On the fly pattern matching for intrusion detection with Snort
Internal identifier: 006B57 (Main/Exploration)
Authors: Tarek Abbes [France]; Adel Bouhoula [Tunisia]; Michael Rusinowitch [France]
Source:
- Annales des Télécommunications [ISSN 0003-4347]; 2004-09-01.
French descriptors
- Pascal (Inist)
- Wicri:
- topic: Local area network.
- mix:
English descriptors
- KwdEn:
Abstract
Intrusion Detection Systems are becoming necessary tools for system administrators to protect their networks. However, they face more and more difficulties with high-speed networks. To enhance their capacity and deal with evasion techniques, frequently used by hackers, we have introduced a new method to filter the network traffic. The detection method, while being stateful, processes each packet as soon as it is received. We have employed this strategy after a new classification of detection rules. Then, we have used efficient multisearch methods and a suitable data structure for signatures. The method has been successfully implemented as an extension of the Intrusion Detection System “Snort”.
Résumé (French abstract, translated): Intrusion detection systems have become indispensable for administrators to protect their networks. However, these tools have shortcomings in handling high throughput and in carrying out a precise analysis of packet contents. In this article we propose a new approach for filtering network traffic. This method is able to process each packet as soon as it is received while keeping track of connection state. We rely on an intelligent organisation of the detection rules and on algorithms that search for several signatures at once. This methodology has been successfully implemented in the intrusion detection system “Snort”.
Url:
DOI: 10.1007/BF03179710
Affiliations:
Links toward previous steps (curation, corpus...)
- to stream Istex, to step Corpus: 003957
- to stream Istex, to step Curation: 003914
- to stream Istex, to step Checkpoint: 001766
- to stream Main, to step Merge: 006E61
- to stream Hal, to step Corpus: 003767
- to stream Hal, to step Curation: 003767
- to stream Hal, to step Checkpoint: 004D66
- to stream Main, to step Merge: 007315
- to stream PascalFrancis, to step Corpus: 000591
- to stream PascalFrancis, to step Curation: 000447
- to stream PascalFrancis, to step Checkpoint: 000583
- to stream Main, to step Merge: 007018
- to stream Main, to step Curation: 006B57
The document in XML format
<record><TEI wicri:istexFullTextTei="biblStruct"><teiHeader><fileDesc><titleStmt><title xml:lang="en">On the fly pattern matching for intrusion detection with Snort</title>
<author><name sortKey="Abbes, Tarek" sort="Abbes, Tarek" uniqKey="Abbes T" first="Tarek" last="Abbes">Tarek Abbes</name>
</author>
<author><name sortKey="Bouhoula, Adel" sort="Bouhoula, Adel" uniqKey="Bouhoula A" first="Adel" last="Bouhoula">Adel Bouhoula</name>
</author>
<author><name sortKey="Rusinowitch, Michael" sort="Rusinowitch, Michael" uniqKey="Rusinowitch M" first="Michael" last="Rusinowitch">Michael Rusinowitch</name>
</author>
</titleStmt>
<publicationStmt><idno type="wicri:source">ISTEX</idno>
<idno type="RBID">ISTEX:F0487F892E63939A48548BEF1DBA2C7C2017B7C7</idno>
<date when="2004" year="2004">2004</date>
<idno type="doi">10.1007/BF03179710</idno>
<idno type="url">https://api.istex.fr/ark:/67375/VQC-2VXLKCNV-3/fulltext.pdf</idno>
<idno type="wicri:Area/Istex/Corpus">003957</idno>
<idno type="wicri:explorRef" wicri:stream="Istex" wicri:step="Corpus" wicri:corpus="ISTEX">003957</idno>
<idno type="wicri:Area/Istex/Curation">003914</idno>
<idno type="wicri:Area/Istex/Checkpoint">001766</idno>
<idno type="wicri:explorRef" wicri:stream="Istex" wicri:step="Checkpoint">001766</idno>
<idno type="wicri:doubleKey">0003-4347:2004:Abbes T:on:the:fly</idno>
<idno type="wicri:Area/Main/Merge">006E61</idno>
<idno type="wicri:source">HAL</idno>
<idno type="RBID">Hal:inria-00100005</idno>
<idno type="url">https://hal.inria.fr/inria-00100005</idno>
