
How to train intrusion detection systems (IDS)

Learn how to train your intrusion detection systems (IDS) from network security expert Michael Gregg.

My company is going to implement a software IDS using AI (like Snort but for Windows). Could you explain to me how I could train my IDS (my neural network or genetic algorithm)?

Intrusion detection systems (IDSs) can be used to inspect network/host activity. An IDS can identify suspicious traffic and anomalies. IDSs act like security guards. Just as security guards monitor the activities of humans, IDSs monitor the activity of the network. Unlike a security guard, an IDS doesn't fall asleep or call in sick. However, this does not mean that they are infallible. Any technical system has its limitations, and IDSs are no different.

An IDS can work by matching signatures or by detecting anomalies. Snort, which you mentioned above, is a signature-based IDS. Snort matches the packets it captures against a set of rules that the administrator provides. Snort rules can be used to match specific signatures or misuse. A Snort rule is made up of two basic parts: a rule header (action, protocol, source and destination addresses and ports) and the rule options in parentheses. Here is a sample rule to examine:

alert tcp any any -> any 80 (msg:"Malware Site Accessed"; content:"malware"; sid:1000001; rev:1;)

Therefore, to train Snort you need to load a set of rules. These rules will typically be used to detect various types of attacks such as the following:

  • Events that disrupt system or network functioning
  • Individuals probing for vulnerabilities
  • Anyone attempting to obtain root or admin privileges through non-standard means
  • Anything installing or executing back doors or Trojan horses

You can create your own simple rules or download pre-compiled rules from sites such as Snort.org. If you choose to pay a subscription fee, you can get up-to-date rules from Sourcefire as soon as new rules are verified and released. If you are on a tighter budget, you can get the rules for free, but you must wait five days after they are released to paid subscribers. If you are looking for more information on configuring a signature-based IDS, then check out my forthcoming book: Build your Own Network Security Lab. If you're interested in anomaly-based IDS training, ISS and other vendors offer hands-on training with their products.
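The header/options split described above, as an added example that is not from the original article or from Snort's own code: a small Python parser that breaks a Snort-style rule into its header fields and its options and checks constructed packets against it. The rule text, the sid value and the sample packets are constructed for this example; only the protocol, the destination port and the content option are matched, so it is a teaching model of signature matching rather than Snort's engine.

```python
import re
from dataclasses import dataclass

# Constructed rule in the page's style; sid 1000001 is in the range reserved for local rules.
RULE = 'alert tcp any any -> any 80 (msg:"Malware Site Accessed"; content:"malware"; sid:1000001; rev:1;)'

@dataclass
class Rule:
    action: str
    proto: str
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: str
    options: dict

def parse_rule(text: str) -> Rule:
    """Split a Snort rule into its seven header fields and its option block."""
    header, _, opts = text.partition("(")
    action, proto, src_ip, src_port, arrow, dst_ip, dst_port = header.split()
    if arrow != "->":
        raise ValueError("only unidirectional '->' rules are handled here")
    options = {}
    # Options are 'key:value;' pairs; values may be quoted. Flag-style options
    # without a value (e.g. nocase;) are ignored by this simplified parser.
    for key, value in re.findall(r'(\w+)\s*:\s*("[^"]*"|[^;]+)\s*;', opts.rstrip(")")):
        options[key] = value.strip('"')
    return Rule(action, proto, src_ip, src_port, dst_ip, dst_port, options)

def _port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port

def rule_matches(rule: Rule, proto: str, dst_port: int, payload: bytes) -> bool:
    """Signature check: header fields must match and the content bytes must occur in the payload."""
    if rule.proto != proto or not _port_matches(rule.dst_port, dst_port):
        return False
    needle = rule.options.get("content", "").encode()
    return needle in payload

def alerts_for(packets) -> list:
    """Return the msg text of every packet that triggers RULE."""
    rule = parse_rule(RULE)
    return [rule.options["msg"] for proto, port, payload in packets
            if rule_matches(rule, proto, port, payload)]

# Constructed sample traffic: (protocol, destination port, payload)
PACKETS = [
    ("tcp", 80, b"GET /downloads/malware.exe HTTP/1.1\r\n"),  # matches
    ("tcp", 80, b"GET /index.html HTTP/1.1\r\n"),             # no content match
    ("tcp", 443, b"GET /malware HTTP/1.1\r\n"),               # wrong port
    ("udp", 80, b"malware"),                                  # wrong protocol
]

if __name__ == "__main__":
    for msg in alerts_for(PACKETS):
        print("ALERT:", msg)
```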

This was last published in February 2008
