Signature Based Intrusion Detection for Zero-Day Attacks: (Not) A Closed Chapter?
| Field | Value |
|---|---|
| Title | Signature Based Intrusion Detection for Zero-Day Attacks: (Not) A Closed Chapter? |
| Publication Type | Conference Paper |
| Year of Publication | 2014 |
| Authors | Holm, H. |
| Conference Name | System Sciences (HICSS), 2014 47th Hawaii International Conference on |
| Date Published | Jan |
| Keywords | Code injection, Computer architecture, computer network security, computer security, digital signatures, exploits, false alarm, NIDS, Payloads, Ports (Computers), reliability, Servers, signature based network intrusion detection, SNIDS, Software, Testing, Zero day attacks, zero day detection |
| Abstract | A frequent claim that has not been validated is that signature based network intrusion detection systems (SNIDS) cannot detect zero-day attacks. This paper studies this property by testing 356 severe attacks on the SNIDS Snort, configured with an old official rule set. Of these attacks, 183 attacks are zero-days to the rule set and 173 attacks are theoretically known to it. The results from the study show that Snort clearly is able to detect zero-days (a mean of 17% detection). The detection rate is, however, overall greater for theoretically known attacks (a mean of 54% detection). The paper then investigates how the zero-days are detected, how prone the corresponding signatures are to false alarms, and how easily they can be evaded. Analyses of these aspects suggest that a conservative estimate on zero-day detection by Snort is 8.2%. |
| URL | https://ieeexplore.ieee.org/document/6759203 |
| DOI | 10.1109/HICSS.2014.600 |
| Citation Key | 6759203 |