Full metadata record
DC Field | Value | Language
dc.contributor.author | Chen, I-Wei | en_US
dc.contributor.author | Lin, Po-Ching | en_US
dc.contributor.author | Luo, Chi-Chung | en_US
dc.contributor.author | Cheng, Tsung-Huan | en_US
dc.contributor.author | Lin, Ying-Dar | en_US
dc.contributor.author | Lai, Yuan-Cheng | en_US
dc.contributor.author | Lin, Frank C. | en_US
dc.date.accessioned | 2014-12-08T15:21:11Z | -
dc.date.available | 2014-12-08T15:21:11Z | -
dc.date.issued | 2009 | en_US
dc.identifier.isbn | 978-1-4244-3434-3 | en_US
dc.identifier.issn | 1550-3607 | en_US
dc.identifier.uri | http://hdl.handle.net/11536/15028 | -
dc.description.abstract | False positives (FPs) and false negatives (FNs) occur in every Intrusion Prevention System (IPS); no single IPS judges better than the others all the time. This work proposes an Attack Session Extraction (ASE) system that builds a pool of suspicious traffic traces which cause potential FNs (P-FNs) and potential FPs (P-FPs) in IPSes. IPS developers can use these suspicious traces to improve the accuracy of their products. The traces are called suspicious because what they cause are only potential FNs and FPs: the IPS developers must confirm whether each P-FN is an actual FN and each P-FP an actual FP. First, the ASE captures real traffic and replays the captured traces to multiple IPSes. By comparing the IPS logs, it finds attack logs that are raised, or not raised, by only one IPS; the former are P-FPs and the latter P-FNs for that IPS. The ASE then extracts this suspicious traffic from the replayed traces, and the extracted traces can be analyzed further by IPS developers; some may prove guilty, i.e. be confirmed as FNs or FPs. To extract a suspicious session completely, the ASE uses an association mechanism based on anchor packets, on five-tuple and time, and on similarity for the first packet, the first connection, and the whole session, respectively. It calculates the degree of similarity among packets to extract a suspicious session containing multiple connections. We define variation and completeness/purity as the performance indexes to evaluate the ASE. The experiments demonstrate that 95% of the extracted sessions have low variation and that the average completeness/purity is around 80%. | en_US
dc.language.iso | en_US | en_US
dc.subject | False Positive | en_US
dc.subject | False Negative | en_US
dc.subject | Intrusion Prevention | en_US
dc.subject | Intrusion Detection | en_US
dc.subject | Packet Trace | en_US
dc.subject | Session Extraction | en_US
dc.subject | Similarity | en_US
dc.title | Extracting Attack Sessions from Real Traffic with Intrusion Prevention Systems | en_US
dc.type | Article | en_US
dc.identifier.journal | 2009 IEEE INTERNATIONAL CONFERENCE ON COMMUNICATIONS, VOLS 1-8 | en_US
dc.citation.spage | 889 | en_US
dc.citation.epage | 893 | en_US
dc.contributor.department | 資訊工程學系 | zh_TW
dc.contributor.department | Department of Computer Science | en_US
dc.identifier.wosnumber | WOS:000280922200166 | -
Appears in Collections: Conferences Paper