New 'semantics-aware' IDS reduces false positives

By Anne Saita, News Director 08 Aug 2005 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

The researchers unveiled their architecture, dubbed Nemean, at last week's Usenix Security Symposium in Baltimore. Nemean automatically generates "semantics-aware" signatures based on traffic at the session and application layers. Most commercial IDSes generate signatures at the network and transport layers.

Finding the proper sensitivity threshold for NIDS sensors has always been a problem for

Expert Webcast Five steps to IDS success The value of IDS can be cancelled out by problems in configuration, placement and administration. You can't achieve IDS success unless you know the essential steps that can lead you there.

network and security administrators. Lower the threshold and some attacks get through the signature screening; raise it too high and false positives flourish.

Nemean attempts to find the proper balance by gathering traffic sent to a honeynet to build signatures based on weighted data. The numerical weights are entirely subjective and based on the creators' expertise. The data is then clustered and fed through an algorithm to determine threat levels and develop signatures.

Among the advantages of such a system, researchers argue, are signatures that can be created for attacks in which the exploit is a tiny part of the entire payload. The method also helps produce generalized signatures from a small number of samples and are easy to validate, they say in their academic paper. Because its emphasis is on accuracy and not timeliness, the architecture cannot deploy the signatures it generates in real-time.

In tests against the popular Snort IDS, Nemean performed very well. It edged out Snort in its detection rate by .2% -- 99.9% compared to Snort's 99.7%. But the real difference came in false positives: Nemean had none, while Snort 2.1.0 with the HTTP pre-processor enabled generated 88,000 alarms -- a vast majority of them false. However, that disparity can be attributed to Snort's much larger signature set -- 2,200 signatures, compared to Nemean's 22 connection-level and seven session-level signatures. Still, the new system captured all malicious code.

Nemean's creators now plan to tweak the architecture's capabilities and test its performance over a longer stretch and in live deployments to refine the signatures it generates.

Tags: Network Intrusion Detection (IDS),  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Network Intrusion Detection (IDS) Preventing SQL injection attacks: A network admin's perspective Lifecycle of a network security vulnerability Best Intrusion Prevention and Detection Products Rogue AP containment methods SIMs tools and tactics for business intelligence IPS and IDS deployment strategies Know when you need IDS, IPS or both Trend Micro to acquire Third Brigade for virtualization, cloud security New product aims to control rogue applications that avoid firewalls How to perform a network forensic analysis and investigation Network Intrusion Detection (IDS) Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary computer forensics  (SearchSecurity.com) Diffie-Hellman key exchange  (SearchSecurity.com) Einstein  (SearchSecurity.com) HIDS/NIDS  (SearchSecurity.com) network behavior analysis  (SearchSecurity.com) ultrasound  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary