DOI: 10.1145/319709.319712 (article, free access)

A high-performance network intrusion detection system

Published: 01 November 1999

Abstract

In this paper we present a new approach for network intrusion detection based on concise specifications that characterize normal and abnormal network packet sequences. Our specification language is geared for robust network intrusion detection by enforcing a strict type discipline via a combination of static and dynamic type checking. Unlike most previous approaches to network intrusion detection, our approach can easily support new network protocols, as information relating to the protocols is not hard-coded into the system. Instead, we simply add suitable type definitions to the specifications and define intrusion patterns on these types. We compile these specifications into a high-performance network intrusion detection system. Important components of our approach include efficient algorithms for pattern matching and information aggregation on sequences of network packets. In particular, our techniques ensure that the matching time is insensitive to the number of patterns characterizing different network intrusions, and that the aggregation operations typically take constant time per packet. Our system participated in an intrusion detection evaluation organized by MIT Lincoln Labs, where it demonstrated its effectiveness (96% detection rate on low-level network attacks) and performance (real-time detection at 500Mbps), while producing very few false positives (0.05 to 0.1 per attack).
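The two performance properties the abstract claims, matching time that does not grow with the number of patterns and aggregation that costs constant time per packet, can be illustrated with a small Python model. This is an added example, not the paper's specification language or its compiler: a dataclass stands in for the typed packet view, a hash index keyed on the set of fields each pattern tests stands in for compiled patterns, and a per-source sliding-window counter stands in for aggregation over a packet sequence. The packet fields, pattern names, thresholds and sample traffic are all constructed for the illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Typed view of one packet; only the fields the example patterns test (constructed)."""
    ts: float      # capture time in seconds
    src: str
    dst: str
    proto: str     # "tcp", "udp" or "icmp"
    dport: int
    flags: str     # TCP flag string such as "S" (SYN) or "A"; "" for non-TCP


class PatternIndex:
    """Patterns are conjunctions of field == value tests. They are grouped by the
    set of fields they test and stored in a hash table keyed by the tested values,
    so matching a packet costs one lookup per distinct field set rather than one
    test per pattern. (Illustrative stand-in for the paper's compiled patterns.)"""

    def __init__(self):
        self._tables = defaultdict(dict)   # fields tuple -> {values tuple: [pattern names]}

    def add(self, name, **tests):
        fields = tuple(sorted(tests))
        values = tuple(tests[f] for f in fields)
        self._tables[fields].setdefault(values, []).append(name)

    def lookups_per_packet(self):
        """Hash lookups done per packet: depends on distinct field sets, not on pattern count."""
        return len(self._tables)

    def match(self, pkt):
        names = []
        for fields, table in self._tables.items():
            key = tuple(getattr(pkt, f) for f in fields)
            names.extend(table.get(key, ()))
        return names


class SlidingCounter:
    """Per-key event count over the last `window` seconds. Each timestamp is appended
    once and popped at most once, so the work per packet is O(1) amortized no matter
    how many events the window currently holds."""

    def __init__(self, window):
        self.window = window
        self._queues = defaultdict(deque)

    def add(self, key, ts):
        q = self._queues[key]
        q.append(ts)
        while q[0] <= ts - self.window:   # q is non-empty: ts was just appended
            q.popleft()
        return len(q)


def build_index(extra_patterns=0):
    """Two hypothetical signatures plus optional filler patterns on one more field set."""
    idx = PatternIndex()
    idx.add("tcp_syn", proto="tcp", flags="S")
    idx.add("icmp_to_broadcast", proto="icmp", dst="10.0.0.255")
    for i in range(extra_patterns):          # more entries in one table, not more work per packet
        idx.add(f"filler_{i}", proto="udp", dport=40000 + i)
    return idx


def detect(packets, index, syn_threshold=5, window=1.0):
    """Returns (name, src, ts) alerts: single-packet pattern hits, plus one
    'syn_burst' alert the moment a source reaches syn_threshold SYNs within `window`."""
    syns = SlidingCounter(window)
    alerts = []
    for pkt in packets:
        for name in index.match(pkt):
            if name == "tcp_syn":
                if syns.add(pkt.src, pkt.ts) == syn_threshold:
                    alerts.append(("syn_burst", pkt.src, pkt.ts))
            else:
                alerts.append((name, pkt.src, pkt.ts))
    return alerts


# Constructed sample traffic: a scanner sweeping ports, a benign client with slow
# retries, and one ICMP probe to the directed broadcast address.
SAMPLE = (
    [Packet(0.05 * i, "10.0.0.9", "10.0.0.1", "tcp", 20 + i, "S") for i in range(8)]
    + [Packet(0.1 + 3.0 * i, "10.0.0.7", "10.0.0.1", "tcp", 80, "S") for i in range(3)]
    + [Packet(0.2, "10.0.0.7", "10.0.0.1", "tcp", 80, "A")]
    + [Packet(0.3, "10.0.0.9", "10.0.0.255", "icmp", 0, "")]
)

if __name__ == "__main__":
    index = build_index(extra_patterns=1000)
    print("hash lookups per packet:", index.lookups_per_packet())
    for alert in detect(SAMPLE, index):
        print(alert)
```

Adding a thousand filler patterns grows one hash table but leaves the per-packet work at three lookups, which is the shape of the abstract's "insensitive to the number of patterns" claim; the sliding counter is the constant-time-per-packet aggregation. The real system matches over packet sequences and checks its specifications statically as well as dynamically, neither of which this sketch models.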



Published In

CCS '99: Proceedings of the 6th ACM conference on Computer and communications security
November 1999
160 pages
ISBN:1581131488
DOI:10.1145/319709
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Conference

CCS99: Sixth ACM Conference on Computer and Communication Security
November 1 - 4, 1999
Kent Ridge Digital Labs, Singapore

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Article Metrics

  • Downloads (Last 12 months)432
  • Downloads (Last 6 weeks)65
Reflects downloads up to 24 Sep 2024

Cited By

  • (2024) A Knowledge Graph-Based Consistency Detection Method for Network Security Policies. Applied Sciences 14(18):8415. doi:10.3390/app14188415. Online publication date: 19 Sep 2024.
  • (2024) Quantifying the Vulnerability of Anomaly Detection Implementations to Nondeterminism-based Attacks. 2024 IEEE International Conference on Artificial Intelligence Testing (AITest), pp. 37-46. doi:10.1109/AITest62860.2024.00013. Online publication date: 15 Jul 2024.
  • (2023) Hyper Parameter Optimized NIDS via Machine Learning in IoT Ecosystem. 2023 IEEE 2nd International Conference on Industrial Electronics: Developments & Applications (ICIDeA), pp. 499-504. doi:10.1109/ICIDeA59866.2023.10295218. Online publication date: 29 Sep 2023.
  • (2022) Network Threat Detection Using Machine/Deep Learning in SDN-Based Platforms: A Comprehensive Analysis of State-of-the-Art Solutions, Discussion, Challenges, and Future Research Direction. Sensors 22(20):7896. doi:10.3390/s22207896. Online publication date: 17 Oct 2022.
  • (2022) Design of Detection System using Deep Learning Algorithm for Attack on Network. 2022 IEEE 7th International Conference for Convergence in Technology (I2CT), pp. 1-5. doi:10.1109/I2CT54291.2022.9824150. Online publication date: 7 Apr 2022.
  • (2021) Network Traffic Anomaly Detection via Deep Learning. Information 12(5):215. doi:10.3390/info12050215. Online publication date: 19 May 2021.
  • (2021) F/Wvis: Hierarchical Visual Approach for Effective Optimization of Firewall Policy. IEEE Access 9:105989-106004. doi:10.1109/ACCESS.2021.3100141. Online publication date: 2021.
  • (2019) Design and performance analysis of various feature selection methods for anomaly-based techniques in intrusion detection system. Security and Privacy 2(1). doi:10.1002/spy2.56. Online publication date: 13 Jan 2019.
  • (2017) A brief study of intrusion detection techniques to overcome cyber attacks. 2017 8th Annual Industrial Automation and Electromechanical Engineering Conference (IEMECON), pp. 354-358. doi:10.1109/IEMECON.2017.8079622. Online publication date: Aug 2017.
  • (2017) Evaluation Criteria. In: Network Traffic Anomaly Detection and Prevention, pp. 243-252. doi:10.1007/978-3-319-65188-0_7. Online publication date: 5 Sep 2017.