
Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 6201))

Abstract

Since most current network attacks happen at the application layer, analysis of packet payload is necessary for their detection. Unfortunately, malicious packets may be crafted to mimic normal payload and so avoid detection if the anomaly detection method is known. This paper proposes a keyed packet payload anomaly detection NIDS. The model of normal payload is key dependent. The key is different for each implementation of the method and is kept secret. Therefore the model of normal payload is secret although the detection method is public. This prevents mimicry attacks. The payload is partitioned into words. Words are defined by delimiters. The set of delimiters plays the role of the key. The proposed design is implemented and tested. Testing with HTTP traffic confirmed the same detection capabilities for different keys.
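The following is an added illustration of the keyed tokenization the abstract describes, not the paper's KIDS implementation: a secret set of delimiter bytes partitions payload into words, and a model of normal payload is built from those words. The two delimiter sets, the sample HTTP requests and the scoring rule (share of words never seen in training) are all constructed assumptions; the abstract does not state how KIDS scores a payload.

```python
from collections import Counter

# Two secret delimiter sets, constructed for this example. In the scheme each
# deployment picks its own set and keeps it secret, so the set acts as the key.
KEY_A = frozenset(b" /?&=:\r\n")
KEY_B = frozenset(b" .\"<>;\r\n")

def tokenize(payload: bytes, key: frozenset) -> list:
    """Partition payload into words: every byte in the key is a delimiter."""
    words, current = [], bytearray()
    for b in payload:
        if b in key:
            if current:
                words.append(bytes(current))
                current = bytearray()
        else:
            current.append(b)
    if current:
        words.append(bytes(current))
    return words

def train(payloads, key) -> Counter:
    """Model of normal payload under this key: word frequencies."""
    model = Counter()
    for p in payloads:
        model.update(tokenize(p, key))
    return model

def anomaly_score(payload: bytes, model: Counter, key) -> float:
    """Assumed scoring rule (not from the paper): share of words the model
    never saw in training; 0.0 means every word is known."""
    words = tokenize(payload, key)
    if not words:
        return 0.0
    return sum(1 for w in words if w not in model) / len(words)

# Constructed benign HTTP requests standing in for training traffic.
NORMAL = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /search?q=books&page=2 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]
# Constructed request whose path and query were never seen in training.
ODD = b"GET /admin/backup.tar.gz?token=aaaaaaaa HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for name, key in (("KEY_A", KEY_A), ("KEY_B", KEY_B)):
        model = train(NORMAL, key)
        # Same bytes, different words: the model to mimic depends on the key.
        print(name, tokenize(ODD, key))
        print(name, "normal", anomaly_score(NORMAL[0], model, key),
              "odd", round(anomaly_score(ODD, model, key), 3))
```

The unseen request scores above zero under both keys while the training requests score zero, mirroring the abstract's claim that detection capability does not depend on which key is chosen.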




Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Mrdovic, S., Drazenovic, B. (2010). KIDS – Keyed Intrusion Detection System. In: Kreibich, C., Jahnke, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2010. Lecture Notes in Computer Science, vol 6201. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14215-4_10


  • DOI: https://doi.org/10.1007/978-3-642-14215-4_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-14214-7

  • Online ISBN: 978-3-642-14215-4

  • eBook Packages: Computer Science (R0)
