Measuring Inconsistency in a Network Intrusion Detection Rule Set Based on Snort

McAreavey, Kevin; Liu, Weiru; Miller, Paul; Mu, Kedian

doi:10.1142/s1793351x11001274

Cited by 20 publications

(16 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For example, IDS rules in [MLMM11] and requirements specications in [MJLL05] are always dened in terms of arbitrary formulae. Applying these practical algorithms for computing MUSes to such real-world applications is a useful path for research, but since they require knowledge bases in clausal form, the algorithms cannot be directly applied.…”

Section: Associating Muses and Misesmentioning

confidence: 99%

“…Inconsistency has been studied extensively in a range of applications. For example, in network security, a logic-based analysis of inconsistency in an Intrusion Detection System (IDS) was carried out in [MLMM11]. In this case the industry standard IDS [Roe99], which was the focus of this work, had a false alarm rate of between 69% [TPFC08b] and 96% [TPFC08a] and it was suggested that this was, at least in part, the result of inconsistency in the rule set.…”

Section: Introductionmentioning

confidence: 99%

“…Therefore we can say that some formulae have a greater share in the inconsistency of the knowledge base than others. Incorporating additional information, such as stratication of formulae, has also proved benecial when measuring formulalevel inconsistency [MLJ12,MLMM11].…”

Section: Introductionmentioning

confidence: 99%

“…This syntax-sensitivity is also necessary for a wide range of applications including the previously mentioned work on network security systems [MLMM11] and requirements specications [MJLL05]. Also, it has been said that minimal inconsistent subsets represent the purest form of formula-centric inconsistency [Rei87,HK10,MLJ12], so it is intuitive to dene formula-level measures using this approach.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Computational approaches to finding and measuring inconsistency in arbitrary knowledge bases

McAreavey

Liu

Miller

2014

International Journal of Approximate Reasoning

Self Cite

View full text Add to dashboard Cite

General rightsThis document is made available in accordance with publisher policies. Please cite only the published version using the reference above. There is extensive theoretical work on measures of inconsistency for arbitrary formulae in knowledge bases. Many of these are dened in terms of the set of minimal inconsistent subsets (MISes) of the base. However, few have been implemented or experimentally evaluated to support their viability, since computing all MISes is intractable in the worst case. Fortunately, recent work on a related problem of minimal unsatisable sets of clauses (MUSes) oers a viable solution in many cases. In this paper, we begin by drawing connections between MISes and MUSes through algorithms based on a MUS generalization approach and a new optimized MUS transformation approach to nding MISes. We implement these algorithms, along with a selection of existing measures for at and stratied knowledge bases, in a tool called mimus. We then carry out an extensive experimental evaluation of mimus using randomly generated arbitrary knowledge bases. We conclude that these measures are viable for many large and complex random instances. Moreover, they represent a practical and intuitive tool for inconsistency handling.

show abstract

Section: Associating Muses and Misesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Computational approaches to finding and measuring inconsistency in arbitrary knowledge bases

McAreavey

Liu

Miller

2014

International Journal of Approximate Reasoning

Self Cite

View full text Add to dashboard Cite

show abstract

“…For accuracy reason, the packet payload must be examined. Snort [4], an open source intrusion detection system, analyses payload signature. 70% of the whole processing time dedicates to the signature pat- tern matching.…”

Section: Introductionmentioning

confidence: 99%

HTTP Traffic Classification Based on Hierarchical Signature Structure

Yoon¹,

Park

Choi³

et al. 2015

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARYConsidering diversified HTTP types, the performance bottleneck of signature-based classification must be resolved. We define a signature model classifying the traffic in multiple dimensions and suggest a hierarchical signature structure to remove signature redundancy and minimize search space. Our experiments on campus traffic demonstrated 1.8 times faster processing speed than the Aho-Corasick matching algorithm in Snort.

show abstract