Zero-Day Signature Extraction for High-Volume Attacks

Yehuda Afek; Anat Bremler-Barr; Shir  Landau Feibish

doi:10.1109/TNET.2019.2899124

Zero-Day Signature Extraction for High-Volume Attacks

Yehuda Afek, Anat Bremler-Barr, Shir Landau Feibish

Computer Science

Research output: Contribution to journal › Article › peer-review

Abstract

We present a basic tool for zero day attack signature extraction. Given two large sets of messages, P the messages captured in the network at peacetime (i.e., mostly legitimate traffic) and A the messages captured during attack time (i.e., contains many attack messages), we present a tool for extracting a set S of strings that are frequently found in A and not in P, thus allowing the identification of the attack packets. This is an important tool in protecting sites on the Internet from worm attacks and distributed denial of service attacks and may also be useful for other problems, including command and control identification and the DNA-sequences analysis. The main contributions of this paper are the system we developed to extract the required signatures together with the string-heavy hitters problem definition and the algorithm for solving this problem. This algorithm finds popular strings of variable length in a set of messages, using, in a tricky way, the classic heavy-hitter algorithm as a building block. The algorithm runs in linear time requiring one-pass over the input. Our system makes use of this algorithm to extract the desired signatures. Furthermore, we provide an extended algorithm which is able to identify groups of signatures, often found together in the same packets, which further improves the quality of signatures generated by our system. Using our system, a yet unknown attack can be detected and stopped within minutes from attack start time.

Original language	English
Article number	8661792
Pages (from-to)	691-706
Number of pages	16
Journal	IEEE/ACM Transactions on Networking
Volume	27
Issue number	2
DOIs	https://doi.org/10.1109/TNET.2019.2899124
State	Published - Apr 2019

Bibliographical note

Funding Information:
This work was supported in part by The Blavatnik Interdisciplinary Cyber Research Center, Tel Aviv University, in part by the European Research Council (ERC) under Grant 259085, in part by the Ministry of Science and Technology, Israel, and in part by the Kabarnit-Cyber Consortium (2012-2014) under Magnet Program through the Israeli Ministry of Industry, Trade and Labor. The authors thank Z. Gadot from Red Button, and M. Atad and S. Shitrit from Radware Ltd., for helpful discussions. They also thank G. Parashi for his help with code implementation.

Funding Information:
Manuscript received December 6, 2016; revised April 29, 2018; accepted January 13, 2019; approved by IEEE/ACM TRANSACTIONS ON NETWORK-ING Editor W. Wang. Date of publication March 6, 2019; date of current version April 16, 2019. This work was supported in part by The Blavatnik Interdisciplinary Cyber Research Center, Tel Aviv University, in part by the European Research Council (ERC) under Grant 259085, in part by the Ministry of Science and Technology, Israel, and in part by the Kabarnit-Cyber Consortium (2012–2014) under Magnet Program through the Israeli Ministry of Industry, Trade and Labor. (Corresponding author: Shir Landau Feibish.) Y. Afek is with the Blavatnik School of Computer Science, Tel Aviv University, Tel Aviv 6997801, Israel.

Publisher Copyright:
© 2019 IEEE.

Keywords

DDoS
High volume attacks
heavy hitters
signature extraction
zero-day attacks

Access to Document

10.1109/TNET.2019.2899124

Cite this

@article{781346002d714db6a12e8dd4294d5c08,

title = "Zero-Day Signature Extraction for High-Volume Attacks",

abstract = "We present a basic tool for zero day attack signature extraction. Given two large sets of messages, P the messages captured in the network at peacetime (i.e., mostly legitimate traffic) and A the messages captured during attack time (i.e., contains many attack messages), we present a tool for extracting a set S of strings that are frequently found in A and not in P, thus allowing the identification of the attack packets. This is an important tool in protecting sites on the Internet from worm attacks and distributed denial of service attacks and may also be useful for other problems, including command and control identification and the DNA-sequences analysis. The main contributions of this paper are the system we developed to extract the required signatures together with the string-heavy hitters problem definition and the algorithm for solving this problem. This algorithm finds popular strings of variable length in a set of messages, using, in a tricky way, the classic heavy-hitter algorithm as a building block. The algorithm runs in linear time requiring one-pass over the input. Our system makes use of this algorithm to extract the desired signatures. Furthermore, we provide an extended algorithm which is able to identify groups of signatures, often found together in the same packets, which further improves the quality of signatures generated by our system. Using our system, a yet unknown attack can be detected and stopped within minutes from attack start time.",

