SSL Automated Signatures

Transcription

1 SSL Automated Signatures WilliamWilsonandJugalKalita DepartmentofComputerScience UniversityofColorado ColoradoSprings,CO80920USA and Abstract In the last few years there has been considerable research on automated intrusion signature generation. Automated signature generation helps mitigate the limitation signature based intrusion detection systems have with classifying novel exploits. The problem has been approached with a few different solutions. Systems that generate automaton based on system calls typically provide the least false negatives and least false positives, however they are significantly more resource intensive than basic signatures. In many cases they also require changes to each application they protect. Even though signatures that are generated using features extracted fromnetworkpayloadandprotocolcontextarenotasrobustasautomatonmodelingillegaloperations,theyare muchfastertobothgenerateandevaluate.thesslautomatedsignatures(sas)reportedheresystemfallsinthe categoryofruleinductionsystems.itcombinesmanyoftheadvantagesofbothhostbasedandnetworkbased intrusiondetection.itovercomesthelimitationsthatnetworkintrusiondetectionhaswithencryptedtrafficand novelexploits.thecomputationalexpenseandhighfalsepositiverateofclassichostbasedanomalydetectionis mitigatedthroughthecombinationofruleinductionandsensorcollaboration. 1 Introduction 1.1 Intrusion Detection Withtherapidgrowthofsociety sdependenceoninformationsystems,theriskfrommaliciousactivity has also grown rapidly. Intrusion detection systems provide some control against malicious activity. Intrusion detection systems look for patterns that are either known to be malicious or are not encountered during normal operations, then either prevent the activity or alert an administrator. Intrusiondetectionsystemsaregenerallyclassifiedintwosetsofcategories:networkorhostbased,and signatureoranomalybased.combinationswithinthesetsareusuallyreferredtoashybridsystems. Figure 1: Intrusion Detection System Types A signature based system utilizes expert knowledge to detect exploits. Signature based detection

2 systems are fast compared to anomaly based systems and are very accurate in detecting known exploits. The main drawback of signature based systems is their inability to detect most novel and obscuredexploits. Anomybasedsystemsanalyzeeithernetworktrafficorstatesofindividualhosts.Manyanomaly based systems that use network traffic rely on protocol information of network traffic as opposed to packet content.thesesystemsbuildprofilesofprotocolbehaviorforthedifferenthostsandgeneratealerts when traffic deviates from the profile. The advantage of anomaly based systems is they can detect novelexploitsthatcannotbeclassifiedusingsignatures. Networkbasedsensorsareusuallydedicatedhoststhatreadalldatafromanetworksegmentforusein detectingattacks.theprimaryadvantageofnetwork basedsensorsisintheirviewofanentirenetwork segment. A network sensor can detect if the same source was attempting to access multiple destinationsnearthesametime,whilesensorswithouttheabilitytoseetheentirenetworkcouldnot detectthosetypesofpatterns.networksensorsarealsonecessarytodetectattacksagainstnodesthat donothosttheirownintrusiondetectionagents,suchasmanyrouters,switches,andhoststhateither don thaveorcan tsparethenecessaryresources. Ahostbasedintrusiondetectionsystemisprettymuchexactlyasitsounds.Itinvolvesagentsthatrun on end systems. Host based intrusion detection systems can monitor operating system state, applicationstate,orevaluateprocessesandtrafficbasedonsignatures.itiscommonforhoststohave severalautonomousintrusiondetectionprogramsthatdonotinteractatall,whichleadstoscalability problems.whenaseparateagentisneededforeachprogram,theoverheadissignificant.however,a singleagentthatunderstandsthevalidoperationsofeveryprogramisimpractical.asmentionedinthe previoussection,themainadvantageofhostbasedsystemsisthatitcanmonitorstate,soitcandetect ifarequestwassuccessfulandifseeminglynormaltrafficleadstoaninvalidstate. Systemsthatcontainmorethanonecooperativehostornetworkbasedsensorareusuallyreferredtoas distributedintrusiondetectionsystems. 