Rule Generalisation in Intrusion Detection Systems using Snort

Intrusion Detection Systems (IDSs) provide an important layer of security for computer systems and networks. An IDS’s responsibility is to detect suspicious or unacceptable system and network activity and to alert a systems administrator to this activity. The majority of IDSs use a set of signatures that define what suspicious traffic is, and SNORT is one popular and actively developing open-source IDS that uses such a set of signatures known as SNORT rules. Our aim is to identify a way in which SNORT could be developed further by generalising rules to identify novel attacks. In particular, we attempted to relax and vary the conditions and parameters of current SNORT rules, using a similar approach to classic rule learning operators such as generalisation and specialisation. We demonstrate the effectiveness of our approach through experiments with standard datasets and show that we are able to detect previously undetected variants of various attacks. Keyword: anomaly detection, intrusion detection, Snort, Snort rules Reference to this paper should be made as follows: Uwe Aickelin, Jamie Twycross and Thomas Hesketh-Roberts (xxxx) ‘Rule Generalisation in Intrusion Detection Systems using SNORT’, International Journal of Electronic Security and Digital Forensics (IJESDF), Vol. x, No. x, pp.xxx–xxx. Biographical notes: Uwe Aickelin is a Reader and Advanced EPSRC Research Fellow in the School of Computer Science & IT at the University of Nottingham. His research interests are mathematical modelling, heuristic optimisation and artificial immune systems applied to computer security problems. Jamie Twycross is a Research Associate and is currently working on a large interdisciplinary project investigating the application of immune-inspired approaches to computer security. His research interests include biologically-inspired approaches to computing, computer security and networking, and robotics. Thomas Hesketh-Roberts is a student in Computer Science.