The original paper is in English. Non-English content has been machine-translated and may contain typographical errors or mistranslations. ex. Some numerals are expressed as "XNUMX".
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Sunghyun KIM, Heejo LEE, "Reducing Payload Inspection Cost Using Rule Classification for Fast Attack Signature Matching" in IEICE TRANSACTIONS on Information, vol. E92-D, no. 10, pp. 1971-1978, October 2009, doi: 10.1587/transinf.E92.D.1971.
Abstract: Network intrusion detection systems rely on a signature-based detection engine. When under attack or during heavy traffic, the detection engines need to make a fast decision whether a packet or a sequence of packets is normal or malicious. However, if packets have a heavy payload or the system has a great deal of attack patterns, the high cost of payload inspection severely diminishes detection performance. Therefore, it would be better to avoid unnecessary payload scans by checking the protocol fields in the packet header, before executing their heavy operations of payload inspection. When payload inspection is necessary, it is better to compare a minimum number of attack patterns. In this paper, we propose new methods to classify attack signatures and make pre-computed multi-pattern groups. Based on IDS rule analysis, we grouped the signatures of attack rules by a multi-dimensional classification method adapted to a simplified address flow. The proposed methods reduce unnecessary payload scans and make light pattern groups to be checked. While performance improvements are dependent on a given networking environment, the experimental results with the DARPA data set and university traffic show that the proposed methods outperform the most recent Snort by up to 33%.
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.E92.D.1971/_p
@ARTICLE{e92-d_10_1971,
author={Sunghyun KIM and Heejo LEE},
journal={IEICE TRANSACTIONS on Information},
title={Reducing Payload Inspection Cost Using Rule Classification for Fast Attack Signature Matching},
year={2009},
volume={E92-D},
number={10},
pages={1971-1978},
abstract={Network intrusion detection systems rely on a signature-based detection engine. When under attack or during heavy traffic, the detection engines need to make a fast decision whether a packet or a sequence of packets is normal or malicious. However, if packets have a heavy payload or the system has a great deal of attack patterns, the high cost of payload inspection severely diminishes detection performance. Therefore, it would be better to avoid unnecessary payload scans by checking the protocol fields in the packet header, before executing their heavy operations of payload inspection. When payload inspection is necessary, it is better to compare a minimum number of attack patterns. In this paper, we propose new methods to classify attack signatures and make pre-computed multi-pattern groups. Based on IDS rule analysis, we grouped the signatures of attack rules by a multi-dimensional classification method adapted to a simplified address flow. The proposed methods reduce unnecessary payload scans and make light pattern groups to be checked. While performance improvements are dependent on a given networking environment, the experimental results with the DARPA data set and university traffic show that the proposed methods outperform the most recent Snort by up to 33%.},
keywords={},
doi={10.1587/transinf.E92.D.1971},
ISSN={1745-1361},
month={October},}
TY - JOUR
TI - Reducing Payload Inspection Cost Using Rule Classification for Fast Attack Signature Matching
T2 - IEICE TRANSACTIONS on Information
SP - 1971
EP - 1978
AU - Sunghyun KIM
AU - Heejo LEE
PY - 2009
DO - 10.1587/transinf.E92.D.1971
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E92-D
IS - 10
JA - IEICE TRANSACTIONS on Information
Y1 - October 2009
AB - Network intrusion detection systems rely on a signature-based detection engine. When under attack or during heavy traffic, the detection engines need to make a fast decision whether a packet or a sequence of packets is normal or malicious. However, if packets have a heavy payload or the system has a great deal of attack patterns, the high cost of payload inspection severely diminishes detection performance. Therefore, it would be better to avoid unnecessary payload scans by checking the protocol fields in the packet header, before executing their heavy operations of payload inspection. When payload inspection is necessary, it is better to compare a minimum number of attack patterns. In this paper, we propose new methods to classify attack signatures and make pre-computed multi-pattern groups. Based on IDS rule analysis, we grouped the signatures of attack rules by a multi-dimensional classification method adapted to a simplified address flow. The proposed methods reduce unnecessary payload scans and make light pattern groups to be checked. While performance improvements are dependent on a given networking environment, the experimental results with the DARPA data set and university traffic show that the proposed methods outperform the most recent Snort by up to 33%.
ER -