An Intrusion Detection System (IDS) protects computer networks against attacks and intrusions, in combination with firewalls and anti-virus systems. One class of IDS is called signature-based network IDSs, as they monitor network traffic, looking for evidence of malicious behaviour as specified in attack descriptions (referred to as signatures). Many studies report that IDSs, including signature-based network IDSs, have problems to accurately identify attacks. One possible reason that we observed in our past work, and that is worth investigating further, is that several signatures (i.e., several alarms) can be triggered on the same group of packets, a situation we coined overlapping signatures. This paper presents a technique to precisely and systematically quantify the signature overlapping problem of an IDS signature database. The solution we describe is based on set theory and finite state automaton theory, and we experiment with our technique on one widely-used and maintained IDS. Results show that our approach is effective at systematically quantifying the overlap problem in one IDS signature database, and can be potentially used on other IDSs.

Additional Metadata
Keywords Automaton Theory, Intrusion Detection Signature, Set Theory
Persistent URL dx.doi.org/10.1109/DSN.2011.5958211
Conference 2011 IEEE/IFIP 41st International Conference on Dependable Systems and Networks, DSN 2011
Citation
Massicotte, F. (Frédéric), & Labiche, Y. (2011). An analysis of signature overlaps in Intrusion Detection Systems. Presented at the 2011 IEEE/IFIP 41st International Conference on Dependable Systems and Networks, DSN 2011. doi:10.1109/DSN.2011.5958211