Title :
Improving Intrusion Detection System based on Snort rules for network probe attack detection
Author :
Khamphakdee, Nattawat ; Benjamas, Nunnapus ; Saiyod, Saiyan
Author_Institution :
Dept. of Comput. Sci., Khon Kaen Univ., Khon Kaen, Thailand
Abstract :
Data and network security is one of an organization's most important responsibilities, and an organization should find methods to protect its data and network systems in order to reduce the risk from attacks. The Snort Intrusion Detection System (Snort-IDS) is a widely used network security tool for protecting organizational networks. Snort-IDS uses rules to match against packet traffic; when a packet matches a rule, Snort-IDS generates an alert message. However, Snort-IDS contains many rules and also generates a large number of false alerts. In this paper, we present a procedure for improving Snort-IDS rules for network probe attack detection. For the performance evaluation, we used the MIT-DARPA 1999 data set, which contains both normal and abnormal traffic. First, we analyzed and explored the existing Snort-IDS rules in order to design the proposed rules. Second, we used Wireshark to analyze the form of the attack packets in the data set. Finally, the Snort-IDS rules were improved so that they detect the network probe attacks. We classified the attacks into several groups based on the nature of the network probe attack. In addition, we compared the detection efficacy of the updated Snort-IDS rules against the Detection Scoring Truth. The experimental results show that the proposed Snort-IDS rules efficiently detected the network probe attacks relative to the Detection Scoring Truth and achieved higher accuracy. However, some attacks produced more alerts than the Detection Scoring Truth lists, because an attack that occurs several times is recorded in the Detection Scoring Truth as a single event.
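The final comparison step described in the abstract, matching Snort alerts against the Detection Scoring Truth and counting how many alerts each listed attack produced, is shown below as an added example; it is not code from the paper or from the Snort project. The alert lines follow Snort's alert_fast layout but are constructed for illustration, the Snort rule IDs 1000001-1000003 are placeholders in the local-rule range, the attack list is a simplified stand-in for the real DARPA 1999 truth-file format (which this example does not parse), and the 60-second matching slack is an assumed tolerance.

```python
"""
Match Snort alert_fast lines against a list of known attacks (a simplified
stand-in for the DARPA 1999 Detection Scoring Truth) and report, per attack,
whether it was detected and how many alerts it produced. This makes the
over-alerting described in the paper visible: one truth entry, several alerts.
All sample data below is constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Snort alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] ... {proto} src -> dst
# Ports are optional because ICMP alerts carry none.
FAST_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?$"
)


@dataclass
class Alert:
    time: datetime
    sid: int
    msg: str
    src: str
    dst: str


@dataclass
class Attack:
    """One truth entry: identifier, start time, duration, attack name, target host."""
    ident: str
    start: datetime
    duration: timedelta
    name: str
    dst: str
    alerts: list = field(default_factory=list)


def parse_fast_alert(line, year=1999):
    """Parse one alert_fast line; the year is assumed because the format omits it."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return Alert(ts, int(m["sid"]), m["msg"], m["src"], m["dst"])


def score(alerts, attacks, slack=timedelta(seconds=60)):
    """Assign each alert to the first attack whose time window (padded by
    `slack`, an assumed tolerance) contains it and whose target host matches.
    Returns (detected attacks, missed attacks, alerts matching no attack)."""
    unmatched = []
    for a in alerts:
        for atk in attacks:
            window_end = atk.start + atk.duration + slack
            if atk.dst == a.dst and atk.start - slack <= a.time <= window_end:
                atk.alerts.append(a)
                break
        else:
            unmatched.append(a)
    detected = [atk for atk in attacks if atk.alerts]
    missed = [atk for atk in attacks if not atk.alerts]
    return detected, missed, unmatched


# Constructed alert_fast lines (placeholder SIDs 1000001-1000003).
SAMPLE_ALERTS = """
03/29-08:44:23.123456  [**] [1:1000001:1] PROBE portsweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.112.50:40000 -> 172.16.114.50:22
03/29-08:44:24.223456  [**] [1:1000001:1] PROBE portsweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.112.50:40001 -> 172.16.114.50:23
03/29-08:44:25.323456  [**] [1:1000001:1] PROBE portsweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.112.50:40002 -> 172.16.114.50:80
03/29-09:10:05.000000  [**] [1:1000002:1] PROBE ICMP ping sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 172.16.112.50 -> 172.16.112.20
03/29-11:30:00.000000  [**] [1:1000003:1] PROBE stray SYN [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 172.16.112.50:40500 -> 172.16.114.50:443
"""


def sample_attacks():
    """Constructed truth entries; the real DARPA 1999 file has a richer layout."""
    d = datetime(1999, 3, 29)
    return [
        Attack("1", d.replace(hour=8, minute=44), timedelta(seconds=120), "portsweep", "172.16.114.50"),
        Attack("2", d.replace(hour=9, minute=10), timedelta(seconds=30), "ipsweep", "172.16.112.20"),
        Attack("3", d.replace(hour=10, minute=0), timedelta(seconds=5), "satan", "172.16.113.204"),
    ]


def run_example():
    """Score the constructed alerts against the constructed truth entries."""
    alerts = [a for a in map(parse_fast_alert, SAMPLE_ALERTS.strip().splitlines()) if a]
    detected, missed, unmatched = score(alerts, sample_attacks())
    return {
        "detected": [atk.ident for atk in detected],
        "missed": [atk.ident for atk in missed],
        "unmatched": len(unmatched),
        "alerts_per_attack": {atk.ident: len(atk.alerts) for atk in detected},
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Counting alerts per truth entry rather than alerts alone is what separates "the rule fired three times" from "the rule found three attacks": attack 1 is one truth entry hit by three alerts, which is exactly the discrepancy the abstract reports. Any alert that lands outside every attack window is reported separately as a candidate false positive rather than silently dropped.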
Keywords :
computer network security; data analysis; MIT-DARPA; Snort intrusion detection system; Snort-IDS; Wireshark software; abnormal traffic; alert messages; data packet analysis; data packet traffic matching; detection scoring truth; false alerts; network probe attack detection; network protection; network system security; normal traffic; performance evaluation; Communication networks; Intrusion detection; Ports (Computers); Probes; Protocols; Intrusion Detection System (IDS); Network Security; Network probe attack; Snort-IDS rule;
Conference_Titel :
Information and Communication Technology (ICoICT), 2014 2nd International Conference on
Conference_Location :
Bandung
DOI :
10.1109/ICoICT.2014.6914042