1.2 Automated Signature Generation Automated signature generate (ASG) refers to the process of dynamically creating rules for detecting networkintrusions.thestrictdefinitionofautomatedsystemgenerationshouldonlyincludesignature based intrusion detection systems; however modeling for anomaly based detection is frequently associated with ASG. In the last few years there has been considerable research on this topic. Automated signature generation helps mitigate the limitation signature based intrusion detection systems have with classifying novel exploits. Up until the advent of automated signature generation systemsthebestsolutiontoalertagainstnovelattackswastoemployanomalydetectionagentsonthe networkandoncriticalhosts.signaturesareonlyabletodetectexploitsagainstknownvulnerabilities. Anomaly detection systems are used to look at changes in usage network or application patterns or invalidstatesonahost.thisadditionalinformationgivesthemtheabilitytodetectexploitsonzeroday vulnerabilitiesthatwouldeasilypassthroughasignature basedsystem. Automatedsignaturegenerationhelpsfillthegaptoallowsignaturebasedsystemstodetectattackson novel exploits, which gives security experts time to analyze the vulnerability and create permanent signatures. ASG systems use data from anomaly detection systems and honeypots as input to their learningalgorithms.theoutputsaredeployablesignatures. Thequestioncanstillbeaskedastowhyuseautomaticallygeneratedsignaturesatallwhenanomaly detection can detect these zero day vulnerabilities. The answer is in the mean resource utilization requiredtodetectanattackwithhighconfidence.insomecases,theattackmightnotbedetecteduntil

3 after it was successful. In these cases, the automatically generated signature will protect other hosts even though it has already caused damage to at least one host. In other cases, the signature can be usedonhostsornetworksensorsthatdonothavetheresourcesforanomalydetection.evenonhosts thatusedanomalydetectiontosuccessfullythwarttheattack,theuseofasignaturewillprotectagainst futureattackswithoutrequiringtheperformancetaxassociatedwithanomalydetection. Oneofthemostaccuratemethodsformodelgenerationisananalysisofsystemcalls.Therehavebeen severalintrusiondetectionsystemsbasedonthisconcept.(wagner,etal.,2001)describeasystemin whichstaticanalysisisusedtocreatepushdownautomatathatmodelsalloftheallowedsystemcalls foranapplication.theresultsintermsofdetectionrateandfalsepositiveratewereverypromising,but the resources required for both generation and evaluation of the automata limited the scalability to applicationsupto32,000lines.(gopalakrishna,etal.,2005)describeasimilarsystemas(wagner,etal., 2001)thatusesinlineautomatonmodels.Theirsystemgreatlyreducescomplexitywithoutasignificant raiseinthefalsenegativerate. Evenwiththereducedcomplexityofinlineautomatonmodels,anomalydetectionsystemssuchasthis areconsiderablymorecomputationallyintensivethansignaturesbasedonnetworktraffic.mostofthe original work in generation of network based intrusion detection systems used longest common substringsfoundinknownnetworkflowsknowntobeanomalous(kreibich,etal.,2003).inthelastfew years,theasgsystemsandtheirresultingsignatureshavebeengrowingmorecomplex.thenemean systemcreatessemanticawaresignatures(yegneswaran,etal.,2005).nemeanbuildsuponthetheory from Autograph, Earlybird, and Honeycomb and adds a component of normalization and application awareness.thesslautomatedsignaturessystemdescribedinthispaperbuildsontheconceptsused in Nemean with improvements in methods use to separate anomalous data from normal data, use of protocolcontextinformation,andinthenumberofsupportedprotocols. 