Abstract:
Snort is a lightweight, open source, rule-based intrusion detection system.
Traditionally, malicious traffic is recognized by a set of rules written manually
by an expert. In this thesis, we develop a different approach: the automatic
generation of Snort rules. The basic idea is to apply frequent pattern mining
algorithms to traffic data in order to extract a set of rules that characterize
attack packets. We design a framework consisting of a preprocessing phase and a
frequent pattern mining phase. We use the LBLN dataset and two classes of mining
algorithms: all-frequent-pattern miners (Apriori, FPGrowth, FIN) and a
maximal-frequent-pattern miner (FPMax), as implemented in the SPMF library.
Experiments on both Linux and Windows show that the quality of the generated rules
is sensitive to the minimum support value. The best result is reached with the FIN
algorithm, with an accuracy of 0.75 when the minimum support is equal to 0.4. ...
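The following is an added illustration of the pipeline the abstract describes, written for this page; it is not the thesis's framework and does not use the SPMF library (which is Java). It reimplements a small Apriori-style miner, keeps only maximal patterns (the kind of output FPMax produces), renders each pattern as a Snort rule, and scores the rules by accuracy against a constructed labelled set so that the dependence on the minimum support can be seen. The packet feature names (proto, dport, flags, dsize, ttl), their values and the LBLN-like labelling are all assumptions made for the example.

```python
"""Added example: mine frequent feature patterns from labelled attack packets
(Apriori-style, with FPMax-style maximal filtering) and render them as Snort
rules. Written for this page; not the thesis's framework or SPMF code."""
from itertools import combinations

# Constructed sample records (values are made up). Each packet is a set of
# "feature=value" items, the transaction form that frequent pattern miners
# expect. Only header fields are used so that they map onto Snort options.
ATTACK_PACKETS = [
    {"proto=tcp", "dport=445", "flags=S", "dsize=60", "ttl=64"},
    {"proto=tcp", "dport=445", "flags=S", "dsize=60", "ttl=128"},
    {"proto=tcp", "dport=445", "flags=S", "dsize=52", "ttl=64"},
    {"proto=tcp", "dport=445", "flags=SA", "dsize=60", "ttl=64"},
    {"proto=udp", "dport=53", "dsize=512", "ttl=64"},
]
BENIGN_PACKETS = [
    {"proto=tcp", "dport=443", "flags=S", "dsize=60", "ttl=64"},
    {"proto=tcp", "dport=445", "flags=PA", "dsize=200", "ttl=128"},
    {"proto=udp", "dport=53", "dsize=40", "ttl=64"},
    {"proto=tcp", "dport=80", "flags=S", "dsize=60", "ttl=64"},
    {"proto=tcp", "dport=445", "flags=S", "dsize=60", "ttl=64"},  # legitimate SMB SYN
]


def frequent_itemsets(transactions, min_support):
    """Level-wise Apriori: return {itemset: relative support} for every
    itemset whose support is >= min_support (a fraction of the records)."""
    n = len(transactions)

    def support(items):
        return sum(1 for t in transactions if items <= t) / n

    current = {frozenset([i]) for t in transactions for i in t}
    current = {c: s for c in current if (s := support(c)) >= min_support}
    frequent = dict(current)
    k = 1
    while current:
        candidates = set()
        for a, b in combinations(current, 2):
            u = a | b
            # join step: two k-itemsets sharing k-1 items give a (k+1)-itemset;
            # prune step: every k-subset must itself be frequent
            if len(u) == k + 1 and all(
                frozenset(s) in current for s in combinations(u, k)
            ):
                candidates.add(u)
        current = {}
        for c in candidates:
            s = support(c)
            if s >= min_support:
                current[c] = s
        frequent.update(current)
        k += 1
    return frequent


def maximal_patterns(frequent):
    """FPMax-style output: drop any frequent itemset that has a frequent
    proper superset, leaving the most specific characterizations."""
    return {p: s for p, s in frequent.items()
            if not any(p < q for q in frequent)}


def to_snort_rule(pattern, sid):
    """Render one pattern as a Snort rule. Only the feature names used above
    are mapped; any other feature would need its own option mapping."""
    kv = dict(item.split("=", 1) for item in pattern)
    proto = kv.get("proto", "ip")
    dport = kv.get("dport", "any")
    opts = [f'msg:"auto-mined pattern {sid}"']
    if "flags" in kv:
        opts.append(f"flags:{kv['flags']}")
    if "dsize" in kv:
        opts.append(f"dsize:{kv['dsize']}")
    if "ttl" in kv:
        opts.append(f"ttl:{kv['ttl']}")
    opts += [f"sid:{sid}", "rev:1"]
    return f"alert {proto} any any -> any {dport} ({'; '.join(opts)};)"


def mine_rules(attack_packets, min_support, base_sid=1000000):
    """Full pipeline: frequent -> maximal -> rules (sorted for determinism)."""
    patterns = maximal_patterns(frequent_itemsets(attack_packets, min_support))
    ordered = sorted(patterns, key=sorted)
    return [to_snort_rule(p, base_sid + i + 1) for i, p in enumerate(ordered)]


def accuracy(attack_packets, benign_packets, min_support):
    """A packet is flagged when any maximal pattern is a subset of its items.
    Accuracy = (TP + TN) / total, the metric the thesis reports."""
    patterns = maximal_patterns(frequent_itemsets(attack_packets, min_support))

    def flagged(pkt):
        return any(p <= pkt for p in patterns)

    tp = sum(flagged(p) for p in attack_packets)
    tn = sum(not flagged(p) for p in benign_packets)
    return (tp + tn) / (len(attack_packets) + len(benign_packets))


if __name__ == "__main__":
    for rule in mine_rules(ATTACK_PACKETS, 0.4):
        print(rule)
    for ms in (0.2, 0.4, 0.6, 0.8):
        print(f"min_support={ms}: accuracy="
              f"{accuracy(ATTACK_PACKETS, BENIGN_PACKETS, ms):.2f}")
```

On this constructed data a minimum support of 0.4 yields three maximal patterns, all of the form "tcp to port 445 plus two of {SYN flag, dsize 60, ttl 64}"; raising the support to 0.8 collapses them to "tcp to port 445" and "ttl 64", which match most benign traffic as well, while lowering it to 0.2 makes every distinct attack packet its own pattern. That is the support sensitivity the abstract reports, and it is also why mined patterns have to be scored against labelled benign traffic before they become rules: the miner only sees what is frequent among attacks, not what is rare among everything else.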