Intrusion Prevention System Decision Diagram in Security-as-a-Service Solutions

  • Conference paper
Multimedia Communications, Services and Security (MCSS 2017)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 785)


Abstract

Intrusion prevention systems are widely used as one of the core security services deployed by the majority of contemporary organizations. Although simple in operation, they tend to be difficult to configure due to the wide range of vendors using different algorithms to implement intrusion prevention system security policies. The most popular, rule-based representation of intrusion prevention system security policies frequently suffers from redundant, conflicting and deficient security rules which may lead to confusion and misconfigurations. This article introduces and presents the intrusion prevention system decision diagram as a new and formal representation of signature-based intrusion prevention system security policies. It is shown that in this diagram the issue of redundant, conflicting and deficient security rules is fully eliminated. Thanks to a tree-based structure the intrusion prevention system decision diagram is also well suited for use in privacy-preserving solutions for cloud-based security services. Finally, with fewer computationally-expensive pattern-matching operations, the intrusion prevention system decision diagram is a better performing packet examination engine than the rule-based engine. This finding was confirmed by experimental results.
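As an added illustration of the abstract's argument (not code from the paper, and a deliberate simplification of its diagram), the following constructs a hypothetical one-level decision diagram that branches on a single header field (destination port) and keeps content patterns at the leaves. Building the diagram rejects duplicate (redundant) and contradictory (conflicting) rules, and the packet examination paths count how many content searches each engine performs; the rule set, ports and payloads are constructed sample data.

```python
# Added example: hypothetical, simplified decision diagram for signature-based
# IPS rules. Not the paper's own structure; constructed sample data throughout.
from collections import defaultdict

# Constructed rules: (dst_port, content pattern, action). Indices 3 and 4 are
# planted defects: a redundant duplicate and a conflicting action.
RULES = [
    (80, b"/etc/passwd", "drop"),
    (80, b"<script>", "drop"),
    (21, b"USER anonymous", "alert"),
    (80, b"/etc/passwd", "drop"),     # redundant: duplicates rule 0
    (21, b"USER anonymous", "drop"),  # conflicting: same match as rule 2
    (443, b"", "pass"),
]

def build_diagram(rules):
    """Branch on dst_port; each leaf maps content pattern -> action.
    Returns (diagram, redundant_idx, conflicting_idx): the diagram can hold
    only one action per (port, pattern) path, so duplicates and contradictions
    are detected at build time instead of surviving into the policy."""
    diagram = defaultdict(dict)
    redundant, conflicting = [], []
    for i, (port, pattern, action) in enumerate(rules):
        leaf = diagram[port]
        if pattern in leaf:
            (redundant if leaf[pattern] == action else conflicting).append(i)
            continue
        leaf[pattern] = action
    return diagram, redundant, conflicting

def match_rules(rules, dst_port, payload):
    """Rule-based engine: first-match scan over the ordered rule list.
    Returns (action, number of content searches performed)."""
    searches = 0
    for port, pattern, action in rules:
        if port != dst_port:
            continue
        searches += 1                 # one pattern-matching operation
        if pattern in payload:
            return action, searches
    return "pass", searches

def match_diagram(diagram, dst_port, payload):
    """Decision-diagram engine: one branch lookup on the header field, then
    only the patterns stored at that leaf are searched."""
    searches = 0
    for pattern, action in diagram.get(dst_port, {}).items():
        searches += 1
        if pattern in payload:
            return action, searches
    return "pass", searches
```

For a port-80 request that matches nothing, the ordered rule list performs three content searches (the duplicate rule is searched again) while the diagram performs two; a real diagram would branch on several header fields, so the saving grows with policy size.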



Corresponding author: Tytus Kurek


Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Kurek, T., Niemiec, M., Lason, A., Pach, A.R. (2017). Intrusion Prevention System Decision Diagram in Security-as-a-Service Solutions. In: Dziech, A., Czyżewski, A. (eds) Multimedia Communications, Services and Security. MCSS 2017. Communications in Computer and Information Science, vol 785. Springer, Cham. https://doi.org/10.1007/978-3-319-69911-0_4


  • DOI: https://doi.org/10.1007/978-3-319-69911-0_4


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-69910-3

  • Online ISBN: 978-3-319-69911-0

  • eBook Packages: Computer Science (R0)
