Title: Mining intrusion detection rules with longest increasing subsequences of q-grams
Authors: Inbok Lee, Sung-il Oh
DOI: 10.1145/3129676.3129724 (https://doi.org/10.1145/3129676.3129724)
Venue: Proceedings of the International Conference on Research in Adaptive and Convergent Systems
Published: 2017-09-20
Citation count: 1
Abstract
Intrusion detection has been a major issue in network security. Signature-based intrusion detection systems rely on intrusion detection rules to detect attacks. However, writing intrusion detection rules is difficult and requires considerable knowledge of various fields. Attackers can also modify previous attacks to evade existing intrusion detection rules. In this paper we deal with the problem of detecting "modified" attacks using the original intrusion detection rules. We show a simple method for reporting substrings of the network stream that approximately match at least one of the network intrusion detection rules, based on the notion of q-grams and the longest increasing subsequence. Experimental results showed that our approach can detect modified attacks, which are modeled as strings that match the intrusion detection rules after edit operations.