Return to search

Enhancing Performance of Vulnerability-based Intrusion Detection Systems

The accuracy of current intrusion detection systems (IDSes) is hindered by the limited
capability of regular expressions (REs) to express the exact vulnerability. Recent advances have proposed vulnerability-based IDSes that parse traffic and retrieve protocol semantics to describe the vulnerability. Such a description of attacks is analogous to subscriptions that specify events of interest in event processing systems. However, the matching engine of state-of-the-art IDSes lacks efficient matching algorithms that can process many signatures simultaneously. In this work, we place event processing in the core of the IDS and propose novel algorithms to efficiently parse and match vulnerability
signatures. Also, we are among the first to detect complex attacks such as the Conficker
worm which requires correlating multiple protocol data units (MPDUs) while maintaining
a small memory footprint. Our approach incurs neglibile overhead when processing
clean traffic, is resilient to attacks, and is faster than existing systems.

Identiferoai:union.ndltd.org:LACETR/oai:collectionscanada.gc.ca:OTU.1807/25574
Date31 December 2010
CreatorsFarroukh, Amer
ContributorsJacobsen, Hans-Arno
Source SetsLibrary and Archives Canada ETDs Repository / Centre d'archives des thèses électroniques de Bibliothèque et Archives Canada
Languageen_ca
Detected LanguageEnglish
TypeThesis

Page generated in 0.0017 seconds