Signature-based Intrusion Detection Systems (SIDSs) are traditionally used to detect malicious activity in networks. A notable example of such a system is Snort, which compares network traffic against a series of rules that match known exploits. Current SIDS rules are designed to minimize the amount of legitimate traffic flagged incorrectly, reducing the burden on network administrators. However, use cases other than the traditional one, such as researchers studying trends or analyzing modified versions of known exploits, may require SIDSs to be less constrained in their operation. In this paper, we demonstrate that applying modifications to real-world SIDS rules allows for relaxing some constraints and for characterizing the performance space of the modified rules. We develop an iterative approach for exploring the space of modifications to SIDS rules. By taking the modifications that expand the ROC curve of performance and altering them further, we show how to modify rules in a directed manner. Using traffic collected from a cloud telescope and identified as benign or malicious, we find that the removal of a single component from SIDS rules has the largest impact on the performance space. Effectively modifying SIDS rules to reduce constraints can enable a broader range of detection for various objectives, from increased security to research purposes.
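The abstract describes the method only at a high level: start from a rule, remove constraints one at a time, keep the variants that push the ROC frontier outward, and relax those further. The following Python is an added illustration of that loop and is not code from the paper. It assumes a constructed Snort-style rule, a constructed set of labelled packets standing in for the telescope traffic, and a deliberately simplified matcher that understands only `content`, `flow` and `dsize` options (real Snort matching is far richer; the option names are real, the rule and packets are invented).

```python
"""Directed exploration of relaxed Snort-style rules against labelled traffic.

Added example; the rule, packets and the simplified matcher are assumptions,
not the paper's data or Snort's actual engine.
"""

# Constructed Snort-style rule (assumption, not a rule from the paper).
RULE = ('alert tcp any any -> any 80 (msg:"traversal probe"; flow:to_server; '
        'content:"/cgi-bin/"; content:"../"; dsize:<200; sid:1000001;)')

# Constructed labelled packets (assumption): "malicious" holds one known probe plus
# modified variants of it; "benign" holds ordinary traffic sharing some substrings.
PACKETS = [
    {"payload": "GET /cgi-bin/../../etc/passwd HTTP/1.1", "to_server": True, "label": "malicious"},
    {"payload": "GET /cgi-bin/..%2f..%2fetc/passwd HTTP/1.1", "to_server": True, "label": "malicious"},
    {"payload": "GET /scripts/../../boot.ini HTTP/1.1", "to_server": True, "label": "malicious"},
    {"payload": "GET /cgi-bin/../../etc/passwd HTTP/1.1" + "A" * 300, "to_server": True, "label": "malicious"},
    {"payload": "GET /index.html HTTP/1.1", "to_server": True, "label": "benign"},
    {"payload": "GET /cgi-bin/search?q=cats HTTP/1.1", "to_server": True, "label": "benign"},
    {"payload": "HTTP/1.1 200 OK\r\nLocation: /cgi-bin/../ok", "to_server": False, "label": "benign"},
    {"payload": "GET /docs/../images/a.png HTTP/1.1", "to_server": True, "label": "benign"},
]

# Only these options constrain matching; msg/sid and similar metadata are never removed.
CONSTRAINT_KEYS = {"content", "flow", "dsize"}


def parse_constraints(rule):
    """Return the rule's matching options as an ordered tuple of (key, value) pairs."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    constraints = []
    for item in body.split(";"):
        key, _, value = item.strip().partition(":")
        if key.strip() in CONSTRAINT_KEYS:
            constraints.append((key.strip(), value.strip().strip('"')))
    return tuple(constraints)


def option_matches(key, value, pkt):
    """Simplified semantics for the three option types this example supports."""
    if key == "content":
        return value in pkt["payload"]
    if key == "flow":
        return pkt["to_server"] == (value == "to_server")
    if key == "dsize":  # only the "<N" and ">N" forms are handled here
        n = int(value[1:])
        return len(pkt["payload"]) < n if value[0] == "<" else len(pkt["payload"]) > n
    return True


def rule_matches(constraints, pkt):
    return all(option_matches(k, v, pkt) for k, v in constraints)


def score(constraints, packets):
    """(true positive rate, false positive rate) of a constraint set on labelled packets."""
    mal = [p for p in packets if p["label"] == "malicious"]
    ben = [p for p in packets if p["label"] == "benign"]
    tpr = sum(rule_matches(constraints, p) for p in mal) / len(mal)
    fpr = sum(rule_matches(constraints, p) for p in ben) / len(ben)
    return tpr, fpr


def strictly_dominated(point, others):
    """True if some other point has FPR <= and TPR >= this one, and is better in at least one."""
    tpr, fpr = point
    return any(f <= fpr and t >= tpr and (f < fpr or t > tpr) for t, f in others)


def single_removals(rule, packets):
    """Score every variant obtained by deleting exactly one constraint from the rule."""
    base = parse_constraints(rule)
    return {base[i]: score(base[:i] + base[i + 1:], packets) for i in range(len(base))}


def explore(rule, packets):
    """Iteratively relax the rule, expanding only variants that push the ROC frontier out.

    Returns the non-dominated constraint sets mapped to their (TPR, FPR) points."""
    base = parse_constraints(rule)
    frontier = {base: score(base, packets)}
    current = [base]
    while current:
        nxt = []
        for cons in current:
            for i in range(len(cons)):
                child = cons[:i] + cons[i + 1:]
                if child in frontier:
                    continue
                point = score(child, packets)
                if strictly_dominated(point, frontier.values()):
                    continue  # this relaxation adds nothing; do not expand it further
                frontier[child] = point
                nxt.append(child)
        current = nxt
    # Final prune: a point added early may have been dominated by a later one.
    return {c: p for c, p in frontier.items()
            if not strictly_dominated(p, [q for d, q in frontier.items() if d != c])}


if __name__ == "__main__":
    for removed, (tpr, fpr) in single_removals(RULE, PACKETS).items():
        print(f"drop {removed}: TPR={tpr:.2f} FPR={fpr:.2f}")
    for cons, (tpr, fpr) in explore(RULE, PACKETS).items():
        print(f"frontier {cons}: TPR={tpr:.2f} FPR={fpr:.2f}")
```

On the constructed data, dropping only the `dsize` constraint doubles the detection rate of the modified variants at no cost in false positives, while dropping the `flow` constraint alone only adds a false positive; the frontier then keeps relaxing the better variants until every further removal is dominated. Real traffic will move the points, but the shape of the procedure is the one the abstract describes.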