Syrius: Synthesis of Rules for Intrusion Detectors
- Authors
Guilherme Rodolfo Neves Almeida De Barros Padilha, Lucas Ravellys Pyrrho de Alcantara, Marcelo d'Amorim, and Rui Abreu
- Subjects
Set (abstract data type), Intrusion, Ranking, Computer science, Detector, Data mining, Network intrusion detection, Electrical and Electronic Engineering, Safety, Risk, Reliability and Quality, computer.software_genre, Pipeline (software), computer, Flag (geometry)
- Abstract
Network intrusion detection systems (NIDS) are popular tools to defend local networks against attacks. These systems monitor the network traffic and flag suspicious behavior. Rule-based NIDS do that by checking the network traffic against a set of rules, which become obsolete as attackers learn new strategies to circumvent existing defenses. This article proposes Synthesis of Suricata Rules (Syrius), a novel approach to synthesize rules for rule-based NIDS. Syrius leverages malicious (positive) and benign (negative) traffic to create rules for new attacks. Syrius is organized as a pipeline of three components that 1) create an overspecified seed rule, 2) derive plausible rules from the seed, and 3) rank the plausible rules. We evaluated Syrius against a set of 21 network attacks with various characteristics. Syrius was capable of generating the correct rule among the top-3 and top-1 rules of the ranking, respectively, in 80.1% and 47.6% of the cases.
- Published
2022