Using automatic signature generation as a sensor backend

  • Authors: Daniel Wyschogrod; Jeffrey Dezso
  • Affiliations: BAE Systems, Burlington, MA (both authors)
  • Venue: Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies
  • Year: 2009

Abstract

The techniques and supporting tools for signature-based intrusion detection have reached a high level of maturity. They are well understood by the community and have hardware implementations capable of matching rules at high speed. Their major shortcoming is handling "zero-day" attacks. Anomaly-based or protocol-adherence-based sensors are capable of detecting zero-day attacks, but with high false alarm rates and at more limited speeds. The design proposed here combines the zero-day detection capabilities already supplied by anomaly detection front ends with the speed, hardware compatibility and mature infrastructure of signature-based systems. A unique capability of this proposed technology is that the false alarm rates of matched rules can be reduced to arbitrarily low levels by increasing the amount of training on benign traffic. A goal of future work would be to produce an efficient and secure mechanism to distribute automatically generated signatures, with the aim of broadening the perimeter of protection and blocking attacks farther away from sensitive servers and hosts.
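To make the abstract's central claim concrete, the toy pipeline below (an added illustration, not the authors' implementation) distils anomaly-flagged payloads into byte n-gram rules, vets those rules against benign training traffic, and shows that a larger benign corpus prunes the spurious rules and drives the false alarm rate on held-out benign traffic down. All traffic samples, the 8-byte n-gram length and the support threshold are constructed assumptions.

```python
from collections import Counter
from typing import Iterable

def ngrams(payload: bytes, n: int) -> set:
    """All distinct byte n-grams of a payload."""
    return {payload[i:i + n] for i in range(len(payload) - n + 1)}

def candidate_signatures(flagged: Iterable[bytes], n: int = 8, min_support: int = 2) -> list:
    """Byte n-grams shared by at least min_support anomaly-flagged payloads."""
    counts = Counter()
    for payload in flagged:
        counts.update(ngrams(payload, n))
    return sorted(g for g, c in counts.items() if c >= min_support)

def vet_against_benign(candidates: Iterable[bytes], benign: Iterable[bytes]) -> list:
    """Drop every candidate rule that also occurs anywhere in benign training traffic."""
    benign = list(benign)
    return [sig for sig in candidates if not any(sig in p for p in benign)]

def false_alarm_rate(signatures: list, traffic: list) -> float:
    """Fraction of known-benign traffic that at least one signature still matches."""
    return sum(any(s in p for s in signatures) for p in traffic) / len(traffic)

# Constructed sample traffic (not from the paper). The anomaly front end flagged three
# requests carrying an unusual header; they also come from a curl client that the
# small benign training set never saw, so curl-related n-grams look suspicious too.
FLAGGED = [b"GET /a HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/7.0\r\nX-Probe: ZZQQ-9\r\n\r\n",
           b"GET /b HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/7.0\r\nX-Probe: ZZQQ-9\r\n\r\n",
           b"POST /c HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/7.0\r\nX-Probe: ZZQQ-9\r\n\r\n"]
BENIGN_SMALL = [b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
                b"GET /style.css HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n"]
BENIGN_LARGE = BENIGN_SMALL + [b"GET /api/%d HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/7.0\r\n\r\n" % i
                               for i in range(10)]
HOLDOUT = [b"GET /status HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/7.0\r\n\r\n",
           b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n"]

def run_demo() -> dict:
    """Generate rules, vet them with a small and a larger benign corpus, and measure
    each rule set's false alarm rate on held-out benign traffic."""
    cands = candidate_signatures(FLAGGED)
    small = vet_against_benign(cands, BENIGN_SMALL)
    large = vet_against_benign(cands, BENIGN_LARGE)
    return {"rules_small": small, "rules_large": large,
            "fa_small": false_alarm_rate(small, HOLDOUT),
            "fa_large": false_alarm_rate(large, HOLDOUT)}

if __name__ == "__main__":
    r = run_demo()
    print(f"small benign set: {len(r['rules_small'])} rules, false alarm rate {r['fa_small']:.2f}")
    print(f"large benign set: {len(r['rules_large'])} rules, false alarm rate {r['fa_large']:.2f}")
```

With the small corpus the curl n-grams survive vetting and fire on the held-out curl request; with the larger corpus only the n-grams around the unusual header remain and the held-out false alarm rate drops to zero.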