Cyber Security Lab

SnIPS: Snort Intrusion Analysis using Proof Strengthening

Snort is a widely used network-based intrustion detection system (IDS). It works by comparing a network packet with a set of pre-defined signatures (Snort rules) which specify certain patterns often associated with malicious activities. However, there is a semantic gap between what Snort captures (packet patterns) and what a user really wants to know (malicious activities), and the connection between the two is not always certain. As a result, the user is often confounded by the many alerts emanated from Snort, many of which are false positives for malicious activities. As a Snort user, you need direct answers to questions like "what machines are highly likely to be compromised" and "how such conclusions can be drawn from the alerts". SnIPS is an automated reasoning tool designed to answer these questions.

SnIPS works by mapping a Snort alert into a logic predicate describing the condition a user really cares about (e.g. machine compromised), along with a tag indicating the strength of the belief. The tagged conditions are reasoned about together and beliefs with strong corroborative evidential support are distinguished from those with only mediocre evidence, yielding high-confidence correlation graphs. It can handle Snort alerts coming from multiple sources to detect multi-stage attacks in a network. It is also extensible: both the mapping and the reasoning model can be changed by the user to enhance its reasoning capability.

SnIPS is still research in progress. We released this version here with the hope that the security community can find it useful and also help us improve the technology. Thus please do not hesitate to contact us at snips-feedback at projects.cis.ksu.edu if you want to share with us your experience of using SnIPS and report any problems, comments, and suggestions. If you are interested in more technical aspects of the tool, you may want to read these papers:

• An empirical approach to modeling uncertainty in intrusion analysis. Xinming Ou, S. Raj Rajagopalan, and Sakthiyuvaraja Sakthivelmurugan. Annual Computer Security Applications Conference (ACSAC), Honolulu, Hawaii, USA, Dec 2009.
• Practical IDS alert correlation in the face of dynamic threats. Sathya Chandran Sundaramurthy, Loai Zomlot, and Xinming Ou. In The 2011 International Conference on Security and Management (SAM'11), Las Vegas, USA, July 2011.
• Prioritizing intrusion analysis using dempster-shafer theory. Loai Zomlot, Sathya Chandran Sundaramurthy, Kui Luo, Xinming Ou, and S. Raj Rajagopalan. In 4TH ACM Workshop on Artificial Intelligence and Security (AISec), Chicago, USA, Oct. 2011.

• SnIPS v1.0 was released on Jan 30, 2012.

• Dr. Ximing (Simon) Ou
• Dr. Loai Zomlot
• Sathya Chandran Sundaramurthy
• Sakthiyuvaraja Sakthivelmurugan
• Tsung-Hsi Wu

The materials presented in this web page are based upon work partially supported by the National Science Foundation under Grant No. 0716665, 0954138, and 1018703, by Air Force Office of Scientific Research under award No. FA9550-09-1-0138, and by HP Labs Innovation Research Program. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsors.