DOI: 10.1145/3301551.3301591

Characterizing Realistic Signature-based Intrusion Detection Benchmarks

Published: 29 December 2018

Abstract

Speeding up pattern matching for intrusion detection systems has been a growing field of research. There has been an influx of new algorithms, modifications to existing algorithms and even hardware architectures aimed at improving pattern matching performance. Establishing an accurate comparison to related work is a real challenge because researchers use different datasets and metrics to evaluate their work. The purpose of this paper is to characterize and identify realistic workloads, propose standard benchmarks, and establish common metrics to better compare work in the area of pattern matching for intrusion detection. We collect traffic traces and attack signatures from popular open source platforms. The datasets are processed, cleansed and studied to give researchers a better understanding of their characteristics. The final datasets, along with detailed information about their origins, contents, features, statistical analysis and performance evaluation using well-known pattern-matching algorithms, are available to the public. In addition, we provide a generic parser capable of parsing the rule formats of different intrusion detection systems and extracting attack signatures. Finally, we provide a pattern-matching engine that enables researchers to plug in their new pattern matching algorithms and compare them to existing algorithms using the predefined metrics.



    Published In

    ICIT '18: Proceedings of the 6th International Conference on Information Technology: IoT and Smart City
    December 2018
    344 pages
    ISBN:9781450366298
    DOI:10.1145/3301551
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    In-Cooperation

    • The Hong Kong Polytechnic: The Hong Kong Polytechnic University
    • TU: Tianjin University

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. Attack signatures
    2. Benchmarks
    3. Intrusion detection
    4. Pattern matching
    5. Traffic traces

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    ICIT 2018
    ICIT 2018: IoT and Smart City
    December 29 - 31, 2018
    Hong Kong, Hong Kong

    Article Metrics

    • Downloads (Last 12 months)18
    • Downloads (Last 6 weeks)0
    Reflects downloads up to 04 Feb 2025

    Cited By

    • (2024) "Towards an efficient model for network intrusion detection system (IDS): systematic literature review", Wireless Networks, Vol. 30, No. 1, pp. 453--482, 1 Jan 2024. DOI: 10.1007/s11276-023-03495-2
    • (2023) "A systematic literature review for network intrusion detection system (IDS)", International Journal of Information Security, Vol. 22, No. 5, pp. 1125--1162, 27 Mar 2023. DOI: 10.1007/s10207-023-00682-2
    • (2019) "MultiPLZW", Computer Communications, Vol. 145, No. C, pp. 126--136, 1 Sep 2019. DOI: 10.1016/j.comcom.2019.06.011
    • (2019) "Non-interactive zero knowledge proofs for the authentication of IoT devices in reduced connectivity environments", Ad Hoc Networks, Vol. 95, No. C, 1 Dec 2019. DOI: 10.1016/j.adhoc.2019.101988
