Litcius/Paper detail

Variables influencing the effectiveness of signature-based network intrusion detection systems

Teodor Sommestad, Hannes Holm, Daniel Steinvall

2021Information Security Journal A Global Perspective34 citationsDOIOpen Access PDF

Abstract

Contemporary organizations often employ signature-based network intrusion detection systems to increase the security of their computer networks. The effectiveness of a signature-based system primarily depends on the quality of the rules used to associate system events to known malicious behavior. However, the variables that determine the quality of rulesets is relatively unknown. This paper empirically analyzes the detection probability in a test involving Snort for 1143 exploitation attempts and 12 Snort rulesets created by the Emerging Threats Labs and the Sourcefire Vulnerability Research Team. The default rulesets from Emerging Threats raised priority-1-alerts for 39% of the exploit attempts compared to 31% for rulesets from the Vulnerability Research Team. The following features predict detection probability: if the exploit is publicly known, if the ruleset references the exploited vulnerability, the payload, the type of software targeted, and the operating system of the targeted software. The importance of these variables depends on the ruleset used and whether default rules are used. A logistic regression model with these variables classifies 69-92% of the cases correctly for the different rulesets.

Topics & Concepts

ExploitVulnerability (computing)Intrusion detection systemComputer scienceSignature (topology)SoftwareQuality (philosophy)Computer securityNetwork securityLogistic regressionData miningMachine learningMathematicsOperating systemGeometryPhilosophyEpistemologyNetwork Security and Intrusion DetectionInternet Traffic Analysis and Secure E-votingAdvanced Malware Detection Techniques