• DocumentCode
    3359180
  • Title
    Automatic creation of models for network intrusion detection
  • Author
    Määttä, Marko ; Räty, Tomi
  • Author_Institution
    VTT Tech. Res. Centre of Finland, Oulu, Finland
  • fYear
    2012
  • fDate
    11-13 Jan. 2012
  • Firstpage
    231
  • Lastpage
    237
  • Abstract
    This paper proposes a tool which can create models for network intrusion detection. The created models are stored in Extensible Mark-up Language (XML) notation, which describes packet-level details such as protocol header information, and in Message Sequence Chart (MSC) notation, which is used for describing scenario information of network activities, for example a port scan with a vulnerability exploitation attempt. The proposed tool will utilize Snort rules in the model creation process, where a Snort rule is transformed into XML and MSC models. Besides Snort rules, the proposed tool is able to utilize network traffic traces stored in a packet capture format (Pcap). These traces may contain a diverse set of network activities that are relevant to gaining unauthorized access to computer systems or networks. Using these traces, the proposed tool can create XML and MSC models that depict the malicious activities. The experimental utilization of the proposed tool will indicate that the XML and MSC models can be created quickly and automatically from two separate sources, and this will reduce the amount of manual work required in the modelling process.
  • Keywords
    XML; computer network security; telecommunication traffic; MSC model; Snort rules; XML notation; computer network; computer system; extensible mark-up language notation; message sequence chart notation; network activity; network intrusion detection model; network traffic trace; packet capture format; protocol header information; unauthorized access; vulnerability exploitation attempt; Analytical models; Generators; IP networks; Intrusion detection; Protocols; Unified modeling language; XML; MSC; Modelling; Pcap; Snort rule; XML; network intrusion detection;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Computing, Communications and Applications Conference (ComComAp), 2012
  • Conference_Location
    Hong Kong
  • Print_ISBN
    978-1-4577-1717-8
  • Type
    conf
  • DOI
    10.1109/ComComAp.2012.6154805
  • Filename
    6154805