The accuracy of current intrusion detection systems (IDSes) is hindered by the limited
capability of regular expressions (REs) to express the exact vulnerability. Recent advances have proposed vulnerability-based IDSes that parse traffic and retrieve protocol semantics to describe the vulnerability. Such a description of attacks is analogous to subscriptions that specify events of interest in event processing systems. However, the matching engine of state-of-the-art IDSes lacks efficient matching algorithms that can process many signatures simultaneously. In this work, we place event processing in the core of the IDS and propose novel algorithms to efficiently parse and match vulnerability
signatures. Also, we are among the first to detect complex attacks such as the Conficker
worm which requires correlating multiple protocol data units (MPDUs) while maintaining
a small memory footprint. Our approach incurs neglibile overhead when processing
clean traffic, is resilient to attacks, and is faster than existing systems.
| Identifer | oai:union.ndltd.org:TORONTO/oai:tspace.library.utoronto.ca:1807/25574 |
| Date | 31 December 2010 |
| Creators | Farroukh, Amer |
| Contributors | Jacobsen, Hans-Arno |
| Source Sets | University of Toronto |
| Language | en_ca |
| Detected Language | English |
| Type | Thesis |
Page generated in 0.0021 seconds