TY - GEN
T1 - Characterizing the Modification Space of Signature IDS Rules
AU - Guide, Ryan
AU - Pauley, Eric
AU - Beugin, Yohan
AU - Sheatsley, Ryan
AU - McDaniel, Patrick
N1 - Publisher Copyright:
© 2023 IEEE.
PY - 2023
Y1 - 2023
N2 - Signature-based Intrusion Detection Systems (SIDSs) are traditionally used to detect malicious activity in networks. A notable example of such a system is Snort, which compares network traffic against a series of rules that match known exploits. Current SIDS rules are designed to minimize the amount of legitimate traffic flagged incorrectly, reducing the burden on network administrators. However, use cases other than the traditional one, such as researchers studying trends or analyzing modified versions of known exploits, may require SIDSs to be less constrained in their operation. In this paper, we demonstrate that applying modifications to real-world SIDS rules allows for relaxing some constraints and characterizing the performance space of modified rules. We develop an iterative approach for exploring the space of modifications to SIDS rules. By taking the modifications that expand the ROC curve of performance and altering them further, we show how to modify rules in a directed manner. Using traffic collected from a cloud telescope and identified as benign or malicious, we find that the removal of a single component from SIDS rules has the largest impact on the performance space. Effectively modifying SIDS rules to reduce constraints can enable a broader range of detection for various objectives, from increased security to research purposes.
AB - Signature-based Intrusion Detection Systems (SIDSs) are traditionally used to detect malicious activity in networks. A notable example of such a system is Snort, which compares network traffic against a series of rules that match known exploits. Current SIDS rules are designed to minimize the amount of legitimate traffic flagged incorrectly, reducing the burden on network administrators. However, use cases other than the traditional one, such as researchers studying trends or analyzing modified versions of known exploits, may require SIDSs to be less constrained in their operation. In this paper, we demonstrate that applying modifications to real-world SIDS rules allows for relaxing some constraints and characterizing the performance space of modified rules. We develop an iterative approach for exploring the space of modifications to SIDS rules. By taking the modifications that expand the ROC curve of performance and altering them further, we show how to modify rules in a directed manner. Using traffic collected from a cloud telescope and identified as benign or malicious, we find that the removal of a single component from SIDS rules has the largest impact on the performance space. Effectively modifying SIDS rules to reduce constraints can enable a broader range of detection for various objectives, from increased security to research purposes.
UR - http://www.scopus.com/inward/record.url?scp=85182394996&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85182394996&partnerID=8YFLogxK
U2 - 10.1109/MILCOM58377.2023.10356225
DO - 10.1109/MILCOM58377.2023.10356225
M3 - Conference contribution
AN - SCOPUS:85182394996
T3 - MILCOM 2023 - 2023 IEEE Military Communications Conference: Communications Supporting Military Operations in a Contested Environment
SP - 536
EP - 541
BT - MILCOM 2023 - 2023 IEEE Military Communications Conference
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2023 IEEE Military Communications Conference, MILCOM 2023
Y2 - 30 October 2023 through 3 November 2023
ER -