<idno type="wicri:Area/Hal/Corpus">003767</idno>
<idno type="wicri:Area/Hal/Curation">003767</idno>
<idno type="wicri:Area/Hal/Checkpoint">004D66</idno>
<idno type="wicri:explorRef" wicri:stream="Hal" wicri:step="Checkpoint">004D66</idno>
<idno type="wicri:doubleKey">0003-4347:2004:Abbes T:on:the:fly</idno>
<idno type="wicri:Area/Main/Merge">007315</idno>
<idno type="wicri:source">INIST</idno>
<idno type="RBID">Pascal:05-0081977</idno>
<idno type="wicri:Area/PascalFrancis/Corpus">000591</idno>
<idno type="wicri:Area/PascalFrancis/Curation">000447</idno>
<idno type="wicri:Area/PascalFrancis/Checkpoint">000583</idno>
<idno type="wicri:explorRef" wicri:stream="PascalFrancis" wicri:step="Checkpoint">000583</idno>
<idno type="wicri:doubleKey">0003-4347:2004:Abbes T:on:the:fly</idno>
<idno type="wicri:Area/Main/Merge">007018</idno>
<idno type="wicri:Area/Main/Curation">006B57</idno>
<idno type="wicri:Area/Main/Exploration">006B57</idno>
</publicationStmt>
<sourceDesc><biblStruct><analytic><title level="a" type="main" xml:lang="en">On the fly pattern matching for intrusion detection with Snort</title>
<author><name sortKey="Abbes, Tarek" sort="Abbes, Tarek" uniqKey="Abbes T" first="Tarek" last="Abbes">Tarek Abbes</name>
<affiliation wicri:level="3"><country xml:lang="fr">France</country>
<wicri:regionArea>LORIA-INRIA Lorraine, 615, rue du Jardin Botanique, B.P. 101, 54602, Villers-Les-Nancy cedex</wicri:regionArea>
<placeName><region type="region" nuts="2">Grand Est</region>
<region type="old region" nuts="2">Lorraine (région)</region>
<settlement type="city">Villers-Les-Nancy</settlement>
</placeName>
</affiliation>
<affiliation wicri:level="1"><country wicri:rule="url">France</country>
</affiliation>
</author>
<author><name sortKey="Bouhoula, Adel" sort="Bouhoula, Adel" uniqKey="Bouhoula A" first="Adel" last="Bouhoula">Adel Bouhoula</name>
<affiliation wicri:level="1"><country xml:lang="fr">Tunisie</country>
<wicri:regionArea>Ecole Supérieure des Communications de Tunis, 2083, Ariana</wicri:regionArea>
<wicri:noRegion>Ariana</wicri:noRegion>
</affiliation>
<affiliation wicri:level="1"><country wicri:rule="url">Tunisie</country>
</affiliation>
</author>
<author><name sortKey="Rusinowitch, Michael" sort="Rusinowitch, Michael" uniqKey="Rusinowitch M" first="Michael" last="Rusinowitch">Michael Rusinowitch</name>
<affiliation wicri:level="3"><country xml:lang="fr">France</country>
<wicri:regionArea>LORIA-INRIA Lorraine, 615, rue du Jardin Botanique, B.P. 101, 54602, Villers-Les-Nancy cedex</wicri:regionArea>
<placeName><region type="region" nuts="2">Grand Est</region>
<region type="old region" nuts="2">Lorraine (région)</region>
<settlement type="city">Villers-Les-Nancy</settlement>
</placeName>
</affiliation>
<affiliation wicri:level="1"><country wicri:rule="url">France</country>
</affiliation>
</author>
</analytic>
<monogr></monogr>
<series><title level="j">Annales des Télécommunications</title>
<title level="j" type="abbrev">Ann. Télécommun.</title>
<idno type="ISSN">0003-4347</idno>
<idno type="eISSN">1958-9395</idno>
<imprint><publisher>Springer-Verlag</publisher>
<pubPlace>Paris</pubPlace>
<date type="published" when="2004-09-01">2004-09-01</date>
<biblScope unit="volume">59</biblScope>
<biblScope unit="issue">9-10</biblScope>
<biblScope unit="page" from="1045">1045</biblScope>
<biblScope unit="page" to="1071">1071</biblScope>
</imprint>
<idno type="ISSN">0003-4347</idno>
</series>
</biblStruct>
</sourceDesc>
<seriesStmt><idno type="ISSN">0003-4347</idno>
</seriesStmt>
</fileDesc>
<profileDesc><textClass><keywords scheme="KwdEn" xml:lang="en"><term>Computer security</term>
<term>Filtering</term>
<term>Intruder detector</term>
<term>Intrusion detection systems</term>
<term>Local Area Network</term>
<term>Local network</term>
<term>Network management</term>
<term>Optimization</term>
<term>Packet switching</term>
<term>Packet transmission</term>
<term>Pattern matching</term>
