False positives (FPs) and false negatives (FNs) happen to every Intrusion Prevention System (IPS); no single IPS makes the better judgment all the time. This work proposes a system of Attack Session Extraction (ASE) that creates a pool of suspicious traffic traces which cause potential FNs (P-FNs) and potential FPs (P-FPs) for IPSes. IPS developers can use these suspicious traces to improve the accuracy of their products. The traces are called suspicious because what they cause are only P-FNs and P-FPs: the IPS developers still have to confirm whether each P-FN is a real FN and each P-FP a real FP. First, the ASE captures real traffic and replays the captured traces to multiple IPSes. By comparing the logs of the IPSes, we can find attack alerts that are logged only by one particular IPS, or missed only by one particular IPS. The former are P-FPs, while the latter are P-FNs, for that IPS. The ASE then extracts this suspicious traffic from the replayed traces. The extracted traces can then be analysed further by IPS developers, and some of them may prove to be guilty, i.e. be confirmed as FNs or FPs. To extract a suspicious session completely, the ASE uses an association mechanism based on anchor packets for the first packet, on the five-tuple and time for the first connection, and on similarity for the whole session. It calculates the degree of similarity among packets to extract a suspicious session that contains multiple connections. We define variation and completeness/purity as the performance indexes used to evaluate ASE. The experiments demonstrate that 95% of the extracted sessions have low variation, and that the average completeness/purity is around 80%.
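As an added illustration of the abstract's two steps (it is not code from the paper), the following Python compares the alert logs of several IPSes to label P-FPs and P-FNs, then extracts the session around an anchor packet by five-tuple, time window and a simple host-pair/service-port similarity rule. The IPS logs, the packet trace, the window size and the similarity rule are all constructed assumptions.

```python
from collections import defaultdict

# Five-tuple key: (src_ip, src_port, dst_ip, dst_port, proto)
# Constructed alert logs: one dict per IPS, flow -> timestamp of the anchor packet.
IPS_LOGS = {
    "ips_a": {("10.0.0.5", 40001, "10.0.0.9", 80, "tcp"): 1.0,
              ("10.0.0.7", 40010, "10.0.0.9", 445, "tcp"): 5.0},
    "ips_b": {("10.0.0.5", 40001, "10.0.0.9", 80, "tcp"): 1.0,
              ("10.0.0.7", 40010, "10.0.0.9", 445, "tcp"): 5.0,
              ("10.0.0.8", 40020, "10.0.0.9", 22, "tcp"): 9.0},
    "ips_c": {("10.0.0.7", 40010, "10.0.0.9", 445, "tcp"): 5.0},
}

def classify(logs):
    """Return {ips: {"p_fp": set, "p_fn": set}} from replayed-trace alert logs.
    P-FP: a flow alerted by exactly one IPS.  P-FN: a flow alerted by every IPS but one."""
    n = len(logs)
    alerted_by = defaultdict(set)
    for ips, alerts in logs.items():
        for flow in alerts:
            alerted_by[flow].add(ips)
    result = {ips: {"p_fp": set(), "p_fn": set()} for ips in logs}
    for flow, hitters in alerted_by.items():
        if len(hitters) == 1:                      # only one IPS logged it
            result[next(iter(hitters))]["p_fp"].add(flow)
        elif len(hitters) == n - 1:                # only one IPS missed it
            result[(set(logs) - hitters).pop()]["p_fn"].add(flow)
    return result

# Constructed packet trace: (timestamp, five_tuple, payload_len)
TRACE = [
    (8.9,  ("10.0.0.8", 40020, "10.0.0.9", 22, "tcp"), 0),     # SYN of the anchored connection
    (9.0,  ("10.0.0.8", 40020, "10.0.0.9", 22, "tcp"), 120),   # anchor packet (alert time)
    (9.1,  ("10.0.0.9", 22, "10.0.0.8", 40020, "tcp"), 60),    # reverse direction, same connection
    (9.5,  ("10.0.0.8", 40021, "10.0.0.9", 22, "tcp"), 120),   # second connection of the same session
    (9.3,  ("10.0.0.3", 50000, "10.0.0.9", 53, "udp"), 40),    # unrelated host, excluded
    (20.0, ("10.0.0.8", 40030, "10.0.0.9", 22, "tcp"), 120),   # same hosts but outside the window
]

def extract_session(trace, anchor, anchor_ts, window=5.0):
    """Collect the anchored connection (both directions) plus 'similar' connections:
    same host pair and same service port, all within +/- window seconds of the anchor."""
    reverse = (anchor[2], anchor[3], anchor[0], anchor[1], anchor[4])
    hosts = {anchor[0], anchor[2]}
    service_port = anchor[3]
    session = []
    for ts, ft, length in sorted(trace, key=lambda p: p[0]):
        if abs(ts - anchor_ts) > window:
            continue
        same_conn = ft in (anchor, reverse)
        similar = {ft[0], ft[2]} == hosts and service_port in (ft[1], ft[3])
        if same_conn or similar:
            session.append((ts, ft, length))
    return session
```

In the sample, `classify` marks the port-22 flow as a P-FP for ips_b and the port-80 flow as a P-FN for ips_c, and `extract_session` keeps four packets around the port-22 anchor.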