The space complexity of approximating the frequency moments
Journal of Computer and System Sciences
Space-efficient online computation of quantile summaries
SIGMOD '01 Proceedings of the 2001 ACM SIGMOD international conference on Management of data
A low-bandwidth network file system
SOSP '01 Proceedings of the eighteenth ACM symposium on Operating systems principles
Honeycomb: creating intrusion detection signatures using honeypots
ACM SIGCOMM Computer Communication Review
Polygraph: Automatically Generating Signatures for Polymorphic Worms
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Hamsa: Fast Signature Generation for Zero-day PolymorphicWorms with Provable Attack Resilience
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Autograph: toward automated, distributed worm signature detection
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Finding hierarchical heavy hitters in data streams
VLDB '03 Proceedings of the 29th international conference on Very large data bases - Volume 29
Distinguishing between FE and DDoS Using Randomness Check
ISC '08 Proceedings of the 11th international conference on Information Security
Finding frequent items in data streams
Proceedings of the VLDB Endowment
Automatic Generation of String Signatures for Malware Detection
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Sublinear time, measurement-optimal, sparse recovery for all
Proceedings of the twenty-third annual ACM-SIAM symposium on Discrete Algorithms
Efficient computation of frequent and top-k elements in data streams
ICDT'05 Proceedings of the 10th international conference on Database Theory
Approximate frequency counts over data streams
Proceedings of the VLDB Endowment
ℓ2/ℓ2-Foreach sparse recovery with low risk
ICALP'13 Proceedings of the 40th international conference on Automata, Languages, and Programming - Volume Part I
| Hi-index | 0.00 |
We present a basic tool for zero day attack signature extraction. Given two large sets of messages, P of messages captured in the network at peacetime (i.e., mostly legitimate traffic) and $A$ captured during attack time (i.e., contains many attack messages), we present a tool for extracting a set $S$ of strings, that are frequently found in A and not in P. Therefore, a packet containing one of the strings from S is likely to be an attack packet. This is an important tool in protecting sites on the Internet from Worm attacks, and Distributed Denial of Service (DDoS) attacks. It may also be useful for other problems, including command and control identification, DNA-sequences analysis, etc. which are beyond the scope of this work. Two contributions of this paper are the system we developed to extract the required signatures together with the problem definition and the string-heavy hitters algorithm. This algorithm finds popular strings of variable length in a set of messages, using, in a tricky way, the classic heavy-hitter algorithm as a building block. This algorithm is then used by our system to extract the desired signatures. Using our system a yet unknown attack can be detected and stopped within minutes from attack start time.