Conference record number:
3926
Paper title:
Automated Flow-based Rule Generation for Network Intrusion Detection Systems
Authors:
Naser Fallahi, Nfallahi@cse.shirazu.ac.ir, Department of Computer Science and Engineering and IT, Shiraz University, Shiraz, Iran, 7134851154
Ashkan Sami, Sami@cse.shirazu.ac.ir, Department of Computer Science and Engineering and IT, Shiraz University, Shiraz, Iran, 7134851154
Morteza Tajbakhsh, Tajbakhsh@cse.shirazu.ac.ir, Department of Computer Science and Engineering and IT, Shiraz University, Shiraz, Iran, 7134851154
Keywords:
network intrusion detection systems, signature-based detection, automatic rule generation, computer security, data mining algorithms
Conference title:
24th Iranian Conference on Electrical Engineering
Abstract:
Snort is a popular open-source Intrusion Detection System (IDS). Because its rules are updated offline while the network environment changes dynamically, Snort has a low detection rate, especially for new types of attacks. Since the signatures of such attacks are not stored in the system, attackers can intrude without being detected. The aim of this research is to automate rule generation for the system using logs of performed attacks. This approach has been implemented using two data mining algorithms, Ripper and C5.0. Automatic rule generation improves the security of Snort, and attacks are detected better. Five types of attacks, such as Denial of Service and Brute Force, have been investigated in this work and tested on the newly released ISCX 2012 dataset, which is 84.42 Gigabytes in size. By processing the dump, general rules can be generated, along with eight new features derived from the known features of streams. A detection rate of more than 99 percent was obtained for some attacks, which shows the sensible impact of this approach on the Snort software.