Syntax vs. semantics
competing approaches to dynamic network intrusion detection
Article written by: Scheirer, Walter; Chuah, Mooi Choo
Abstract: Malicious network traffic, including widespread worm activity, is a growing threat to internet-connected networks and hosts. In this paper, we consider both syntax-based and semantics-based approaches to dynamic network intrusion detection. The semantics-based approach copes with sophisticated polymorphic and metamorphic worms better than the syntax-based approach. Our contribution in this work is threefold:
• our syntax-based scheme, which uses variable-length partitioning with multiple breakmarks, can detect many polymorphic worms;
• we believe our semantics-based prototype is the first NIDS that provides semantics-aware capability, and our system is more efficient than what is reported by Christodorescu et al. (2005);
• our designed templates capture polymorphic shellcodes with added sequences of stack and mathematical operations.
Language:
English