
Results and Supplementaries

Performance Evaluation and Comparison

SWIDE outperforms other commercial NIDS on attack-attempt detection tasks (which are easier than identifying successful attacks), achieves high recall (75% - 90%) on a successful-attack dataset covering 5 different types of attacks, and achieves relatively high precision (> 70%) on 500M real-world samples.

Evaluation Table

Weekly Alarms Triggered in Online Deployment

We deployed SWIDE for 5,000+ enterprise users for more than 28 weeks up to the time of writing. It generates on average 79,388,689 attack alerts per day (originating from the Attack Payload Identification module), of which around 34,107 are flagged as successful attack incidents (originating from the Consequence Matching module). This implies that one in every 2,328 attacks is deemed successful. On average, around 750 enterprises have been attacked successfully at least once per week.

The diagram below highlights a spike of attack events during two weeks in November 2023, attributed to the extensive exploitation of a zero-day command execution vulnerability in a prevalent IP camera management system.

Weekly Alarms

List of Filtering Keywords for PHP Code Injection

We provide the list used for PHP code execution filtering as a sample. A fuller description can be found in Section 3.2 of our paper.

Global Variables
  • GLOBALS
  • _SERVER
  • HTTP_SERVER_VARS
  • _COOKIE
  • _GET
  • HTTP_GET_VARS
  • _POST
  • HTTP_POST_VARS
  • _FILES
  • HTTP_POST_FILES
  • _REQUEST
  • HTTP_SESSION_VARS
  • _ENV
  • HTTP_ENV_VARS
  • HTTP_COOKIE_VARS
  • HTTP_RAW_POST_DATA
Functions w/o Parentheses
  • exit
  • print
  • echo
  • use
  • new
  • class
  • function
  • clone
  • include
  • include_once
  • require
  • require_once
  • __halt_compiler
Characters in Data Fields
  • `
  • (
  • )
  • $
  • "
  • '
  • [
  • ]
  • ;
  • {
  • }