Detecting and Resolving Inconsistencies in Snort

Xibin Sun, Du Zhang, Mingzhe Liu, Zhuoxin He, Haijie Li, Jiwei Li

2018 IEEE 17th International Conference on Cognitive Informatics & Cognitive Computing (ICCI*CC) (2018)

Abstract
Intrusion Detection Systems (IDSs) are part of network security systems that can take active measures when they detect suspicious intrusions while monitoring network traffic. By matching incoming packets against the patterns established through access control rules, an IDS can identify and detect network attacks and respond proactively. However, one of the major challenges for an IDS is that its effectiveness is only as good as the rules that collectively define the profiles of all the attacks it is capable of capturing. The detection knowledge embodied in the rules can be incomplete, inconsistent, deficient, or not well-defined, making the network defense less effective, leaving the network still vulnerable, or degrading real-time performance. In this paper, we use Snort as a backdrop to formally define eighteen types of knowledge deficiencies that can be found in an IDS, describe approaches to automatically detect those knowledge deficiencies, and propose resolution algorithms to eliminate them in an attempt to incrementally improve the quality of its network defense knowledge. Our ultimate goal is to rely on perpetual learning to automatically, consistently, and continuously improve an IDS's network defense performance over time.
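As an added illustration (this is not the paper's code, and the two checks below are not a reproduction of its eighteen formally defined deficiency types, which the abstract does not enumerate): a small Python checker over a few constructed Snort rules that flags two elementary kinds of rule inconsistency, redundant rules (identical match criteria under different SIDs) and conflicting rules (identical match criteria with different actions), and resolves the first kind by keeping one copy. The sample rule lines, the `METADATA_KEYS` set (options treated as descriptive rather than match-relevant) and the simplified header parser are my assumptions; the parser handles only the plain `action proto src port dir dst port (options)` form shown.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample ruleset (not taken from the paper or from any Snort distribution).
# Rules 1000001/1000002 are redundant; 1000003 conflicts with them on action.
SAMPLE_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB probe A"; content:"/admin"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB probe B"; content:"/admin"; sid:1000002; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB probe block"; content:"/admin"; sid:1000003; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"DNS query"; content:"|01 00 00 01|"; sid:1000004; rev:1;)
"""

# Simplified Snort header grammar (assumption: no port lists or negations in the header).
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# Option keywords that describe a rule but do not change which packets it matches (assumption).
METADATA_KEYS = {"msg", "sid", "rev", "gid", "reference", "classtype", "priority", "metadata"}


@dataclass(frozen=True)
class Rule:
    action: str
    header: tuple       # (proto, src, sport, dir, dst, dport)
    match_opts: tuple   # sorted (key, value) pairs that influence matching
    sid: int
    msg: str


def split_options(opts: str):
    """Split the option body on ';' while leaving double-quoted values intact."""
    parts, buf, in_quotes = [], [], False
    for ch in opts:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(line: str) -> Rule:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    pairs = []
    for opt in split_options(m["opts"]):
        key, _, value = opt.partition(":")
        pairs.append((key.strip(), value.strip()))
    kv = dict(pairs)  # last occurrence wins; only used for sid/msg lookup
    match_opts = tuple(sorted(p for p in pairs if p[0] not in METADATA_KEYS))
    return Rule(
        action=m["action"],
        header=(m["proto"], m["src"], m["sport"], m["dir"], m["dst"], m["dport"]),
        match_opts=match_opts,
        sid=int(kv["sid"]),
        msg=kv.get("msg", "").strip('"'),
    )


def parse_ruleset(text: str):
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def find_inconsistencies(rules):
    """Return (redundant, conflicting).

    redundant:   lists of SIDs whose action, header and match options are identical.
    conflicting: {action: [sids]} maps where the same match criteria carry different actions.
    """
    by_full = defaultdict(list)   # (action, header, match_opts) -> sids
    by_match = defaultdict(dict)  # (header, match_opts) -> {action: sids}
    for r in rules:
        by_full[(r.action, r.header, r.match_opts)].append(r.sid)
        by_match[(r.header, r.match_opts)].setdefault(r.action, []).append(r.sid)
    redundant = [sorted(sids) for sids in by_full.values() if len(sids) > 1]
    conflicting = [{act: sorted(sids) for act, sids in actions.items()}
                   for actions in by_match.values() if len(actions) > 1]
    return redundant, conflicting


def dedupe(rules):
    """Resolve redundancy by keeping the first rule of each identical (action, match) group.

    Conflicts are deliberately left for a human: which action should win is a policy decision.
    """
    seen, kept = set(), []
    for r in rules:
        key = (r.action, r.header, r.match_opts)
        if key not in seen:
            seen.add(key)
            kept.append(r)
    return kept


if __name__ == "__main__":
    rules = parse_ruleset(SAMPLE_RULES)
    redundant, conflicting = find_inconsistencies(rules)
    print("redundant groups:", redundant)
    print("conflicting groups:", conflicting)
    print("after dedupe:", [r.sid for r in dedupe(rules)])
```

On the constructed ruleset the checker reports one redundant group (SIDs 1000001 and 1000002), one conflict (alert versus drop on the same HTTP `/admin` match) and leaves three rules after deduplication. Redundancy is worth removing because every duplicate costs pattern-matching time on each packet; a conflict is reported rather than resolved because the correct action depends on site policy, not on the rule text.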
Keywords
Intrusion Detection System, Snort, knowledge inconsistencies, knowledge refinement, perpetual learning