Abstract
Intrusion detection systems are defensive tools that identify malicious activities in networks and hosts. In network forensics, investigators often study logs that store alerts generated by intrusion detection systems. This research focuses on Snort, a widely-used, open-source, misuse-based intrusion detection system that detects network intrusions based on a pre-defined set of attack signatures. When a security breach occurs, a forensic investigator typically starts by examining network log files. However, Snort cannot detect unknown attacks (i.e., zero-day attacks) even when they are similar to known attacks; as a result, an investigator may lose evidence in a criminal case.
This chapter demonstrates how easily malicious activity can be made to evade detection by Snort, and the possibility of using constrained approximate search algorithms in place of the default Snort search algorithm to collect evidence. Experimental results on the performance of constrained approximate search algorithms demonstrate that they are capable of detecting previously unknown attack attempts that are similar to known attacks. While the algorithms generate additional false positives, the number of false positives can be reduced by a careful choice of the constraint values in the algorithms.
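The following is an added illustration of the idea the abstract describes; it is not code from the chapter, and it does not reproduce the authors' bit-parallel CRBP algorithms. It uses the plain dynamic-programming formulation of approximate substring search (Sellers-style) and extends it so that substitutions and indels (insertions plus deletions) are bounded separately, which is the kind of constraint the abstract refers to. The signature `EXAMPLE-SIGNATURE`, the payloads, and the helper names (`constrained_approx_search`, `flag_payloads`) are constructed for this example. An exact content match, which is what a plain Snort content rule performs, is shown beside it so the difference in coverage is visible.

```python
"""Constrained approximate signature search (added example, not the chapter's code).

Sellers-style dynamic programming for approximate substring matching, extended
so that substitutions and indels (insertions + deletions) are bounded
separately. The signature and payloads below are constructed for illustration.
"""
from typing import Dict, List, NamedTuple, Optional, Set

INF = float("inf")


class Match(NamedTuple):
    end: int      # text offset one past the last byte of the match
    subs: int     # substitutions used by the cheapest admissible alignment
    indels: int   # insertions + deletions used by that alignment


def constrained_approx_search(pattern: bytes, text: bytes, max_subs: int,
                              max_indels: int,
                              max_total: Optional[int] = None) -> List[Match]:
    """Return every text position at which `pattern` ends with at most
    max_subs substitutions, at most max_indels indels and at most max_total
    edits in total (default: max_subs + max_indels)."""
    m = len(pattern)
    if max_total is None:
        max_total = max_subs + max_indels
    # col[i][t]: minimum substitutions needed to align pattern[:i] with some
    # substring of text ending at the current column using exactly t indels.
    # Column 0 (empty text): pattern[:i] can only be matched by deleting it.
    prev = [[INF] * (max_indels + 1) for _ in range(m + 1)]
    prev[0][0] = 0
    for i in range(1, min(m, max_indels) + 1):
        prev[i][i] = 0
    matches: List[Match] = []
    for j in range(1, len(text) + 1):
        cur = [[INF] * (max_indels + 1) for _ in range(m + 1)]
        cur[0][0] = 0  # substring search: a match may start anywhere for free
        for i in range(1, m + 1):
            cost = 0 if pattern[i - 1] == text[j - 1] else 1
            for t in range(max_indels + 1):
                best = prev[i - 1][t] + cost          # match / substitution
                if t:
                    best = min(best,
                               prev[i][t - 1],        # text byte inserted
                               cur[i - 1][t - 1])     # pattern byte deleted
                cur[i][t] = best
        # Among the admissible (subs, indels) combinations at this column,
        # report the cheapest one (fewest total edits, then fewest indels).
        admissible = [(s + t, t, s) for t, s in enumerate(cur[m])
                      if s <= max_subs and s + t <= max_total]
        if admissible:
            _, t, s = min(admissible)
            matches.append(Match(j, int(s), t))
        prev = cur
    return matches


def exact_search(pattern: bytes, text: bytes) -> bool:
    """Exact content match, the behaviour of a plain content rule."""
    return pattern in text


# Constructed signature and payloads (not real rules or captured traffic).
SIGNATURE = b"EXAMPLE-SIGNATURE"
PAYLOADS: Dict[str, bytes] = {
    "exact":       b"GET /index.html EXAMPLE-SIGNATURE HTTP/1.1",
    "one-sub":     b"GET /index.html EXAMPLE_SIGNATURE HTTP/1.1",
    "one-insert":  b"GET /index.html EXAMPLE--SIGNATURE HTTP/1.1",
    "two-deletes": b"GET /index.html EXAMPLESIGNATUR HTTP/1.1",
    "unrelated":   b"GET /index.html HTTP/1.1",
}


def flag_payloads(signature: bytes, payloads: Dict[str, bytes],
                  max_subs: int, max_indels: int) -> Set[str]:
    """Names of the payloads the constrained search would raise an alert on."""
    return {name for name, data in payloads.items()
            if constrained_approx_search(signature, data, max_subs, max_indels)}


if __name__ == "__main__":
    hits = {n for n, d in PAYLOADS.items() if exact_search(SIGNATURE, d)}
    print("exact content match :", sorted(hits))
    for subs, indels in [(0, 0), (1, 0), (0, 1), (1, 1), (3, 3)]:
        found = sorted(flag_payloads(SIGNATURE, PAYLOADS, subs, indels))
        print(f"subs<={subs} indels<={indels}:", found)
```

Running the block shows the trade-off the abstract describes: the exact match flags only the `exact` payload, loosening the constraints to one substitution and one indel also flags the three slightly altered variants, and the `unrelated` payload is never flagged. Tightening either bound back to zero drops the variants that need that edit type, which is how constraint values control the false-positive rate on real traffic.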
© 2018 IFIP International Federation for Information Processing
About this paper
Cite this paper
Chitrakar, A.S., Petrovic, S. (2018). Collecting Network Evidence Using Constrained Approximate Search Algorithms. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics XIV. DigitalForensics 2018. IFIP Advances in Information and Communication Technology, vol 532. Springer, Cham. https://doi.org/10.1007/978-3-319-99277-8_9
DOI: https://doi.org/10.1007/978-3-319-99277-8_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-99276-1
Online ISBN: 978-3-319-99277-8
eBook Packages: Computer Science, Computer Science (R0)