Content-based pattern detection for network intrusion detection systems and firewalls has enjoyed tremendous success over the last dozen years. As implemented, however, the approach has at least two drawbacks. First, because of a lack of good quality assurance support, many deployed signatures have high false alarm rates. Second, because current signature generation approaches take at best minutes, and more likely hours or days, signature-based systems cannot effectively defend against fast-moving, newly discovered attacks such as worms. To address both problems, we propose to adapt a technology used in the Human Genome Project, suffix trees, to automatically generate high-quality signatures for newly discovered attacks within seconds.
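The two steps the abstract describes, extracting the byte strings common to every captured instance of an attack with a generalized suffix tree and then screening the candidates against benign traffic so the chosen signature has a low false-positive rate, as an added illustration that is not code from the proposal; the payloads, the shellcode bytes and the threshold are constructed for the example.

```python
"""Suffix-tree signature generation with a benign-traffic quality check (added example)."""

class Node:
    __slots__ = ("children", "owners")
    def __init__(self):
        self.children = {}   # next byte -> Node
        self.owners = set()  # ids of the samples that have a suffix through this node

def build_suffix_tree(samples):
    # Naive O(n^2) generalized suffix trie: insert every suffix of every sample.
    # Fine for a handful of payloads; a real generator would use a linear-time
    # construction such as Ukkonen's algorithm.
    root = Node()
    for sid, data in enumerate(samples):
        for start in range(len(data)):
            node = root
            for b in data[start:]:
                node = node.children.setdefault(b, Node())
                node.owners.add(sid)
    return root

def shared_substrings(samples):
    # Right-maximal byte strings present in every sample, longest first.
    root, want, found, stack = build_suffix_tree(samples), len(samples), [], []
    stack.append((root, b""))
    while stack:
        node, path = stack.pop()
        shared = [(c, path + bytes([b])) for b, c in node.children.items() if len(c.owners) == want]
        if path and not shared:          # no common extension: record this invariant
            found.append(path)
        stack.extend(shared)
    return sorted(found, key=len, reverse=True)

def false_positive_rate(signature, benign):
    return sum(signature in p for p in benign) / len(benign)

def generate_signature(attack, benign, max_fpr=0.01, min_len=4):
    # Quality-assurance step: the longest invariant that benign traffic does not trip.
    for cand in shared_substrings(attack):
        if len(cand) >= min_len and false_positive_rate(cand, benign) <= max_fpr:
            return cand
    return None

SHELLCODE = b"\x90\x90\xeb\x1f\x31\xc0"                          # constructed invariant
UA = b"\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"  # constructed; also in benign traffic
ATTACK = [b"GET /a.cgi?" + SHELLCODE + b" HTTP/1.0" + UA, b"GET /b?" + SHELLCODE + b" HTTP/1.0" + UA,
          b"POST /x" + SHELLCODE + b" HTTP/1.1" + UA]
BENIGN = [b"GET /index.html HTTP/1.0" + UA, b"GET /favicon.ico HTTP/1.1" + UA,
          b"POST /login HTTP/1.1\r\nUser-Agent: curl/7.0\r\n"]

if __name__ == "__main__":
    longest = shared_substrings(ATTACK)[0]   # the User-Agent header: longest, but benign trips it
    print(len(longest), false_positive_rate(longest, BENIGN), longest[:24])
    print("signature:", generate_signature(ATTACK, BENIGN))
```

The longest invariant alone would be a poor signature (it is an ordinary header shared with benign requests); the benign screen rejects it and selects the shellcode-plus-request-tail invariant instead.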
Benefits: The proposed work will produce a set of technologies that automatically generate content-based intrusion detection signatures with very low false positive rates. These signatures will be generated fast enough (on the order of seconds) to play an effective role in defending against fast-moving attacks such as worms. Lower false alarm rates make sensor analysts more productive, and managed security services can respond effectively to fast-moving attacks on their customers' behalf.
Keywords: Intrusion Detection, Network-Centric Warfare, ASIM, Worms, Signature, Firewall, Suffix Tree