PRIvacy LEakage Methodology (PRILE) for IDS Rules

  • Nils Ulltveit-Moe
  • Vladimir Oleshchuk
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 320)


This paper introduces a methodology for evaluating PRIvacy LEakage in signature-based Network Intrusion Detection System (IDS) rules. IDS rules that expose more data than a given percentage of all data sessions are defined as privacy leaking. Furthermore, it analyses the IDS rule attack specific pattern size required in order to keep the privacy leakage below a given threshold, presuming that occurrence frequencies of the attack pattern in normal text are known. We have applied the methodology on the network intrusion detection system Snort’s rule set. The evaluation confirms that Snort in its default configuration aims at not being excessively privacy invasive. However we have identified some types of rules rules with poor or missing ability to distinguish attack traffic from normal traffic.


IDS rules privacy impact methodology privacy violation 


  1. 1.
    Maier, G., Sommer, R., Dreger, H., Feldmann, A., Paxson, V., Shneider, F.: Enriching network security analysis with time travel. SIGCOMM Comput. Commun. Rev. 38(4), 183–194 (2008)CrossRefGoogle Scholar
  2. 2.
    Mell, P., Scarfone, K., Romanosky, S.: CVSS a complete guide to the common vulnerability scoring system version 2.0 (2007),
  3. 3.
    Klewitz-Hommelsen, S.: Indicators for privacy violation of internet sites. Electronic Government, 219–223 (2002)Google Scholar
  4. 4.
    Sebastian Clauß, S.S.: Structuring anonymity metrics. In: Proceedings of the second ACM workshop on Digital identity management, pp. 55–62 (2006)Google Scholar
  5. 5.
    Ti, P.S.: Protecting respondents’ identities in microdata release. IEEE Transactions on Knowledge and Data Engineering 13, 1010–1027 (2001)CrossRefGoogle Scholar
  6. 6.
    Sweeney, L.: k-anonymity: a model for protecting privacy. International Journal on Uncertainty. Fuzziness and Knowledge-based Systems 10, 557–570 (2002)zbMATHCrossRefMathSciNetGoogle Scholar
  7. 7.
    Ciriani, V., di Vimercati, S.C., Foresti, S., Samarati, P.: k-Anonymity. In: Secure Data Management in Decentralized Systems, pp. 323–353. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  8. 8.
    Machanavajjhala, A., Kifer, D., Gehrke, J., Venkitasubramaniam, M.: l-diversity: Privacy beyond k-anonymity, March 2007, p. 52. Cornell University (2007)Google Scholar
  9. 9.
    Pang, R., Paxson, V.: A high-level programming environment for packet trace anonymization and transformation. In: Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, Karlsruhe, Germany, pp. 339–351. ACM, New York (2003)CrossRefGoogle Scholar
  10. 10.
    Sobirey, M., Fischer-Hübner, S., Rannenberg, K.: Pseudonymous audit for privacy enhanced intrusion detection. In: Proceedings of the IFIP TC11 13th International Conference on Information Security (SEC 1997), May 1997, pp. 151–163 (1997)Google Scholar
  11. 11.
    Fischer-Hübner, S.: IDA - An Intrusion Detection and Avoidance System, Aachen, Shaker (2007) (in German)Google Scholar
  12. 12.
    Sobirey, M., Richter, B., König, H.: The intrusion detection system aid - architecture and experiences in automated autid trail analysis. In: Proceedings of the IFIP TC6/TC11 International Conference on Communications and Multimedia Security, pp. 278–290 (1996)Google Scholar
  13. 13.
    Büschkes, R., Kesdogan, D.: Privacy enhanced intrusion detection. In: Müller, G., Rannenberg, K. (eds.) Multilateral Security in Communications, Information Security, pp. 187–204. Addison Wesley, Reading (1999)Google Scholar
  14. 14.
    Flegel, U.: Privacy-Respecting Intrusion Detection, 1st edn. Springer, Heidelberg (October 2007)Google Scholar
  15. 15.
    Holz, T.: An efficient distributed intrusion detection scheme. In: COMPSAC Workshops, pp. 39–40 (2004)Google Scholar

Copyright information

© IFIP 2010

Authors and Affiliations

  • Nils Ulltveit-Moe
    • 1
  • Vladimir Oleshchuk
    • 1
  1. 1.University of AgderGrimstadNorway

Personalised recommendations