• DocumentCode
    2294561
  • Title
    Harnessing the Power of P2P Systems for Fast Attack Signature Validation
  • Author
    Antonatos, Spiros ; Hieu, Vu Quang
  • Author_Institution
    Inst. of Comput. Sci., Found. for Res. & Technol. Hellas, Heraklion, Greece
  • fYear
    2009
  • fDate
    19-21 Oct. 2009
  • Firstpage
    107
  • Lastpage
    114
  • Abstract
    Attack signature validation plays a key role in intrusion detection and prevention technologies. Usually, when new attacks, particularly worms, appear, security software analyzes and generates signatures for these attacks. Since inaccurate signatures may block legitimate traffic that is similar to the attack traffic (false positives), security software is reluctant to deploy new signatures without extensive testing. The testing procedure, however, can be time-consuming, resulting in significant delays (hours or even days) in signature dissemination. To alleviate this problem, in this paper, we propose a novel architecture based on P2P technology for fast content signature validation. The basic idea is to collect and store recent network traffic at peers participating in the system in advance and use it to validate new signatures. Since the amount of traffic that needs to be checked against is huge, we also propose a high-performance validation algorithm over stored traffic data. Experimental results show that our proposed system can validate candidate attack signatures and determine potential false positive rates in just a few seconds.
  • Keywords
    digital signatures; invasive software; peer-to-peer computing; P2P system; attack signature validation; intrusion detection; legitimate traffic; network traffic; security software; signature dissemination; software worm; Computer science; Computer security; Computer worms; Cryptography; Databases; Filters; Intrusion detection; Power system security; Telecommunication traffic; Testing; P2P defenses; indexing; signature validation;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Network and System Security, 2009. NSS '09. Third International Conference on
  • Conference_Location
    Gold Coast, QLD
  • Print_ISBN
    978-1-4244-5087-9
  • Electronic_ISBN
    978-0-7695-3838-9
  • Type
    conf
  • DOI
    10.1109/NSS.2009.64
  • Filename
    5318955