Title :
A Method for Deriving and Testing Malicious Behavior Detection Rules
Author :
Raimo Hilden; Hätönen
Author_Institution :
IAM Consulting, Trusteq, Espoo, Finland
Abstract :
The internet is riddled with numerous malware and other threats. This puts the limited resources of network security devices, such as firewalls and intrusion detection systems, under growing stress. They have to cope with increasing network traffic and manage numerous detection rules for threatening traffic. Creating a covering set of detection rules manually is a slow and tedious process. In this paper, we present a method to automatically create detection rules for an intrusion detection system from interaction signatures of known malware. Our method maintains information integrity and reports potential issues during the derivation process. The method was tested with HTTP traffic generated from known malware signatures, using Snort as the IDS rule engine.
Keywords :
"Redundancy","Testing","Malware","Telecommunication traffic","Syntactics","Intrusion detection","Optimization"
Conference_Title :
Trustcom/BigDataSE/ISPA, 2015 IEEE
DOI :
10.1109/Trustcom.2015.527