1.3 Feature Selection Featureselectionandweightingarekeyfactorsinautomatedsignaturegeneration.Thebasisofmany networkanomalybasedintrusiondetectionsystemsisanalysisofprotocolcontext.networkanomaly detection relies on creating a baseline for normal protocol behavior and determining when there is a deviation.inthe1999kddcupcompetition,mostofdatawasnetworkprotocolandoperatingsystem contextdataextractedfromthe1998darpaintrusiondetectiondataset.the1998darpaintrusion detectiondatasetcontainedprimarilydenialofserviceexploitsthatcouldbedetectedusingprotocol contextandafewcommonpayloadstrings.forcasessuchasthedenialofserviceattackspresentin the1998darpadataset,featureselectionisrelativelysimpleandcouldbecapturedinthe47features usedinthe1999kddcup. Theusertorootandremotetolocalexploitclassesprovedmoreofaproblemforfeatureselection.For the 1999 KDD Cup, features specific to the protected application needed to be selected using expert knowledge. The developers of the KDD 1999 data set extracted content strings statically from the payloadbasedonananalysisoftheexploitscontainedinthetestset.whenleavingtheconfinesofa small test set a more dynamic approach is needed for feature selection. Modeling the intended behavior of an application is one approach, but it has scalability limits (Yegneswaran, et al., 2005). Anotherapproachistomodelbehaviorthatiscommoninexploitsagainstanapplication.Forexample, (Kloft,Brefeld,Dussel,Gehl,&Laskov,2008)usetraitsthatarecommonlyfoundinmaliciouswebtraffic, such as excessively long URLs and POST variables, non printable characters, control characters, and otheruncommoncharactersasabasisforfeatures. These types of models require expert knowledge about the protected application or the class of vulnerability exploited. When there isn t knowledge about the exploit available to the intrusion

4 detectionsystem,genericalgorithmsmustbeusedtofindsimilaritiesinanomalouspayloads.longest common substrings from payloads can be used after removing similarities from normal traffic. Polymorphic worms will slip past detection when using longest common substrings. Polygraph uses a statistical analysis of short payload substrings to find invariant segments in polymorphic payloads (Newsome, Karp, & Song, 2005). This technique performs reasonably well without any application specific knowledge. The intent of the SSL Automated Signatures (SAS) system is to protect against applicationvulnerabilitiesandnottoprotectfromworms,however,theconceptusedinpolygraphstill providesausefultechniqueforpayloadanalysiswithoutanyexpertknowledge. SASusesamulti tierapproachforfeatureselection.protocolfeaturesatthenetworkandssllayerare used as a first tier. The second tier includes application knowledge to find features in decrypted payloads. The third tier uses an algorithm similar to what was used in Polygraph to find correlations withtheabsenceofexpertknowledge. 2 Learning in Intrusion Detection 2.1 Rule Induction Once anomalous data is separated into categories and features have been selected, one can use rule induction to create signatures. The general concept of rule induction is to evaluate the values of the featureagainstthesetofclassestomaximizegain(quinlan,1993). TherawoutputofagreedyentropyminimizationalgorithmsuchasC5canbeusedasbasicsignatures. Iftheprocessforobtainingandlabelingdataisnotguaranteedaccurate,theresultingrulesshouldnot betreatedasabsolutetruths.theerrorratedeterminedfromtheinductiontestandtrainingdatamust becombinedwiththeconfidencefromtheanomalydetectionandcollectionsystemtocreateasetof possible classifications with probabilities for the rule sets. The use of probabilities on rule sets also allowsformorepruningthandiscreetrules.inthiscase,aneventmaymeetthecriteriaformorethan one rule and a classification decision will be calculated according to the probabilities of the triggered rules. 2.2 Collaboration and Data Fusion The SSL Automated Signature system requires collaboration in both anomalous data collection and combining generated signatures. Plurality voting, neural networks, Dempster Schafer, and Bayesian Inferencewereevaluatedforuseinthisproject.Pluralityvotingisthefastestandinmostcasesitisthe least accurate. When using plurality voting, the features with the most votes are selected for a classificationrule.neuralnetworkscanbeemployedinafewdifferentways.forthisprojecttheywere evaluated to determine weights each feature. As new decision trees were induced, the weights associatedtoeachclassifierwereadjusted.bayesianinferencechangestheprobabilityofaneventas newevidenceisintroduced.asnewevidenceisintroducedtheposteriorprobabilityiscalculatedusing thepriorprobability,theconditionalprobability,andthemarginalprobability.dempster Shafertheory is a method for combining evidence that is based on Bayesian theory. It introduces concepts of ignorance, belief, disbelief, and plausibility instead of probabilities. This removes the requirement for

