Automatic Generation of Robust Network Intrusion Detection Signatures

Award Information
Agency: Department of Defense
Branch: Army
Contract: W911NF-06-C-0168
Agency Tracking Number: O064-NC2-2032
Amount: $99,948.00
Phase: Phase I
Program: STTR
Solicitation Topic Code: OSD06-NC2
Solicitation Number: N/A
Timeline
Solicitation Year: 2006
Award Year: 2006
Award Start Date (Proposal Award Date): 2006-09-15
Award End Date (Contract End Date): 2007-09-15
Small Business Information
3001 Red Hill Avenue, Building #4-108
Costa Mesa, CA 92626
United States
DUNS: 038058038
HUBZone Owned: No
Woman Owned: No
Socially and Economically Disadvantaged: No
Principal Investigator
 John Leon
 Systems Engineer
 (714) 435-8920
 jleon@irvine-sensors.com
Business Contact
 Daryl Smetana
Title: VP, Operations
Phone: (714) 444-8760
Email: dsmetana@irvine-sensors.com
Research Institution
 NORTH CAROLINA STATE UNIV.
 Paul Franzon
 
EGRC 419, 2410 Campus Shore Dr
Raleigh, NC 27606
United States

 (919) 515-7351
 Nonprofit College or University
Abstract

Irvine Sensors Corporation (ISC), together with North Carolina State University, proposes to develop a novel behavioral technique that is capable of detecting network-based intrusions and can then be used to identify signatures for an Intrusion Prevent Engine (IPE). The proposed behavioral technique detects attacks embedded in different network layers using assertions that can be dynamically updated in real time. The technique involves performing deep packet inspection and making access control decisions based on behavioral compliance. Network traffic behavior is modeled by using theories. Our Behavioral IDS uses models of correct and incorrect behaviors, rather than searching for signatures. Furthermore, most current approaches do not provide application layer defense. In our approach, network transactions can be verified as being incorrect or correct by comparing them against a written set of high-level assertions (“theories”) as to proper behavior. This approach has the potential to detect and prevent network-based attacks in real time and also permits theories to be updated in real time.

* Information listed above is at the time of submission. *
