Rule Generalisation in Intrusion Detection Systems using Snort
Intrusion Detection Systems (IDSs) provide an important layer of security for computer systems and networks, and are becoming more and more necessary as reliance on Internet services increases and systems with sensitive data are more commonly open to Internet access. An IDS’s responsibility is to d...
| Main Authors: | , , |
|---|---|
| Format: | Article |
| Published: |
Inderscience
2007
|
| Online Access: | https://eprints.nottingham.ac.uk/657/ |
| _version_ | 1848790456625790976 |
|---|---|
| author | Aickelin, Uwe Twycross, Jamie Hesketh-Roberts, Thomas |
| author_facet | Aickelin, Uwe Twycross, Jamie Hesketh-Roberts, Thomas |
| author_sort | Aickelin, Uwe |
| building | Nottingham Research Data Repository |
| collection | Online Access |
| description | Intrusion Detection Systems (IDSs) provide an important
layer of security for computer systems and networks, and are becoming more and more necessary as reliance on Internet services increases and systems with sensitive data are more commonly open to Internet access. An IDS’s responsibility is to detect suspicious or unacceptable system and network activity and to alert a systems administrator to this activity. The majority of IDSs use a set of signatures that define what suspicious traffic is, and Snort is one popular and actively developing open-source IDS that uses such a set of signatures known as Snort rules. Our aim is to identify a way in which Snort could be developed further by generalising rules to identify novel attacks. In particular, we attempted to relax and vary the conditions and parameters of current Snort rules, using a similar approach to classic rule learning operators such as generalisation and specialisation. We demonstrate the effectiveness of our approach through experiments with standard datasets and
show that we are able to detect previously undetected variants of various attacks. We conclude by discussing the general effectiveness and appropriateness of generalisation in Snort based IDS rule processing.
Keywords: anomaly detection, intrusion detection, Snort, Snort rules |
| first_indexed | 2025-11-14T18:12:54Z |
| format | Article |
| id | nottingham-657 |
| institution | University of Nottingham Malaysia Campus |
| institution_category | Local University |
| last_indexed | 2025-11-14T18:12:54Z |
| publishDate | 2007 |
| publisher | Inderscience |
| recordtype | eprints |
| repository_type | Digital Repository |
| spelling | nottingham-6572020-05-04T20:28:37Z https://eprints.nottingham.ac.uk/657/ Rule Generalisation in Intrusion Detection Systems using Snort Aickelin, Uwe Twycross, Jamie Hesketh-Roberts, Thomas Intrusion Detection Systems (IDSs) provide an important layer of security for computer systems and networks, and are becoming more and more necessary as reliance on Internet services increases and systems with sensitive data are more commonly open to Internet access. An IDS’s responsibility is to detect suspicious or unacceptable system and network activity and to alert a systems administrator to this activity. The majority of IDSs use a set of signatures that define what suspicious traffic is, and Snort is one popular and actively developing open-source IDS that uses such a set of signatures known as Snort rules. Our aim is to identify a way in which Snort could be developed further by generalising rules to identify novel attacks. In particular, we attempted to relax and vary the conditions and parameters of current Snort rules, using a similar approach to classic rule learning operators such as generalisation and specialisation. We demonstrate the effectiveness of our approach through experiments with standard datasets and show that we are able to detect previously undetected variants of various attacks. We conclude by discussing the general effectiveness and appropriateness of generalisation in Snort based IDS rule processing. Keywords: anomaly detection, intrusion detection, Snort, Snort rules Inderscience 2007 Article PeerReviewed Aickelin, Uwe, Twycross, Jamie and Hesketh-Roberts, Thomas (2007) Rule Generalisation in Intrusion Detection Systems using Snort. International Journal of Electronic Security and Digital Forensics, 1 (1). pp. 101-116. http://www.inderscience.com/storage/f785311121421069.pdf doi:10.1504/IJESDF.2007.013596 doi:10.1504/IJESDF.2007.013596 |
| spellingShingle | Aickelin, Uwe Twycross, Jamie Hesketh-Roberts, Thomas Rule Generalisation in Intrusion Detection Systems using Snort |
| title | Rule Generalisation in Intrusion Detection Systems using Snort |
| title_full | Rule Generalisation in Intrusion Detection Systems using Snort |
| title_fullStr | Rule Generalisation in Intrusion Detection Systems using Snort |
| title_full_unstemmed | Rule Generalisation in Intrusion Detection Systems using Snort |
| title_short | Rule Generalisation in Intrusion Detection Systems using Snort |
| title_sort | rule generalisation in intrusion detection systems using snort |
| url | https://eprints.nottingham.ac.uk/657/ https://eprints.nottingham.ac.uk/657/ https://eprints.nottingham.ac.uk/657/ |