New 'semantics-aware' IDS reduces false positives

Article

New 'semantics-aware' IDS reduces false positives

BALTIMORE -- University of Wisconsin, Madison researchers have developed a network-based intrusion detection system that scans deeper inside the packet stack to generate signatures and reduce the number of false positives. It may also someday quickly detect botnets that currently generate little noise on a network.

The researchers unveiled their architecture, dubbed Nemean, at last week's Usenix Security Symposium in Baltimore. Nemean automatically generates "semantics-aware" signatures based on traffic at the session and application layers. Most commercial IDSes generate signatures at the network and transport layers.

Finding the proper sensitivity threshold for NIDS sensors has always been a problem for

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Expert Webcast

Five steps to IDS success
The value of IDS can be cancelled out by problems in configuration, placement and administration. You can't achieve IDS success unless you know the essential steps that can lead you there.

network and security administrators. Lower the threshold and some attacks get through the signature screening; raise it too high and false positives flourish.

Nemean attempts to find the proper balance by gathering traffic sent to a honeynet to build signatures based on weighted data. The numerical weights are entirely subjective and based on the creators' expertise. The data is then clustered and fed through an algorithm to determine threat levels and develop signatures.

Among the advantages of such a system, researchers argue, are signatures that can be created for attacks in which the exploit is a tiny part of the entire payload. The method also helps produce generalized signatures from a small number of samples and are easy to validate, they say in their academic paper. Because its emphasis is on accuracy and not timeliness, the architecture cannot deploy the signatures it generates in real-time.

In tests against the popular Snort IDS, Nemean performed very well. It edged out Snort in its detection rate by .2% -- 99.9% compared to Snort's 99.7%. But the real difference came in false positives: Nemean had none, while Snort 2.1.0 with the HTTP pre-processor enabled generated 88,000 alarms -- a vast majority of them false. However, that disparity can be attributed to Snort's much larger signature set -- 2,200 signatures, compared to Nemean's 22 connection-level and seven session-level signatures. Still, the new system captured all malicious code.

Nemean's creators now plan to tweak the architecture's capabilities and test its performance over a longer stretch and in live deployments to refine the signatures it generates.