Title: Extracting Attack Sessions from Real Traffic with Intrusion Prevention Systems
Authors: Chen, I-Wei; Lin, Po-Ching; Luo, Chi-Chung; Cheng, Tsung-Huan; Lin, Ying-Dar; Lai, Yuan-Cheng; Lin, Frank C. (Department of Computer Science)
Keywords: False Positive; False Negative; Intrusion Prevention; Intrusion Detection; Packet Trace; Session Extraction; Similarity
Date: 2009
Abstract: False positives (FPs) and false negatives (FNs) occur in every Intrusion Prevention System (IPS); no single IPS makes better judgments than the others all the time. This work proposes a system, Attack Session Extraction (ASE), that creates a pool of suspicious traffic traces which cause potential FNs (abbreviated as P-FNs) and potential FPs (abbreviated as P-FPs) in IPSes. IPS developers can use these suspicious traffic traces to improve the accuracy of their products. The traces are called suspicious because what they cause are only P-FNs and P-FPs; the IPS developers must confirm whether the P-FNs are actual FNs and the P-FPs are actual FPs. First, the ASE captures real traffic and replays the captured traces to multiple IPSes. By comparing the IPS logs, we find that some attack events are logged, or not logged, only by a certain IPS: the former are P-FPs and the latter are P-FNs for that IPS. The ASE then extracts this suspicious traffic from the replayed traces. The extracted traces can be used for further analysis by IPS developers, and some of them may prove to be guilty, i.e. confirmed as FNs or FPs. To extract a suspicious session completely, the ASE uses an association mechanism based on anchor packets, the five-tuple and time, and similarity for the first packet, the first connection, and the whole session, respectively. It computes the degree of similarity among packets to extract a suspicious session that contains multiple connections. We define variation and completeness/purity as the performance indexes for evaluating ASE. The experiments demonstrate that 95% of the extracted sessions have low variation, and the average completeness/purity is around 80%.
URI: http://hdl.handle.net/11536/15028
ISBN: 978-1-4244-3434-3
ISSN: 1550-3607
Venue: 2009 IEEE INTERNATIONAL CONFERENCE ON COMMUNICATIONS, VOLS 1-8
Start page: 889
End page: 893
Appears in Collections: Conferences Paper