Title :
Signature Based Intrusion Detection for Zero-Day Attacks: (Not) A Closed Chapter?
Author_Institution :
R. Inst. of Technol. (KTH), Stockholm, Sweden
Abstract :
A frequent claim that has not been validated is that signature based network intrusion detection systems (SNIDS) cannot detect zero-day attacks. This paper studies this property by testing 356 severe attacks on the SNIDS Snort, configured with an old official rule set. Of these attacks, 183 attacks are zero-days´ to the rule set and 173 attacks are theoretically known to it. The results from the study show that Snort clearly is able to detect zero-days´ (a mean of 17% detection). The detection rate is however on overall greater for theoretically known attacks (a mean of 54% detection). The paper then investigates how the zero-days´ are detected, how prone the corresponding signatures are to false alarms, and how easily they can be evaded. Analyses of these aspects suggest that a conservative estimate on zero-day detection by Snort is 8.2%.
Keywords :
computer network security; digital signatures; SNIDS; false alarm; signature based network intrusion detection; zero day attacks; zero day detection; Computer architecture; Payloads; Ports (Computers); Reliability; Servers; Software; Testing; Computer security; NIDS; code injection; exploits;
Conference_Titel :
System Sciences (HICSS), 2014 47th Hawaii International Conference on
Conference_Location :
Waikoloa, HI
DOI :
10.1109/HICSS.2014.600
