Title: Syntax vs. semantics: competing approaches to dynamic network intrusion detection

Authors: Walter Scheirer, Mooi Choo Chuah

Addresses: Department of Computer Science, University of Colorado, Colorado Springs, CO 80918, USA; Department of Computer Science and Engineering, Lehigh University, 19 Memorial Drive West, Bethlehem, PA 18015, USA

Abstract: Malicious network traffic, including widespread worm activity, is a growing threat to internet-connected networks and hosts. In this paper, we consider both syntax-based and semantics-based approaches to dynamic network intrusion detection. The semantics-based approach copes with sophisticated polymorphic and metamorphic worms better than the syntax-based approach. Our contribution in this work is threefold: our syntax-based scheme, which uses variable-length partitioning with multiple breakmarks, can detect many polymorphic worms; we believe our semantics-based prototype is the first NIDS that provides semantics-aware capability, and our system is more efficient than what is reported by Christodorescu et al. (2005); and our designed templates capture polymorphic shellcodes with added sequences of stack and mathematical operations.

Keywords: network security; computer security; intrusion detection; semantics; worm attacks; polymorphic worms; metamorphic worms; internet; syntax; malicious network traffic.

DOI: 10.1504/IJSN.2008.016199

International Journal of Security and Networks, 2008, Vol. 3, No. 1, pp. 24-35

Published online: 09 Dec 2007