An architecture for generating semantics-aware signatures
Identifying new intrusions and developing effective signatures that
detect them is essential for protecting computer networks. We present
Nemean, a system for automatic generation of intrusion signatures from
honeynet packet traces. Our architecture is distinguished by two
features: a modular design framework that encourages independent
development and modification of system components, and protocol
semantics awareness, which allows construction of signatures that
greatly reduce false alarms. The building blocks of our architecture
include transport and service normalization, intrusion profile
clustering and automata learning that generates connection and session
aware signatures. We demonstrate the potential of Nemean's
semantics-aware, resilient signatures through a prototype
implementation. We use two datasets to evaluate the system: (i) a
production dataset for false-alarm evaluation and (ii) a honeynet
dataset for measuring detection rates. Signatures generated by Nemean
for NetBIOS exploits had a 0% false-positive rate and a 0.04%
false-negative rate.
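To make the pipeline the abstract names concrete, here is an added toy walk-through (not code from the paper or the Nemean project): service normalization, clustering of intrusion profiles, learning a session-aware signature automaton from each cluster, and evaluation of false-positive and false-negative rates on benign and attack traces. All sessions are constructed, the request names and fields are illustrative placeholders rather than a real protocol decoding, and the Jaccard clustering and position-wise generalization are the simplest methods that show the idea, not Nemean's own algorithms.

```python
"""Toy version of the stages named in the abstract:
normalize -> cluster -> learn session-aware signature -> evaluate.
All data is constructed; token names are illustrative, not a real protocol."""

# Constructed raw sessions: the ordered requests one client sent over one
# connection, as (request_type, "key=value") pairs a hypothetical parser emits.
# Case and numeric arguments vary on purpose to show what normalization buys.
ATTACK_TRACES = [
    [("Negotiate", "dialect=A"), ("Session_Setup", "user=Guest"),
     ("Tree_Connect", "share=IPC"), ("Trans", "pipe=P1"), ("Trans", "fill=4096")],
    [("negotiate", "dialect=B"), ("session_setup", "user=guest"),
     ("tree_connect", "share=ipc"), ("trans", "pipe=P1"), ("trans", "fill=8192")],
    [("Negotiate", "dialect=A"), ("Session_Setup", "user=anon"),
     ("Tree_Connect", "share=IPC"), ("Trans", "pipe=p1"), ("Trans", "fill=6000")],
    # A second, unrelated intrusion profile (share enumeration).
    [("Negotiate", "dialect=A"), ("Session_Setup", "user=guest"),
     ("Tree_Connect", "share=ADMIN"), ("List", "path=/")],
    [("Negotiate", "dialect=B"), ("Session_Setup", "user=guest"),
     ("Tree_Connect", "share=admin"), ("List", "path=/tmp")],
]
BENIGN_TRACES = [
    [("Negotiate", "dialect=A"), ("Session_Setup", "user=alice"),
     ("Tree_Connect", "share=DOCS"), ("Open", "path=report.txt"), ("Read", "len=512")],
    # Legitimate use of the same pipe service, with a small argument.
    [("Negotiate", "dialect=B"), ("Session_Setup", "user=bob"),
     ("Tree_Connect", "share=IPC"), ("Trans", "pipe=P1"), ("Trans", "fill=64")],
]


def normalize(session):
    """Service normalization: fold case and bucket numeric lengths so that
    byte-level variation between attack instances collapses into one
    canonical (request, key, value) token per request."""
    out = []
    for req, arg in session:
        key, _, value = arg.partition("=")
        key, value = key.lower(), value.lower()
        if key in ("fill", "len"):  # bucket sizes instead of keeping exact bytes
            value = "large" if int(value) >= 1024 else "small"
        out.append((req.lower(), key, value))
    return out


def shape(session):
    """What clustering compares: request types and argument keys only."""
    return {(req, key) for req, key, _ in session}


def jaccard(a, b):
    return len(a & b) / len(a | b)


def cluster(sessions, threshold=0.8):
    """Single-linkage clustering on Jaccard similarity of session shapes."""
    clusters = []
    for s in sessions:
        for c in clusters:
            if any(jaccard(shape(s), shape(m)) >= threshold for m in c):
                c.append(s)
                break
        else:
            clusters.append([s])
    return clusters


class Signature:
    """Session-aware signature: one state per request of the learned dialogue.
    A field whose value varied across the cluster becomes a wildcard (None).
    Matching advances through states in order and skips unrelated requests,
    so a session matches only if it carries the whole attack dialogue."""

    def __init__(self, pattern):
        self.pattern = pattern  # list of (req, key, value-or-None)

    @classmethod
    def learn(cls, sessions):
        pattern = []
        for i in range(min(len(s) for s in sessions)):
            column = {s[i] for s in sessions}
            if len({(r, k) for r, k, _ in column}) != 1:
                break  # request order diverges here; keep the common prefix
            req, key = next(iter(column))[:2]
            values = {v for _, _, v in column}
            pattern.append((req, key, values.pop() if len(values) == 1 else None))
        return cls(pattern)

    def matches(self, session):
        state = 0
        for req, key, value in session:
            p_req, p_key, p_value = self.pattern[state]
            if req == p_req and key == p_key and p_value in (None, value):
                state += 1
                if state == len(self.pattern):
                    return True
        return False


def evaluate():
    """Learn one signature per cluster; return signatures, FP rate, FN rate."""
    attacks = [normalize(s) for s in ATTACK_TRACES]
    benign = [normalize(s) for s in BENIGN_TRACES]
    sigs = [Signature.learn(c) for c in cluster(attacks)]
    detected = lambda s: any(sig.matches(s) for sig in sigs)
    fp = sum(detected(s) for s in benign) / len(benign)
    fn = sum(not detected(s) for s in attacks) / len(attacks)
    return sigs, fp, fn


if __name__ == "__main__":
    sigs, fp, fn = evaluate()
    for sig in sigs:
        print(sig.pattern)
    print(f"false positives {fp:.0%}, false negatives {fn:.0%}")
```

The second benign trace is the instructive case: it reaches the same pipe as the first attack cluster, so a byte-string signature on the pipe name alone would flag it, but the learned signature also requires the large-argument request that closes the dialogue, and the normalizer has mapped the benign session's small argument to a different token. Real deployments hinge on the quality of the normalizer and on a clustering threshold tuned against production traffic; both are placeholders here.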
Download: [PS, PDF]
Somesh Jha
Last modified: Thu Mar 23 13:57:49 CST 2006