Abstract
IDSs are core elements of network security. The effectiveness of the protection an IDS provides depends mainly on the quality of its configuration. Unfortunately, configuring an IDS manually is work-intensive and error-prone. There is therefore a strong demand for automatically analyzing and discovering the anomalies that can arise between rules. In this paper we present (1) a new classification of anomalies between IDS rules, (2) three inference systems that detect anomalies automatically, discovering rule conflicts, redundancies and other potential problems in an IDS configuration, (3) optimization of IDS rule sets by automatically removing redundant rules, and (4) a formal specification and validation of these techniques, together with a demonstration of the advantages of the proposed approach on the rule sets provided by the open source Snort IDS. These techniques have been implemented; we proved the correctness of our method and demonstrated its applicability and scalability. The first results we obtained are very promising.
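The kind of redundancy and conflict detection the abstract describes, as an added example that is not the paper's code: a small Python checker over Snort rule headers. It assumes a constructed variable table (HOME_NET, EXTERNAL_NET simplified to "any", HTTP_PORTS), a constructed three-rule set with local sids, and a deliberately simple definition of the two anomaly kinds (a rule is redundant when another rule with the same action and the same detection options covers its whole header; two rules conflict when their headers and options are identical but their actions differ). The paper's own anomaly classification and inference systems are not on this page and are not reproduced; negated fields, mixed directions and IP sets split across several entries are left out, so the containment test is sound but not complete.

```python
"""Toy redundancy/conflict checker for Snort rule headers. Added example, not
code from the paper: it does not reproduce the paper's classification or
inference systems, only a simple header-subsumption check."""
import ipaddress
import re
from collections import namedtuple

# Constructed variable table (a real run would read snort.conf). EXTERNAL_NET
# is simplified to "any": Snort's usual !$HOME_NET is negated, and negated
# fields are deliberately not modelled here.
VARS = {"HOME_NET": ["10.0.0.0/8"], "EXTERNAL_NET": ["any"],
        "HTTP_PORTS": ["80", "8080"]}
# Options that name or describe a rule but do not change what it matches.
META = {"msg", "sid", "rev", "gid", "reference", "classtype", "priority", "metadata"}
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
Rule = namedtuple("Rule", "sid action proto src sport dir dst dport sig")

def expand(token, leaf):
    """Flatten any / $VAR / [a,b] tokens with leaf(); None means negated."""
    if token.startswith("!"):
        return None
    parts = (VARS[token[1:]] if token.startswith("$") else
             token[1:-1].split(",") if token.startswith("[") else None)
    if parts is None:
        return leaf(token)
    subs = [expand(p.strip(), leaf) for p in parts]
    return None if None in subs else [x for s in subs for x in s]

def addr_leaf(tok):  # address or CIDR; "any" is the whole IPv4 space
    return [ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok, strict=False)]

def port_leaf(tok):  # "any", "80", "80:90", ":1024", "1024:" -> (lo, hi) ranges
    if tok == "any":
        return [(0, 65535)]
    lo, sep, hi = tok.partition(":")
    return [(int(lo or 0), int(hi or 65535))] if sep else [(int(lo), int(lo))]

def split_opts(opts):
    """Split the option body on ';' outside double quotes (no escape handling)."""
    return [o.strip() for o in re.findall(r'\s*((?:"[^"]*"|[^;"])+);', opts)]

def parse_rule(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("unparsable rule: " + line)
    opts = split_opts(m["opts"])
    sid = next(int(o.split(":", 1)[1]) for o in opts if o.startswith("sid:"))
    sig = tuple(o for o in opts if o.split(":", 1)[0] not in META)
    return Rule(sid, m["action"], m["proto"], expand(m["src"], addr_leaf),
                expand(m["sport"], port_leaf), m["dir"],
                expand(m["dst"], addr_leaf), expand(m["dport"], port_leaf), sig)

def header_subsumed(a, b):
    """True if every packet matching a's header also matches b's. Sound but not
    complete: a set split over several entries of b is missed, directions must
    be identical, negated fields (None) never compare, proto 'ip' covers all."""
    if a.dir != b.dir or (a.proto != b.proto and b.proto != "ip"):
        return False
    nets_in = lambda fa, fb: all(any(n.version == m.version and n.subnet_of(m)
                                     for m in fb) for n in fa)
    ports_in = lambda pa, pb: all(any(lo >= l2 and hi <= h2 for l2, h2 in pb)
                                  for lo, hi in pa)
    fields = [(a.src, b.src, nets_in), (a.dst, b.dst, nets_in),
              (a.sport, b.sport, ports_in), (a.dport, b.dport, ports_in)]
    return all(x is not None and y is not None and f(x, y) for x, y, f in fields)

def analyze(lines):
    """('redundant', sid, covering_sid): same action+options, header contained.
    ('conflict', sid, sid): identical header+options, different actions."""
    rules = [parse_rule(l) for l in lines]
    out = []
    for a in rules:
        for b in rules:
            if a is b or a.sig != b.sig or not header_subsumed(a, b):
                continue
            mutual = header_subsumed(b, a)
            if a.action == b.action and (not mutual or a.sid > b.sid):
                out.append(("redundant", a.sid, b.sid))
            elif a.action != b.action and mutual and a.sid < b.sid:
                out.append(("conflict", a.sid, b.sid))
    return out

# Constructed sample rule set (local sids 1000001-1000003).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB admin probe";'
    ' flow:to_server,established; content:"/admin"; http_uri; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> 10.1.2.0/24 80 (msg:"WEB admin probe DMZ";'
    ' flow:to_server,established; content:"/admin"; http_uri; sid:1000002; rev:1;)',
    'drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB admin probe drop";'
    ' flow:to_server,established; content:"/admin"; http_uri; sid:1000003; rev:1;)',
]

if __name__ == "__main__":
    for kind, sid, other in analyze(RULES):
        print(f"{kind}: sid {sid} vs sid {other}")
```

On the constructed set, sid 1000002 is reported as redundant given sid 1000001 (its destination network and port are inside the broader rule's, and the detection options are identical), and sids 1000001 and 1000003 are reported as a conflict (same match space, alert versus drop). The containment test is one-directional and sound, so it can miss a redundancy but never invents one; a production checker would have to model negation, bidirectional rules and the rule-type ordering Snort applies to pass/drop/alert before treating an action mismatch as an error.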
© 2015 Springer International Publishing Switzerland
Cite this paper
Saâdaoui, A., Benmoussa, H., Bouhoula, A., Kalam, A.A.E. (2015). Automatic Classification and Detection of Snort Configuration Anomalies - a Formal Approach. In: Herrero, Á., Baruque, B., Sedano, J., Quintián, H., Corchado, E. (eds) International Joint Conference. CISIS 2015. Advances in Intelligent Systems and Computing, vol 369. Springer, Cham. https://doi.org/10.1007/978-3-319-19713-5_3
DOI: https://doi.org/10.1007/978-3-319-19713-5_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-19712-8
Online ISBN: 978-3-319-19713-5