Litcius/Paper detail

Syrius: Synthesis of Rules for Intrusion Detectors

Lucas Alcantara, Guilherme Afonso Galindo Padilha, Rui Abreu, Marcelo d’Amorim

2021IEEE Transactions on Reliability17 citationsDOI

Abstract

Network intrusion detection systems (NIDS) are popular tools to defend local networks against attacks. These systems monitor the network traffic and flag suspicious behavior. Rule-based NIDS do that by checking the network traffic against a set of rules, which become obsolete as attackers learn new strategies to circumvent existing defenses. This article proposes <bold xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">sy</b> nthesis of su <bold xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">ri</b> cata r <bold xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">u</b> le <bold xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">s</b> ( <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Syrius</small> ), a novel approach to synthesize rules for rule-based NIDS. <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Syrius</small> leverages malicious (positive) and benign (negative) traffic to create rules for new attacks. <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Syrius</small> is organized as a pipeline of three components to 1) create an overspecified seed rule, 2) derive plausible rules from the seed, and 3) rank plausible rules. We evaluated <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Syrius</small> against a set of 21 network attacks with various characteristics. <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Syrius</small> was capable of generating the correct rule among the top-3 and top-1 rules of the ranking, respectively, in 80.1% and 47.6% of the cases.

Topics & Concepts

Computer scienceIntrusionIntrusion detection systemIntelligent designRank (graph theory)Artificial intelligenceAlgorithmMathematicsCombinatoricsPhilosophyGeochemistryEpistemologyGeologyNetwork Security and Intrusion DetectionNetwork Packet Processing and OptimizationInternet Traffic Analysis and Secure E-voting
Syrius: Synthesis of Rules for Intrusion Detectors | Litcius