Multi-packet & multi-session signature detection using state based model

Signature Detection modules in IDS/IPS though accurate in pattern matching, yet it leads to false positives. This is due to the incompleteness of the signatures which lacks or has very little information about when, where and how to match these signatures. The signatures enriched with this information significantly brings down the false positives and at the same time enhances the performance of the signature detection module. In this paper we propose a state base signature detection model which leverages on our state aware signatures with sufficiently complete information to match these signatures. The proposed model keeps track of the state of the connection and matches the signatures within appropriate packets. We further classify our signatures that span across multiple packet and across multiple sessions. We also provide the notion of virtual signatures which represents patterns within packets in a distributed form. In this paper we demonstrate the capabilities of our proposed model to detect these virtual patterns, multi-packet and multi-session leveraging on our state aware signatures.