Measuring inconsistency in network intrusion rules

Kevin McAreavey; Weiru Liu; Paul Miller

doi:10.1109/DEXA.2011.51

Measuring inconsistency in network intrusion rules

Kevin McAreavey, Weiru Liu, Paul Miller

Research output: Contribution to conference › Paper › peer-review

1 Citation (Scopus)

Abstract

In this preliminary case study, we investigate how inconsistency in a network intrusion detection rule set can be measured. To achieve this, we first examine the structure of these rules which incorporate regular expression (Regex) pattern matching. We then identify primitive elements in these rules in order to translate the rules into their (equivalent) logical forms and to establish connections between them. Additional rules from background knowledge are also introduced to make the correlations among rules more explicit. Finally, we measure the degree of inconsistency in formulae of such a rule set (using the Scoring function, Shapley inconsistency values and Blame measure for prioritized knowledge) and compare the informativeness of these measures. We conclude that such measures are useful for the network intrusion domain assuming that incorporating domain knowledge for correlation of rules is feasible.

Original language	English
Pages	339-344
Number of pages	6
DOIs	https://doi.org/10.1109/DEXA.2011.51
Publication status	Published - Aug 2011
Event	Proceedings of the First International Workshop on Data, Logic and Inconsistency (DALI'11) at DEXA - Toulouse, France Duration: 01 Aug 2011 → 01 Aug 2011

Conference

Conference	Proceedings of the First International Workshop on Data, Logic and Inconsistency (DALI'11) at DEXA
Country/Territory	France
City	Toulouse
Period	01/08/2011 → 01/08/2011

Keywords

inconsistency measures
Network intrusion detection

Access to Document

10.1109/DEXA.2011.51

R1118ECI: Centre for Secure Information Technologies (CSIT)
McCanny, J. V., Cowan, C., Crookes, D., Fusco, V., Linton, D., Liu, W., Miller, P., O'Neill, M., Scanlon, W. & Sezer, S.
01/08/2009 → 30/06/2014
Project: Research

Cite this

@conference{83d3ec31608847a5a92fe31e31fc59a9,

title = "Measuring inconsistency in network intrusion rules",

abstract = "In this preliminary case study, we investigate how inconsistency in a network intrusion detection rule set can be measured. To achieve this, we first examine the structure of these rules which incorporate regular expression (Regex) pattern matching. We then identify primitive elements in these rules in order to translate the rules into their (equivalent) logical forms and to establish connections between them. Additional rules from background knowledge are also introduced to make the correlations among rules more explicit. Finally, we measure the degree of inconsistency in formulae of such a rule set (using the Scoring function, Shapley inconsistency values and Blame measure for prioritized knowledge) and compare the informativeness of these measures. We conclude that such measures are useful for the network intrusion domain assuming that incorporating domain knowledge for correlation of rules is feasible.",

keywords = "inconsistency measures, Network intrusion detection",

author = "Kevin McAreavey and Weiru Liu and Paul Miller",

year = "2011",

month = aug,

doi = "10.1109/DEXA.2011.51",

language = "English",

pages = "339--344",

note = "Proceedings of the First International Workshop on Data, Logic and Inconsistency (DALI'11) at DEXA ; Conference date: 01-08-2011 Through 01-08-2011",

}

TY - CONF

T1 - Measuring inconsistency in network intrusion rules

AU - McAreavey, Kevin

AU - Liu, Weiru

AU - Miller, Paul

PY - 2011/8

Y1 - 2011/8

N2 - In this preliminary case study, we investigate how inconsistency in a network intrusion detection rule set can be measured. To achieve this, we first examine the structure of these rules which incorporate regular expression (Regex) pattern matching. We then identify primitive elements in these rules in order to translate the rules into their (equivalent) logical forms and to establish connections between them. Additional rules from background knowledge are also introduced to make the correlations among rules more explicit. Finally, we measure the degree of inconsistency in formulae of such a rule set (using the Scoring function, Shapley inconsistency values and Blame measure for prioritized knowledge) and compare the informativeness of these measures. We conclude that such measures are useful for the network intrusion domain assuming that incorporating domain knowledge for correlation of rules is feasible.

AB - In this preliminary case study, we investigate how inconsistency in a network intrusion detection rule set can be measured. To achieve this, we first examine the structure of these rules which incorporate regular expression (Regex) pattern matching. We then identify primitive elements in these rules in order to translate the rules into their (equivalent) logical forms and to establish connections between them. Additional rules from background knowledge are also introduced to make the correlations among rules more explicit. Finally, we measure the degree of inconsistency in formulae of such a rule set (using the Scoring function, Shapley inconsistency values and Blame measure for prioritized knowledge) and compare the informativeness of these measures. We conclude that such measures are useful for the network intrusion domain assuming that incorporating domain knowledge for correlation of rules is feasible.

KW - inconsistency measures

KW - Network intrusion detection

U2 - 10.1109/DEXA.2011.51

DO - 10.1109/DEXA.2011.51

M3 - Paper

SP - 339

EP - 344

T2 - Proceedings of the First International Workshop on Data, Logic and Inconsistency (DALI'11) at DEXA

Y2 - 1 August 2011 through 1 August 2011

ER -

Measuring inconsistency in network intrusion rules

Abstract

Conference

Keywords

Access to Document

Fingerprint

Projects

R1118ECI: Centre for Secure Information Technologies (CSIT)

Cite this