LARGen: Automatic Signature Generation for Malwares Using Latent Dirichlet Allocation

As the quantity and complexity of network threats grow, Intrusion Detection Systems (IDSs) have become critical for securing networks. Achieving computer network intrusion detection with these IDSs requires high-level information technology and security expertise because malicious traffic has to be rigorously analyzed and the appropriate IDS rules written to effectively detect vulnerabilities that may potentially be exploited. However, incorrect IDS rules may produce numerous false positives, thereby degrading the performance of the IDS, and even worse, paralyzing the network. In this paper, we present a novel approach that exploits the Latent Dirichle Allocation (LDA) algorithm to generate IDS rules. Our proposed method, called LDA-based Automatic Rule Generation (LARGen), automatically performs an analysis of the malicious traffic and extracts the appropriate attack signatures that will be used for IDS rules. LARGen first extracts multiple signature strings embedded in network flows. Then, the flows are classified based on the extracted signature strings, and key content strings for malicious traffic are identified through the LDA inferential topic model. Those key content strings are the core of an IDS rule that can detect malicious traffic. We study the effectiveness of LDA in the context of network attack signature generation via extensive experiments with real network trace data, consisting of both benign and malicious traffic. Experimental results confirm that threat rules generated from LARGen accurately detect every cyber attack with high accuracy.