Characterizing the Modification Space of Signature IDS Rules
Signature-based Intrusion Detection Systems (SIDSs) are traditionally used to detect malicious activity in networks. A notable example of such a system is Snort, which compares network traffic against a series of rules that match known exploits. Current SIDS rules are designed to minimize the amount...
Saved in:
Published in: | arXiv.org 2024-02 |
---|---|
Main authors: | Guide, Ryan; Pauley, Eric; Beugin, Yohan; Ryan Sheatsley; McDaniel, Patrick |
Format: | Article |
Language: | eng |
Subjects: | Communications traffic; Computer Science - Cryptography and Security; Constraints; Intrusion detection systems |
Online access: | Full text |
DOI: | 10.48550/arxiv.2402.09644 |
Description: | Signature-based Intrusion Detection Systems (SIDSs) are traditionally used to detect malicious activity in networks. A notable example of such a system is Snort, which compares network traffic against a series of rules that match known exploits. Current SIDS rules are designed to minimize the amount of legitimate traffic flagged incorrectly, reducing the burden on network administrators. However, different use cases than the traditional one--such as researchers studying trends or analyzing modified versions of known exploits--may require SIDSs to be less constrained in their operation. In this paper, we demonstrate that applying modifications to real-world SIDS rules allow for relaxing some constraints and characterizing the performance space of modified rules. We develop an iterative approach for exploring the space of modifications to SIDS rules. By taking the modifications that expand the ROC curve of performance and altering them further, we show how to modify rules in a directed manner. Using traffic collected and identified as benign or malicious from a cloud telescope, we find that the removal of a single component from SIDS rules has the largest impact on the performance space. Effectively modifying SIDS rules to reduce constraints can enable a broader range of detection for various objectives, from increased security to research purposes. |
Identifier: | EISSN: 2331-8422 |
---|---|
Date: | 2024-02-15 |
Source: | arXiv.org; Free E-Journals |
Published version: | https://doi.org/10.1109/MILCOM58377.2023.10356225 (published paper; access to full text may be restricted) |
Rights: | 2024. This work is published under http://creativecommons.org/licenses/by-nc-nd/4.0/ (the "License"). |