Characterizing the Modification Space of Signature IDS Rules

Ryan Guide, Eric Pauley, Yohan Beugin, Ryan Sheatsley, Patrick McDaniel

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

Abstract

Signature-based Intrusion Detection Systems (SIDSs) are traditionally used to detect malicious activity in networks. A notable example of such a system is Snort, which compares network traffic against a series of rules that match known exploits. Current SIDS rules are designed to minimize the amount of legitimate traffic flagged incorrectly, reducing the burden on network administrators. However, use cases other than the traditional one, such as researchers studying trends or analyzing modified versions of known exploits, may require SIDSs to be less constrained in their operation. In this paper, we demonstrate that applying modifications to real-world SIDS rules allows some constraints to be relaxed and the performance space of the modified rules to be characterized. We develop an iterative approach for exploring the space of modifications to SIDS rules. By taking the modifications that expand the ROC curve of performance and altering them further, we show how to modify rules in a directed manner. Using traffic collected from a cloud telescope and labeled as benign or malicious, we find that removing a single component from an SIDS rule has the largest impact on the performance space. Effectively modifying SIDS rules to reduce constraints can enable a broader range of detection for various objectives, from increased security to research purposes.

Original language: English (US)
Title of host publication: MILCOM 2023 - 2023 IEEE Military Communications Conference
Subtitle of host publication: Communications Supporting Military Operations in a Contested Environment
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 536-541
Number of pages: 6
ISBN (Electronic): 9798350321814
DOIs
State: Published - 2023
Event: 2023 IEEE Military Communications Conference, MILCOM 2023 - Boston, United States
Duration: Oct 30 2023 - Nov 3 2023

Publication series

Name: MILCOM 2023 - 2023 IEEE Military Communications Conference: Communications Supporting Military Operations in a Contested Environment

Conference

Conference: 2023 IEEE Military Communications Conference, MILCOM 2023
Country/Territory: United States
City: Boston
Period: 10/30/23 - 11/3/23

All Science Journal Classification (ASJC) codes

  • Artificial Intelligence
  • Computer Networks and Communications
  • Signal Processing
  • Safety, Risk, Reliability and Quality