Building intrusion pattern miner for snort network intrusion detection system

Abstract

We propose a framework for Snort network-based intrusion detection system to make it have the ability of not only catching new attack patterns automatically, but also detecting sequential attack behaviors. To do that, we first build an intrusion pattern discovery module to find single intrusion patterns and sequential intrusion patterns from a collection of attack packets in offline training phase. The module applies data mining technique to extract descriptive attack signatures from large stores of packets, and then it converts the signatures to Snort detection rules for online detection. In order to detect sequential intrusion behavior, the Snort detection engine is accompanied with our intrusion behavior detection engine. When a series of incoming packets match the signatures representing sequential intrusion scenarios, intrusion behavior detection engine make an alert.