Extracting attack sessions from real traffic with intrusion prevention systems

  • Authors:
  • I-Wei Chen;Po-Ching Lin;Chi-Chung Luo;Tsung-Huan Cheng;Ying-Dar Lin;Yuan-Cheng Lai;Frank C. Lin

  • Affiliations:
  • Department of Computer Science, National Chiao Tung University, Hsinchu, Taiwan;Department of Computer Science, National Chiao Tung University, Hsinchu, Taiwan;Department of Computer Science, National Chiao Tung University, Hsinchu, Taiwan;Department of Computer Science, National Chiao Tung University, Hsinchu, Taiwan;Department of Computer Science, National Chiao Tung University, Hsinchu, Taiwan;Department of Information and Management, National Taiwan University of Science and Technology, Taipei, Taiwan;Cisco, San Jose

  • Venue:
  • ICC'09 Proceedings of the 2009 IEEE international conference on Communications
  • Year:
  • 2009

Abstract

False positives (FPs) and false negatives (FNs) happen to every Intrusion Prevention System (IPS); no single IPS makes better judgments than all the others all the time. This work proposes a system of Attack Session Extraction (ASE) to build a pool of suspicious traffic traces that cause potential FNs (abbreviated as P-FNs) and potential FPs (abbreviated as P-FPs) for IPSes. IPS developers can use these suspicious traces to improve the accuracy of their products. The traces are called suspicious because what they cause are P-FNs and P-FPs, which IPS developers still need to confirm as actual FNs and FPs. First, the ASE captures real traffic and replays the captured traces to multiple IPSes. By comparing the IPS logs, we find that some attack logs are logged, or not logged, only at a certain IPS: the former are P-FPs and the latter are P-FNs for that IPS. The ASE then extracts this suspicious traffic from the replayed traces, and the extracted traces can be used for further analysis by IPS developers; some of them may prove guilty, i.e. be confirmed as FNs and FPs. To extract a suspicious session completely, the ASE uses an association mechanism based on anchor packets, on the five-tuple and time, and on similarity for the first packet, the first connection, and the whole session, respectively. It calculates the degree of similarity among packets to extract a suspicious session containing multiple connections. We define variation and completeness/purity as the performance indexes to evaluate the ASE. The experiments demonstrate that 95% of extracted sessions have low variation and that the average completeness/purity is around 80%.
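The log comparison and the anchor-packet / five-tuple-and-time / similarity association described above, as an added Python example that is not part of the paper. The packet records, the IPS alert sets, the keying of alerts by (five-tuple, signature) and the byte-bigram Jaccard similarity are all constructed assumptions, since the abstract does not specify them.

```python
from collections import defaultdict
# Constructed sample data (not from the paper): packets as (time, src, sport, dst,
# dport, proto, payload); per-IPS alert sets of (five_tuple, signature) (assumed keying).
PACKETS = [
    (1.0, "10.0.0.5", 4444, "192.168.1.2", 80, "tcp", b"GET /?id=1 OR 1=1"),
    (1.1, "192.168.1.2", 80, "10.0.0.5", 4444, "tcp", b"HTTP/1.1 200 OK"),
    (1.5, "10.0.0.5", 4445, "192.168.1.2", 80, "tcp", b"GET /?id=1 OR 2=2"),
    (2.0, "10.0.0.8", 5000, "192.168.1.2", 80, "tcp", b"GET /index.html"),
    (9.0, "10.0.0.5", 4450, "192.168.1.2", 80, "tcp", b"GET /?id=1 OR 3=3"),
]
T1 = ("10.0.0.5", 4444, "192.168.1.2", 80, "tcp")
T2 = ("10.0.0.7", 5555, "192.168.1.3", 445, "tcp")
T3 = ("10.0.0.9", 6000, "192.168.1.4", 22, "tcp")
IPS_LOGS = {
    "ips_a": {(T1, "sql-inj"), (T2, "smb-exploit")},
    "ips_b": {(T1, "sql-inj"), (T2, "smb-exploit")},
    "ips_c": {(T1, "sql-inj"), (T3, "ssh-brute")},
}

def classify_alerts(logs):
    """Logged at exactly one IPS -> P-FP for it; missing at exactly one IPS -> P-FN for it."""
    seen_by = defaultdict(set)
    for ips, alerts in logs.items():
        for alert in alerts:
            seen_by[alert].add(ips)
    out = {ips: {"p_fp": set(), "p_fn": set()} for ips in logs}
    for alert, ipses in seen_by.items():
        if len(ipses) == 1:
            out[next(iter(ipses))]["p_fp"].add(alert)
        if len(ipses) == len(logs) - 1:  # separate 'if': with 2 IPSes an alert is both
            out[(set(logs) - ipses).pop()]["p_fn"].add(alert)
    return out

def similarity(a, b):
    """Jaccard index over byte bigrams; an assumed stand-in for the paper's metric."""
    ga = {a[i:i + 2] for i in range(len(a) - 1)}
    gb = {b[i:i + 2] for i in range(len(b) - 1)}
    return len(ga & gb) / len(ga | gb) if ga | gb else 0.0

def extract_session(packets, five_tuple, window=5.0, threshold=0.5):
    """Anchor = first packet on the alerted five-tuple; first connection = that five-tuple
    in both directions; whole session = same-host packets in the window with similar payload."""
    rev = (five_tuple[2], five_tuple[3], five_tuple[0], five_tuple[1], five_tuple[4])
    anchor = next(p for p in packets if p[1:6] == five_tuple)
    session = [p for p in packets if p[1:6] in (five_tuple, rev)]
    for p in packets:
        near = p[1] == anchor[1] and abs(p[0] - anchor[0]) <= window
        if p not in session and near and similarity(p[6], anchor[6]) >= threshold:
            session.append(p)
    return sorted(session, key=lambda p: p[0])
```

With the constructed data, `ips_c` gets the SSH alert as a P-FP and the SMB alert as a P-FN, and the extracted session for T1 holds the anchor connection plus the similar second connection but not the late or other-host packets.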