SnIPS: Snort Intrusion Analysis using Proof Strengthening
Snort is a widely used network-based intrusion detection system (IDS). It works by comparing each network packet against a set of pre-defined signatures (Snort rules) that specify patterns often associated with malicious activity. However, there is a semantic gap between what Snort captures (packet patterns) and what a user really wants to know (malicious activity), and the connection between the two is not always certain. As a result, the user is often overwhelmed by the many alerts Snort emits, a large fraction of which are false positives for malicious activity. As a Snort user, you need direct answers to questions like "which machines are highly likely to be compromised?" and "how can such a conclusion be drawn from the alerts?". SnIPS is an automated reasoning tool designed to answer these questions.
SnIPS works by mapping each Snort alert to a logic predicate describing the condition a user actually cares about (e.g. "machine compromised"), along with a tag indicating the strength of belief that the alert justifies. The tagged conditions are then reasoned about together: beliefs with strong, corroborating evidence from independent alerts are distinguished from those resting on a single weak piece of evidence, yielding high-confidence correlation graphs that show which alerts support which conclusion. SnIPS can handle Snort alerts coming from multiple sources to detect multi-stage attacks in a network. It is also extensible: both the alert-to-predicate mapping and the reasoning model can be changed by the user to enhance its reasoning capability.
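The two steps described above (mapping alerts to tagged predicates, then combining the tags so that corroborating evidence strengthens a belief) can be sketched in a few dozen lines. The following Python is an added illustration written for this page; it is not SnIPS' own code, which is not shown here. The three-level tag set (p/l/c for possible/likely/certain), the SID-to-predicate mapping table, the strengthening rule ("two independent 'likely' supports from different Snort rules make a 'certain'") and the alert lines are all constructed assumptions for the example; only the Snort "fast" alert line format is real.

```python
"""Toy alert-to-predicate mapping and proof strengthening, SnIPS-style.

Added example, not SnIPS' own code. Tag set, MAPPING, the strengthening
rule and SAMPLE_ALERTS are all constructed for illustration.
"""
import re
from collections import defaultdict

# Belief tags ordered weakest to strongest (an assumption for this example).
TAGS = ("p", "l", "c")        # possible, likely, certain
RANK = {t: i for i, t in enumerate(TAGS)}

# Hypothetical mapping: Snort SID -> (predicate, alert fields that become
# its arguments, belief that one alert of that kind justifies on its own).
MAPPING = {
    1000001: ("compromised", ("dst",), "l"),  # exploit payload sent to dst
    1000002: ("compromised", ("src",), "l"),  # IRC bot traffic leaving src
    1000003: ("compromised", ("src",), "p"),  # port scan from src: weak signal
}

# Constructed sample alerts in Snort "fast" output format (IPv4 only here).
SAMPLE_ALERTS = """\
03/02-10:15:21.000000  [**] [1:1000001:1] EXPLOIT attempt [**] [Priority: 1] {TCP} 203.0.113.9:4444 -> 10.0.0.5:445
03/02-10:16:02.000000  [**] [1:1000002:1] IRC bot join [**] [Priority: 2] {TCP} 10.0.0.5:50123 -> 198.51.100.7:6667
03/02-10:17:40.000000  [**] [1:1000003:1] SCAN nmap [**] [Priority: 3] {TCP} 10.0.0.8:61000 -> 10.0.0.9:22
03/02-10:18:05.000000  [**] [1:1000999:1] POLICY unmapped rule [**] [Priority: 3] {TCP} 10.0.0.8:61001 -> 10.0.0.9:80
"""

# gid:sid:rev, message, protocol, src[:port] -> dst[:port]
FAST_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[^\s:]+)(?::\d+)? -> (?P<dst>[^\s:]+)(?::\d+)?\s*$"
)


def parse_fast(text):
    """Parse Snort fast-format alert lines into dicts; skip unparseable lines."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.search(line)
        if m:
            a = m.groupdict()
            a["sid"] = int(a["sid"])
            alerts.append(a)
    return alerts


def map_alerts(alerts):
    """Step 1: translate each alert into (predicate, tag, supporting alert).

    An alert whose SID has no entry in MAPPING carries no meaning for the
    reasoner, so it is dropped rather than guessed at."""
    facts = []
    for a in alerts:
        if a["sid"] not in MAPPING:
            continue
        pred, arg_fields, tag = MAPPING[a["sid"]]
        key = (pred, tuple(a[f] for f in arg_fields))
        facts.append((key, tag, a))
    return facts


def strengthen(facts):
    """Step 2: combine all tagged facts about the same predicate.

    Toy strengthening rule (an assumption, not SnIPS' exact rule): the
    belief starts at the strongest single piece of evidence; two or more
    'likely'-or-better supports from *different* Snort rules corroborate
    each other and raise it to 'certain'. Repeats of one rule do not."""
    support = defaultdict(list)
    for key, tag, alert in facts:
        support[key].append((tag, alert))
    beliefs = {}
    for key, evidence in support.items():
        tag = max((t for t, _ in evidence), key=RANK.__getitem__)
        independent = {a["sid"] for t, a in evidence if RANK[t] >= RANK["l"]}
        if len(independent) >= 2:
            tag = "c"
        beliefs[key] = {
            "tag": tag,
            "evidence": [(a["sid"], a["msg"], a["src"], a["dst"]) for _, a in evidence],
        }
    return beliefs


def analyze(text):
    """Full pipeline: raw alert text -> {predicate: {tag, evidence}}."""
    return strengthen(map_alerts(parse_fast(text)))


if __name__ == "__main__":
    for (pred, args), b in sorted(analyze(SAMPLE_ALERTS).items()):
        print(f"{pred}{args} [{b['tag']}] <- {b['evidence']}")
```

Running it, 10.0.0.5 comes out as compromised with tag c because the inbound exploit alert and the outbound IRC alert are independent rules pointing at the same conclusion, while 10.0.0.8 stays at p on the strength of a single scan alert; the evidence list attached to each belief is the raw material of the correlation graph. The unmapped SID 1000999 is parsed but derives nothing, which is the point of the mapping step: an alert with no semantic interpretation should not raise anyone's belief.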
SnIPS is still research in progress. We are releasing this version here in the hope that the security community will find it useful and help us improve the technology. Please do not hesitate to contact us at snips-feedback [AT] projects.cis.ksu.edu to share your experience of using SnIPS or to report problems, comments and suggestions. If you are interested in the more technical aspects of the tool, you may want to read these papers:
- An empirical approach to modeling uncertainty in intrusion analysis. Xinming Ou, S. Raj Rajagopalan, and Sakthiyuvaraja Sakthivelmurugan. In Annual Computer Security Applications Conference (ACSAC), Honolulu, Hawaii, USA, Dec 2009.
- Practical IDS alert correlation in the face of dynamic threats. Sathya Chandran Sundaramurthy, Loai Zomlot, and Xinming Ou. In The 2011 International Conference on Security and Management (SAM'11), Las Vegas, USA, July 2011.
- Prioritizing intrusion analysis using Dempster-Shafer theory. Loai Zomlot, Sathya Chandran Sundaramurthy, Kui Luo, Xinming Ou, and S. Raj Rajagopalan. In 4th ACM Workshop on Artificial Intelligence and Security (AISec), Chicago, USA, Oct 2011.
Release Notes
- SnIPS 1.0 was released on Jan 30, 2012.