Show simple item record

dc.contributor.authorDíaz Verdejo, Jesús Esteban
dc.identifier.citationDíaz-Verdejo, J... [et al.]. On the Detection Capabilities of Signature-Based Intrusion Detection Systems in the Context ofWeb Attacks. Appl. Sci. 2022, 12, 852. []es_ES
dc.descriptionThis work has been partly funded by the research grant PID2020-115199RB-I00 provided by the Spanish ministry of Industry under the contract MICIN/AEI/10.13039/501100011033, and also by FEDER/Junta de Andalucia-Consejeria de Transformacion Economica, Industria, Conocimiento y Universidades under project PYC20-RE-087-USE.es_ES
dc.description.abstractSignature-based Intrusion Detection Systems (SIDS) play a crucial role within the arsenal of security components of most organizations. They can find traces of known attacks in the network traffic or host events for which patterns or signatures have been pre-established. SIDS include standard packages of detection rulesets, but only those rules suited to the operational environment should be activated for optimal performance. However, some organizations might skip this tuning process and instead activate default off-the-shelf rulesets without understanding its implications and trade-offs. In this work, we help gain insight into the consequences of using predefined rulesets in the performance of SIDS. We experimentally explore the performance of three SIDS in the context of web attacks. In particular, we gauge the detection rate obtained with predefined subsets of rules for Snort, ModSecurity and Nemesida using seven attack datasets. We also determine the precision and rate of alert generated by each detector in a real-life case using a large trace from a public webserver. Results show that the maximum detection rate achieved by the SIDS under test is insufficient to protect systems effectively and is lower than expected for known attacks. Our results also indicate that the choice of predefined settings activated on each detector strongly influences its detection capability and false alarm rate. Snort and ModSecurity scored either a very poor detection rate (activating the less-sensitive predefined ruleset) or a very poor precision (activating the full ruleset). We also found that using various SIDS for a cooperative decision can improve the precision or the detection rate, but not both. Consequently, it is necessary to reflect upon the role of these open-source SIDS with default configurations as core elements for protection in the context of web attacks. Finally, we provide an efficient method for systematically determining which rules deactivate from a ruleset to significantly reduce the false alarm rate for a target operational environment. We tested our approach using Snort’s ruleset in our real-life trace, increasing the precision from 0.015 to 1 in less than 16 h of work.es_ES
dc.description.sponsorshipSpanish Government PID2020-115199RB-I00 MICIN/AEI/10.13039/501100011033es_ES
dc.description.sponsorshipFEDER/Junta de Andalucia-Consejeria de Transformacion Economica, Industria, Conocimiento y Universidades PYC20-RE-087-USEes_ES
dc.rightsAtribución 3.0 España*
dc.subjectIntrusion detectiones_ES
dc.subjectSignature-based IDSes_ES
dc.subjectSIDS rules filteringes_ES
dc.subjectWeb SIDSes_ES
dc.titleOn the Detection Capabilities of Signature-Based Intrusion Detection Systems in the Context of Web Attackses_ES

Files in this item


This item appears in the following Collection(s)

Show simple item record

Atribución 3.0 España
Except where otherwise noted, this item's license is described as Atribución 3.0 España