
Syrius: Synthesis of Rules for Intrusion Detectors

Authors :
Guilherme Rodolfo Neves Almeida De Barros Padilha
Lucas Ravellys Pyrrho de Alcantara
Marcelo d'Amorim
Rui Abreu
Source :
IEEE Transactions on Reliability. 71:370-381
Publication Year :
2022
Publisher :
Institute of Electrical and Electronics Engineers (IEEE), 2022.

Abstract

Network intrusion detection systems (NIDS) are popular tools for defending local networks against attacks. These systems monitor network traffic and flag suspicious behavior. Rule-based NIDS do so by checking the traffic against a set of rules, which become obsolete as attackers learn new strategies to circumvent existing defenses. This article proposes Synthesis of Suricata Rules (Syrius), a novel approach to synthesizing rules for rule-based NIDS. Syrius leverages malicious (positive) and benign (negative) traffic to create rules for new attacks. Syrius is organized as a pipeline of three components that 1) create an overspecified seed rule, 2) derive plausible rules from the seed, and 3) rank the plausible rules. We evaluated Syrius against a set of 21 network attacks with various characteristics. Syrius generated the correct rule among the top-3 and as the top-1 rule of the ranking in 80.1% and 47.6% of the cases, respectively.

Details

ISSN :
1558-1721 and 0018-9529
Volume :
71
Database :
OpenAIRE
Journal :
IEEE Transactions on Reliability
Accession number :
edsair.doi...........8ee970637598198af3a22c101e8b31c4