Honeycomb: creating intrusion detection signatures using honeypots
ACM SIGCOMM Computer Communication Review
Visualizing and Identifying Intrusion Context from System Calls Trace
ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Snort - Lightweight Intrusion Detection for Networks
LISA '99 Proceedings of the 13th USENIX conference on System administration
Polygraph: Automatically Generating Signatures for Polymorphic Worms
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Privacy-Preserving Alert Correlation: A Concept Hierarchy Based Approach
ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
MisleadingWorm Signature Generators Using Deliberate Noise Injection
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Privacy-preserving sharing and correction of security alerts
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Autograph: toward automated, distributed worm signature detection
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Bro: a system for detecting network intruders in real-time
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
| Hi-index | 0.00 |
Intrusion signatures are used to detect and/or prevent fast-spreading worms or exploits, and usually, constructing these signatures is an automatic process without human intervention for the sake of speed. In principle, the automatic signature construction process can produce not only true-positive intrusion signatures but also false-positive ones, the latter of which poses a grave problem because they can be misused to disclose privacy information. Manual signature checking (for a whitelist) can solve the problem, but it slows down the reaction time for an attack dramatically. In this paper, we propose a mechanism to generate signatures automatically while preserving the privacy information. Essentially, we transform the original feature values within an audit trail instance into feature ranges, and then use these feature ranges to construct a privacy-preserved intrusion signature. Our current focus is on the methods constructing feature ranges, and for this purpose, several methods are proposed to discover feature ranges. The experimental results are quite encouraging: the transformation from values to ranges leads not only to the preservation of privacy but also to the enhancement of the detection performance.