Signature Based Intrusion Detection for Zero-Day Attacks: (Not) A Closed Chapter?
2014 (English). In: 2014 47th Hawaii International Conference on System Sciences (HICSS), IEEE Computer Society, 2014, pp. 4895-4904. Conference paper (refereed).
Abstract: A frequent claim that has not been validated is that signature-based network intrusion detection systems (SNIDS) cannot detect zero-day attacks. This paper studies this property by testing 356 severe attacks on the SNIDS Snort, configured with an old official rule set. Of these attacks, 183 are zero-days to the rule set and 173 are theoretically known to it. The results from the study show that Snort clearly is able to detect zero-days (a mean of 17% detection). The detection rate is, however, overall greater for theoretically known attacks (a mean of 54% detection). The paper then investigates how the zero-days are detected, how prone the corresponding signatures are to false alarms, and how easily they can be evaded. Analyses of these aspects suggest that a conservative estimate of zero-day detection by Snort is 8.2%.
Place, publisher, year, edition, pages: IEEE Computer Society, 2014. pp. 4895-4904.
Series: Proceedings of the Annual Hawaii International Conference on System Sciences, ISSN 1060-3425
Keywords: Detection rates, False alarms, Rule set, Signature-based network intrusion detection systems, Zero day attack, Systems science
Identifiers:
URN: urn:nbn:se:kth:diva-129255
DOI: 10.1109/HICSS.2014.600
ISI: 000343806605004
ScopusID: 2-s2.0-84902261151
ISBN: 978-147992504-9
OAI: oai:DiVA.org:kth-129255
DiVA: diva2:651164
Conference: 47th Hawaii International Conference on System Sciences, HICSS 2014; Waikoloa, HI; United States; 6 January 2014 through 9 January 2014
QC 20140131. Available from 2013-09-24, created 2013-09-24, last updated 2014-12-09. Bibliographically approved.