Fast hashing of variable-length text strings
Communications of the ACM
Bro: a system for detecting network intruders in real-time
Computer Networks: The International Journal of Computer and Telecommunications Networking
The base-rate fallacy and the difficulty of intrusion detection
ACM Transactions on Information and System Security (TISSEC)
ACM Transactions on Information and System Security (TISSEC)
Code red worm propagation modeling and analysis
Proceedings of the 9th ACM conference on Computer and communications security
Mimicry attacks on host-based intrusion detection systems
Proceedings of the 9th ACM conference on Computer and communications security
Aggregation and Correlation of Intrusion-Detection Alerts
RAID '00 Proceedings of the 4th International Symposium on Recent Advances in Intrusion Detection
Detecting Anomalous and Unknown Intrusions Against Programs
ACSAC '98 Proceedings of the 14th Annual Computer Security Applications Conference
Alert Correlation in a Cooperative Intrusion Detection Framework
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Learning attack strategies from intrusion alerts
Proceedings of the 10th ACM conference on Computer and communications security
Enhancing byte-level network intrusion detection signatures with context
Proceedings of the 10th ACM conference on Computer and communications security
Operational experiences with high-volume network intrusion detection
Proceedings of the 11th ACM conference on Computer and communications security
A Comprehensive Approach to Intrusion Detection Alert Correlation
IEEE Transactions on Dependable and Secure Computing
Snort - Lightweight Intrusion Detection for Networks
LISA '99 Proceedings of the 13th USENIX conference on System administration
Vigilante: end-to-end containment of internet worms
Proceedings of the twentieth ACM symposium on Operating systems principles
Verify Results of Network Intrusion Alerts Using Lightweight Protocol Analysis
ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
Towards Automatic Generation of Vulnerability-Based Signatures
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Automatic Evaluation of Intrusion Detection Systems
ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
Creating Vulnerability Signatures Using Weakest Preconditions
CSF '07 Proceedings of the 20th IEEE Computer Security Foundations Symposium
ATLANTIDES: an architecture for alert verification in network intrusion detection systems
LISA'07 Proceedings of the 21st conference on Large Installation System Administration Conference
Toward Automatic Generation of Intrusion Detection Verification Rules
ACSAC '08 Proceedings of the 2008 Annual Computer Security Applications Conference
Network protocol interoperability testing based on contextual signatures and passive testing
Proceedings of the 2009 ACM symposium on Applied Computing
Using Contextual Information for IDS Alarm Classification (Extended Abstract)
DIMVA '09 Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Beyond heuristics: learning to classify vulnerabilities and predict exploits
Proceedings of the 16th ACM SIGKDD international conference on Knowledge discovery and data mining
Outside the Closed World: On Using Machine Learning for Network Intrusion Detection
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
A Context Adaptive Intrusion Detection System for MANET
Computer Communications
Event-Based Alert Correlation System to Detect SQLI Activities
AINA '11 Proceedings of the 2011 IEEE International Conference on Advanced Information Networking and Applications
A new alert correlation algorithm based on attack graph
CISIS'11 Proceedings of the 4th international conference on Computational intelligence in security for information systems
Extracting Information about Security Vulnerabilities from Web Text
WI-IAT '11 Proceedings of the 2011 IEEE/WIC/ACM International Conferences on Web Intelligence and Intelligent Agent Technology - Volume 03
CIS '11 Proceedings of the 2011 Seventh International Conference on Computational Intelligence and Security
Hi-index | 0.24 |
Signature-based intrusion detection systems (IDSs) have been widely deployed in network environments aiming to defend against different kinds of attacks. However, a large number of alarms, especially noncritical alarms could be generated during the detection, which can greatly lower the effectiveness of detection and increase the difficulty in analyzing the generated IDS alarms. The main reason is that the detection capability of a signature-based IDS heavily depends on its signatures, whereas current IDS signatures are short of information related to actual deployment (i.e., lacking of contextual information). In addition, the traditional signature matching is a key limiting factor for IDSs in which the processing burden is at least linear to the size of an input string. To mitigate these issues, in this paper, we propose a novel scheme of hash-based contextual signatures that combines the original intrusion detection signatures with contextual information and hash functions. By using hash functions, our scheme can be used to construct an adaptive hash-based non-critical alarm filter which can further improve the performance of existing contextual signatures in filtering out non-critical alarms. Some examples of contextual information matching are also provided. In the evaluation, we discuss how to choose appropriate hash functions and investigate the performance upon implementation of the scheme with a real dataset and in a real network environment. The experimental results are positive and indicate that our scheme is encouraging and effective in filtering out non-critical alarms.