200 results for microphione forensics
Abstract:
Intrusion Detection Systems (IDSs) provide an important layer of security for computer systems and networks, and are becoming more and more necessary as reliance on Internet services increases and systems with sensitive data are more commonly open to Internet access. An IDS’s responsibility is to detect suspicious or unacceptable system and network activity and to alert a systems administrator to this activity. The majority of IDSs use a set of signatures that define what suspicious traffic is, and Snort is one popular and actively developing open-source IDS that uses such a set of signatures known as Snort rules. Our aim is to identify a way in which Snort could be developed further by generalising rules to identify novel attacks. In particular, we attempted to relax and vary the conditions and parameters of current Snort rules, using a similar approach to classic rule learning operators such as generalisation and specialisation. We demonstrate the effectiveness of our approach through experiments with standard datasets and show that we are able to detect previously undetected variants of various attacks. We conclude by discussing the general effectiveness and appropriateness of generalisation in Snort based IDS rule processing. Keywords: anomaly detection, intrusion detection, Snort, Snort rules
Abstract:
This work addresses the question of preparatory acts at the crime scene, that is, the precautionary and police measures that the first police responder arriving at the scene must apply. The steps taken by the first officer who takes charge of an incident, and who is normally not a specialist in Criminal Investigation or forensics, prove to be of great importance for the success of the investigation, since they have repercussions throughout the entire investigation. This approach is characterised not by an investigative and inspection intervention, but by the prevention and protection of the scene. The general objective of the work is to contribute to a more purposeful exploitation of the place where a crime was committed, through the best possible performance of the first police responder. The specific objectives are to define the procedures to be taken by the first responder (taking into account their speciality, materials and the particularities of the phase of the investigation) and to define what, for them, constitutes a scene crime, identifying the possible repercussions of poor crime-scene management for the success of the investigation. We use the comparative method, studying the different procedural Manuals (national and international). The frame of reference is historical materialism, since we emphasise the historical dimension of social processes, the legislation in force and current problems in order to interpret our study. This work takes on exploratory-explanatory contours. We follow a deductive method, since the aim is to arrive at a particular case of the general law, that is, at the specific procedures of the first police responder within the overall management of the crime scene. The most significant results are the justification of the importance of the crime scene for Criminal Investigation and of the complexity that may arise for the work of the first responder. It is possible to conclude on a standard set of actions that should be taken (a practical guide) and on how the intervention can be improved through training and cooperation among personnel.
Resumo:
String searching within a large corpus of data is an important component of digital forensic (DF) analysis techniques such as file carving. The continuing increase in capacity of consumer storage devices requires corresponding improvements to the performance of string searching techniques. As string searching is a trivially-parallelisable problem, GPGPU approaches are a natural fit – but previous studies have found that local storage presents an insurmountable performance bottleneck. We show that this need not be the case with modern hardware, and demonstrate substantial performance improvements from the use of single and multiple GPUs when searching for strings within a typical forensic disk image.
Resumo:
Describes the position claiming that the contemporary technological, sociopolitical, and socioeconomic environment gives us pause to consider the core theory and practices of bibliography, combining bibliography of the work (in library and information science), bibliography of the text (in textual studies and scholarly editing), and bibliography of the artifact (in book history and now digital forensics), and calls for collaborative multidisciplinary research at the intersection of these fields to ask, is there a new bibliography?