DocumentCode :
2555069
Title :
Optimizing the observation windows size for kernel attack signatures
Author :
Harrison, William S. ; Krings, Axel W. ; Hanebutte, Nadine
Author_Institution :
Dept. of Comput. Sci., Idaho Univ., Moscow, ID, USA
fYear :
2004
fDate :
5-8 Jan. 2004
Abstract :
In this paper, we introduce a signature-based intrusion detection methodology which utilizes low-level kernel data in order to identify network attacks in real time. Different types of attacks have different behavior characteristics over time, and thus require observation intervals of different length to clearly identify attack data within a network data stream. Our technique involves a pseudo-continuous stream of network kernel data that is processed in order to identify attacks. An additional advantage of a pseudo-continuous system is that it allows dynamic adjustment to account for varying levels of network load. This allows a higher precision and lower false positive rate than in a fixed-interval system because only the data needed for identification is compared to the stored signature. Further, response time is near-immediate as only the minimum data needed in order to detect the attack must be sampled.
Keywords :
digital signatures; operating system kernels; security of data; kernel attack signature; network attack; observation windows size; pseudocontinuous network kernel data stream; signature-based intrusion detection; Application software; Computer science; Condition monitoring; Data security; Delay; Frequency; Instruments; Internet; Intrusion detection; Kernel;
fLanguage :
English
Publisher :
IEEE
Conference_Title :
System Sciences, 2004. Proceedings of the 37th Annual Hawaii International Conference on
Print_ISBN :
0-7695-2056-1
Type :
conf
DOI :
10.1109/HICSS.2004.1265450
Filename :
1265450