Next: Sequence-based Techniques
Up: Implementation
Previous: Specification-based Techniques
Signature-based ID systems detect intrusions by observing events and
identifying patterns that match the signatures of known attacks. An
attack signature defines the essential events required to perform
the attack, and the order in which they must be performed. Different
ID systems represent signatures in different ways. The State
Transition Analysis Tool (STAT) [5], for example,
represents signatures with state transition diagrams. At run time,
these diagrams direct the operation of finite state machines
that represent possible intrusions in progress. The STAT system
advances these state machines from state to state as it observes
events that match parts of attack signatures. If the STAT system
observes a sequence of events that ultimately moves one of these
finite state machines to its final state, the STAT system declares
that it has detected an intrusion.
We have implemented the Mailstat wrapper, an example of STAT-like ID
that attempts to detect a well-known attack on a commonly-used UNIX
mail daemon. The signature of this mail daemon attack is effectively
hard-coded in the structure of the Mailstat wrapper. When deployed,
the Mailstat wrapper wraps all processes on the system, and intercepts
and examines every system call that might correspond to an event in
the mail daemon attack signature. It uses a database table to store
the state of the finite state machines representing possible attacks
in progress. Whenever Mailstat observes a system call that matches
the first event in the mail daemon attack signature, it creates a new
finite state machine by adding a new row to the table. As it
intercepts system calls and observes events, it advances the state of
the appropriate finite state machines according to the mail daemon
attack signature's state transition diagram. When any finite state
machine in the table reaches its final state, the Mailstat wrapper
indicates an intrusion and reports the identities of the processes
whose events led to its detection.
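The table-driven matching described in the two paragraphs above, written out as an added example. This is illustrative code, not the Mailstat wrapper or STAT itself: a signature is a list of state transitions guarded by predicates on intercepted system calls, a table holds one row per possible attack in progress, a row is opened whenever an event matches the signature's first transition, and a row that reaches the final state produces an alert naming the process that caused each matched event. The three-step signature, the daemon path /usr/sbin/maild, the spool directory and the system-call trace are all constructed for illustration and do not describe the real mail daemon attack the text refers to.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

Event = Dict[str, object]   # one intercepted system call: pid, uid, syscall name and arguments

# Hypothetical values used only by the constructed signature below.
DAEMON_BINARY = "/usr/sbin/maild"
SPOOL_DIR = "/var/spool/mail/"

@dataclass
class Transition:
    src: str                        # state the machine must be in
    match: Callable[[Event], bool]  # predicate on the intercepted event
    dst: str                        # state to enter on a match

@dataclass
class Signature:
    name: str
    start: str
    final: str
    transitions: List[Transition]

@dataclass
class Instance:
    """One row of the table: a possible attack in progress."""
    state: str
    pids: Set[int]                                    # processes whose events belong to this row
    history: List[int] = field(default_factory=list)  # pid that caused each matched event

@dataclass
class Alert:
    signature: str
    pids: List[int]   # processes that caused the events leading to detection

class SignatureMatcher:
    def __init__(self, sig: Signature) -> None:
        self.sig = sig
        self.table: List[Instance] = []
        self.alerts: List[Alert] = []

    def observe(self, ev: Event) -> None:
        """Feed one intercepted system call; an Alert is recorded if a machine reaches its final state."""
        pid = int(ev["pid"])
        # 1. Advance existing rows. Only events from a process already tied to the row count.
        for inst in list(self.table):
            if pid not in inst.pids:
                continue
            if ev["syscall"] == "exit":
                inst.pids.discard(pid)
                if not inst.pids:            # every involved process is gone: retire the row
                    self.table.remove(inst)
                continue
            if ev["syscall"] == "fork":      # a forked child inherits membership in the row
                inst.pids.add(int(ev["child"]))
            for t in self.sig.transitions:
                if t.src == inst.state and t.match(ev):
                    inst.state = t.dst
                    inst.history.append(pid)
                    if inst.state == self.sig.final:
                        self.alerts.append(Alert(self.sig.name, list(inst.history)))
                        self.table.remove(inst)
                    break                    # at most one transition per row per event
        # 2. An event matching the signature's first step opens a new row (a one-event
        #    signature, whose first step is also its last, is not handled here).
        for t in self.sig.transitions:
            if t.src == self.sig.start and t.match(ev):
                self.table.append(Instance(state=t.dst, pids={pid}, history=[pid]))
                break

# Constructed three-step signature (hypothetical; not the Mailstat signature).
def daemon_started_as_root(ev: Event) -> bool:
    return ev["syscall"] == "execve" and ev.get("path") == DAEMON_BINARY and ev.get("uid") == 0
def shell_exec_as_root(ev: Event) -> bool:
    return ev["syscall"] == "execve" and ev.get("path") == "/bin/sh" and ev.get("uid") == 0
def root_write_outside_spool(ev: Event) -> bool:
    return (ev["syscall"] == "open" and ev.get("uid") == 0 and "w" in str(ev.get("mode", ""))
            and not str(ev.get("path", "")).startswith(SPOOL_DIR))

MAIL_ATTACK = Signature("hypothetical-mail-daemon-attack", "start", "detected", [
    Transition("start", daemon_started_as_root, "daemon_running"),
    Transition("daemon_running", shell_exec_as_root, "root_shell"),
    Transition("root_shell", root_write_outside_spool, "detected"),
])

# Constructed trace: the daemon delivers mail normally, then a forked child runs a
# root shell that writes outside the spool. pid 42 is an unrelated process.
SAMPLE_TRACE: List[Event] = [
    {"pid": 10, "uid": 0, "syscall": "execve", "path": DAEMON_BINARY},
    {"pid": 10, "uid": 0, "syscall": "open", "path": SPOOL_DIR + "alice", "mode": "w"},
    {"pid": 10, "uid": 0, "syscall": "fork", "child": 11},
    {"pid": 11, "uid": 0, "syscall": "execve", "path": "/bin/sh"},
    {"pid": 11, "uid": 0, "syscall": "open", "path": "/etc/passwd", "mode": "w"},
    {"pid": 42, "uid": 1000, "syscall": "open", "path": "/etc/passwd", "mode": "w"},
]

def detect(trace: List[Event], sig: Signature = MAIL_ATTACK) -> List[Alert]:
    matcher = SignatureMatcher(sig)
    for ev in trace:
        matcher.observe(ev)
    return matcher.alerts
```

On SAMPLE_TRACE the matcher raises one alert naming processes 10, 11 and 11, one per matched event; the same events in a different order raise none, which is the point of encoding the signature as a state transition diagram rather than as a set of events. The example goes beyond the text in two places, both assumptions of this code rather than descriptions of Mailstat: a forked child inherits its parent's row so that the child's system calls can advance it, and a row is retired once every process tied to it has exited. The second matters in practice because every first-event match opens a new row, so without some retirement rule the table grows without bound on a busy system.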
Calvin Ko
2000-06-13