Abstract
Intrusion prevention systems are widely used as one of the core security services deployed by the majority of contemporary organizations. Although simple in operation, they tend to be difficult to configure, because the wide range of vendors use different algorithms to implement intrusion prevention system security policies. The most popular, rule-based representation of intrusion prevention system security policies frequently suffers from redundant, conflicting and deficient security rules, which may lead to confusion and misconfigurations. This article introduces and presents the intrusion prevention system decision diagram as a new and formal representation of signature-based intrusion prevention system security policies. It is shown that in this diagram the issue of redundant, conflicting and deficient security rules is fully eliminated. Thanks to its tree-based structure, the intrusion prevention system decision diagram is also well suited for use in privacy-preserving solutions for cloud-based security services. Finally, with fewer computationally expensive pattern-matching operations, the intrusion prevention system decision diagram is a better performing packet examination engine than the rule-based engine. This finding was confirmed by experimental results.
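As an added illustration of the idea in the abstract (not code from the paper, whose exact diagram construction is not reproduced here), the following Python builds a simplified decision diagram over the header fields of a constructed set of Snort-style signature rules, reports the redundant and conflicting rules that such a diagram cannot hold, and counts how many payload pattern matches a linear rule-based engine and the diagram-based engine each perform on the same packet. The rule format, field names and two-level split (protocol, then destination port) are assumptions for this example.

```python
from collections import defaultdict

# Constructed sample signature rules (not from the paper): header fields plus a
# payload pattern and an action, in the spirit of Snort-style rules.
RULES = [
    {"proto": "tcp", "dport": 80,  "content": "/etc/passwd", "action": "drop"},
    {"proto": "tcp", "dport": 80,  "content": "<script>",    "action": "drop"},
    {"proto": "tcp", "dport": 80,  "content": "<script>",    "action": "alert"},  # conflicts with the rule above
    {"proto": "tcp", "dport": 443, "content": "/etc/passwd", "action": "drop"},
    {"proto": "udp", "dport": 53,  "content": "\x00\x00\x29", "action": "alert"},
    {"proto": "udp", "dport": 53,  "content": "\x00\x00\x29", "action": "alert"},  # exact duplicate (redundant)
]

def build_diagram(rules):
    """Build a two-level decision diagram: proto -> dport -> {content: action}.
    Returns the diagram plus the redundant and conflicting rules found while
    inserting; neither kind can exist inside the diagram itself."""
    diagram = defaultdict(lambda: defaultdict(dict))
    redundant, conflicting = [], []
    for r in rules:
        leaf = diagram[r["proto"]][r["dport"]]
        if r["content"] in leaf:
            # Same header fields and pattern already present: either a duplicate
            # (same action) or a conflict (different action). First rule wins,
            # mirroring ordered rule evaluation.
            (redundant if leaf[r["content"]] == r["action"] else conflicting).append(r)
            continue
        leaf[r["content"]] = r["action"]
    return diagram, redundant, conflicting

def examine_linear(rules, pkt):
    """Rule-based engine: walk the rule list in order and test the payload
    pattern of every rule whose header fields match. Returns (action, ops)."""
    ops = 0
    for r in rules:
        if r["proto"] == pkt["proto"] and r["dport"] == pkt["dport"]:
            ops += 1
            if r["content"] in pkt["payload"]:
                return r["action"], ops
    return "pass", ops

def examine_diagram(diagram, pkt):
    """Diagram-based engine: header fields select one leaf, and only that
    leaf's (de-duplicated) patterns are tested. Returns (action, ops)."""
    leaf = diagram.get(pkt["proto"], {}).get(pkt["dport"], {})
    ops = 0
    for pattern, action in leaf.items():
        ops += 1
        if pattern in pkt["payload"]:
            return action, ops
    return "pass", ops
```

For a benign udp/53 packet the linear engine tests both duplicate DNS rules (2 pattern matches) while the diagram tests one, and the conflicting tcp/80 rule is surfaced at build time instead of silently losing to rule order.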
Copyright information
© 2017 Springer International Publishing AG
Cite this paper
Kurek, T., Niemiec, M., Lason, A., Pach, A.R. (2017). Intrusion Prevention System Decision Diagram in Security-as-a-Service Solutions. In: Dziech, A., Czyżewski, A. (eds) Multimedia Communications, Services and Security. MCSS 2017. Communications in Computer and Information Science, vol 785. Springer, Cham. https://doi.org/10.1007/978-3-319-69911-0_4
DOI: https://doi.org/10.1007/978-3-319-69911-0_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-69910-3
Online ISBN: 978-3-319-69911-0
eBook Packages: Computer Science (R0)