5 prior probabilities on all features and accommodates for feature sets that do not have complete intersections(alani,etal.,2002). 3 SSL Signatures 3.1 SSL and Limitation of Current Systems Most of the current systems in automated signature generation are designed to thwart new worms. Theyarenotabletoclassifyattacksthatareencryptedordonothavesufficienttraffictoshowupusing theiranomalousdatacollectiontechniques. The SSL Automated Signature systems provides both a new approach at evaluating signatures and improvesonexistingtechniquesforcollectinganomalousdata. The Secure Sockets Layer (SSL) is a presentation layer protocol that provides confidentiality and integrity. It uses symmetric cryptography to encrypt application data and uses a key message authenticationcode(mac)toensuredatagramintegrity(dierks,etal.,1999).theprotocolallowsfor secure key negotiation and mutual authentication. It is designed to provide a flexible framework. Parameters such as encryption algorithm and bit length can be negotiated between hosts. This also allows for implementations of SSL to update the underlying encryption algorithms with relative ease. Sinceitisdefinedasapresentationlayerprotocol,itisindependentofapplicationlayerprotocols.This allowsittobeintegratedintocountlessapplications. One of the most common implementations of SSL is OpenSSL. The most recent version of OpenSSL provides support for each version of the SSL specification including TLSv1. OpenSSL makes it easy for programmers to secure their network communication. The push for security and the ease of use of librariessuchasopensslhasimprovedconfidentialityofinternetcommunicationswhilecreatinganew issue.securitycontrolssuchasnetworkinstructiondetectionsystemsandproxyfirewallsarenolonger abletoinspectthecontentoftheapplicationpayload.theaddedassurancetoconfidentialitydoesnot remove any application vulnerabilities. In most cases applications are just as vulnerable to buffer overflowandotherattacksthatresultinnotproperlycheckinginput.whilesslcanbeusedtomutually authenticateaclientandserver,thisfeatureisnotalwaysused.thecasewithoutauthenticationcanbe vulnerabletomaninthemiddleattacksorotherformsofimpersonation. TheuseofanSSLterminationproxyisonesolutiontohelpdetectanomaliesindataencryptedwithSSL. Thesesystems,however,haveafewlimitations.Fromthefunctionalityperspective,theyarelimitedby theirprocessingpowerandthespeedoftheirnetworkinterface.theresourcesrequiredtoterminate, inspect,andthenrecreateansslsessionlimitsthescalabilityofthesedevices.theyarealsoconsidered bysomesecurityexpertstocreateasecurityvulnerabilityjustasbadastheonetheyaresolving.since thesedevicesaretrustedtoactonthebehalfofclientsbyterminatingtheirsslsessions,theymustbe truly trusted devices. If one of these appliances exploited, the attacker has access to every flow that movesthroughit. Anothersolutiontoallowinspectionofthedataispushingtheresponsibilityofintrusiondetectionand responsedowntothehost.inadditiontobeingabletodecryptdatapriortoinspection,theuseofhost intrusiondetectionbringsadvantagessuchasbeingabletomonitorthestateofthesystemandblock theexecutionofcode. TheconceptofSSLsignaturesisbeingintroducedaspartoftheSSLAutomatedSignaturessystem.The SSL signature component introduces the ability to evaluate SSL payload and protocol context prior to returningareadrequesttoanapplication.evenwithoutthedynamiccapabilityofthesassystem,ssl signaturesstillprovidevaluableprotectionbecausetheyareabletoreaddataafterdecryptionanduse fewerresourcesthananomalybasedhostintrusiondetectionsystems.

