i-manager Publications

Network-Level Length-Based Intrusion Detection System

Jeya S*, S. Muthu Perumal Pillai**

* Professor & Head, M.C.A. Department, PET Engineering College, Vallioor, Tirunelveli.

** Assistant Professor, M.C.A. Department, PET Engineering College, Vallioor, Tirunelveli.

Periodicity:October - December'2010
DOI : https://doi.org/10.26634/jse.5.2.1333

Abstract

As the transmission of data on the Internet increases, the need to protect connected systems also increases. Most existing network-based signatures are specific to exploit and can be easily evaded. In this paper, we propose generating vulnerability-driven signatures at network level without any host-level analysis of worm execution or vulnerable programs. This implementation considers both temporal and spatial information of network connections. This is helpful for identification of complex anomalous behaviors. For detecting the unknown intrusions the proper knowledge base is to be formed after preprocessing the packets captured from the network. As the first step, we design a network-based length-based signature generator (LESG) for the worms exploiting buffer overflow vulnerabilities. This work is focused on the TCP/IP network protocols.

Keywords

Length-based signature,Polymorphic worm,Worm signature generation,Zero-day vulnerability.

How to Cite this Article?

Jeya S and S. Muthu Perumal Pillai (2010). Network-Level Length-Based Intrusion Detection System. i-manager’s Journal on Software Engineering, 5(2),31-36. https://doi.org/10.26634/jse.5.2.1333

References

[1]. M. Bailey et al. (2005). “The internet motion sensor: A distributed blackhole monitoring system,” presented at the NDSS.

[2]. J. Caballero, H. Yin, Z. Liang, and D. Song, (2007). “Polyglot: automatic extraction of protocol message format using dynamic binary analysis,” in Proc. ACM CCS, pp. 317–329.

[3]. W. Cui, V. Paxson, and N. Weaver, (2006). “GQ: Realizing a system to catch worms in a quarter million places”, ICSI, Tech. Rep. TR-06-004, 2006.

[4]. P. Fogla, and W. Lee, (2006). “Evading network anomaly detection systems: formal reasoning and practical techniques,” in Proc. CCS, pp.59-68.

[5]. Y. Gao, Z. Li, and Y. Chen, (2006). “A DoS resilient flowlevel intrusion detection approach for high-speed networks,” in Proc. ICDCS, Article No. 39.

[6]. Z. Lin, X. Jiang, D. Xu, and X. Zhang, (2008). “Automatic protocol format reverse engineering through concept-aware monitored execution,” presented at the NDSS.

[7]. J. Newsome, B. Karp, and D. Song, (2005). “Polygraph: Automatically generating signatures for polymorphic worms,” in Proc. IEEE S&P, pp. 226-241.

[8]. R. Pang et al. (2006). “BINPAC: A yacc for writing application protocol parsers,” in Proc. ACM/USENIX IMC, pp. 289-300.

[9]. M. Polychronakis, K.G. Anagnostakis, and E.P. Markatos, (2007). “Emulation-based detection of nonself- contained polymorphic shellcode”, in Proc. RAID, pp. 87–106.

[10]. G. Wondracek, P.M. Comparetti, C. Kruegel, and E. Kirda, (2008). “Automatic network protocol analysis”, presented at the NDSS.

[11]. X. Wang et al., (2006). “Sigfree: A signature-free buffer overflow attack blocker,” in Proc. USENIX Security Symp., Article No. 16.

[12]. V. Yegneswaran, P. Barford, and D. Plonka, (2004). “On the design and use of Internet sinks for network abuse monitoring,” in Proc. RAID, pp. 146-165.

If you have access to this article please login to view the article or kindly login to purchase the article

Single Article

	North Americas,UK, Middle East,Europe		India	Rest of world
	USD	EUR	INR	USD-ROW
Online	15	15

ADD TO CART

Options for accessing this content:

If you would like institutional access to this content, please recommend the title to your librarian.
If you already have i-manager's user account: Login above and proceed to purchase the article.
New Users: Please register, then proceed to purchase the article.