Improving the Performance of the Snort Intrusion Detection Using Clonal Selection

Elshafie, Hussein M.; Mahmoud, Tarek M.; Ali, Abdelmgeid A.

doi:10.1109/itce.2019.8646601

Cited by 10 publications

(3 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Under IDPaaS, different well-known Intrusion Detection and Prevention Systems (IDPSs) are operated and offered to the consumer with their strengths and weaknesses, so that the user is capable of selecting the best service suited for their requirement. Currently, we are experimenting with the IDPSs of Suricata and Snort [21], [22]. In the AaaS directive, MEC edge level SECaaS MES is handling the authentication of any application or service desired by the subscriber as a Trusted Third Party (TTP).…”

Section: ) Secaas Servicesmentioning

confidence: 99%

Security as a Service Platform Leveraging Multi-Access Edge Computing Infrastructure Provisions

Ranaweera

Imrith

Liyanag

et al. 2020

ICC 2020 - 2020 IEEE International Conference on Communications (ICC)

View full text Add to dashboard Cite

The mobile service platform envisaged by emerging IoT and 5G is guaranteeing gigabit-level bandwidth, ultra-low latency and ultra-high storage capacity for their subscribers. In spite of the variety of applications plausible with the envisaged technologies, security is a demanding objective that should be applied beyond the design stages. Thus, Security as a Service (SECaaS) is an initiative for a service model that enable mobile and IoT consumers with diverse security functions such as Intrusion Detection and Prevention (IDPaaS), Authentication (AaaS), and Secure Transmission Channel (STCaaS) as a Service. A well-equipped edge computing infrastructure is intrinsic to achieve this goal. The emerging Multi-Access Edge Computing (MEC) paradigm standardized by the ETSI is excelling among other edge computing flavours due to its well-defined structure and protocols. Thus, in our directive, we intend to utilize MEC as the edge computing platform to launch the SECaaS functions. Though, the actual development of a MEC infrastructure is highly dependent on the integration of virtualization technologies to enable dynamic creation, the deployment, and the detachment of virtualized entities that should feature interoperability to cater the heterogeneous IoT devices and services. To that extent, this work is proposing a security service architecture that offers these SECaaS services. Further, we validate our proposed architecture through the development of a virtualized infrastructure that integrates lightweight and hypervisor-based virtualization technologies. Our experiments prove the plausibility of launching multiple security instances on the developed prototype edge platform.

show abstract

Section: ) Secaas Servicesmentioning

confidence: 99%

Security as a Service Platform Leveraging Multi-Access Edge Computing Infrastructure Provisions

Ranaweera

Imrith

Liyanag

et al. 2020

ICC 2020 - 2020 IEEE International Conference on Communications (ICC)

View full text Add to dashboard Cite

show abstract

“…Therefore, the use of anomaly-based detection methods is encouraged in the security field, as these models can be trained using benign data only. The main drawback of the anomaly-based method is that it often triggers false positives since it flags all unusual patterns as potential attacks even when they are not [9]. Understanding the reasons for instance prediction can reduce these false alarms and be the first step for domain experts to make decisions to prevent future attacks.…”

Section: Introductionmentioning

confidence: 99%

Explainable AI and Deep Autoencoders Based Security Framework for IoT Network Attack Certainty (Extended Abstract)

Kalutharage

Liu

Chrysoulas

2022

Attacks and Defenses for the Internet-of-Things

View full text Add to dashboard Cite

Over the past few decades, Machine Learning (ML)-based intrusion detection systems (IDS) have become increasingly popular and continue to show remarkable performance in detecting attacks. However, the lack of transparency in their decision-making process and the scarcity of attack data for training purposes pose a major challenge for the development of ML-based IDS systems for Internet of Things (IoT). Therefore, employing anomaly detection methods and interpreting predicted results in terms of feature contribution or performing featurebased impact analysis can increase stakeholders confidence. To this end, this paper presents a novel framework for IoT security monitoring, combining deep autoencoder models with Explainable Artificial Intelligence (XAI), to verify the credibility and certainty of attack detection by MLbased IDSs. Our proposed approach reduces the number of black boxes in the ML decision-making process in IoT security monitoring by explaining why a prediction is made, providing quantifiable data on which features influence the prediction and to what extent, which are generated from SHaply Adaptive values exPlanations (SHAP) linking optimal credit allocation to local explanations. This was tested using the USB-IDS benchmark dataset and a detection accuracy of 84% (benign) and 100% (attack) was achieved. Our experimental results show that integrating XAI with the autoencoder model obviates the need of malicious data for training purposes, but can provide attack certainty for detected anomalies, proving the validity of the proposed methodology.

