature engine for the NIDS bro, we provide low-level context by using regular expressions for matching, and high-level context by taking advantage of the semantic information made available by bro's protocol analysis and scripting language. Therewith, we greatly enhance the signature's expressiveness and hence the ability to reduce false positives. We present several examples such as matching requests with replies, using knowledge of the environment, defining dependencies between signatures to model step-wise attacks, and recognizing exploit scans. To leverage existing efforts, we convert the comprehensive signature set of the popular freeware NIDS snort into bro's language. While this does not provide us with improved signatures by itself, we reap an established base to build upon. Consequently, we evaluate our work by comparing to snort, discussing in the process several general problems of comparing different NIDSs.
    Preview · Conference Paper · Jan 2003
  • Source
    • "Collecting data for our task is similar to the collection of measurements undertaken during system performance tuning [Ousterhout et al. 1985; Loukides 1990; Urner 1997], except that the aim is not to improve performance, only to monitor activity and characterize it."
    ABSTRACT: A comparative analysis of transaction time-series is made, for light to moderately loaded hosts, motivated by the problem of anomaly detection in computers. Criteria for measuring the statistical state of hosts are examined. Applying a scaling transformation to the measured data, it is found that the distribution of fluctuations about the mean is closely approximated by a steady-state, maximum-entropy distribution, modulated by a periodic variation. The shape of the distribution, under these conditions, depends on the dimensionless ratio of the daily/weekly periodicity and the correlation length of the data. These values are persistent or even invariant. We investigate the limits of these conclusions, and how they might be applied in anomaly detection.
    Full-text · Article · May 2002 · ACM Transactions on Computer Systems
  • Source
    ABSTRACT: Network-based intrusion detection systems analyze network traffic looking for evidence of attacks. The analysis is usually performed using signatures, which are rules that describe what traffic should be considered as malicious. If the signatures are known, it is possible to either craft an attack to avoid detection or to send synthetic traffic that will match the signature to over-stimulate the network sensor causing a denial of service attack. To prevent these attacks, commercial systems usually do not publish their signature sets and their analysis algorithms. This paper describes a reverse engineering process and a reverse engineering tool that are used to analyze the way signatures are matched by network-based intrusion detection systems. The results of the analysis are used to either generate variations of attacks that evade detection or produce non-malicious traffic that over-stimulates the sensor. This shows that security through obscurity does not work. That is, keeping the signatures secret does not necessarily increase the resistance of a system to evasion and over-stimulation attacks.
    Preview · Article