Application Level IDS using Protocol Analysis

As network attacks have increased in number and severity over the past few years, intrusion detection systems have become a necessary addition to the security infrastructure of most organizations. From a security perspective, firewalls and SSL offer little protection. Web traffic often contains attacks such as cross-site scripting and SQL injection that enter through port 80 and are not blocked by the firewall. Among the Web applications HTTP holds the majority share of the traffic transported through Web. In this paper, implementation of an application level IDS has been presented which uses combination of pattern matching and protocol analysis approaches. The first method of detection relies on a multi pattern matching within the protocol fields, the second one provides an efficient decision tree adaptive to the application traffic characteristics to limit the number of patterns to be checked. The proposed IDS can be effectively implemented in a high performance semantic processor

[1]  Renato De Mori,et al.  The Application of Semantic Classification Trees to Natural Language Understanding , 1995, IEEE Trans. Pattern Anal. Mach. Intell..

[2]  Michaël Rusinowitch,et al.  Protocol analysis in intrusion detection using decision tree , 2004, International Conference on Information Technology: Coding and Computing, 2004. Proceedings. ITCC 2004..

[3]  Giovanni Vigna,et al.  STATL: An Attack Language for State-Based Intrusion Detection , 2002, J. Comput. Secur..

[4]  Jianping Wu,et al.  Study on conformance testing of hypertext transfer protocol , 2003, International Conference on Communication Technology Proceedings, 2003. ICCT 2003..

[5]  Martin Roesch,et al.  Snort - Lightweight Intrusion Detection for Networks , 1999 .

[6]  Christopher Krügel,et al.  Service specific anomaly detection for network intrusion detection , 2002, SAC '02.

[7]  Vern Paxson,et al.  Bro: a system for detecting network intruders in real-time , 1998, Comput. Networks.

[8]  Li Zhou,et al.  Integrated access control and intrusion detection for Web Servers , 2003, 23rd International Conference on Distributed Computing Systems, 2003. Proceedings..

[9]  Gerald A. Marin,et al.  Modeling networking protocols to test intrusion detection systems , 2004, 29th Annual IEEE International Conference on Local Computer Networks.

[10]  Giovanni Vigna,et al.  A stateful intrusion detection system for World-Wide Web servers , 2003, 19th Annual Computer Security Applications Conference, 2003. Proceedings..

[11]  Steven A. Hofmeyr,et al.  Intrusion Detection via System Call Traces , 1997, IEEE Softw..

[12]  Nen-Fu Huang,et al.  A fast pattern-match engine for network processor-based network intrusion detection system , 2004, International Conference on Information Technology: Coding and Computing, 2004. Proceedings. ITCC 2004..

[13]  Richard A. Kemmerer,et al.  State Transition Analysis: A Rule-Based Intrusion Detection Approach , 1995, IEEE Trans. Software Eng..

[14]  V. Vaidehi,et al.  Context based Application Level Intrusion Detection System , 2006, International conference on Networking and Services (ICNS'06).

[15]  Christopher Krügel,et al.  Using Decision Trees to Improve Signature-Based Intrusion Detection , 2003, RAID.

[16]  Ulf Lindqvist,et al.  Detecting computer and network misuse through the production-based expert system toolset (P-BEST) , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[17]  David Watson,et al.  Transport and application protocol scrubbing , 2000, Proceedings IEEE INFOCOM 2000. Conference on Computer Communications. Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies (Cat. No.00CH37064).

[18]  Daniel V. Klein Defending Against the Wily Surfer-Web-based Attacks and Defenses , 1999, Workshop on Intrusion Detection and Network Monitoring.