Network Attack Signature and Intrusion Analysis Research Paper


Since the arrival of the internet, network intrusions have been a major concern for network administrators. Today it is probably impossible to operate a completely safeguarded network system, largely because of network intrusion (Boriana and Lisa, 2005). Intrusions are usually detected by means of signatures: a rule set that matches every attack instance modeled by the signature. A polymorphic worm, which mutates through code transformations, is one of many network intruders; it varies its payload on every infection attempt.

To detect such intrusions, Polygraph, a content-based signature generator for intrusion detection systems (IDS), was introduced. Polygraph does successfully produce matching signatures for polymorphic worms. Unlike other automated signature generation systems, which look for a single contiguous payload substring long enough to match only the worm, Polygraph abandons the weak assumption that one invariant payload substring exists across all worm connections. Instead it relies on the key observation that a worm must exploit some vulnerability in server software, and the exploit therefore has to contain certain invariant bytes, e.g. protocol framing.

It follows that such worms share some invariant content because they all take advantage of the same vulnerabilities (Newsome and Dawn, 2006). Findings further show that nearly all software, irrespective of operating system, contains invariants prone to exploitation. Common polymorphic worms used for intrusion include CodeRed, which uses the GET string while converting from ASCII to Unicode to exploit a buffer overflow, and AdmWorm, which overwrites a return address via a buffer overrun, among many others.

A typical Polygraph monitor, placed strategically in a network so that it sees all network flows, reassembles each flow into a continuous byte stream. Two flow pools are produced: an innocuous pool and a suspicious pool. A set of signatures is then generated that classifies worm payloads as positive or negative, using algorithms based on Bayes' law: Pr(M|N) = Pr(N|M) * Pr(M) / Pr(N). Here Pr denotes probability, M and N are events, and M|N denotes event M given that event N occurs. In simple terms, Bayes' law states that the probability of M given N is computed by multiplying the probability of N given M by the probability of M and dividing by the probability of N (Darren et al., 2004). This rule is therefore used to look for the occurrence of invariants in the suspected payloads.

To ensure good-quality signatures, hierarchical clustering ought to be used. Each cluster holds a set of flows together with the signature generated from that set. When clusters are merged, the algorithm is re-run on the merged set, producing a better signature. The algorithm can be further optimized to prevent additional false positives. Parallelizing hierarchical clustering across multiple processors reduces the time needed to generate a signature, which matters because these algorithms are computationally expensive. Polygraph thus has the advantage of automatically providing the signature database that a NIDS most needs.

Filtering based on the contents of the payload appears to counteract polymorphic worm intrusion effectively. Incorporating invariant byte sequences and applying Bayes' law can isolate worms via the invariant content of their exploits. This algorithm and others, such as the token-subsequence and conjunction algorithms, automatically generate signatures in their respective classes. High-quality signatures can therefore be derived even when misclassified noise flows are present alongside multiple worms.
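As an added illustration (not code from this paper or from the Polygraph project), the following Python sketch extracts the invariant tokens shared by a constructed suspicious pool, builds a conjunction signature from them, and derives Bayes-style per-token weights and a threshold from an innocuous pool; it shows why either token alone would produce false positives while the combined signatures do not. The sample flows, token lengths and add-one smoothing are assumptions made for the example.

```python
import math

# Constructed sample pools (not captured traffic): each "suspicious" flow keeps
# the same invariant exploit framing but a different filler, modelling a
# polymorphic payload; "innocuous" flows are ordinary requests, two of which
# each share exactly one token with the worm.
SUSPICIOUS = [b"GET /vuln.cgi?" + f + b" HTTP/1.0\r\n"
              for f in (b"AAAAAAAA", b"BBBBBBBB", b"CCCCCCCC")]
INNOCUOUS = [b"GET /index.html HTTP/1.0\r\n",
             b"POST /login HTTP/1.1\r\n",
             b"GET /vuln.cgi?x=1 HTTP/1.1\r\n"]


def invariant_tokens(flows, min_len=4):
    """Maximal substrings (>= min_len bytes) present in every flow of the pool."""
    first = flows[0]
    cands = {first[i:j] for i in range(len(first))
             for j in range(i + min_len, len(first) + 1)}
    common = {t for t in cands if all(t in f for f in flows[1:])}
    # keep only tokens not contained in a longer common token
    return sorted(t for t in common
                  if not any(t != u and t in u for u in common))


def conjunction_match(flow, tokens):
    """Conjunction signature: the flow must contain every token, in any order."""
    return all(t in flow for t in tokens)


def bayes_weights(tokens, suspicious, innocuous):
    """Per-token log ratio Pr(token|worm) / Pr(token|innocuous), with add-one
    smoothing so a token unseen in one pool never yields log(0)."""
    def p(token, pool):
        return (sum(token in f for f in pool) + 1) / (len(pool) + 2)
    return {t: math.log(p(t, suspicious) / p(t, innocuous)) for t in tokens}


def bayes_score(flow, weights):
    return sum(w for t, w in weights.items() if t in flow)


def bayes_threshold(weights, innocuous):
    """Lowest threshold that yields zero false positives on the innocuous pool."""
    return max(bayes_score(f, weights) for f in innocuous)


def classify(flow, tokens, weights, threshold):
    """Returns (conjunction_hit, bayes_hit) for one reassembled flow."""
    return conjunction_match(flow, tokens), bayes_score(flow, weights) > threshold


if __name__ == "__main__":
    toks = invariant_tokens(SUSPICIOUS)
    w = bayes_weights(toks, SUSPICIOUS, INNOCUOUS)
    thr = bayes_threshold(w, INNOCUOUS)
    for f in SUSPICIOUS + INNOCUOUS:
        print(f[:24], classify(f, toks, w, thr))
```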

References

Boriana, D. & Lisa, F. (2005). Signature-Based Intrusion Detection. North Carolina: University of North Carolina.

Darren, M. et al. (2004). Reverse Engineering of Network Signatures. Santa Barbara: Routledge Publishers.

Newsome, J. & Dawn, S. (2006). Polygraph: Automatically Generating Signatures for Polymorphic Worms. New York: St. Martin's Press.

IvyPanda. (2022, March 21). Network Attack Signature and Intrusion Analysis. https://ivypanda.com/essays/network-attack-signature-and-intrusion-analysis/