Research Report: Synthesizing Intrusion Detection System Test Data from Open-Source Attack Signatures

2023 IEEE Security and Privacy Workshops (SPW) Pub Date : 2023-05-01 DOI:10.1109/SPW59333.2023.00023

Jared Chandler, Adam Wick

{"title":"Research Report: Synthesizing Intrusion Detection System Test Data from Open-Source Attack Signatures","authors":"Jared Chandler, Adam Wick","doi":"10.1109/SPW59333.2023.00023","DOIUrl":null,"url":null,"abstract":"Intrusion Detection Systems (IDS) act as a first line of defense for network infrastructure by identifying malicious traffic and reporting it to administrators. Signature-based IDS identify this traffic by attempting to parse packets according to user-supplied rules based on well-known examples of bad traffic. However, test data can be difficult to come by (due to its sensitive nature) which makes evaluating new rules difficult. In this work we discuss the limitations of an existing SMT-based synthesis approach to automatically generating malicious network traffic. We then present a survey of how IDS rules are written in practice using an open-source corpus of over 30,000 rules and discuss a road-map towards extending the existing approach with the goal of generating security test data characterizing a broad range of threats, as well as ancillary uses assisting users in writing IDS rules and identifying IDS implementation bugs. Finally, we share early results from an evaluation of one such extension which successfully generated IDS test data for over 90% of the rules evaluated.","PeriodicalId":308378,"journal":{"name":"2023 IEEE Security and Privacy Workshops (SPW)","volume":"23 4 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2023-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2023 IEEE Security and Privacy Workshops (SPW)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SPW59333.2023.00023","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

Intrusion Detection Systems (IDS) act as a first line of defense for network infrastructure by identifying malicious traffic and reporting it to administrators. Signature-based IDS identify this traffic by attempting to parse packets according to user-supplied rules based on well-known examples of bad traffic. However, test data can be difficult to come by (due to its sensitive nature) which makes evaluating new rules difficult. In this work we discuss the limitations of an existing SMT-based synthesis approach to automatically generating malicious network traffic. We then present a survey of how IDS rules are written in practice using an open-source corpus of over 30,000 rules and discuss a road-map towards extending the existing approach with the goal of generating security test data characterizing a broad range of threats, as well as ancillary uses assisting users in writing IDS rules and identifying IDS implementation bugs. Finally, we share early results from an evaluation of one such extension which successfully generated IDS test data for over 90% of the rules evaluated.

查看原文本刊更多论文

研究报告:基于开源攻击特征的入侵检测系统测试数据合成

入侵检测系统(IDS)通过识别恶意流量并将其报告给管理员，充当网络基础设施的第一道防线。基于签名的IDS通过尝试根据用户提供的基于众所周知的错误流量示例的规则解析数据包来识别这种流量。然而，测试数据可能很难获得(由于其敏感性)，这使得评估新规则变得困难。在这项工作中，我们讨论了现有的基于smt的合成方法在自动生成恶意网络流量方面的局限性。然后，我们调查了在实践中如何使用超过30,000条规则的开源语料编写IDS规则，并讨论了扩展现有方法的路线图，目标是生成具有广泛威胁特征的安全测试数据，以及辅助用途，帮助用户编写IDS规则和识别IDS实现错误。最后，我们分享了对这样一个扩展进行评估的早期结果，该扩展成功地为超过90%的被评估规则生成了IDS测试数据。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2023 IEEE Security and Privacy Workshops (SPW)

自引率

0.00%

发文量