Mining Regular Expression Rules based on q-grams

  • Lee, Inbok (Department of Software, Korea Aerospace University)
  • Received: 2019.09.05
  • Reviewed: 2019.09.23
  • Published: 2019.09.30

Abstract

Signature-based intrusion detection systems use intrusion detection rules to detect intrusions. However, writing intrusion detection rules is difficult and requires considerable knowledge of various fields. Attackers may modify previous attempts in order to evade existing intrusion detection rules. In this paper, we deal with the problem of detecting such modified attacks based on previous intrusion detection rules. We present a simple method that reports approximate occurrences of at least one of the network intrusion detection rules, based on q-grams and longest increasing subsequences. Experimental results showed that our approach could detect modified attacks, modeled with edit operations.
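The q-gram and longest-increasing-subsequence idea sketched in the abstract, as an added example that is not the paper's code: each rule's content string is split into q-grams, every q-gram the payload shares with the rule yields the rule positions where it occurs (in payload order), and the length of the longest increasing subsequence of those positions measures how much of the rule survives in order despite insertions, deletions or substitutions. The rule strings, the payload (a one-character substitution of the rule) and the 0.6 threshold are constructed for illustration.

```python
from bisect import bisect_left
from collections import defaultdict


def qgrams(s: str, q: int) -> dict:
    """Map each q-gram of s to the positions where it starts."""
    index = defaultdict(list)
    for i in range(len(s) - q + 1):
        index[s[i:i + q]].append(i)
    return index


def lis_length(seq) -> int:
    """Length of the longest strictly increasing subsequence (patience sorting)."""
    tails = []
    for x in seq:
        k = bisect_left(tails, x)
        if k == len(tails):
            tails.append(x)
        else:
            tails[k] = x
    return len(tails)


def approx_score(rule: str, payload: str, q: int = 3) -> float:
    """Fraction of the rule's q-grams that reappear, in order, in the payload."""
    index = qgrams(rule, q)
    total = len(rule) - q + 1
    if total <= 0:
        return 0.0
    seq = []
    for j in range(len(payload) - q + 1):
        # Rule positions are emitted in descending order so that one payload
        # q-gram contributes at most one element to a strictly increasing LIS.
        seq.extend(reversed(index.get(payload[j:j + q], ())))
    return lis_length(seq) / total


def matches(rules, payload: str, q: int = 3, threshold: float = 0.6):
    """Return the rules whose content approximately occurs in the payload."""
    return [r for r in rules if approx_score(r, payload, q) >= threshold]


# Constructed sample: the second rule string is unrelated; the payload carries
# the first rule's content with one character substituted (O -> 0).
RULES = ["SCANNER-PROBE/1.0", "CRAWLER-X/2"]
PAYLOAD = "GET / HTTP/1.1 User-Agent: SCANNER-PR0BE/1.0"
```

The score is tolerant of local edits because an edit only removes the q-grams that overlap it; `matches(RULES, PAYLOAD)` reports the first rule (12 of its 15 q-grams survive in order) and rejects the second.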