6 3.2 SAS Signature Generation InexamplesliketheDARPA1998testset,themajorityoftheanomalousdataisfromdenialofservice attacks.fordenialofserviceattacks,protocolanalysiswithlimiteduseofpayloadfeaturesisadequate. For remote to local, user to root attacks and other types of data access exploits this is often not the case. The SSL signature architecture makes use of TCP/IP protocol features, as well as SSL protocol features,andpayloadfeaturestoassistinclassifyingexploitsthataretailoredtowardsdataaccess.the intrusiondetectionmessageexchangeformat(idmef)dtdprovidesthetemplateforfeaturesthatare evaluated.itincludesthetcp/ipfeaturesthatareseenintraditionalintrusiondetectionsystemsand add some entities for upper layer protocol information. It also includes impact, category, and data sourceentities.theadditionalsslprotocoldataisaddedasanewentity.atthisstageofdevelopment, thesystemerrsonthesideoftoomuchdata.mostofthepropertiesthatareprovidedbytheopenssl encryptioncontextstructuresaredefinedinthesslentity.astestingprogresses,unneededattributes willberemoved. Thesignaturegenerationcomponentreliesontheresultsfromtheframeworkforsensorcollaboration. When the signature generation component gets data, it is expected that data has already been normalizedandassignedconfidencevaluesfromthesensorcollaborationcomponent. Thepayloadfeaturesarenotassimpletodefineastheprotocolcontextfeaturesunlessknowledgeof anapplicationisused.innon obfuscatedatomicattacks,alongestcommonsubstringcanbeusedto extractrelevantinformationfromapayload.eventhoughitisnotsufficientformanyattacks,itisworth includingasalowcomplexityfirstpass.adisadvantageofthelongestcommonsubstringmethodisit willgeneratesignaturesthatarelongerthanneededtobetoclassifytheattack.itwillalsooftenmiss components that are common to normal traffic, but are required as part of the attack. To improve accuracy over the longest common substring method, sets of smaller byte sequences are evaluated. Severalmethodsforcomparingstringswereevaluatedforoptimalperformanceandaccuracy.Settinga minimumandmaximumthresholdforbytesequencecanbeusedtocreatesmallersignaturesthanthe longest common substring method with comparable accuracy. To further increase accuracy, exact matchesatthebitlevelareevaluatedforthefirst32bitsofthepayload.thisisusedtohelpcapture applicationdirectivesthatarefrequentlyfoundatthebeginningofthepayload.atthistimeonlyunions ofthesetsarebeingevaluated.inthefuture,orderingandmorecomplexbooleanexpressionswillbe evaluated. Individual rules are generated using established rule induction techniques. Code from the C4.5 applicationisusedforthebasisoftheruleinductioncomponent.sincetheconfidenceofeachrulecan belowandthefeaturesselectedforeachrulemightnotbecomplete,therulesarecombinedasnew dataispresentedtothesystem.themethodproposedin(alani,etal.,2002)isbeingevaluatedforuse incombiningtherules.ithasahighercomputationalcostforcombininginitialsetsofclassifiersthan othersystemsbasedonsimilartheory,butcostdecreasesforadditionalclassifiersastheyareadded. Partofthecombiningprocessreducesthecomplexityofeachrule.Featureswithahighconfidencethat arepresentinmostrulesareincludedintheprimaryrulewithahighconfidence.inordertoprevent loss of decisions based on features that were not consistent in the data provided to the combiner process,supplementaryrulesaregeneratedwithalowconfidence.useofthesupplementaryrulesis helpfulinraisingtheconfidencewhentheprimaryruledoesnotprovideahighenoughconfidenceto createanalert.mostintrusiondetectionsystemsonlyhaveclassifiersformaliciousdata.thedynamic nature of the SAS and the simplified signatures creates an issue that an event may have a high confidence in different classes. When all of the classes are malicious, the impact of an overlap is minimal, but one must also take the normal class into account. To ensure that the overlap is not the resultofthetrafficactuallybeingnormal,signaturesareincludedtoclassifynormalevents.ingeneral, thetriggerfortheclasswiththehighestconfidenceisexecuted.

