
DFMPS-DAPANID-06

Holger Dreger, Anja Feldmann, Michael Mai, Vern Paxson, Robin Sommer. Dynamic Application-Layer Protocol Analysis for Network Intrusion Detection. In Proceedings of the 15th USENIX Security Symposium, (Location: Vancouver, B.C., Canada), Pages 257-272, USENIX Association, Berkeley, CA, USA, 2006.

Download

Download paper: Adobe portable document (pdf)

Copyright notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. These works may not be reposted without the explicit permission of the copyright holder.

Abstract

Many network intrusion detection systems (NIDS) rely on protocol-specific analyzers to extract the higher-level semantic context from a traffic stream. To select the correct kind of analysis, traditional systems exclusively depend on well-known port numbers. However, based on our experience, increasingly significant portions of today's traffic are not classifiable by such a scheme. Yet for a NIDS, this traffic is very interesting, as a primary reason for not using a standard port is to evade security and policy enforcement monitoring. In this paper, we discuss the design and implementation of a NIDS extension to perform dynamic application-layer protocol analysis. For each connection, the system first identifies potential protocols in use and then activates appropriate analyzers to verify the decision and extract higher-level semantics. We demonstrate the power of our enhancement with three examples: reliable detection of applications not using their standard ports, payload inspection of FTP data transfers, and detection of IRC-based botnet clients and servers. Prototypes of our system currently run at the border of three large-scale operational networks. Due to its success, the bot detection is already integrated into dynamic inline blocking of production traffic at one of the sites.

Keyword

[ Id ]

Contact

Holger Dreger
Anja Feldmann
Robin Sommer

BibTex Reference

@InProceedings{DFMPS-DAPANID-06,
   Author = {Dreger, Holger and Feldmann, Anja and Mai, Michael and Paxson, Vern and Sommer, Robin},
   Title = {Dynamic Application-Layer Protocol Analysis for Network Intrusion Detection},
   BookTitle = {Proceedings of the 15th Usenix Security Symposium},
   Pages = {257--272},
   Publisher = {USENIX Association},
   Address = {Berkeley, CA, USA},
   Location = {Vancouver, B.C, Canada},
   Year = {2006}
}

EndNote Reference

Get EndNote Reference (.ref)


It has been automatically generated using the bib2html program.