This paper describes a system for automated generation of attack signatures for network intrusion detection systems. Our system applies pattern-matching techniques and protocol conformance checks on multiple levels in the protocol hierarchy to network traffic captured a honeypot system. We present results of running the system on an unprotected cable modem connection for 24 hours. The system successfully created precise traffic signatures that otherwise would have required the skills and time of a security officer to inspect the traffic manually.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Vern Paxson, Bro: a system for detecting network intruders in real-time, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.31 n.23-24, p.2435-2463, Dec. 1999  [doi>10.1016/S1389-1286(99)00112-7 ]
	2	Martin Roesch, Snort - Lightweight Intrusion Detection for Networks, Proceedings of the 13th USENIX conference on System administration, November 07-12, 1999, Seattle, Washington
	3	C. Stoll, The Cuckoo's Egg. Addison-Wesley, 1986.
	4	W. R. Cheswick, "An Evening with Berferd, in which a Cracker is lured, endured, and studied," in Proceedings of the 1992 Winter USENIX Conference, 1992.
	5	L. Spitzner, Honeypots: Tracking Hackers, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 2002
	6	N. Provos, "Honeyd - A Virtual Honeypot Daemon," in 10th DFN-CERT Workshop, Hamburg, Germany, February 2003.
	7	Dan Gusfield, Algorithms on strings, trees, and sequences: computer science and computational biology, Cambridge University Press, New York, NY, 1997
	8	P. Weiner, "Linear pattern matching algorithms," in Proceedings of the 14th IEEE Symposium on Switching and Automata Theory, 1973, pp. 1--11.
	9	Edward M. McCreight, A Space-Economical Suffix Tree Construction Algorithm, Journal of the ACM (JACM), v.23 n.2, p.262-272, April 1976  [doi>10.1145/321941.321946]
	10	E. Ukkonen, "On-line construction of suffix trees," Algorithmica, no. 14, pp. 249--260, 1995.
	11	S. McCanne, C. Leres, and V. Jacobson, "tcpdump/libpcap," http://www.tcpdump.org/, 1994.
	12	M. Handley, C. Kreibich, and V. Paxson, "Network Intrusion Detection: Evasion, Traffic Normalization, end End-to-End Protocol Semantics," in Proceedings of the 9th USENIX Security Symposium, 2000.
	13	T. H. Ptacek and T. N. Newsham, "Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection," Secure Networks, Inc., Tech. Rep., 1998.

• Data structures for quadtree approximation and compression Communications of the ACM   28, 9
  Hanan Samet
  
  
• A hierarchical single-key-lock access control using the Chinese remainder theorem Proceedings of the 1992 ACM/SIGAPP Symposium on Applied computing
  Kim S. Lee ,  Huizhu Lu ,  D. D. Fisher
  
  
• The GemStone object database management system Communications of the ACM   34, 10
  Paul Butterworth ,  Allen Otis ,  Jacob Stein
  
  
• Putting innovation to work: adoption strategies for multimedia communication systems Communications of the ACM   34, 12
  Ellen Francik ,  Susan Ehrlich Rudman ,  Donna Cooper ,  Stephen Levine
  
  
• An intelligent component database for behavioral synthesis Proceedings of the 27th ACM/IEEE conference on Design automation
  Gwo-Dong Chen ,  Daniel D. Gajski