7 3.3 SSL Interception Architecture TheSSLAutomatedSignatures(SAS)systemhastheuniqueabilitytonotjustlookattrafficasitcomes fromthenetworkinterface,butitcanalsoevaluatedecryptedssltrafficandmetadata.themetadata includes information such as the typical TCP/IP features, SSL connection state, SSL alert value, SSL version,encryptionalgorithm,andafewotherattributes. TheSSLsignatureevaluationprocesshooksintotheSSL_ReadfunctionofOpenSSL.Whenasignatureis triggered,theuser_cancellederrorisraisedinopenssl.thistriggersthesslconnectiontoclose. Figure 2 SSL Signature Flow FordynamicgenerationofSSLsignatures,afewcomponentsinadditiontothesignatureevaluationare required.inordertoassociateanomalieswithssltraffic,arotatinglogfileisused.onthesassystems, every read and write and their associated metadata is stored. When an anomaly is detected the host_agent requests SSL data from the relevant time and protocol so it can be used for signature generation. 3.4 Signature Structure The signatures structure of SAS is a compromise between succinct signatures and complex fuzzy signatures.thefirsttierofsignaturesisinthesnortformat.thesesignaturesdon tcontainanyfuzzy information, but the action of the signature indicates if a fuzzy signature should be evaluated. This allowsthesignatureprocessortoquicklymoveoversignaturesthatareclearlyirrelevant. Thisexamplecreatesanalertwithoutanyadditionalprocessing: alert ssl $SRC_NET $SRC_PORT -> $DST_NET $DST_PORT (content: " PAYLOAD_SEG1" && "PAYLOAD_SEG2" ; ssl_options: "v2,aes168,md5,dh") Changing the rule to a trigger rule will make it so it will trigger additional rules. The trigger rule also needs to list the rule_id so the system can look up follow on rules in the rule database. This small changeenablesconvertsastrictruleintoatriggerforafuzzyrule:

8 trigger ssl $SRC_NET $SRC_PORT -> $DST_NET $DST_PORT (content: " PAYLOAD_SEG1" && "PAYLOAD_SEG2"; ssl_options: "v2,aes168,md5,dh"; rule_id:32767) Thefollowonrulesaresetsofprobabilitiesstoredinarelationaldatabasethatcanbereferencedbythe rule_id.arecordinthedatabaseisaconditionalprobability,p(class Event)=probability,wherethe Eventcanbeasingleobservationoracombinationofobservations,includingnegations.Forexample P(some_class PAYLOAD_SEG1 Λ PAYLOAD_SEG2 Λ (content_feature1 V content_feature2)) requires three conditions to be met to include the probability. Bayesian inference is used combine probabilitiesofrelevantrulestodeterminethemostprobableclass. 4 Results Theproofofconceptmodelwasevaluatedusingapplicationsdesignedwithintentionalsecurityflaws. Theintentionalsecurityflawsinsimpleapplicationsprovidedacontrolledenvironmentfortesting.The host anomaly detection components were designed with knowledge of the expected behavior of the testapplications.thetestapplicationsprimarilyincludedvulnerabilitiesfromuncheckedinputs.atthis time, all of the attacks used against the applications were atomic so a correlation could be made between data captured from the SSL intercept component and the anomaly detection agents without theadditionalstatetrackingrequiredtodetectcompositeattacks. Theapplicationsincludedanemulationofawebserverandatwosimpleclient serverapplication.the emulatedwebservercontainedsampleapplicationsthathadsqlinjectionvulnerabilitiesandscripting errors from unchecked inputs. The client server applications contained mostly buffer overflow vulnerabilities.thetestapplicationsalsocontainedsomecompletelysyntheticvulnerabilities,inwhich theapplicationswouldcreatelogentrieswhencertaininputconditionsweremetthatwouldallowthe anomalysensorstobelievetherewasanattack.thiswasnecessarysothetestsetcouldbeexpanded