keywords = "DDoS, High volume attacks, heavy hitters, signature extraction, zero-day attacks",

author = "Yehuda Afek and Anat Bremler-Barr and {Landau Feibish}, Shir",

note = "Publisher Copyright: {\textcopyright} 2019 IEEE.",

year = "2019",

month = apr,

doi = "10.1109/TNET.2019.2899124",

language = "אנגלית",

volume = "27",

pages = "691--706",

journal = "IEEE/ACM Transactions on Networking",

issn = "1063-6692",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

number = "2",

}

TY - JOUR

T1 - Zero-Day Signature Extraction for High-Volume Attacks

AU - Afek, Yehuda

AU - Bremler-Barr, Anat

AU - Landau Feibish, Shir

PY - 2019/4

Y1 - 2019/4

N2 - We present a basic tool for zero day attack signature extraction. Given two large sets of messages, P the messages captured in the network at peacetime (i.e., mostly legitimate traffic) and A the messages captured during attack time (i.e., contains many attack messages), we present a tool for extracting a set S of strings that are frequently found in A and not in P, thus allowing the identification of the attack packets. This is an important tool in protecting sites on the Internet from worm attacks and distributed denial of service attacks and may also be useful for other problems, including command and control identification and the DNA-sequences analysis. The main contributions of this paper are the system we developed to extract the required signatures together with the string-heavy hitters problem definition and the algorithm for solving this problem. This algorithm finds popular strings of variable length in a set of messages, using, in a tricky way, the classic heavy-hitter algorithm as a building block. The algorithm runs in linear time requiring one-pass over the input. Our system makes use of this algorithm to extract the desired signatures. Furthermore, we provide an extended algorithm which is able to identify groups of signatures, often found together in the same packets, which further improves the quality of signatures generated by our system. Using our system, a yet unknown attack can be detected and stopped within minutes from attack start time.

AB - We present a basic tool for zero day attack signature extraction. Given two large sets of messages, P the messages captured in the network at peacetime (i.e., mostly legitimate traffic) and A the messages captured during attack time (i.e., contains many attack messages), we present a tool for extracting a set S of strings that are frequently found in A and not in P, thus allowing the identification of the attack packets. This is an important tool in protecting sites on the Internet from worm attacks and distributed denial of service attacks and may also be useful for other problems, including command and control identification and the DNA-sequences analysis. The main contributions of this paper are the system we developed to extract the required signatures together with the string-heavy hitters problem definition and the algorithm for solving this problem. This algorithm finds popular strings of variable length in a set of messages, using, in a tricky way, the classic heavy-hitter algorithm as a building block. The algorithm runs in linear time requiring one-pass over the input. Our system makes use of this algorithm to extract the desired signatures. Furthermore, we provide an extended algorithm which is able to identify groups of signatures, often found together in the same packets, which further improves the quality of signatures generated by our system. Using our system, a yet unknown attack can be detected and stopped within minutes from attack start time.

KW - DDoS

KW - High volume attacks

KW - heavy hitters

KW - signature extraction

KW - zero-day attacks

UR - http://www.scopus.com/inward/record.url?scp=85064615736&partnerID=8YFLogxK

U2 - 10.1109/TNET.2019.2899124

DO - 10.1109/TNET.2019.2899124

M3 - ???researchoutput.researchoutputtypes.contributiontojournal.article???

AN - SCOPUS:85064615736

SN - 1063-6692

VL - 27

SP - 691

EP - 706

JO - IEEE/ACM Transactions on Networking

JF - IEEE/ACM Transactions on Networking

IS - 2

M1 - 8661792

ER -

Zero-Day Signature Extraction for High-Volume Attacks

Abstract

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this