Paper Appeared at 14th USENIX Security Symposium

Posted 12 October 2005

The paper An Architecture for Generating Semantics-Aware Signatures by Vinod Yegneswaran, Jonathon T. Giffin, Paul Barford, and Somesh Jha appeared at the 14th USENIX Security Symposium. The conference was held August 3–5 in Baltimore, Maryland. Jon presented the paper at the conference.

Identifying new intrusions and developing effective signatures that detect them is essential for protecting computer networks. The authors presented Nemean, a system for automatic generation of intrusion signatures from honeynet packet traces. Their architecture is distinguished by two properties: a modular design framework that encourages independent development and modification of system components, and protocol semantics-awareness, which allows the construction of signatures that greatly reduce false alarms. The building blocks of the architecture are transport and service normalization, intrusion profile clustering, and automata learning that generates connection- and session-aware signatures. They demonstrated the potential of Nemean's semantics-aware, resilient signatures through a prototype implementation. They used two datasets to evaluate the system: (i) a production dataset for false-alarm evaluation and (ii) a honeynet dataset to measure detection rates. Signatures generated by Nemean for NetBIOS exploits had a 0% false-positive rate and a 0.04% false-negative rate.
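The following is an added illustration, not code from the Nemean paper or its prototype, of why a session-aware signature over normalized protocol events can fire less often on benign traffic than a content-only byte pattern. The message types, payloads, the byte pattern, and the automaton are all constructed for the example; they do not correspond to any real protocol message or exploit. The byte-pattern signature matches both sessions because the same bytes appear in both, while the automaton signature only matches when the bytes occur at the expected point in the session. The error-rate helper mirrors the paper's style of evaluation (false-positive rate on benign sessions, false-negative rate on attack sessions) on the labelled toy data.

```python
"""Toy comparison of a content-only signature with a session-aware
automaton signature (added example; everything here is constructed)."""

from typing import Callable, Dict, List, Tuple

Message = Tuple[str, bytes]   # (normalized message type, payload)
Session = List[Message]

# Constructed byte pattern standing in for a content signature.
PATTERN = b"\x41\x41\x41\x41\x90\x90"

# Constructed sessions. The same bytes occur in both the attack and the
# first benign session; only the protocol context differs.
ATTACK_SESSION: Session = [
    ("negotiate", b"\x00\x01"),
    ("session_setup", b"\x00" * 8 + PATTERN + b"\x00" * 8),  # pattern in an auth field
]
BENIGN_FILE_COPY: Session = [
    ("negotiate", b"\x00\x01"),
    ("session_setup", b"user=alice"),
    ("tree_connect", b"\\\\server\\share"),
    ("write", b"file data " + PATTERN + b" more file data"),  # pattern in file contents
]
BENIGN_PLAIN: Session = [
    ("negotiate", b"\x00\x01"),
    ("session_setup", b"user=bob"),
    ("tree_connect", b"\\\\server\\share"),
    ("write", b"plain file data"),
]

# Labelled corpus: session -> True if it is an attack (constructed labels).
LABELLED: Dict[str, Tuple[Session, bool]] = {
    "attack": (ATTACK_SESSION, True),
    "benign_file_copy": (BENIGN_FILE_COPY, False),
    "benign_plain": (BENIGN_PLAIN, False),
}


def byte_signature_matches(session: Session) -> bool:
    """Content-only signature: fires if the pattern occurs in any payload."""
    return any(PATTERN in payload for _, payload in session)


def normalize(session: Session) -> List[str]:
    """Service normalization: map each message to a symbolic event.

    The pattern only becomes an event when it appears in the session_setup
    message, not when it merely appears in file data carried by a write.
    """
    events = []
    for msg_type, payload in session:
        if msg_type == "session_setup" and PATTERN in payload:
            events.append("session_setup_with_pattern")
        else:
            events.append(msg_type)
    return events


class SessionSignature:
    """Deterministic automaton over normalized events; an unexpected event
    resets to the start state, so message order is part of the signature."""

    def __init__(self, transitions: Dict[Tuple[str, str], str], start: str, accept: str):
        self.transitions = transitions
        self.start = start
        self.accept = accept

    def matches(self, session: Session) -> bool:
        state = self.start
        for event in normalize(session):
            state = self.transitions.get((state, event), self.start)
            if state == self.accept:
                return True
        return False


# Constructed session-aware signature: negotiate, then a session_setup
# carrying the pattern.
ATTACK_SESSION_SIGNATURE = SessionSignature(
    transitions={
        ("start", "negotiate"): "negotiated",
        ("negotiated", "session_setup_with_pattern"): "alert",
    },
    start="start",
    accept="alert",
)


def error_rates(match: Callable[[Session], bool],
                labelled: Dict[str, Tuple[Session, bool]]) -> Tuple[float, float]:
    """Return (false-positive rate, false-negative rate) over labelled sessions."""
    fp = fn = positives = negatives = 0
    for session, is_attack in labelled.values():
        fired = match(session)
        if is_attack:
            positives += 1
            if not fired:
                fn += 1
        else:
            negatives += 1
            if fired:
                fp += 1
    fpr = fp / negatives if negatives else 0.0
    fnr = fn / positives if positives else 0.0
    return fpr, fnr


if __name__ == "__main__":
    print("byte pattern  (FPR, FNR):", error_rates(byte_signature_matches, LABELLED))
    print("session-aware (FPR, FNR):", error_rates(ATTACK_SESSION_SIGNATURE.matches, LABELLED))
```

On the constructed corpus the byte-pattern signature reports a 0.5 false-positive rate (it fires on the benign file copy) with no misses, while the session-aware signature reports 0 on both, because the automaton demands the pattern in a specific message at a specific point in the session rather than anywhere in the byte stream.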