pastcommonexploitclasses. Scripts were used to generate test data. Semi random permutations of valid input were provided for 98%oftheinputcases.Fortheremaining2%ofthetestdata,randomlyselectedexploitswereused. Theexploittestsetincludedcaseswithvalidinputsmixedwithmalicious,randommixedwithmalicious, andstrictlymalicious.thetestswiththesescriptshadahighdetectionrate,butwhentechniqueswere usedtoattempttoconfusethesignaturegenerationsystemthefalsepositiverateincreased. Predicted Actual Normal BufferOverflow Injection Unique % Correct Normal BufferOverflow Injection Unique %Correct Figure 3 Results Theadditionalscriptcreatedinputswithdifferentmalicioussegmentsanddatathatcontainedseveral setsofidenticalsegmentsthanarecommonlyseeninnormaltraffic.thiscausedhigherfalsepositive and lower true positive rates because some of the generated signatures contained primarily normal segments.apossiblesolutiontothisattackagainstthesignaturegenerationsystemistoincludemore training with known normal data to reduce the weight of the normal segments when they are intentionallyinjectedwithmaliciousdata. Predicted Normal BufferOverflow Injection Unique %

9 Actual Correct Normal BufferOverflow Injection Unique %Correct Figure 4 Results with obfuscation Whencollapsingthecategoriestoonlynormalormalicious,theF 1 scoreforretrievingofnormaldatain thefirstexperimentis whenaddingtheobfuscationscript,thescoredropsto dueto theamountofnormaldatathereisn tasubstantialchange,butthedifferencecanbeeasilyseeninthe rawdata. 5 Future Work Atthispoint,allofthetestsaresyntheticusingproofofconceptapplications.Thesystemwillnothave anyrealvalueuntilitcanbesuccessfullyintegratedintorealapplications. Amajordrawbackfromthemethodusedtotesttheproofofconceptapplicationisthatthetypeofdata usedfortestingwasthetypeexpectedbythesystem.italsohadmoremaliciousdatainthetrainingset thanwouldbeseenwhencollectingfromalivenetwork.agreaterthan0.99f 1 scoreintheproofof conceptmodelispromising,butforausableintrusiondetectionsystemthefalsepositiveratemustbe muchlower.workiscurrentlybeingdonetodecreasethefalsepositiverate,butthemodulesarenot readytobeintegratedintothesystemfortesting. Theframeworkforsensorcollaborationusedtocollectanomalousdataisstillunderdevelopmentandis limited in its ability to provide data from distributed and non atomic attacks. Once the framework is mature,workmustbedonetoensuresignaturereliabilityisnotlostwhendataisnotprovidedfroma controlledenvironment. 6 Works Cited AlAniAhmedandDericheMohamedAnewTechniqueforCombiningMultipleClassifiersusing Dempster ShaferTheoryofEvidence[Journal] pages :Vol.17. DierksTandAllenCTheTLSProtocolVersion1.0,RFC2246[Online]//IETF GopalakrishnaRajeevandSpaffordEugeneEfficientIntrusionDetectionusingAutomatonInlining [Online]/prod.PrivacyProceedingsoftheIEEESymponiumonSecurityand. May KloftMarius[etal.]AutomaticFeatureSelectionforAnomalyDetection[Journal]//AISec KreibichChristianandCrowcroftJonHoneycomb CreatingIntrusionDetectionSignaturesUsing Honeypots[Journal]//InProceedingsoftheSecondWorkshoponHotTopicsinNetworks NewsomeJames,KarpBradandSongDawnPolygraph:AutomaticallyGeneratingSignaturesfor PolymorphicWorms[Conference]//Proceedingsofthe2005IEEESymposiumonSecurityandPrivacy

10 QuinlanJRossC4.5ProgramsforMachineLearning[Book]. SanMateo,CA:MorganKaufmann Publishers,1993. WagnerDavidandDeanDrewIntrusionDetectionviaStaticAnalysis[Journal]//Proceedingsofthe IEEESymposiumonSecurityandPrivacy pp YegneswaranVinod[etal.]Anarchitectureforgeneratingsemantics awaresignatures[conference]// InUSENIXSecuritySymposium