<term>Protection</term>
</keywords>
<keywords scheme="Pascal" xml:lang="fr"><term>Commutation paquet</term>
<term>Concordance forme</term>
<term>Filtrage</term>
<term>Gestion réseau</term>
<term>Optimisation</term>
<term>Réseau local</term>
<term>Système détection intrusion</term>
<term>Sécurité informatique</term>
</keywords>
<keywords scheme="Wicri" type="topic" xml:lang="fr"><term>Réseau local</term>
</keywords>
<keywords scheme="mix" xml:lang="fr"><term>détection d'intrusions</term>
<term>intrusion detection</term>
<term>pattern matching</term>
<term>reconnaissance de motifs</term>
<term>évasion</term>
</keywords>
</textClass>
<langUsage><language ident="en">en</language>
</langUsage>
</profileDesc>
</teiHeader>
<front><div type="abstract" xml:lang="en">Abstract: Intrusion Detection Systems are becoming necessary tools for system administrators to protect their network. However they find more and more difficulties with high speed networks. To enhance their capacity and deal with evasion techniques, frequently used by hackers, we have introduced a new method to filter the network traffic. The detection method, while being stateful, processes each packet as soon as it is received. We have employed this strategy after a new classification of detection rules. Then, we have used efficient multisearch methods and suitable datastructure for signatures. The method has been successfully implemented as an extension of the Intrusion Detection System “Snort”.</div>
<div type="abstract" xml:lang="fr">Résumé: Les systèmes de détection d’intrusions sont devenus indispensables pour les administrateurs afin de protéger leurs réseaux. Cependant, ces outils présentent des lacunes pour traiter le haut débit et mener une analyse précise du contenu des paquets. Nous proposons dans cet article une nouvelle approche pour filtrer le trafic réseau. Cette méthode est capable de traiter chaque paquet dès sa réception tout en mémorisant l’état des connexions. Nous nous appuyons sur une organisation intelligente des règles de détection et sur des algorithmes de recherche de plusieurs signatures. Cette méthodologie a été implantée avec succès dans le système de détection d’intrusions «Snort».</div>
</front>
</TEI>
<affiliations><list><country><li>France</li>
<li>Tunisie</li>
</country>
<region><li>Grand Est</li>
<li>Lorraine (région)</li>
</region>
<settlement><li>Villers-Les-Nancy</li>
</settlement>
</list>
<tree><country name="France"><region name="Grand Est"><name sortKey="Abbes, Tarek" sort="Abbes, Tarek" uniqKey="Abbes T" first="Tarek" last="Abbes">Tarek Abbes</name>
</region>
<name sortKey="Abbes, Tarek" sort="Abbes, Tarek" uniqKey="Abbes T" first="Tarek" last="Abbes">Tarek Abbes</name>
<name sortKey="Rusinowitch, Michael" sort="Rusinowitch, Michael" uniqKey="Rusinowitch M" first="Michael" last="Rusinowitch">Michael Rusinowitch</name>
<name sortKey="Rusinowitch, Michael" sort="Rusinowitch, Michael" uniqKey="Rusinowitch M" first="Michael" last="Rusinowitch">Michael Rusinowitch</name>
</country>
<country name="Tunisie"><noRegion><name sortKey="Bouhoula, Adel" sort="Bouhoula, Adel" uniqKey="Bouhoula A" first="Adel" last="Bouhoula">Adel Bouhoula</name>
</noRegion>
<name sortKey="Bouhoula, Adel" sort="Bouhoula, Adel" uniqKey="Bouhoula A" first="Adel" last="Bouhoula">Adel Bouhoula</name>
</country>
</tree>
</affiliations>
</record>
To manipulate this document under Unix (Dilib)
EXPLOR_STEP=$WICRI_ROOT/Wicri/Lorraine/explor/InforLorV4/Data/Main/Exploration
HfdSelect -h $EXPLOR_STEP/biblio.hfd -nk 006B57 | SxmlIndent | more
Or
HfdSelect -h $EXPLOR_AREA/Data/Main/Exploration/biblio.hfd -nk 006B57 | SxmlIndent | more
To link to this page from within the Wicri network
{{Explor lien |wiki= Wicri/Lorraine |area= InforLorV4 |flux= Main |étape= Exploration |type= RBID |clé= ISTEX:F0487F892E63939A48548BEF1DBA2C7C2017B7C7 |texte= On the fly pattern matching for intrusion detection with Snort }}
This area was generated with Dilib version V0.6.33.