Measuring Inconsistency in a Network Intrusion Detection Rule Set Based on Snort

Author(s): McAreavey, Kevin; Liu, Weiru; Miller, Paul; Mu, Kedian
Date(s)

01/09/2011

Abstract

In this preliminary study, we investigate how inconsistency in a network intrusion detection rule set can be measured. To achieve this, we first examine the structure of these rules, which are based on Snort and incorporate regular expression (regex) pattern matching. We then identify primitive elements in these rules in order to translate the rules into their (equivalent) logical forms and to establish connections between them. Additional rules from background knowledge are also introduced to make the correlations among rules more explicit. We measure the degree of inconsistency in formulae of such a rule set (using the Scoring function, Shapley inconsistency values and the Blame measure for prioritized knowledge) and compare the informativeness of these measures. Finally, we propose a new measure of inconsistency for prioritized knowledge which incorporates the normalized number of atoms in a language involved in inconsistency, providing a deeper inspection of inconsistent formulae. We conclude that such measures are useful for the network intrusion domain, assuming that introducing expert knowledge for the correlation of rules is feasible.

Format

application/pdf

Identifier

http://pure.qub.ac.uk/portal/en/publications/measuring-inconsistency-in-a-network-intrusion-detection-rule-set-based-on-snort(ce09e0a1-ec48-4944-8489-dd480f1924ad).html

http://dx.doi.org/10.1142/S1793351X11001274

http://pure.qub.ac.uk/ws/files/10410589/Measuring_inconsistency_in_a_network_intrusion_detection_rule_set_based_on_Snort.pdf

Language(s)

eng

Rights

info:eu-repo/semantics/openAccess

Source

McAreavey, K., Liu, W., Miller, P. & Mu, K. 2011, 'Measuring Inconsistency in a Network Intrusion Detection Rule Set Based on Snort', International Journal of Semantic Computing, vol. 5, no. 3, pp. 281-322. DOI: 10.1142/S1793351X11001274

Type

article