Managing intrusion detection rule sets

  • Authors:
  • Natalia Stakhanova, Ali A. Ghorbani

  • Affiliations:
  • University of New Brunswick, Fredericton, Canada (both authors)

  • Venue:
  • Proceedings of the Third European Workshop on System Security
  • Year:
  • 2010

Abstract

The prevalence of the signature-based approach in modern intrusion detection systems (IDS) makes efficient management of the deployed signature sets important. With the constant discovery of new threats and vulnerabilities, the size and complexity of signature sets reach the point where manual management of rules becomes a challenging (if not impossible) task for system administrators. Automated support for signature management is therefore desirable, but the main difficulty is the syntactic diversity that IDS rule languages allow: the same detection logic can be written in several different ways. In this paper we focus on automating signature management. Specifically, we propose a model for signature analysis that brings out semantic inconsistencies in IDS rule sets. To cope with the syntactic diversity of signatures, we draw on the strengths of the nondeterministic finite automaton (NFA), modelling individual rules as finite-state machines and analysing their equivalence. The effectiveness of the proposed approach is evaluated on two collections of attack signatures: the rule sets of the open-source Snort IDS and of Bleeding Edge Threats.
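The following is an added illustration of the idea in the abstract, not the authors' model or code: two Snort-style rules are compiled to NFAs by Thompson construction and the languages they accept are compared, so that a `content` option and a `pcre` option expressing the same payload test are recognised as equivalent. It goes slightly beyond the abstract in also reporting containment (one rule's payload language subsuming the other's), which is another kind of inconsistency a rule-set audit would want. Assumptions: only the payload test of a rule is modelled (one `content`, optionally `nocase`, or one unanchored `pcre`), rule header fields, hex bytes and relative modifiers are ignored, the regex subset is literals, backslash escapes, `.` and `*`, and the four rules are constructed for this example with SIDs in the local range, not taken from Snort or Bleeding Edge Threats.

```python
"""Added example (not the paper's code): compile the payload tests of two IDS rules to
NFAs by Thompson construction and compare the languages they accept, so rules written
differently are recognised as equivalent or as one subsuming the other."""
import re
from collections import defaultdict, deque
from itertools import count

ALPHABET = frozenset(chr(c) for c in range(32, 127))   # printable ASCII payload bytes

def parse_regex(pattern, nocase=False):
    """Regex subset (literals, backslash escapes, '.', '*') to an NFA (edges, start,
    accept); edges[s] lists (label, t), label being None for an epsilon edge or the
    frozenset of characters the edge accepts."""
    edges, toks, fresh = defaultdict(list), list(pattern), count()

    def atom():
        c = toks.pop(0)
        label = ALPHABET if c == '.' else frozenset(toks.pop(0) if c == '\\' else c)
        if nocase:                                            # accept either case
            label = frozenset(x for ch in label for x in (ch.lower(), ch.upper()))
        s, t = next(fresh), next(fresh)
        edges[s].append((label, t))
        return s, t

    def repeat():
        s, t = atom()
        while toks and toks[0] == '*':
            toks.pop(0)
            ns, nt = next(fresh), next(fresh)
            edges[ns] += [(None, s), (None, nt)]              # enter the loop or skip it
            edges[t] += [(None, s), (None, nt)]               # go round again or leave
            s, t = ns, nt
        return s, t

    start, accept = repeat()
    while toks:                                               # concatenate the rest
        s, t = repeat()
        edges[accept].append((None, s))
        accept = t
    return edges, start, accept

def closure(edges, states):
    """Epsilon closure of a set of NFA states."""
    seen, stack = set(states), list(states)
    while stack:
        new = {t for label, t in edges[stack.pop()] if label is None} - seen
        seen |= new
        stack += new
    return frozenset(seen)

def compare(nfa_a, nfa_b):
    """Lockstep lazy subset construction over the product; returns (A ⊆ B, B ⊆ A)."""
    (ea, sa, fa), (eb, sb, fb) = nfa_a, nfa_b
    start = (closure(ea, {sa}), closure(eb, {sb}))
    seen, queue = {start}, deque([start])
    a_in_b = b_in_a = True
    while queue and (a_in_b or b_in_a):
        qa, qb = queue.popleft()
        a_in_b &= not (fa in qa and fb not in qb)             # A accepts a word B rejects
        b_in_a &= not (fb in qb and fa not in qa)
        for ch in ALPHABET:
            nxt = tuple(closure(e, {t for s in q for label, t in e[s] if label and ch in label})
                        for e, q in ((ea, qa), (eb, qb)))
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return a_in_b, b_in_a

def rule_to_nfa(rule):
    """NFA for the payload test of a simplified Snort rule: one content:"..." (optionally
    nocase) or one pcre:"/.../flags"; hex bytes and relative modifiers are out of scope."""
    opts = dict(re.findall(r'(\w+)(?::\s*"?(.*?)"?)?\s*;', rule[rule.index('(') + 1:rule.rindex(')')]))
    if 'content' in opts:
        body = ''.join('\\' + c if c in '*.\\' else c for c in opts['content'])
        return parse_regex(f'.*{body}.*', nocase='nocase' in opts)
    body, flags = opts['pcre'][1:].rsplit('/', 1)
    return parse_regex(f'.*{body}.*', nocase='i' in flags)

def relation(rule_a, rule_b):
    """'equivalent', 'A subsumed by B', 'B subsumed by A' or 'distinct'."""
    names = {(True, True): 'equivalent', (True, False): 'A subsumed by B', (False, True): 'B subsumed by A'}
    return names.get(compare(rule_to_nfa(rule_a), rule_to_nfa(rule_b)), 'distinct')

# Constructed rules in the local SID range, not taken from any published rule set.
RULE_A = 'alert tcp any any -> $HOME_NET 80 (msg:"admin probe"; content:"/admin"; nocase; sid:1000001;)'
RULE_B = r'alert tcp any any -> $HOME_NET 80 (msg:"admin probe, pcre form"; pcre:"/\/admin/i"; sid:1000002;)'
RULE_C = 'alert tcp any any -> $HOME_NET 80 (msg:"admin login"; content:"/admin/login"; nocase; sid:1000003;)'
RULE_D = 'alert tcp any any -> $HOME_NET 80 (msg:"wp login"; content:"/wp-login.php"; sid:1000004;)'

for name, rule in (('B', RULE_B), ('C', RULE_C), ('D', RULE_D)):
    print(f'A vs {name}: {relation(RULE_A, rule)}')
```

Case-insensitivity is folded into the NFA edge labels rather than rewritten into the pattern text, which is the point of comparing automata instead of strings: `content:"/admin"; nocase;` and `pcre:"/\/admin/i"` produce different syntax but the same language, while `content:"/admin/login"` is reported as subsumed because every payload it matches also triggers the broader rule. The product exploration stops as soon as both containment directions have been refuted, and the alphabet is restricted to printable ASCII, so binary payload bytes would need a wider alphabet before this could be used on a real rule set.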