Research Article

Variables influencing the effectiveness of signature-based network intrusion detection systems

