1. Field
An aspect of the present disclosure relates to a method and an apparatus for detecting network attacks and automatically generating attack signatures based on signature merging.
2. Description of the Related Art
Snort is one of the most frequently used signature-based network intrusion detection techniques (snort.org). Snort manages an attack signature database and periodically updates the attack signatures to cope with recently discovered attacks.
The number of attack signatures in Snort has increased gradually from 3997 in Snort version 2.1 to 31165 in Snort version 2.9. The increase in attack signatures not only requires a large amount of IPS memory but also increases the time required to detect attacks. Nevertheless, at least 6000 to 8000 attack signatures need to be generated to detect newly released malicious attacks every, and thus the size of the attack signature database is continuously growing. The growing size of the attack signature database slows the search and makes it difficult for the attack signature database to be applied to a high-speed network in real time.
To address this, Snort supports a user-configurable option to activate only a subset of the signature database: connectivity, balanced, and security. When Snort is in connectivity mode, only a small number of signatures are active and it can support a large traffic volume, whereas most signatures are active in security mode. Thus, a system delay is unavoidable in security mode, and misdetection of attacks is inevitable in connectivity mode. Therefore, a network attack detection method that efficiently manages the increasing number of attack signatures is required.
Attack signatures should be generated in advance so that an IPS can detect all known attacks. In general, signature generation techniques can be categorized into host-based and network-based techniques.
The network-based technique is the general method most frequently used to generate signatures. In the network-based technique, it is assumed that malicious attack traffic contains a unique byte sequence that is required to attack the target network. Accordingly, traffic (a session) exhibiting a suspicious feature is separated from the network traffic, and a common character string is extracted from the separated traffic and generated as an attack signature. However, an attacker can easily circumvent the detection mechanism of network-based signature generation techniques by inserting meaningless arbitrary character strings into the attack traffic, which are then extracted as false attack signatures.
In host-based techniques, network traffic is directed into a controlled environment and abnormal code is detected during execution. In the host-based technique, an attack signature may be generated only after the target systems have been damaged, and signature generation takes a long time. This is because a signature should be carefully tested so as not to harm normal traffic. To this end, a separate apparatus, distinct from the IPS, is required for testing the signature candidate.
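As an added illustration, not part of the patent text, the following Python models the network-based extraction step described above (a common byte string taken from sessions flagged as suspicious) together with the benign-traffic test that the host-based discussion says a candidate signature needs before deployment. All session payloads, the marker string, host names and URLs are constructed for the example; the greedy narrowing of the common substring is a simplification, not the method of any particular product.

```python
# Added example: model of network-based signature extraction plus a
# benign-traffic check. Every "session" here is a constructed byte string.
from typing import List, Optional

# Constructed payloads of sessions flagged as suspicious. They share one
# fixed byte sequence (an assumed exploit marker); the rest varies.
SUSPICIOUS_SESSIONS: List[bytes] = [
    b"GET /cgi-bin/util.cgi?cmd=\x90\x90\x90\x90EXAMPLE-PAYLOAD-MARKER HTTP/1.0",
    b"GET /index.html?id=7&cmd=\x90\x90\x90\x90EXAMPLE-PAYLOAD-MARKER&x=1 HTTP/1.1",
    b"POST /upload HTTP/1.1\r\n\r\n\x90\x90\x90\x90EXAMPLE-PAYLOAD-MARKER zz",
]

# Constructed sessions whose only shared content is ordinary protocol
# framing: a naive extractor would turn that framing into a signature.
POLLUTED_SESSIONS: List[bytes] = [
    b"GET /index.html HTTP/1.1\r\naaaa",
    b"GET /index.html HTTP/1.1\r\nbbbb",
    b"GET /index.html HTTP/1.1\r\ncccc",
]

# Constructed benign traffic that no candidate signature may match.
BENIGN_SESSIONS: List[bytes] = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    b"GET /cgi-bin/util.cgi?cmd=list HTTP/1.0",
    b"POST /upload HTTP/1.1\r\n\r\nhello world",
]


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Dynamic-programming longest common substring of two byte strings.
    On ties the earliest occurrence in `a` wins."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def common_substring(sessions: List[bytes], min_len: int = 8) -> Optional[bytes]:
    """Greedy narrowing: take the LCS of the first two sessions, then the
    LCS of that candidate with each remaining session. Returns None when
    the shared string is shorter than `min_len` (too short to be a usable
    signature). Greedy narrowing can miss a longer string common to all
    sessions; it is a simplification for illustration."""
    if len(sessions) < 2:
        return None
    cand = longest_common_substring(sessions[0], sessions[1])
    for s in sessions[2:]:
        cand = longest_common_substring(cand, s)
        if len(cand) < min_len:
            return None
    return cand if len(cand) >= min_len else None


def validate(candidate: Optional[bytes], benign: List[bytes]) -> bool:
    """The test the text calls for: reject a candidate that would fire on
    any benign session, since such a signature would harm normal traffic."""
    return candidate is not None and not any(candidate in s for s in benign)


def generate_signature(suspicious: List[bytes], benign: List[bytes],
                       min_len: int = 8) -> Optional[bytes]:
    """Extract a candidate from suspicious sessions and keep it only if
    it passes the benign-traffic check."""
    cand = common_substring(suspicious, min_len)
    return cand if validate(cand, benign) else None


if __name__ == "__main__":
    print("accepted:", generate_signature(SUSPICIOUS_SESSIONS, BENIGN_SESSIONS))
    print("polluted set:", generate_signature(POLLUTED_SESSIONS, BENIGN_SESSIONS))
```

The first set yields the shared marker bytes as a signature because nothing in the benign corpus contains them; the second set yields a candidate that is nothing but request framing, and the benign check discards it. The check is the part a practitioner should not skip: the extraction step alone has no notion of how common its output is in normal traffic.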
In signature-based network security techniques, the technique for generating attack signatures and the IPS technique for detecting signature-based attacks are implemented in separate devices. Therefore, separate systems and transmission devices are required to generate attack signatures and apply them to the IPS, and a delay is also inevitable in these processes.