Essay About Domain-Specific Language And Hard Copies

Network Detection
Essay Preview: Network Detection
Report this essay
A High-Performance Network Intrusion Detection System*
R. Sekar Y. Guang S. Verma T. Shanbhag
SUNY at Stony Brook, NY Iowa State University, Ames, IA
Abstract
In this paper we present a new approach for network intrusion
detection based on concise specifications that characterize normal
and abnormal network packet sequences. Our specification
language is geared for a robust network intrusion detection by
enforcing a strict type discipline via a combination of static and
dynamic type checking. Unlike most previous approaches in network
intrusion detection, our approach can easily support new
network protocols as information relating to the protocols are
not hard-coded into the system. Instead, we simply add suitable
type definitions in the specifications and define intrusion pattans
on these types. We compile these specifications into a highpedormance
network intrusion detection system. Important components
of our approach include efficient algorithms for patternmatching
and information aggregation on sequences of network
packets. In particular, our techniques ensure that the matching
time is insensitive to the number of patterns characterizing different
network intrusions, and that the aggregation operations typically
take constant time per packet. Our system participated in an
intrusion detection evaluation organized by MIT Lincoln Labs,
where our system demonstrated its effectiveness (96% detection
rate on low-level network attacks) and performance (real-time detection
at 500Mbps), while producing very few false positives
(0.05 to 0.I per attack).
1 Introduction
Network-based attacks have been increasing in frequency and
severity over the past several years. Consequently, many research
efforts have focused
on network intrusion detection techniques
aimed at identifying such attacks. This paper describes a new approach
to detect such attacks. The centerpiece of our approach
is a domain-specific language that enables concise specification
of network packet contents under normal as well as attack condiUons.
These specifications are compiled to produce a highperformance
network intrusion detection system. The main benefits
of our approach are:
* concise, easy-to-develop intrusion specifications. Using our
domain-specific language, we can specify network-based attacks
or other anomalous behavior easily and concisely. We
have encoded the signatures for most low-level network
probes and attacks using a specification that is about five lines
each. Such conciseness contributes to increased confidence in
*This research is supported in p=xt by Defense Advanced Research Agencys
InformaUon Technology Otfic, e (DARPA-ITO) under the Infonmation System Suxvivabthty
program, under contract number F30602-97 -(2-0244.
Permission to make dlg*tal or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that
copies are not made or d(strtbuted for profit or commercial advant
-age and that copies bear this noUce and the full cttatlon on the hrst page
To copy otherwise, to republish, to post on servers or to
redtstrlbute to lists, requires pnor specific permission and/or a fee
CCS 99 11/99 Singapore
© 1999ACM 1-58113-148-8/99t0010 $500
the correctness of specifications, and leads to reduced development
and debugging efforts.
* high-speed, large-volume monitoring. A central component
of our approach is a fast pattern matching algorithm whose
runtime is insensitive to the number of attack signatures. This
algorithm ~ensures that the same packet field is never examined
more than once, regardless of the number of patterns
that refer to the field. This factor, combined with efficient
data aggregation