TU Berlin, Internet Network Architectures

Robin Sommer's Publications

Enhancing byte-level network intrusion detection signatures with context
Citation key SP-EBNIDSC-03
Author Sommer, Robin and Paxson, Vern
Title of Book Proceedings of the 10th ACM conference on Computer and communications security (CCS '03)
Pages 262–271
Year 2003
ISBN 1-58113-738-9
DOI http://dx.doi.org/10.1145/948109.948145
Location Washington D.C., USA
Address New York, NY, USA
Publisher ACM Press
Abstract Many network intrusion detection systems (NIDS) use byte sequences as signatures to detect malicious activity. While being highly efficient, they tend to suffer from a high false-positive rate. We develop the concept of contextual signatures as an improvement of string-based signature-matching. Rather than matching fixed strings in isolation, we augment the matching process with additional context. When designing an efficient signature engine for the NIDS bro, we provide low-level context by using regular expressions for matching, and high-level context by taking advantage of the semantic information made available by bro's protocol analysis and scripting language. Therewith, we greatly enhance the signature's expressiveness and hence the ability to reduce false positives. We present several examples such as matching requests with replies, using knowledge of the environment, defining dependencies between signatures to model step-wise attacks, and recognizing exploit scans. To leverage existing efforts, we convert the comprehensive signature set of the popular freeware NIDS snort into bro's language. While this does not provide us with improved signatures by itself, we reap an established base to build upon. Consequently, we evaluate our work by comparing to snort, discussing in the process several general problems of comparing different NIDSs.

