
[1] Yin Yi, Wang Yun, Takahashi Naohisa, et al. An analysis method of topological relations between Snort rules [J]. Journal of Southeast University (English Edition), 2016, 32 (1): 21-28. [doi:10.3969/j.issn.1003-7985.2016.01.005]

An analysis method of topological relations between Snort rules

Journal of Southeast University (English Edition)[ISSN:1003-7985/CN:32-1325/N]

Volume:
32
Issue:
2016 1
Page:
21-28
Research Field:
Computer Science and Engineering
Publishing date:
2016-03-20

Info

Title:
An analysis method of topological relations between Snort rules
Author(s):
Yin Yi (1, 2), Wang Yun (1), Takahashi Naohisa (3)
1. School of Computer Science and Engineering, Southeast University, Nanjing 211189, China
2. School of Computer Science and Technology, Nanjing Normal University, Nanjing 210023, China
3. Department of Computer Science and Engineering, Graduate School of Engineering, Nagoya Institute of Technology, Nagoya 466-8555, Japan
Keywords:
intrusion detection system (IDS); Snort rule; functional programming language
PACS:
TP393.08
DOI:
10.3969/j.issn.1003-7985.2016.01.005
Abstract:
It is difficult to know all the relations between Snort rules. To deal with this problem, the topological relations between Snort rules are classified based on set theory, and a method for calculating these topological relations is proposed. Existing methods for analyzing the relations between Snort rules usually determine them from the header information of the rules alone. The proposed method disregards the actions of Snort rules and improves on the existing methods by classifying and calculating the topological relations between Snort rules according to both the header and the option information of the rules. In addition, the proposed method is implemented in the functional programming language Haskell. The experimental results show that the topological relations between Snort rules can be calculated rapidly and effectively. The proposed method also provides an important basis for subsequent conflict detection between Snort rules.
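The abstract describes the core idea without showing it. The following added example (written for this page; it is not the paper's Haskell implementation) illustrates that idea in Python: each header field of a Snort rule (protocol, source and destination networks, port ranges) is treated as a set, the rule's packet set is the Cartesian product of those sets, and the content options are folded in as a constraint on the payload. From that, the relation between two rules is classified as EQUAL, SUBSET, SUPERSET, OVERLAP or DISJOINT, ignoring the rule action as the abstract says. The relation names, the sample rules, the expansion of the `ip` protocol to tcp/udp/icmp, and the handling of content options as plain substrings are all assumptions of this example, not the paper's definitions; negated addresses, port lists, the `<>` direction and content modifiers are not supported.

```python
# Added example, not the paper's code: set-theoretic relation between two
# Snort rules from their header fields and content options (action ignored).
# Assumptions: IPv4 only, "->" direction, no "!" negation, no port lists,
# content: strings are plain substrings (nocase/offset/depth are ignored).
import ipaddress
import re
from dataclasses import dataclass
from typing import FrozenSet, Tuple

PORT_MAX = 65535
ALL_PROTOCOLS = frozenset({"tcp", "udp", "icmp"})  # assumed expansion of "ip"

# action proto src src_port -> dst dst_port (options)
HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)


@dataclass(frozen=True)
class Rule:
    protocols: FrozenSet[str]
    src_net: ipaddress.IPv4Network
    src_ports: Tuple[int, int]
    dst_net: ipaddress.IPv4Network
    dst_ports: Tuple[int, int]
    contents: FrozenSet[str]  # every content: string must occur in the payload


def parse_net(tok: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok, strict=False)


def parse_ports(tok: str) -> Tuple[int, int]:
    if tok == "any":
        return (0, PORT_MAX)
    if ":" in tok:  # "1024:", ":1023" or "80:90"
        lo, hi = tok.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else PORT_MAX)
    return (int(tok), int(tok))


def parse_rule(text: str) -> Rule:
    m = HEADER_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    _action, proto, src, sport, dst, dport, opts = m.groups()  # action unused
    return Rule(
        protocols=ALL_PROTOCOLS if proto == "ip" else frozenset({proto}),
        src_net=parse_net(src),
        src_ports=parse_ports(sport),
        dst_net=parse_net(dst),
        dst_ports=parse_ports(dport),
        contents=frozenset(re.findall(r'content:\s*"([^"]*)"', opts)),
    )


def range_subset(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    return b[0] <= a[0] and a[1] <= b[1]


def range_disjoint(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    return a[1] < b[0] or b[1] < a[0]


def relation(a: Rule, b: Rule) -> str:
    """Return EQUAL, SUBSET (a within b), SUPERSET, OVERLAP or DISJOINT."""
    # A rule's packet set is the product of its per-field sets: a is within b
    # iff every field of a is within the same field of b, and the rules are
    # disjoint iff at least one field pair is disjoint.
    checks = [  # (a_field <= b_field, b_field <= a_field, fields disjoint)
        (a.protocols <= b.protocols, b.protocols <= a.protocols,
         a.protocols.isdisjoint(b.protocols)),
        (a.src_net.subnet_of(b.src_net), b.src_net.subnet_of(a.src_net),
         not a.src_net.overlaps(b.src_net)),
        (range_subset(a.src_ports, b.src_ports), range_subset(b.src_ports, a.src_ports),
         range_disjoint(a.src_ports, b.src_ports)),
        (a.dst_net.subnet_of(b.dst_net), b.dst_net.subnet_of(a.dst_net),
         not a.dst_net.overlaps(b.dst_net)),
        (range_subset(a.dst_ports, b.dst_ports), range_subset(b.dst_ports, a.dst_ports),
         range_disjoint(a.dst_ports, b.dst_ports)),
        # Requiring more content strings shrinks the payload set, so inclusion
        # runs the opposite way, and two payload sets are never disjoint here.
        (b.contents <= a.contents, a.contents <= b.contents, False),
    ]
    if any(dis for _, _, dis in checks):
        return "DISJOINT"
    a_in_b = all(sub for sub, _, _ in checks)
    b_in_a = all(sup for _, sup, _ in checks)
    if a_in_b and b_in_a:
        return "EQUAL"
    if a_in_b:
        return "SUBSET"
    if b_in_a:
        return "SUPERSET"
    return "OVERLAP"


# Constructed sample rules (sids and addresses are illustrative only).
SAMPLE_RULES = {
    "R1": 'alert tcp 192.168.1.0/24 any -> 10.0.0.0/8 80 (msg:"a"; content:"GET"; sid:1;)',
    "R2": 'alert tcp any any -> 10.0.0.0/8 80 (msg:"b"; sid:2;)',
    "R3": 'alert udp any any -> 10.0.0.0/8 53 (msg:"c"; sid:3;)',
    "R4": 'alert tcp 192.168.0.0/16 any -> 10.1.0.0/16 80 (content:"GET"; content:"/admin"; sid:4;)',
    "R5": 'pass tcp 192.168.1.0/24 any -> 10.0.0.0/8 80 (content:"GET"; sid:5;)',
}

if __name__ == "__main__":
    parsed = {name: parse_rule(text) for name, text in SAMPLE_RULES.items()}
    for other in ("R2", "R3", "R4", "R5"):
        print(f"R1 vs {other}: {relation(parsed['R1'], parsed[other])}")
```

Running the block prints R1 as a SUBSET of the wider R2, DISJOINT from the UDP rule R3, in OVERLAP with R4 (wider source but narrower destination and extra content), and EQUAL to R5 even though R5's action is `pass`: that last pair is exactly the kind of relation that header-only, action-aware comparison would miss and that a later conflict check needs to see.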


Memo:
Biography: Yin Yi (1978—), female, doctor, lecturer, yi837@hotmail.com.
Foundation item: The National Natural Science Foundation of China (No. 60973122, 61572256).
Citation: Yin Yi, Wang Yun, Takahashi Naohisa. An analysis method of topological relations between Snort rules [J]. Journal of Southeast University (English Edition), 2016, 32(1): 21-28. DOI: 10.3969/j.issn.1003-7985.2016.01.005.
Last Update: 2016-03-20