Visible to the public Biblio

Filters: Keyword is zero day detection  [Clear All Filters]
2015-05-06
Holm, H..  2014.  Signature Based Intrusion Detection for Zero-Day Attacks: (Not) A Closed Chapter? System Sciences (HICSS), 2014 47th Hawaii International Conference on. :4895-4904.

A frequent claim that has not been validated is that signature based network intrusion detection systems (SNIDS) cannot detect zero-day attacks. This paper studies this property by testing 356 severe attacks on the SNIDS Snort, configured with an old official rule set. Of these attacks, 183 attacks are zero-days' to the rule set and 173 attacks are theoretically known to it. The results from the study show that Snort clearly is able to detect zero-days' (a mean of 17% detection). The detection rate is however on overall greater for theoretically known attacks (a mean of 54% detection). The paper then investigates how the zero-days' are detected, how prone the corresponding signatures are to false alarms, and how easily they can be evaded. Analyses of these aspects suggest that a conservative estimate on zero-day detection by Snort is 8.2%.