Signature-based intrusion detection using NFR filter coding

Date
2000-01-01
Authors
Mazhar, Nauman
Abstract

During the last decade, significant research effort has gone into developing Intrusion Detection Systems capable of detecting network intrusions in real time. These systems employ various techniques for detecting intrusions, including misuse detection and anomaly detection. Misuse detection depends on the ability to codify known attack signatures, while anomaly detection compares current system activity with models of normal usage patterns. However, approximations in defining normal behavior raise the false alarm rate of anomaly detection systems compared with misuse detection systems, which are fairly accurate. This implies that misuse detection should form an essential component of successful intrusion detection. In this thesis, we present an analysis of the two most commonly occurring attack types on the Internet, distributed denial of service attacks and buffer overflow attacks, and demonstrate new misuse detection techniques to detect them. We use the distributed denial of service attack tool "mstream" and a buffer overflow attack against an SMTP implementation. We carry out detection of these attacks using a commercial intrusion detection system, Network Flight Recorder (NFR), augmented with new attack signatures. Attack signatures are developed and coded into NFR as rule sets, called filters, which are written in NFR's own language, N-code. These filters can extract header information from various protocols as well as retrieve packet payload contents, and then process this information using signature-based analysis to determine intrusion scenarios. This is a step towards providing greater security for systems connected to the Internet, in an effort to allow Internet users to conduct their business in an environment of enhanced confidence.
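The abstract describes filters that pull header fields and payload bytes from each packet and match them against coded signatures. The following is an added illustration of that approach in Python; it is not the thesis's N-code filters and makes no claim about the signatures the thesis actually coded. It runs two assumed signatures over a constructed packet stream: a payload signature that flags an SMTP command whose argument exceeds a length threshold (a generic overflow heuristic), and a header signature that flags a burst of ACK-only TCP packets from many distinct sources to one host, a flood pattern chosen here only to show rate-based header matching. Packet fields, thresholds and sample traffic are all constructed for the example.

```python
"""Signature-based detection over a constructed packet stream (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    """Minimal decoded-packet record; fields are what a filter would extract."""
    ts: float
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    flags: str = ""     # TCP flag letters, e.g. "A" (ACK only), "PA", "S"
    payload: bytes = b""


# Illustrative signature parameters (assumed values, not the thesis's filters).
SMTP_PORT = 25
SMTP_MAX_ARG_LEN = 512                 # RFC 821 command lines are at most 512 bytes
SMTP_CMDS = (b"HELO", b"EHLO", b"MAIL", b"RCPT", b"VRFY", b"EXPN")
FLOOD_WINDOW = 1.0                     # seconds of traffic kept per destination
FLOOD_PKTS = 50                        # ACK-only packets to one host within the window
FLOOD_MIN_SRCS = 20                    # many distinct sources suggests spoofed addresses


def smtp_overflow_signature(pkt):
    """Payload signature: SMTP command with an oversized argument."""
    if pkt.proto != "tcp" or pkt.dport != SMTP_PORT or not pkt.payload:
        return None
    line = pkt.payload.split(b"\r\n", 1)[0]          # first command line only
    cmd, _, arg = line.partition(b" ")
    if cmd.upper() in SMTP_CMDS and len(arg) > SMTP_MAX_ARG_LEN:
        return (f"smtp-overflow {pkt.src}->{pkt.dst} "
                f"cmd={cmd.decode()} arglen={len(arg)}")
    return None


class AckFloodSignature:
    """Header signature: burst of ACK-only TCP packets from many sources to one host."""

    def __init__(self):
        self.window = defaultdict(list)   # dst -> [(ts, src), ...] within FLOOD_WINDOW
        self.reported = set()             # alert once per destination

    def __call__(self, pkt):
        if pkt.proto != "tcp" or pkt.flags != "A":
            return None
        hits = self.window[pkt.dst]
        hits.append((pkt.ts, pkt.src))
        cutoff = pkt.ts - FLOOD_WINDOW
        while hits and hits[0][0] < cutoff:   # drop packets that fell out of the window
            hits.pop(0)
        srcs = {s for _, s in hits}
        if (len(hits) >= FLOOD_PKTS and len(srcs) >= FLOOD_MIN_SRCS
                and pkt.dst not in self.reported):
            self.reported.add(pkt.dst)
            return f"ack-flood dst={pkt.dst} pkts={len(hits)} srcs={len(srcs)} in {FLOOD_WINDOW}s"
        return None


def run_signatures(packets, signatures):
    """Apply every signature to every packet, in order; collect alert strings."""
    alerts = []
    for pkt in packets:
        for sig in signatures:
            alert = sig(pkt)
            if alert:
                alerts.append(alert)
    return alerts


def sample_packets():
    """Constructed traffic: a benign SMTP greeting, one oversized VRFY, one ACK burst."""
    pkts = [
        Packet(0.0, "10.0.0.5", "10.0.0.25", "tcp", 40000, 25, "PA",
               b"HELO client.example\r\n"),
        Packet(0.1, "10.0.0.5", "10.0.0.25", "tcp", 40000, 25, "PA",
               b"VRFY " + b"A" * 1500 + b"\r\n"),
    ]
    # 60 ACK-only packets in 0.6 s, each from a different (TEST-NET) source address.
    for i in range(60):
        pkts.append(Packet(1.0 + i * 0.01, f"192.0.2.{i}", "10.0.0.25",
                           "tcp", 1024 + i, 80, "A"))
    return pkts


def detect():
    """Run both signatures over the constructed stream and return the alerts."""
    return run_signatures(sample_packets(), [smtp_overflow_signature, AckFloodSignature()])


if __name__ == "__main__":
    for line in detect():
        print(line)
```

The two signatures show the two information sources the abstract names: the SMTP check reads payload bytes, the flood check reads only header fields and time, and both reduce to a predicate over extracted fields, which is what a filter language such as N-code expresses. Thresholds like 512 bytes or 50 packets per second are tuning choices, and a real deployment would calibrate them against the protected network's baseline to keep the false-alarm rate low.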
