Efficient decision tree for protocol analysis in intrusion detection

Cited by: 25
Authors
Abbes T. [1 ]
Bouhoula A. [2 ]
Rusinowitch M. [3 ]
Affiliations
[1] Higher Institute of Electronics and Telecommunication of Sfax, University of Sfax, Route Menzel Chaker, Sfax 3000, Tunisia
[2] Higher School of Communication of Tunis (Sup'Com), University of 7th November at Carthage, City of Communication Technologies, Tunisia
[3] INRIA Nancy-Grand Est, 54603 Villers-lès-Nancy Cedex, France
Keywords
Decision tree; Inference system; Intrusion detection; Pattern matching; Protocol analysis;
DOI
10.1504/IJSN.2010.037661
Abstract
Pattern matching is a crucial factor in efficient intrusion detection. However, Network Intrusion Detection Systems (NIDSs) frequently ignore the data semantics of captured packets and have to scan whole payloads, which leads to false positives when attack signatures are found in incorrect positions. NIDSs therefore have to inspect packet contents in order to determine how application-layer protocols are used. We propose a combination of pattern matching and protocol analysis to better detect intrusions. While the first detection method relies on a multi-pattern matching algorithm, the second benefits from a decision tree that selects, at each analysis step, the most efficient test. Copyright © 2010 Inderscience Enterprises Ltd.
Pages: 220-235
Page count: 15