Internet sieve: An architecture for generating resilient signatures

Vinod Yegneswaran, Jonathon T. Giffin, Paul Barford, and Somesh Jha.

Technical Report #1507, Computer Sciences Department, University of Wisconsin.

Madison, Wisconsin, May 2004.

We present iSieve, a modular architecture for identifying intrusion profiles in packet trace data and automatically constructing resilient signatures for the profiles. The first component of the architecture organizes and normalizes packet trace data collected from honeynets. The second component classifies this data into attack profiles based upon data similarity measures. The final component uses machine learning methods to generate an automaton for each attack profile. These automata can then be used as signatures by network intrusion detection systems. We show how a large, diverse data set is effectively summarized by each component of our system and use these results to highlight implementation considerations in the architecture. Evaluation demonstrates iSieve's ability to generate resilient signatures for many different intrusion profiles. For example, our learned signatures detect 99.98% of the intrusive sessions in NetBIOS data and generate no false alarms.

Paper: [pdf]

An alternate version of this paper is available as a conference publication.