show abstract

“…Системні технології» 3 (152) 2024 «System technologies» ISSN 1562-9945 (Print) ISSN 2707-7977 (Online)32Алгоритмічні оптимізації, схожі на ті що описані у цій статті, пропонуються у декількох роботах. Так деякі автори змогли інтегрувати Snort з нейронними мережами[7] або евристичними алгоритмами для зменшення кількості правил що перевіряються[8].Мета дослідження -розглянути три основні алгоритми оптимізації обробки правил що використовуються у системі Snort 3, а саме Fast Pattern, групування що базується на портах та групування що базується на протоколах. Для них буде описана базова реалізація, модифікації вихідного коду, що необхідні для вимкнення алгоритму а також вплив алгоритму на загальну швидкодію системи.Результати дослідження можуть бути використані для оптимізації роботи системи при її локальному розгортуванні, при розробці нових алгоритмів оптимізації обробки правил, а також для інтегрування описаних алгоритмів у інші системи.Викладення основного матеріалу дослідження.Обробка пакетів у системі Snort 3 є гнучкою за допомогою підходу, керованого подіями[9], діаграма якого показана на рис.…”

unclassified

Дослідження Впливу Існуючих Алгоритмів Оптимізації Обробки Правил На Швидкодію Системи Виявлення Мережевих Вторгнень Snort 3

V.S.,

A.O.

2024

View full text Add to dashboard Cite

Network intrusion detection systems (NIDS) are a key component of cybersecurity, working to warn, detect, and respond to potential network threats. They analyze network traffic to detect anomalous or malicious activity such as breach attempts, viruses, use of software exploits, and more. Intrusion detection systems should perform packet inspec-tion at or near cable speed to be highly effective. The speed of intrusion detection systems is critical because it allows timely mitigation of potential cyber threats, ensuring uninter-rupted operation of business processes. One of the most common and recognized tools in the field of NIDS is the intrusion detection system Snort, which has already proven itself as a powerful means of protecting networks. Snort 3 is an updated version of this system, and has multithreading, increased speed compared to Snort, greater modularity and other advantages[2], so we will concen-trate on it in the context of this article. The task of optimizing the operation of NIDS is very acute. Due to the variability and multifunctionality of existing systems, there is a wide field for analyzing and improv-ing the efficiency of NIDS both for specific tasks and for tasks of a broad profile. So many works look at the performance of Snort 3 compared to other intrusion detection sys-tems[3] in different types of infrastructures, which will help the user to find the best op-tion for himself. The purpose of the study is to consider the three main rule processing optimization algorithms used in the Snort 3 system, namely Fast Pattern, port-based and protocol-based clustering. For them, the basic implementation, modifications of the source code, which are necessary to disable the algorithm, as well as the impact of the algorithm on the overall speed of the system, will be described. Some results have shown a slight performance improvement when the optimization algorithms are disabled, this is on configurations with a small number of rules. In most cases, a clear drop in performance of 10% or more is noticeable. The biggest deteriora-tion in performance occurs when Fast Pattern operations are disabled, without this algo-rithm the deterioration can reach 20 times.

show abstract

Improving the Performance of the Snort Intrusion Detection Using Clonal Selection

Cited by 10 publications

References 16 publications

Security as a Service Platform Leveraging Multi-Access Edge Computing Infrastructure Provisions

Security as a Service Platform Leveraging Multi-Access Edge Computing Infrastructure Provisions

Explainable AI and Deep Autoencoders Based Security Framework for IoT Network Attack Certainty (Extended Abstract)

Дослідження Впливу Існуючих Алгоритмів Оптимізації Обробки Правил На Швидкодію Системи Виявлення Мережевих Вторгнень Snort 3

Contact Info

Product

Resources

About