Abstract
In this paper, we present our work on specification-based intrusion detection. Our goal is to build a web application firewall able to learn the normal behaviour of an application (and/or of the user) from the traffic between a client and a server. The learnt model is then used to validate future traffic. Later in this paper we discuss the interactions between the learning phase and the exploitation phase of the generated model, which is expressed as a set of regular expressions. These regular expressions are generated either after a sequence alignment step combined with BRELA (Basic Regular Expression Learning Algorithm) or directly by the latter. We also present our multiple sequence alignment algorithm, AMAA (Another Multiple Alignment Algorithm), and the use of data clustering to improve the generated regular expressions. The detection phase is simulated in this paper by generating data that represent traffic and using a pattern matcher to validate them.
Notes
1. In the rest of the paper, the terms behaviour and specification are considered the same.
2. These criteria are explained on http://en.wikipedia.org/wiki/F1_score.
3.
4.
Acknowledgements
This work is part of the RoCaWeb project carried out at Kereval and Telecom-Bretagne and financed as a RAPID project by the DGA-MI. We would like to thank Alain Ribault, Constant Chartier, Frédéric Majorczyk and Yacine Tamoudi.
© 2015 Springer International Publishing Switzerland
Amadou Kountché, D., Gombault, S. (2015). Specification-Based Intrusion Detection Using Sequence Alignment and Data Clustering. In: Doss, R., Piramuthu, S., ZHOU, W. (eds) Future Network Systems and Security. FNSS 2015. Communications in Computer and Information Science, vol 523. Springer, Cham. https://doi.org/10.1007/978-3-319-19210-9_3
DOI: https://doi.org/10.1007/978-3-319-19210-9_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-19209-3
Online ISBN: 978-3-319-19210-9
eBook Packages: Computer Science (R0)