Syntax vs. semantics: competing approaches to dynamic network intrusion detection

Authors:
Walter Scheirer;Mooi Choo Chuah
Affiliations:
Department of Computer Science, University of Colorado, Colorado Springs, CO 80918, USA.;Department of Computer Science and Engineering, Lehigh University, 19 Memorial Drive West, Bethlehem PA 18015, USA
Venue:
International Journal of Security and Networks
Year:
2008

Citing 8
Cited 4

Characteristics of internet background radiation

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
Semantics-Aware Malware Detection

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Polygraph: Automatically Generating Signatures for Polymorphic Worms

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Automated worm fingerprinting

OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Autograph: toward automated, distributed worm signature detection

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
An architecture for generating semantics-aware signatures

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Bro: a system for detecting network intruders in real-time

SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7

Wireless telemedicine and m-health: technologies, applications and research issues

International Journal of Sensor Networks
A survey of cyber crimes

Security and Communication Networks
On effective sampling techniques in host-based intrusion detection in tactical MANET

International Journal of Security and Networks
Accountability and Q-Accountable Logging in Wireless Networks

Wireless Personal Communications: An International Journal

Quantified Score

Hi-index	0.00

Visualization

Abstract

Malicious network traffic, including widespread worm activity, is a growing threat to internet-connected networks and hosts. In this paper, we consider both syntax and semantics based approaches for dynamic network intrusion detection. The semantics-based approach can cope with sophisticated polymorphic and metamorphic worms better than the syntax-based approach. Our contribution in this work is threefold: our syntax-based scheme that uses variable-length partition with multiple breakmarks can detect many polymorphic worms; we believe our semantic-based prototype is the first NIDS that provides semantics-aware capability and our system is more efficient than what is reported by Christodorescu et al. (2005); our designed templates capture polymorphic shellcodes with added sequences of stack and mathematic operations.