Detecting and Resolving Inconsistencies in Snort

Intrusion Detection Systems (IDSs) are part of the network security systems that can take active measures when they detect suspicious intrusions through monitoring network transmissions. By matching the incoming packets with the patterns established through access control rules, an IDS system can identify and detect network attacks, and take proactive responses. However, one of the major challenges for an IDS is that its effectiveness is only as good as the rules that collectively define the profiles of all the attacks it is capable of capturing. The detection knowledge as embodied in the rules can be incomplete, inconsistent, deficient, or not well-defined, making the network defense less effective, still vulnerable, or suffering from realtime performance degradation. In this paper, we use Snort as a backdrop to formally define eighteen types of knowledge deficiencies that can be found in an IDS, describe approaches to automatically detect those knowledge deficiencies, and propose resolution algorithms to eliminate the deficiencies in an attempt to incrementally improve the quality of its network defense knowledge. Our ultimate goal is to rely on perpetual learning to automatically, consistently, and contiuously improve an IDS's network defense performance over time.

[1]  Stan Matwin,et al.  Formal correctness of conflict detection for firewalls , 2007, FMSE '07.

[2]  Ehab Al-Shaer,et al.  Taxonomy of conflicts in network security policies , 2006, IEEE Communications Magazine.

[3]  Ehab Al-Shaer,et al.  Conflict classification and analysis of distributed firewall policies , 2005, IEEE Journal on Selected Areas in Communications.

[4]  Du Zhang,et al.  Learning through overcoming temporal inconsistencies , 2015, 2015 IEEE 14th International Conference on Cognitive Informatics & Cognitive Computing (ICCI*CC).

[5]  Du Zhang,et al.  Detecting and resolving inconsistencies in firewalls , 2014, Proceedings of the 2014 IEEE 15th International Conference on Information Reuse and Integration (IEEE IRI 2014).

[6]  Alessandra Russo,et al.  Using Argumentation Logic for Firewall Policy Specification and Analysis , 2006, DSOM.

[7]  Mohamed G. Gouda,et al.  Structured firewall design , 2007, Comput. Networks.