
Characterizing the Modification Space of Signature IDS Rules (2402.09644v1)

Published 15 Feb 2024 in cs.CR

Abstract: Signature-based Intrusion Detection Systems (SIDSs) are traditionally used to detect malicious activity in networks. A notable example of such a system is Snort, which compares network traffic against a series of rules that match known exploits. Current SIDS rules are designed to minimize the amount of legitimate traffic flagged incorrectly, reducing the burden on network administrators. However, different use cases than the traditional one--such as researchers studying trends or analyzing modified versions of known exploits--may require SIDSs to be less constrained in their operation. In this paper, we demonstrate that applying modifications to real-world SIDS rules allows for relaxing some constraints and characterizing the performance space of modified rules. We develop an iterative approach for exploring the space of modifications to SIDS rules. By taking the modifications that expand the ROC curve of performance and altering them further, we show how to modify rules in a directed manner. Using traffic collected and identified as benign or malicious from a cloud telescope, we find that the removal of a single component from SIDS rules has the largest impact on the performance space. Effectively modifying SIDS rules to reduce constraints can enable a broader range of detection for various objectives, from increased security to research purposes.

