Syntax, and semantics-based signature database for hybrid intrusion detection systems
Author(s) - Barry Bazara I. A., Chan H. Anthony
Publication year - 2008
Publication title - Security and Communication Networks
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.446
H-Index - 43
eISSN - 1939-0122
pISSN - 1939-0114
DOI - 10.1002/sec.77
Subject(s) - computer science, signature (topology), syntax, intrusion detection system, semantics (computer science), state (computer science), operational semantics, programming language, obfuscation, database, data mining, artificial intelligence, computer security, geometry, mathematics
Signature-based intrusion detection systems (IDSs) have the advantages of producing a lower false alarm rate and using fewer system resources compared to anomaly-based systems. However, they are susceptible to obfuscation used by attackers to introduce new variants of the attacks stored in the database. Some of the disadvantages of signature-based IDSs can be attributed to the fact that they are mostly purely syntactic and ignore the semantics of the monitored systems. In this paper, we present the design and implementation of a signature database that assists a specification-based IDS in a converged environment. Our design is novel in terms of considering the semantics of the monitored protocols alongside their syntax. Our protocol semantics awareness is based on the state transition analysis technique, which models intrusions at a high level using state transition diagrams. The signature database is hierarchically designed to ensure a balance between ease of use and fast retrieval in real time. The database prototype is tested against some implemented attacks and shows promising efficiency. Copyright © 2008 John Wiley & Sons, Ltd.