Improving the Efficiency of Misuse Detection

  • Michael Meier
  • Sebastian Schmerl
  • Hartmut Koenig
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3548)


In addition to preventive mechanisms intrusion detection systems (IDS) are an important instrument to protect computer systems. Most IDSs used today realize the misuse detection approach. These systems analyze monitored events for occurrences of defined patterns (signatures), which indicate security violations. Up to now only little attention has been paid to the analysis efficiency of these systems. In particular for systems that are able to detect complex, multi-step attacks not much work towards performance optimizations has been done. This paper discusses analysis techniques of IDSs used today and introduces a couple of optimizing strategies, which exploit structural properties of signatures to increase the analyze efficiency. A prototypical implementation has been used to evaluate these strategies experimentally and to compare them with currently deployed misuse detection techniques. Measurements showed that significant performance improvements can be gained by using the proposed optimizing strategies. The effects of each optimization strategy on the analysis efficiency are discussed in detail.


Expert System Intrusion Detection Intrusion Detection System Audit Trail Audit Data 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Roesch, M.: Snort – Lightweight Intrusion Detection for Networks. In: Proc. of the 13th System Administration Conference (LISA 1999), Seattle, WA, USA, pp. 229–238. USENIX Assoc. (1999)Google Scholar
  2. 2.
    Cisco Systems Inc.: NetFlow Services and Applications. White Paper, July 15 (2002),
  3. 3.
    McHugh, J.: Set, Bags and Rock and Roll – Analyzing Large Datasets of Network Data. In: Samarati, P., Ryan, P.Y.A., Gollmann, D., Molva, R. (eds.) ESORICS 2004. LNCS, vol. 3193, pp. 407–422. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  4. 4.
    Sommer, R., Feldmann, A.: NetFlow: Information Loss or Win? In: Proc. of the 2nd ACM SIG-COMM and USENIX Internet Measurement Workshop (IMW 2002), Marseille, France (2002)Google Scholar
  5. 5.
    Kruegel, C., Toth, T.: Using Decision Trees to Improve Signature-based Intrusion Detection. In: Vigna, G., Krügel, C., Jonsson, E. (eds.) RAID 2003. LNCS, vol. 2820, pp. 173–191. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  6. 6.
    Anagnostakis, K.G., Markatos, E.P., Antonatos, S., Polychronakis, M.: E2xB: A domain specific string matching algorithm for intrusion detection. In: Proc. of the 18th IFIP International Information Security Conference (SEC 2003), pp. 217–228. Kluwer Academic Publishing, Dordrecht (2003)Google Scholar
  7. 7.
    Meier, M.: A Model for the Semantics of Attack Signatures in Misuse Detection Systems. In: Zhang, K., Zheng, Y. (eds.) ISC 2004. LNCS, vol. 3225, pp. 158–169. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  8. 8.
    Flegel, U., Meier, M.: Towards a Scalable Approach to Tailoring the Disclosure of Pseu-donymous Audit Data to Misuse Detection Signatures. Internal discussion paper (2002)Google Scholar
  9. 9.
    Schmerl, S.: Entwurf und Entwicklung einer effizienten Analyseeinheit für Intrusion-Detection-Systeme (in German). Diploma Thesis, Chair Computer Networks and Communication Systems, Brandenburg University of Technology, Cottbus, Germany (2004)Google Scholar
  10. 10.
    Vigna, G., Eckmann, S.T., Kemmerer, R.A.: The STAT Tool Suite. In: Proc. of DARPA Information Survivability Conference and Exposition (DISCEX) 2000, vol. 2, pp. 46–55. IEEE Press, Hilton Head (2000)CrossRefGoogle Scholar
  11. 11.
    Kumar, S.: Classification and Detection of Computer Intrusions. PhD Thesis, Dept. of Computer Science, Purdue University, West Lafayette, IN (August 1995)Google Scholar
  12. 12.
    Eckmann, S.T., Vigna, G., Kemmerer, R.A.: STATL: An Attack Language for State-based Intrusion Detection. Journal of Computer Securit 10(1/2), 71–104 (2002)Google Scholar
  13. 13.
    Puppe, F.: Einführung in Expertensysteme (in German). Springer, Berlin (1991) ISBN 3-540-54023-7Google Scholar
  14. 14.
    Neumann, P.G., Porras, A.P.: Experience with EMERALD to Date. In: Proc. of the First USENIX Workshop on Intrusion Detection and Network Monitoring, Santa Clara, California, USA, pp. 73–80 (1999)Google Scholar
  15. 15.
    Proctor, P.E.: Audit reduction and misuse detection in heterogeneous environments: Framework and application. In: Proc. of the 10th Annual Computer Security Applications Conference, Orlando, FL, pp. 117–125 (1994)Google Scholar
  16. 16.
    Sobirey, M., Richter, B., König, H.: The Intrusion Detection System AID. Architecture, and experiences in automated audit analysis. In: Proc. of the IFIP TC6/TC11 Conference on Commnications and Multimedia Security, Essen, Germany, pp. 278–290. Chapman & Hall, London (1996)Google Scholar
  17. 17.
    Lindqvist, U., Porras, P.A.: Detecting Computer and Network Misuse Through the Production-Based Expert System Toolset (P-BEST). In: Proc. of the IEEE Symposium on Security and Privacy, Los Alamitos, CA, pp. 146–161. IEEE Press, Los Alamitos (1999)Google Scholar
  18. 18.
    Riley, G.: CLIPS – A Tool for Building Expert Systems (May 2004),
  19. 19.
    Talarian Corporation: RTie Inference Engine. In: Talarian Corporation (eds.): RTworks 3.5. Mountain View, Ca, USA (1995)Google Scholar
  20. 20.
    Krauz, R.: Implementierung eines auf dem Expertensystem-Tool CLIPS basierenden Intrusion Detection Systems (in German). Student Research Thesis, Chair Computer Networks and Communication Systems, Brandenburg University of Technology, Cottbus, Germany (2004)Google Scholar
  21. 21.
    Forgy, C.L.: Rete: A Fast Algorithm for the Many Pattern/Many Object Pattern Match Problem. Artificial Intelligence 19(10), 17–37 (1982)CrossRefGoogle Scholar
  22. 22.
    Aho, A.V., Sethi, R., Ullman, J.D.: Compilers - Principles, Techniques and Tools. Addison-Wesley, Reading (1988)Google Scholar
  23. 23.
    Using RDTSC for benchmarking code on Pentium computers,

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Michael Meier
    • 1
  • Sebastian Schmerl
    • 1
  • Hartmut Koenig
    • 1
  1. 1.Computer Science DepartmentBrandenburg University of Technology CottbusCottbusGermany

Personalised recommendations