e-ISSN : 0975-3397
Print ISSN : 2229-5631

ABSTRACT

Title : Byte Level NIDS Improvement
Authors : Dr. Sameer Shrivastava
Keywords : intrusion detection, intrusion reply, Byte level signatures.
Issue Date : March 2012.
Abstract :
Byte sequences are used in multiple network intrusion detection systems (NIDS) as signatures to detect malicious activity. Although such signatures are highly capable, they produce a high false-positive rate. Here we propose the concept of contextual signatures as an enhancement to string-based signature matching. Instead of matching isolated fixed strings, we enhance the matching process with added context. In designing a capable signature engine for the NIDS, we provide a low-level perspective by using regular expressions for matching, and a high-level perspective by taking advantage of the semantic information made available by protocol analysis and scripting language. We thereby greatly increase the signatures' expressiveness and hence the ability to reduce false positives. Multiple examples are presented, such as matching requests with replies, using environmental knowledge, defining dependencies between signatures to model step-wise attacks, and recognizing exploit scans.
Page(s) : 348-355
ISSN : 0975–3397
Source : Vol. 4, Issue.03

All Rights Reserved © 2009-2024 Engg Journals Publications