
Intrusion Prevention System Decision Diagram in Security-as-a-Service Solutions

  • Tytus Kurek (email author)
  • Marcin Niemiec
  • Artur Lason
  • Andrzej R. Pach
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 785)

Abstract

Intrusion prevention systems are widely used as one of the core security services deployed by the majority of contemporary organizations. Although simple in operation, they tend to be difficult to configure, because the many vendors use different algorithms to implement intrusion prevention system security policies. The most popular representation of these policies, the rule-based one, frequently suffers from redundant, conflicting and deficient security rules, which may lead to confusion and misconfigurations. This article introduces the intrusion prevention system decision diagram as a new, formal representation of signature-based intrusion prevention system security policies. It is shown that this diagram fully eliminates redundant, conflicting and deficient security rules. Thanks to its tree-based structure, the intrusion prevention system decision diagram is also well suited for privacy-preserving solutions for cloud-based security services. Finally, because it requires fewer computationally expensive pattern-matching operations, the intrusion prevention system decision diagram is a better-performing packet examination engine than the rule-based engine. This finding was confirmed by experimental results.
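To make the abstract's claim concrete, the following is an added illustration and not the paper's representation or code (the construction of the paper's diagram is not described on this page). A small set of constructed Snort-like signature rules is evaluated twice: by a first-match linear rule list, and by a decision tree keyed on protocol and destination port with content matching only at the leaves. Building the tree exposes one redundant and one conflicting rule in the constructed set, and the tree reaches the same verdicts as the rule list with fewer header comparisons and fewer pattern-matching operations. The rule set, the packets, the two-level tree layout and the first-rule-in-policy-order-wins conflict resolution are all assumptions of this example; real rules with `any` ports, port ranges or negations need a richer diagram than this.

```python
# Added illustration: first-match rule list vs. a decision-diagram lookup for
# signature-based IPS rules. Rules, packets and tree layout are constructed for
# this example; they are not the representation defined in the paper.

# Constructed Snort-like rules: (action, proto, dst_port, content, sid), in policy order.
RULES = [
    ("drop",  "tcp", 80, b"/etc/passwd", 1001),
    ("drop",  "tcp", 80, b"<script>",    1002),
    ("drop",  "tcp", 80, b"/etc/passwd", 1003),  # redundant: duplicates sid 1001
    ("drop",  "tcp", 25, b"VRFY ",       1004),
    ("alert", "tcp", 25, b"VRFY ",       1005),  # conflicting: same match as 1004, other action
    ("drop",  "udp", 53, b"\x00\x00\xff\x00\x01", 1006),  # constructed DNS "ANY" query tail
    ("drop",  "tcp", 22, b"SSH-1.",      1007),
]

def rule_engine(packet, rules=RULES):
    """Linear, first-match scan of the rule list.
    Returns (action, sid, header_checks, pattern_matches)."""
    proto, port, payload = packet
    header_checks = pattern_matches = 0
    for action, r_proto, r_port, content, sid in rules:
        header_checks += 1
        if r_proto == proto and r_port == port:
            pattern_matches += 1           # the expensive step
            if content in payload:
                return action, sid, header_checks, pattern_matches
    return "pass", None, header_checks, pattern_matches

def build_diagram(rules=RULES):
    """Two-level tree: proto -> dst_port -> ordered list of (content, action, sid).
    Within a leaf, an identical content with the same action is redundant and dropped;
    with a different action it is conflicting and dropped (earlier rule wins)."""
    tree, report = {}, {"redundant": [], "conflicting": []}
    for action, proto, port, content, sid in rules:
        leaf = tree.setdefault(proto, {}).setdefault(port, [])
        earlier = next((e for e in leaf if e[0] == content), None)
        if earlier is None:
            leaf.append((content, action, sid))
        elif earlier[1] == action:
            report["redundant"].append((sid, earlier[2]))
        else:
            report["conflicting"].append((sid, earlier[2]))
    return tree, report

def diagram_engine(packet, tree):
    """Two dictionary lookups select the leaf; only the leaf's contents are pattern-matched."""
    proto, port, payload = packet
    leaf = tree.get(proto, {}).get(port, [])
    header_checks, pattern_matches = 2, 0
    for content, action, sid in leaf:
        pattern_matches += 1
        if content in payload:
            return action, sid, header_checks, pattern_matches
    return "pass", None, header_checks, pattern_matches

# Constructed packets: (proto, dst_port, payload)
PACKETS = [
    ("tcp", 80, b"GET /index.html HTTP/1.1\r\n"),           # benign HTTP
    ("tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),     # traversal attempt
    ("tcp", 25, b"VRFY root\r\n"),                            # hits the conflicting pair
    ("udp", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x00\x00\xff\x00\x01"),
    ("tcp", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),                 # benign SSH banner
]

def compare(packets=PACKETS, rules=RULES):
    """Run both engines; verdicts must agree while the diagram does less work.
    Returns (rows, report); each row is (proto, port, action, sid,
    (rule-list header_checks, pattern_matches), (diagram header_checks, pattern_matches))."""
    tree, report = build_diagram(rules)
    rows = []
    for pkt in packets:
        a1, s1, h1, p1 = rule_engine(pkt, rules)
        a2, s2, h2, p2 = diagram_engine(pkt, tree)
        assert (a1, s1) == (a2, s2), pkt
        rows.append((pkt[0], pkt[1], a1, s1, (h1, p1), (h2, p2)))
    return rows, report

if __name__ == "__main__":
    rows, report = compare()
    print("redundant:", report["redundant"], "conflicting:", report["conflicting"])
    for proto, port, action, sid, rl, dd in rows:
        print(f"{proto}/{port}: {action} sid={sid} rule-list(hdr,pat)={rl} diagram(hdr,pat)={dd}")
```

Running the script prints the redundancy and conflict report for the constructed rule set and, per packet, the verdict with the number of header checks and pattern matches each engine performed; the saving shown here comes only from deduplicated leaves and from replacing a scan over all rules with a walk down the tree, which is the mechanism the abstract describes in outline.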

Keywords

IPS · Decision tree · SecaaS · Cloud computing · Privacy

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Tytus Kurek (1), email author
  • Marcin Niemiec (1)
  • Artur Lason (1)
  • Andrzej R. Pach (1)
  1. AGH University of Science and Technology, Krakow, Poland