• DocumentCode
    265654
  • Title
    Signature Based Intrusion Detection for Zero-Day Attacks: (Not) A Closed Chapter?
  • Author
    Holm, Hannes
  • Author_Institution
    R. Inst. of Technol. (KTH), Stockholm, Sweden
  • fYear
    2014
  • fDate
    6-9 Jan. 2014
  • Firstpage
    4895
  • Lastpage
    4904
  • Abstract
    A frequent claim that has not been validated is that signature based network intrusion detection systems (SNIDS) cannot detect zero-day attacks. This paper studies this property by testing 356 severe attacks on the SNIDS Snort, configured with an old official rule set. Of these attacks, 183 attacks are zero-days to the rule set and 173 attacks are theoretically known to it. The results from the study show that Snort clearly is able to detect zero-days (a mean of 17% detection). The detection rate is, however, overall greater for theoretically known attacks (a mean of 54% detection). The paper then investigates how the zero-days are detected, how prone the corresponding signatures are to false alarms, and how easily they can be evaded. Analyses of these aspects suggest that a conservative estimate on zero-day detection by Snort is 8.2%.
  • Keywords
    computer network security; digital signatures; SNIDS; false alarm; signature based network intrusion detection; zero day attacks; zero day detection; Computer architecture; Payloads; Ports (Computers); Reliability; Servers; Software; Testing; Computer security; NIDS; code injection; exploits
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    System Sciences (HICSS), 2014 47th Hawaii International Conference on
  • Conference_Location
    Waikoloa, HI
  • Type
    conf
  • DOI
    10.1109/HICSS.2014.600
  • Filename
    6759203