Conflict-free IDS Rule Management

Current Members:

 Natalia Stakhanova

Overview

Misuse-based and specification-based detection approaches are generally implemented as a rule-based intrusion detection system (IDS) that detects attacks by comparing network traffic against a predefined set of rules. Each rule describes the traffic it targets in terms of IDS-defined features (e.g. destination port, payload content, the confidence level the IDS assigns to a match) and the response action to be taken when observed traffic matches that description.

Although a rule-based IDS offers many benefits, including accurate detection of known attacks and indication of suspicious behavior, it depends heavily on expert knowledge for developing and maintaining the detection rules. As the number of discovered vulnerabilities grows, the size and complexity of the rule set increase significantly, resulting in a complex, overlapping and often redundant set of security rules.

In this project, we aim to develop an efficient rule management framework for the analysis of intrusion detection rules. The focus of our work is two-fold:
1. to develop an efficient set of structures that optimizes the rule handling process;
2. to develop an approach for the automatic discovery of potential conflicts in IDS rule sets at both the syntactic and the semantic level.
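As an added illustration of syntactic conflict discovery (example code, not the project's own framework or the classification from the publication below), the following Python sketch checks a simplified rule set for pairwise relations between rules. The rule fields, the first-match evaluation order and the four relation kinds (redundant, shadowed, generalization, correlated) are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed simplified rule model (not the project's own rule format): a rule
# matches traffic by protocol, destination port and payload substring (None =
# any) and carries a response action; first match in list order is assumed.
@dataclass(frozen=True)
class Rule:
    name: str
    proto: Optional[str]
    dst_port: Optional[int]
    content: Optional[str]   # payload substring to search for
    action: str              # "alert", "drop" or "pass"

def covers(a: Rule, b: Rule) -> bool:
    """Syntactic subsumption: every packet matched by b is also matched by a."""
    return ((a.proto is None or a.proto == b.proto)
            and (a.dst_port is None or a.dst_port == b.dst_port)
            and (a.content is None or (b.content is not None and a.content in b.content)))

def overlaps(a: Rule, b: Rule) -> bool:
    """True if some packet could match both rules."""
    return ((a.proto is None or b.proto is None or a.proto == b.proto)
            and (a.dst_port is None or b.dst_port is None or a.dst_port == b.dst_port)
            and (a.content is None or b.content is None
                 or a.content in b.content or b.content in a.content))

def find_conflicts(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (kind, earlier_rule, later_rule) for each pairwise relation found."""
    found = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if covers(a, b):  # b can never be the first match
                found.append(("redundant" if a.action == b.action else "shadowed", a.name, b.name))
            elif covers(b, a) and a.action != b.action:
                found.append(("generalization", a.name, b.name))
            elif overlaps(a, b) and a.action != b.action:
                found.append(("correlated", a.name, b.name))
    return found

# Constructed sample rule set (not from the project)
SAMPLE_RULES = [
    Rule("r1", "tcp", 80, "cmd.exe", "alert"),
    Rule("r2", "tcp", 80, "/cmd.exe?", "alert"),  # redundant: r1 already covers it
    Rule("r3", "tcp", 80, None, "pass"),          # generalizes r1/r2 with another action
    Rule("r4", "tcp", 80, "cmd.exe /c", "drop"),  # shadowed by r1 and r3
    Rule("r5", None, 443, "cmd.exe", "drop"),
    Rule("r6", "tcp", None, "exe", "alert"),      # partially overlaps r3 and r5
]
print(find_conflicts(SAMPLE_RULES))
```

Semantic conflicts (two rules that describe the same attack with different wording) are outside what this substring-based check can see.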

Related Publications

N. Stakhanova, Y. Li and A. A. Ghorbani. Classification and Discovery of Rule Misconfigurations in Intrusion Detection and Response Devices. Accepted to the Congress on Privacy, Security, Trust and the Management of e-Business, 2009.

Results

http://iscx.ca/results/