Title | An IDS Rule Redundancy Verification |
Publication Type | Conference Paper |
Year of Publication | 2020 |
Authors | Noiprasong, P., Khurat, A. |
Conference Name | 2020 17th International Joint Conference on Computer Science and Software Engineering (JCSSE) |
Keywords | anomaly network traffics, commented rules, composability, computer network security, IDS, IDS rule redundancy verification, IDS rule verification, intrusion detection system, IP networks, network security software, open-source IDS system, Payloads, Protocols, pubcrawl, public rulesets, Redundancy, resilience, Resiliency, Semantics, Snort, Snort community, Snort rule combinations, Syntactics, telecommunication traffic, Tools |
Abstract | An Intrusion Detection System (IDS) is network security software or hardware widely used to detect anomalous network traffic by comparing the traffic against rules specified beforehand. Snort is one of the best-known open-source IDSs. To write a rule, one follows the structure and values specified in the Snort manual. This specification is expressive enough that the same meaning can be written in different ways. If rules are redundant, performance can suffer. We therefore propose a proof of semantic issues for Snort rules and found four pairs of Snort rule combinations that can cause redundancy. In addition, we create a tool to verify such redundancy between two rules and run it on the public rulesets from the Snort community and Emerging Threats. As a result of our test, we found several redundancy issues in the public rulesets if the user enables commented rules. |
DOI | 10.1109/JCSSE49651.2020.9268269 |
Citation Key | noiprasong_ids_2020 |
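The abstract describes a tool that checks pairs of Snort rules for redundancy, including rules that are shipped commented out. The script below is an added illustration of that idea, not the paper's tool, and it does not reproduce the four redundancy patterns the paper identifies (the abstract does not list them). It canonicalises each Snort 2 rule (header fields as sets and port ranges, detection options as order-insensitive groups unless a relative content modifier makes order matter, metadata options ignored) and reports whether two rules are equivalent or one covers the other. The sample rules, the choice of which option keywords count as metadata, and the simplifications noted in the comments are this example's own assumptions.

```python
"""Redundancy check for pairs of Snort 2 rules (added example, not the paper's tool)."""
import re
from typing import FrozenSet, List, Optional, Tuple

HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$", re.S)
# Assumption: these options identify/describe a rule but never change what it matches.
META_OPTS = {"msg", "sid", "rev", "gid", "classtype", "reference", "metadata", "priority"}
# Snort 2 modifiers that bind to the preceding content/uricontent/pcre keyword.
CONTENT_MODS = {"nocase", "depth", "offset", "distance", "within", "rawbytes", "fast_pattern",
                "http_uri", "http_raw_uri", "http_header", "http_method", "http_client_body",
                "http_cookie"}
RELATIVE_MODS = {"distance", "within"}   # anchor a match to the previous one: order matters


def split_options(body: str) -> List[Tuple[str, str]]:
    """Split the rule body on ';' while respecting quoted strings and backslash escapes."""
    opts: List[Tuple[str, str]] = []
    cur: List[str] = []
    quoted, i = False, 0

    def flush() -> None:
        tok = "".join(cur).strip()
        if tok:
            key, _, val = tok.partition(":")
            opts.append((key.strip(), val.strip()))

    while i < len(body):
        ch = body[i]
        if ch == "\\" and quoted and i + 1 < len(body):
            cur.extend(body[i:i + 2]); i += 2; continue
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            flush(); cur.clear()
        else:
            cur.append(ch)
        i += 1
    flush()
    return opts


def parse_addr(spec: str) -> Tuple[bool, FrozenSet[str]]:
    """'any', a $VAR, a CIDR or a [list]; a leading '!' negates (nested lists not handled)."""
    neg = spec.startswith("!")
    items = spec.lstrip("!").strip("[]").split(",")
    return neg, frozenset(t.strip().lower() for t in items if t.strip())


def parse_ports(spec: str) -> Tuple[bool, FrozenSet]:
    """Ports become (lo, hi) ranges; 'any' is (0, 65535); $VARs are kept as opaque strings."""
    neg, items = spec.startswith("!"), set()
    for tok in spec.lstrip("!").strip("[]").lower().split(","):
        tok = tok.strip()
        if tok == "any":
            items.add((0, 65535))
        elif re.fullmatch(r"\d*:\d*", tok):
            lo, hi = tok.split(":")
            items.add((int(lo) if lo else 0, int(hi) if hi else 65535))
        elif tok.isdigit():
            items.add((int(tok), int(tok)))
        elif tok:
            items.add(tok)
    return neg, frozenset(items)


def addr_covers(a, b) -> bool:
    if a[0] or b[0]:                 # negated lists: only literal equality is safe
        return a == b
    return "any" in a[1] or b[1] <= a[1]


def ports_covers(a, b) -> bool:
    if a[0] or b[0]:
        return a == b
    def covered(item) -> bool:
        if isinstance(item, tuple):
            return any(isinstance(r, tuple) and r[0] <= item[0] and item[1] <= r[1] for r in a[1])
        return item in a[1] or (0, 65535) in a[1]
    return all(covered(item) for item in b[1])


def canon_options(opts: List[Tuple[str, str]]):
    """Group each content with its modifiers; drop metadata; sort what is order-free."""
    groups, others = [], []
    for key, val in opts:
        if key in META_OPTS:
            continue
        if key in ("content", "uricontent", "pcre"):
            groups.append([key, val, []])
        elif key in CONTENT_MODS and groups:
            groups[-1][2].append((key, val))
        elif key == "flow":          # flow flags are a set, so their order is irrelevant
            others.append((key, ",".join(sorted(v.strip() for v in val.split(",")))))
        else:
            others.append((key, val))
    canon = []
    for key, val, mods in groups:
        if key != "pcre" and any(m == "nocase" for m, _ in mods):
            val = val.lower()        # nocase makes the pattern's case irrelevant
        canon.append((key, val, tuple(sorted(mods))))
    relative = any(m in RELATIVE_MODS for _, _, mods in canon for m, _ in mods)
    return (tuple(canon) if relative else tuple(sorted(canon)), tuple(sorted(others)))


def parse_rule(text: str) -> dict:
    text = text.strip().lstrip("#").strip()   # commented-out rules are parsed too
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule: %r" % text[:40])
    return {"action": m["action"].lower(), "proto": m["proto"].lower(), "dir": m["dir"],
            "src": parse_addr(m["src"]), "sport": parse_ports(m["sport"]),
            "dst": parse_addr(m["dst"]), "dport": parse_ports(m["dport"]),
            "detect": canon_options(split_options(m["body"]))}


def redundancy(rule_a: str, rule_b: str) -> Optional[str]:
    """'equivalent', 'a covers b', 'b covers a', or None when neither makes the other redundant."""
    a, b = parse_rule(rule_a), parse_rule(rule_b)
    fixed = ("action", "proto", "dir", "detect")
    if tuple(a[k] for k in fixed) != tuple(b[k] for k in fixed):
        return None
    checks = (("src", addr_covers), ("sport", ports_covers), ("dst", addr_covers), ("dport", ports_covers))
    ab = all(f(a[k], b[k]) for k, f in checks)
    ba = all(f(b[k], a[k]) for k, f in checks)
    return "equivalent" if ab and ba else "a covers b" if ab else "b covers a" if ba else None


def find_redundant(rules: List[str]) -> List[Tuple[int, int, str]]:
    return [(i, j, rel) for i in range(len(rules)) for j in range(i + 1, len(rules))
            if (rel := redundancy(rules[i], rules[j]))]


# Constructed sample ruleset (not from any public ruleset).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"admin GET"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/admin"; http_uri; sid:1000001; rev:1;)',
    '# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"admin GET (old)"; content:"/admin"; http_uri; content:"get"; nocase; http_method; flow:established,to_server; sid:1000002; rev:3;)',
    'alert tcp any any -> $HOME_NET [80,8080] (msg:"admin GET, wider"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/admin"; http_uri; sid:1000003; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"ordered"; content:"GET"; nocase; content:"/admin"; distance:0; sid:1000004; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"reordered"; content:"/admin"; distance:0; content:"GET"; nocase; sid:1000005; rev:1;)',
]

if __name__ == "__main__":
    for i, j, rel in find_redundant(RULES):
        print(f"rule {i} vs rule {j}: {rel}")
```

Rules 0 and 1 differ only in option order, letter case under `nocase`, `flow` flag order and metadata, so they are reported as equivalent even though rule 1 is commented out; rule 2 covers both because `any`/`[80,8080]` include `$EXTERNAL_NET`/`80`; rules 3 and 4 are not flagged because `distance` makes content order significant. A real checker would also have to resolve `$HOME_NET`-style variables from the configuration and reason about overlapping `pcre` patterns, which this example deliberately treats as opaque.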