
Identification of Flaws in the Design of Signatures for Intrusion Detection Systems

Published 28 May 2018 in cs.CR | (1805.10848v1)

Abstract: A Signature-based Intrusion Detection System (SIDS) provides a promising solution to the problem of web application security. However, the performance of the system relies heavily on the quality of the signatures designed to detect attacks. A weak signature set may considerably increase the false alarm rate, making the system impractical to deploy. The objective of the paper is to identify the flaws in the signature structure that are responsible for reducing the efficiency of the detection system. The paper targets SQL injection signatures in particular. Initially, we discuss some essential concepts of the attack domain that the developer should focus on prior to designing the signatures. Afterwards, we conduct a case study on the well-known PHPIDS tool to analyze the quality of its SQL signatures. Based on the analysis, we identify various flaws in design practice that yield inefficient signatures. We divide the weak signatures into six categories, namely incomplete, irrelevant, semi-relevant, susceptible, redundant and inconsistent signatures. Moreover, we quantify these weaknesses and define them mathematically in terms of set theory. To the best of our knowledge, we have identified some novel signature design issues. The paper will assist signature developers in knowing what level of expertise is required for devising a quality signature set and how a little ignorance may lead to deterioration in the performance of the SIDS. Furthermore, a security expert may evaluate the detector against the identified flaws by conducting structural analysis on its signature set.

Citations (3)
