Network Detection

Essay by   •  November 9, 2010  •  823 Words (4 Pages)  •  1,176 Views

A High-Performance Network Intrusion Detection System*

R. Sekar, Y. Guang, S. Verma, T. Shanbhag

SUNY at Stony Brook, NY; Iowa State University, Ames, IA


In this paper we present a new approach for network intrusion detection based on concise specifications that characterize normal and abnormal network packet sequences. Our specification language is geared for robust network intrusion detection by enforcing a strict type discipline via a combination of static and dynamic type checking. Unlike most previous approaches in network intrusion detection, our approach can easily support new network protocols, as information relating to the protocols is not hard-coded into the system. Instead, we simply add suitable type definitions in the specifications and define intrusion patterns on these types. We compile these specifications into a high-performance network intrusion detection system. Important components of our approach include efficient algorithms for pattern matching and information aggregation on sequences of network packets. In particular, our techniques ensure that the matching time is insensitive to the number of patterns characterizing different network intrusions, and that the aggregation operations typically take constant time per packet. Our system participated in an intrusion detection evaluation organized by MIT Lincoln Labs, where our system demonstrated its effectiveness (96% detection rate on low-level network attacks) and performance (real-time detection at 500Mbps), while producing very few false positives (0.05 to 0.1 per attack).

1 Introduction

Network-based attacks have been increasing in frequency and severity over the past several years. Consequently, many research efforts have focused on network intrusion detection techniques aimed at identifying such attacks. This paper describes a new approach to detect such attacks. The centerpiece of our approach is a domain-specific language that enables concise specification of network packet contents under normal as well as attack conditions. These specifications are compiled to produce a high-performance network intrusion detection system. The main benefits of our approach are:

* concise, easy-to-develop intrusion specifications. Using our domain-specific language, we can specify network-based attacks or other anomalous behavior easily and concisely. We have encoded the signatures for most low-level network probes and attacks using a specification that is about five lines each. Such conciseness contributes to increased confidence in the correctness of specifications, and leads to reduced development and debugging efforts.

* high-speed, large-volume monitoring. A central component of our approach is a fast pattern matching algorithm whose runtime is insensitive to the number of attack signatures. This algorithm ensures that the same packet field is never examined more than once, regardless of the number of patterns that refer to the field. This factor, combined with efficient data aggregation

*This research is supported in part by the Defense Advanced Research Projects Agency's Information Technology Office (DARPA-ITO) under the Information System Survivability program, under contract number F30602-97-C-0244.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

CCS '99 11/99 Singapore

© 1999 ACM 1-58113-148-8/99/0010 $5.00
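The second benefit above, matching time that does not grow with the number of signatures because each packet field is examined once, is illustrated here with an added example that is not the paper's code: a naive per-signature matcher is placed beside an index-based matcher that stands in for the paper's algorithm, and the signatures, field names and packets are all constructed for the demonstration.

```python
from collections import Counter, defaultdict

# Constructed sample signatures (hypothetical field names): each signature is
# a set of (field, value) equality tests over decoded packet header fields.
SIGNATURES = {
    "land":      {"proto": "tcp", "flags": "S", "src_eq_dst": True},
    "xmas_scan": {"proto": "tcp", "flags": "FPU"},
    "null_scan": {"proto": "tcp", "flags": ""},
    "udp_port0": {"proto": "udp", "dst_port": 0},
}

PACKETS = [  # constructed sample packets, already decoded into header fields
    {"proto": "tcp", "flags": "S",   "src_eq_dst": True,  "dst_port": 80},
    {"proto": "tcp", "flags": "FPU", "src_eq_dst": False, "dst_port": 22},
    {"proto": "udp", "flags": "",    "src_eq_dst": False, "dst_port": 0},
    {"proto": "tcp", "flags": "A",   "src_eq_dst": False, "dst_port": 443},
]

def naive_match(signatures, pkt):
    """Baseline: a field is re-read once per signature that mentions it."""
    reads, hits = 0, []
    for name, conds in signatures.items():
        matched = True
        for f, v in conds.items():
            reads += 1                      # one field read per condition
            matched = matched and pkt.get(f) == v
        if matched:
            hits.append(name)
    return sorted(hits), reads

class IndexedMatcher:
    """All signatures compiled into one (field, value) index: each packet
    field is read once, so per-packet work depends on #fields, not #sigs."""
    def __init__(self, signatures):
        self.need = {n: len(c) for n, c in signatures.items()}  # tests per sig
        self.index = defaultdict(list)      # (field, value) -> signature names
        for name, conds in signatures.items():
            for f, v in conds.items():
                self.index[(f, v)].append(name)
        self.fields = sorted({f for f, _ in self.index})
        self.alert_counts = Counter()       # running per-signature tally

    def match(self, pkt):                   # returns (matches, field reads)
        hits = Counter()
        for f in self.fields:               # exactly one read per field
            for name in self.index.get((f, pkt.get(f)), ()):
                hits[name] += 1             # credit every sig sharing the test
        matched = sorted(n for n, c in hits.items() if c == self.need[n])
        self.alert_counts.update(matched)   # bounded by #matches, not #sigs
        return matched, len(self.fields)
```

For every packet the indexed matcher performs four field reads (one per distinct field) while the naive matcher performs nine (one per condition), and adding more signatures over the same fields leaves the first number unchanged.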
