Extracting attack sessions from real traffic with intrusion prevention systems

I. Wei Chen*, Po Ching Lin, Chi Chung Luo, Tsung Huan Cheng, Ying-Dar Lin, Yuan Cheng Lai, Frank C. Lin

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

8 Scopus citations

Abstract

False positives (FPs) and false negatives (FNs) happen to every Intrusion Prevention System (IPS); no single IPS judges better than all the others all the time. This work proposes an Attack Session Extraction (ASE) system that builds a pool of suspicious traffic traces, namely those that cause potential FNs (P-FNs) and potential FPs (P-FPs) in IPSes. IPS developers can use these traces to improve the accuracy of their products. The traces are called suspicious because what they cause are only P-FNs and P-FPs: the IPS developers must still confirm whether each P-FN is really an FN and each P-FP really an FP. First, the ASE captures real traffic and replays the captured traces to multiple IPSes. By comparing the IPS logs, we find attack events that are logged by only one IPS, or not logged by only one IPS; the former are P-FPs and the latter P-FNs for that IPS. The ASE then extracts this suspicious traffic from the replayed traces, and the extracted traces can be analyzed further by the IPS developers; some of them may prove guilty, i.e. be confirmed as FNs or FPs. To extract a suspicious session completely, the ASE uses an association mechanism based on anchor packets, on the five-tuple and time, and on similarity, to identify the first packet, the first connection, and the whole session, respectively. It computes the degree of similarity among packets so that a suspicious session containing multiple connections can be extracted. We define variation and completeness/purity as the performance indexes for evaluating the ASE. The experiments show that 95% of the extracted sessions have low variation, and that the average completeness/purity is around 80%.
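The following is an added worked example, not code from the paper: it implements the two steps the abstract describes on a constructed trace. Step one compares per-IPS alert logs from the same replayed trace and labels a connection alerted on by exactly one IPS as a P-FP for that IPS, and one missed by exactly one IPS as a P-FN for the silent IPS. Step two walks out from an anchor packet to its connection (same five-tuple, within a time window) and then to the other connections of the session (same host pair, within the window, similar payload). The IPS names, the five-second window, the 0.5 threshold, and byte-bigram Jaccard as the similarity measure are all my assumptions; the paper's own similarity function and thresholds are not given on this page.

```python
"""Added example (not the paper's code): P-FP/P-FN detection by log comparison,
then session extraction by anchor packet, five-tuple + time, and similarity."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

FiveTuple = Tuple[str, int, str, int, str]  # (src_ip, src_port, dst_ip, dst_port, proto)


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes

    @property
    def five_tuple(self) -> FiveTuple:
        return (self.src, self.sport, self.dst, self.dport, self.proto)


def classify_alerts(logs: Dict[str, Set[FiveTuple]]):
    """logs maps IPS name -> connections that IPS alerted on.  Returns (p_fp, p_fn).
    Alerted on by exactly one IPS -> P-FP for that IPS; missed by exactly one
    IPS -> P-FN for the silent IPS.  Caveat: with only two IPSes every
    disagreement is both a P-FP for one and a P-FN for the other, so three or
    more IPSes are needed to tell the two classes apart."""
    names = list(logs)
    p_fp: Dict[str, Set[FiveTuple]] = {n: set() for n in names}
    p_fn: Dict[str, Set[FiveTuple]] = {n: set() for n in names}
    for conn in set().union(*logs.values()):
        hit = [n for n in names if conn in logs[n]]
        if len(hit) == 1:
            p_fp[hit[0]].add(conn)
        if len(hit) == len(names) - 1:
            p_fn[next(n for n in names if n not in hit)].add(conn)
    return p_fp, p_fn


def jaccard(a: bytes, b: bytes) -> float:
    """Byte-bigram Jaccard similarity in [0, 1] (assumed measure, not the paper's)."""
    ga = {a[i:i + 2] for i in range(len(a) - 1)}
    gb = {b[i:i + 2] for i in range(len(b) - 1)}
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)


def extract_session(trace: List[Packet], anchor: Packet, window: float, threshold: float) -> List[Packet]:
    """Anchor packet -> first connection (same five-tuple within `window` s)
    -> whole session (other connections between the same two hosts within the
    window whose payload is similar enough to the first connection's)."""
    by_conn: Dict[FiveTuple, List[Packet]] = defaultdict(list)
    for p in trace:
        if abs(p.ts - anchor.ts) <= window:
            by_conn[p.five_tuple].append(p)
    first = by_conn.get(anchor.five_tuple, [])
    first_payload = b"".join(p.payload for p in first)
    session = list(first)
    hosts = {anchor.src, anchor.dst}
    for conn, pkts in by_conn.items():
        if conn == anchor.five_tuple or {conn[0], conn[2]} != hosts:
            continue
        if jaccard(first_payload, b"".join(p.payload for p in pkts)) >= threshold:
            session.extend(pkts)
    return sorted(session, key=lambda p: p.ts)


def run_example():
    """Constructed trace: one attacker host makes four connections to a web
    server (one far outside the window, one TLS); another client makes one
    benign request.  Alert logs of three hypothetical IPSes are constructed too."""
    srv, atk, other = "192.168.1.10", "10.0.0.5", "10.0.0.7"
    trace = [
        Packet(100.0, atk, 40001, srv, 80, "tcp", b"GET /cgi-bin/../../../../etc/passwd HTTP/1.0\r\n"),
        Packet(100.3, other, 50001, srv, 80, "tcp", b"GET /index.html HTTP/1.1\r\n"),
        Packet(100.5, atk, 40002, srv, 80, "tcp", b"GET /cgi-bin/../../../../etc/shadow HTTP/1.0\r\n"),
        Packet(101.0, atk, 40003, srv, 443, "tcp", bytes.fromhex("160301002a0100002603030000")),
        Packet(200.0, atk, 40004, srv, 80, "tcp", b"GET /cgi-bin/../../../../etc/group HTTP/1.0\r\n"),
    ]
    c = [p.five_tuple for p in trace]
    logs = {
        "ips_a": {c[0], c[2], c[4]},
        "ips_b": {c[0], c[1], c[2], c[4]},  # also flags the benign request -> P-FP
        "ips_c": {c[0], c[4]},              # misses the /etc/shadow request -> P-FN
    }
    p_fp, p_fn = classify_alerts(logs)
    # Anchor on the connection ips_c missed and pull out the whole session around it.
    session = extract_session(trace, trace[2], window=5.0, threshold=0.5)
    return p_fp, p_fn, session


if __name__ == "__main__":
    fp, fn, sess = run_example()
    print("P-FP:", {k: sorted(v) for k, v in fp.items() if v})
    print("P-FN:", {k: sorted(v) for k, v in fn.items() if v})
    print("session ports:", [p.sport for p in sess])
```

In the constructed run the benign request shows up as a P-FP for ips_b, the /etc/shadow request as a P-FN for ips_c, and the extracted session contains the two similar CGI requests from the attacker while dropping the other client's request (different host pair), the TLS connection (dissimilar payload) and the later request at t=200 (outside the window). Whether those two labels are real FPs/FNs is still for the IPS developers to confirm, exactly as the abstract says.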

Original language: English
Title of host publication: Proceedings - 2009 IEEE International Conference on Communications, ICC 2009
DOI: https://doi.org/10.1109/ICC.2009.5199022
State: Published - 19 Nov 2009
Event: 2009 IEEE International Conference on Communications, ICC 2009 - Dresden, Germany
Duration: 14 Jun 2009 - 18 Jun 2009

Publication series

Name: IEEE International Conference on Communications
ISSN (Print): 0536-1486

Conference

Conference: 2009 IEEE International Conference on Communications, ICC 2009
Country: Germany
City: Dresden
Period: 14/06/09 - 18/06/09

Keywords

  • False negative
  • False positive
  • Intrusion detection
  • Intrusion prevention
  • Packet trace
  • Session extraction
  • Similarity


Cite this

    Chen, I. W., Lin, P. C., Luo, C. C., Cheng, T. H., Lin, Y-D., Lai, Y. C., & Lin, F. C. (2009). Extracting attack sessions from real traffic with intrusion prevention systems. In Proceedings - 2009 IEEE International Conference on Communications, ICC 2009 [5199022] (IEEE International Conference on Communications). https://doi.org/10.1109/ICC.2009.5199022