Language-Based Generation and Evaluation of NIDS Signatures

S
SP
2005
2005 IEEE Symposium on Security and Privacy (S&P'05)
Abstract - Language-Based Generation and Evaluation of NIDS Signatures

	This Article
	Subscribers, please Login Purchase article: $19 PDF IEEE Xplore Subscribers RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Shai Rubin Articles by Somesh Jha Articles by Barton P. Miller

2005 IEEE Symposium on Security and Privacy (S&P'05)

Oakland, California

May 08-May 11

ISBN: 0-7695-2339-0

	ASCII Text	x
	Shai Rubin, Somesh Jha, Barton P. Miller, "Language-Based Generation and Evaluation of NIDS Signatures," Security and Privacy, IEEE Symposium on, pp. 3-17, 2005 IEEE Symposium on Security and Privacy (S&P'05), 2005.

	BibTex	x
	@article{ 10.1109/SP.2005.10, author = {Shai Rubin and Somesh Jha and Barton P. Miller}, title = {Language-Based Generation and Evaluation of NIDS Signatures}, journal ={Security and Privacy, IEEE Symposium on}, volume = {0}, year = {2005}, issn = {1081-6011}, pages = {3-17}, doi = {http://doi.ieeecomputersociety.org/10.1109/SP.2005.10}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - Security and Privacy, IEEE Symposium on TI - Language-Based Generation and Evaluation of NIDS Signatures SN - 1081-6011 SP3 EP17 A1 - Shai Rubin, A1 - Somesh Jha, A1 - Barton P. Miller, PY - 2005 KW - null VL - 0 JA - Security and Privacy, IEEE Symposium on ER -

Shai Rubin, University of Wisconsin, Madison

Somesh Jha, University of Wisconsin, Madison

Barton P. Miller, University of Wisconsin, Madison

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/SP.2005.10

We present a methodology to automatically construct robust signatures whose accuracy is based on formal reasoning so it can be systematically evaluated.

Our methodology is based on two formal languages that describe different properties of a given attack. The first language, called a session signature, describes temporal relations between the attack events. The second, called an attack invariant, describes semantic properties that hold in any instance of the attack. For example, an invariant may state that a given FTP attack must include a successful FTP login and can be launched only after the FTP representation mode has been set to ASCII. We iteratively eliminate false positives and negatives from an initial session signature by comparing the signature language to the language of the invariant.

We developed GARD, a tool for session-signature construction, and used it to construct session signatures for multi-step attacks. We show that a session signature is more accurate than existing signatures.

Citation:

Shai Rubin, Somesh Jha, Barton P. Miller, "Language-Based Generation and Evaluation of NIDS Signatures," sp, pp.3-17, 2005 IEEE Symposium on Security and Privacy (S&P'05), 2005

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.