Ruling the Unruly: Designing Effective, Low-Noise Network Intrusion Detection Rules for Security Operations Centers

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

41 Downloads (Pure)

Abstract

Many Security Operations Centers (SOCs) today still heavily rely on signature-based Network Intrusion Detection Systems (NIDS) such as Suricata. The specificity of intrusion detection rules and the coverage provided by rulesets are common concerns within the professional community surrounding SOCs, which impact the effectiveness of automated alert post-processing approaches. We postulate a better understanding of factors influencing the quality of rules can help address current SOC issues. In this paper, we characterize the rules in use at a collaborating commercial (managed) SOC serving customers in sectors including education and IT management. During this process, we discover six relevant design principles, which we consolidate through interviews with experienced rule designers at the SOC.We then validate our design principles by quantitatively assessing their effect on rule specificity. We find that several of these design considerations significantly impact unnecessary workload caused by rules. For instance, rules that leverage proxies for detection, and rules that do not employ alert throttling or do not distinguish (un)successful malicious actions, cause significantly more workload for SOC analysts. Moreover, rules that match a generalized characteristic to detect malicious behavior, which is believed to increase coverage, also significantly increase workload, suggesting a tradeoff must be struck between rule specificity and coverage. We show that these design principles can be applied successfully at a SOC to reduce workload whilst maintaining coverage despite the prevalence of violations of the principles.
Original languageEnglish
Title of host publicationACM Asia Conference on Computer and Communications Security (ASIA CCS ’25)
PublisherAssociation for Computing Machinery, Inc
Number of pages14
DOIs
Publication statusAccepted/In press - 2024
Event20th ACM ASIA Conference on Computer and Communications Security, ACM ASIACCS 2025 - Hanoi, Viet Nam
Duration: 25 Aug 202529 Aug 2025

Conference

Conference20th ACM ASIA Conference on Computer and Communications Security, ACM ASIACCS 2025
Abbreviated titleACM ASIACCS 2025
Country/TerritoryViet Nam
CityHanoi
Period25/08/2529/08/25

Funding

This publication is part of the CATRIN and INTERSECT projects (with numbers NWA.1215.18.003 and NWA.1160.18.301), which is (partly) financed by the Dutch Research Council (NWO). For the purpose of Open Access, a CC-BY 4.0 public copyright license is applied to any Author Accepted Manuscript version arising from this submission.

FundersFunder number
Nederlandse Organisatie voor Wetenschappelijk OnderzoekNWA.1215.18.003
Nederlandse Organisatie voor Wetenschappelijk OnderzoekNWA.1160.18.301

    Keywords

    • Security Operations Center (SOC)
    • Network Intrusion Detection System (NIDS)
    • Network Intrusion Detection Rules

    Fingerprint

    Dive into the research topics of 'Ruling the Unruly: Designing Effective, Low-Noise Network Intrusion Detection Rules for Security Operations Centers'. Together they form a unique fingerprint.

    Cite this