Abstract |
---|
A frequent claim that has not been validated is that signature based network intrusion detection systems (SNIDS) cannot detect zero-day attacks. This paper studies this property by testing 356 severe attacks on the SNIDS Snort, configured with an old official rule set. Of these attacks, 183 attacks are zero-days to the rule set and 173 attacks are theoretically known to it. The results from the study show that Snort clearly is able to detect zero-days (a mean of 17% detection). The detection rate is, however, overall greater for theoretically known attacks (a mean of 54% detection). The paper then investigates how the zero-days are detected, how prone the corresponding signatures are to false alarms, and how easily they can be evaded. Analyses of these aspects suggest that a conservative estimate on zero-day detection by Snort is 8.2%. |
Year | DOI | Venue |
---|---|---|
2014 | 10.1109/HICSS.2014.600 | HICSS |

Keywords | Field | DocType |
---|---|---|
intrusion detection, signature based network intrusion detection, rule set, network intrusion detection system, zero-day attacks, computer network security, paper study, closed chapter, snids snort, exploits, false alarm, snids, nids, old official rule set, digital signatures, detection rate, zero day detection, code injection, corresponding signature, conservative estimate, zero day attacks, zero-day attack, computer security, zero-day detection, computer science | Network intrusion detection, Robust random early detection, Computer science, Computer security, Knowledge management, Digital signature, Anomaly-based intrusion detection system, Artificial intelligence, Intrusion detection system, Pattern recognition, Code injection, Network security, Zero-day attack | Conference |

ISSN | Citations | PageRank |
---|---|---|
1060-3425 | 9 | 0.54 |

References | Authors |
---|---|
10 | 1 |
Name | Order | Citations | PageRank |
---|---|---|---|
Hannes Holm | 1 | 191 | 14.59 |