A novel hybrid-based approach of snort automatic rule generator and security event correlation (SARG-SEC)

Ebrima Jaw; Xueming Wang

doi:10.7717/peerj-cs.900

A novel hybrid-based approach of snort automatic rule generator and security event correlation (SARG-SEC)

PeerJ Comput Sci. 2022 Mar 2:8:e900. doi: 10.7717/peerj-cs.900. eCollection 2022.

Authors

Ebrima Jaw^{1

2}, Xueming Wang¹

Affiliations

¹ College of Computer Science and Technology, Guizhou University, Guiyang, Guizhou, China.
² School of Information Technology and Communication, University of The Gambia (UTG), Banjul, Peace Building, Kanifing, The Gambia.

Abstract

The rapid advanced technological development alongside the Internet with its cutting-edge applications has positively impacted human society in many aspects. Nevertheless, it equally comes with the escalating privacy and critical cybersecurity concerns that can lead to catastrophic consequences, such as overwhelming the current network security frameworks. Consequently, both the industry and academia have been tirelessly harnessing various approaches to design, implement and deploy intrusion detection systems (IDSs) with event correlation frameworks to help mitigate some of these contemporary challenges. There are two common types of IDS: signature and anomaly-based IDS. Signature-based IDS, specifically, Snort works on the concepts of rules. However, the conventional way of creating Snort rules can be very costly and error-prone. Also, the massively generated alerts from heterogeneous anomaly-based IDSs is a significant research challenge yet to be addressed. Therefore, this paper proposed a novel Snort Automatic Rule Generator (SARG) that exploits the network packet contents to automatically generate efficient and reliable Snort rules with less human intervention. Furthermore, we evaluated the effectiveness and reliability of the generated Snort rules, which produced promising results. In addition, this paper proposed a novel Security Event Correlator (SEC) that effectively accepts raw events (alerts) without prior knowledge and produces a much more manageable set of alerts for easy analysis and interpretation. As a result, alleviating the massive false alarm rate (FAR) challenges of existing IDSs. Lastly, we have performed a series of experiments to test the proposed systems. It is evident from the experimental results that SARG-SEC has demonstrated impressive performance and could significantly mitigate the existing challenges of dealing with the vast generated alerts and the labor-intensive creation of Snort rules.

Keywords: Alert Correlation; Alert Prioritization; Alerts; Auto-generated rules; COTIME; Intrusion Detection System; SARG; SEC; Snort.

Grants and funding

The authors received no funding for this work.