The researchers unveiled their architecture, dubbed Nemean, at last week's Usenix Security Symposium in Baltimore. Nemean automatically generates "semantics-aware" signatures based on traffic at the session and application layers. Most commercial IDSes generate signatures at the network and transport layers.
Finding the proper sensitivity threshold for NIDS sensors has always been a problem for
Nemean attempts to find the proper balance by gathering traffic sent to a honeynet to build signatures based on weighted data. The numerical weights are entirely subjective and based on the creators' expertise. The data is then clustered and fed through an algorithm to determine threat levels and develop signatures.
Among the advantages of such a system, researchers argue, are signatures that can be created for attacks in which the exploit is a tiny part of the entire payload. The method also helps produce generalized signatures from a small number of samples and are easy to validate, they say in their academic paper. Because its emphasis is on accuracy and not timeliness, the architecture cannot deploy the signatures it generates in real-time.
In tests against the popular Snort IDS, Nemean performed very well. It edged out Snort in its detection rate by .2% -- 99.9% compared to Snort's 99.7%. But the real difference came in false positives: Nemean had none, while Snort 2.1.0 with the HTTP pre-processor enabled generated 88,000 alarms -- a vast majority of them false. However, that disparity can be attributed to Snort's much larger signature set -- 2,200 signatures, compared to Nemean's 22 connection-level and seven session-level signatures. Still, the new system captured all malicious code.
Nemean's creators now plan to tweak the architecture's capabilities and test its performance over a longer stretch and in live deployments to refine the signatures it generates.