Measuring inconsistency in network intrusion rules

Kevin McAreavey, Weiru Liu, Paul Miller

Research output: Contribution to conferencePaperpeer-review

1 Citation (Scopus)


In this preliminary case study, we investigate how inconsistency in a network intrusion detection rule set can be measured. To achieve this, we first examine the structure of these rules which incorporate regular expression (Regex) pattern matching. We then identify primitive elements in these rules in order to translate the rules into their (equivalent) logical forms and to establish connections between them. Additional rules from background knowledge are also introduced to make the correlations among rules more explicit. Finally, we measure the degree of inconsistency in formulae of such a rule set (using the Scoring function, Shapley inconsistency values and Blame measure for prioritized knowledge) and compare the informativeness of these measures. We conclude that such measures are useful for the network intrusion domain assuming that incorporating domain knowledge for correlation of rules is feasible.
Original languageEnglish
Number of pages6
Publication statusPublished - Aug 2011
EventProceedings of the First International Workshop on Data, Logic and Inconsistency (DALI'11) at DEXA - Toulouse, France
Duration: 01 Aug 201101 Aug 2011


ConferenceProceedings of the First International Workshop on Data, Logic and Inconsistency (DALI'11) at DEXA


  • inconsistency measures
  • Network intrusion detection


Dive into the research topics of 'Measuring inconsistency in network intrusion rules'. Together they form a unique fingerprint.

Cite this