DocumentCode :
3656769
Title :
A cloud-based architecture for network attack signature learning
Author :
Omessaad Hamdi;Maïssa Mbaye;Francine Krief
Author_Institution :
University of Carthage, SUPCOM, Tunisia
fYear :
2015
fDate :
7/1/2015 12:00:00 AM
Firstpage :
1
Lastpage :
5
Abstract :
An Intrusion Detection System (IDS) is an essential component of the network security infrastructure. It detects malicious activities by monitoring network traffic. There are two main classes of IDS: anomaly-based IDS and signature-based IDS. An important challenge for signature-based IDS is automating attack signature writing from traffic logs, which can be very hard for a human administrator. In this paper, we propose a solution addressing this challenge. We propose a cloud-based signature learning service using Inductive Logic Programming (ILP). The learning service generates rules that describe properties shared by packets labelled as malicious and that do not cover normal packets. The system uses background knowledge composed of predicates used to describe network attack signatures. The cloud architecture of our IDS enables it to have specialized nodes. Preliminary experiments show that the proposed system is able to reproduce SNORT signatures automatically.
Keywords :
"Cloud computing","Intrusion detection","Grammar","Logic programming","Databases","IP networks","Protocols"
Publisher :
IEEE
Conference_Title :
New Technologies, Mobility and Security (NTMS), 2015 7th International Conference on
Type :
conf
DOI :
10.1109/NTMS.2015.7266461
Filename :
7266461