Diversity with intrusion detection systems: An empirical study

Algaith, Areej; Elia, Ivano Alessandro; Gashi, Ilir; Vieira, Marco

doi:10.1109/nca.2017.8171327

Cited by 4 publications

(3 citation statements)

References 13 publications

(24 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the future, it will likely be beneficial to deploy PULSAR on smart IDSs [134]. Second, while existing work uses outdated [120], [135], short-term [136], or limited variety of attack type datasets [137], [138], our source training data are longitudinal (representing 10-year) and have been collected in real production traffic with up-to-date attack activities (until 2018). Third, while deep-learning models, e.g., [90], are promising, they offer analysts few explanations on how the models work.…”

Section: Resultsmentioning

confidence: 99%

On Preempting Advanced Persistent Threats Using Probabilistic Graphical Models

Cao¹

2019

Preprint

View full text Add to dashboard Cite

This paper presents PULSAR, a framework for preempting Advanced Persistent Threats (APTs). PULSAR employs a probabilistic graphical model (specifically a Factor Graph) to infer the time evolution of an attack based on observed security events at runtime. The framework (i) learns the statistical significance of patterns of events from past attacks; (ii) composes these patterns into FGs to capture the progression of the attack; and (iii) decides on preemptive actions. The accuracy of our approach and its performance are evaluated in three experiments at SystemX: (i) a study with a dataset containing 120 successful APTs over the past 10 years (PULSAR accurately identifies 91.7%); (ii) replaying of a set of ten unseen APTs (PULSAR stops 8 out of 10 replayed attacks before system integrity violation, and all ten before data exfiltration); and (iii) a production deployment of the framework (during a month-long deployment, PULSAR took an average of one second to make a decision).

show abstract

Section: Resultsmentioning

confidence: 99%

On Preempting Advanced Persistent Threats Using Probabilistic Graphical Models

Cao¹

2019

Preprint

View full text Add to dashboard Cite

show abstract

“…The benefits of diversity between IDSs is empirically studied in [25], and they also provide numerical evidence demonstrating the advantages of using functionally similar IDSs. Our work differs from this as we evaluate the dynamic evolution of this diversity over four years.…”

Section: Related Workmentioning

confidence: 99%

A Perspective-Retrospective Analysis of Diversity in Signature-Based Open-Source Network Intrusion Detection Systems

Asad

Adhikari

Gashi

2023

Preprint

View full text Add to dashboard Cite

The signature-based network Intrusion Detection Systems (IDSs) entails relying on a pre-established signatures and IP addresses that are frequently updated to keep up with the rapidly evolving threat landscape. To effectively evaluate the efficacy of these updates, a comprehensive, long-term assessment of the IDSs' performance is required. This article presents a perspective-retrospective analysis of the Snort and Suricata IDSs using rules that were collected over a four-year period. The study examines how these IDSs perform when monitoring malicious traffic using rules from the past, as well as how they behave when monitoring the same traffic using updated rules in the future. To accomplish this, a set of Snort Subscribed and Suricata Emerging Threats rules were collected from 2017 to 2020, and a labelled PCAP data from 2017-2018 was analysed using past and future rules relative to the PCAP date. In addition to exploring the evolution of Snort and Suricata IDSs, the study also analyses the functional diversity that exists between these IDSs. By examining the evolutionary behaviour of signature-based IDSs and their diverse configurations, the research provides valuable insights into how their performance can be impacted. These insights can aid security architects in combining and layering IDSs in a defence-in-depth deployment.

show abstract

“…The authors also discuss the metrics, evaluation criteria and the data sets that have been used in recent research works on IDSs. In Algaith and et al (2017), the authors show the benefits of using a diverse set of IDSs in an empirical study. The authors have shown the efficacy of diversity by deploying the IDSs in different configurations such that to minimize false negatives/positives.…”

Section: Related Workmentioning

confidence: 99%

Dynamical analysis of diversity in rule-based open source network intrusion detection systems

Asad

Gashi

2021

Empir Software Eng

Self Cite

View full text Add to dashboard Cite

Diverse layers of defence play an important role in the design of defence-in-depth architectures. The use of Intrusion Detection Systems (IDSs) are ubiquitous in this design. But the selection of the “right” IDSs in various configurations is an important decision that the security architects need to make. Additionally, the ability of these IDSs to adapt to the evolving threat-landscape also needs to be investigated. To help with these decisions, we need rigorous quantitative analysis. In this paper, we present a diversity analysis of open-source IDSs, Snort and Suricata, to help security architects tune/deploy these IDSs. We analyse two types of diversities in these IDSs; configurational diversity and functional diversity. In the configurational diversity analysis, we investigate the diversity in the sets of rules and the Blacklisted IP Addresses (BIPAs) these IDSs use in their configurations. The functional diversity analysis investigates the differences in alerting behaviours of these IDSs when they analyse real network traffic, and how these differences evolve. The configurational diversity experiment utilises snapshots of the rules and BIPAs collected over a period of 5 months, from May to October 2017. The snapshots have been collected for three different off-the-shelf default configurations of the Snort IDS and the Emerging Threats (ET) configuration of the Suricata IDS. The functional diversity investigates the alerting behaviour of these two IDSs for a sample of the real network traffic collected in the same time window. Analysing the differences in these systems allows us to get insights into where the diversity in the behaviour of these systems comes from, how does it evolve and whether this has any effect on the alerting behaviour of these IDSs. This analysis gives insight to security architects on how they can combine and layer these systems in a defence-in-depth deployment.

show abstract

Diversity with intrusion detection systems: An empirical study

Cited by 4 publications

References 13 publications

On Preempting Advanced Persistent Threats Using Probabilistic Graphical Models

On Preempting Advanced Persistent Threats Using Probabilistic Graphical Models

A Perspective-Retrospective Analysis of Diversity in Signature-Based Open-Source Network Intrusion Detection Systems

Dynamical analysis of diversity in rule-based open source network intrusion detection systems

Contact Info

Product

Resources

About