A game theoretic model for dynamic configuration of large-scale intrusion detection signatures

In this paper, we note that the signature-based intrusion detection system (S-IDS) can cause the low accuracy against mutants of intrusion packets. This is because the S-IDS commonly detects network intrusion in data flows by identifying the existence of the predefined intrusion signatures, which is called static intrusion signature configuration (SISC). To increase the accuracy, all intrusion signatures corresponding to all possible mutants of a pertinent attack may be activated. However, the static intrusion signature configuration with all possible intrusion signatures can largely increase the size of storage and the signature search time in the process of signature analysis. To solve the problems that occur when activating all possible intrusion signatures, we propose a two-player non-cooperative zero-sum game with incomplete information for dynamic intrusion signature configuration (DISC), where the various lengths of an intrusion signature have been activated in a time-shared manner. After formulating the problem into the game theoretic approach, we found the optimal strategy for DISC in the S-IDS. To the best of our knowledge, this work is the first approach that analyzes the optimal DISC strategy against the various mutants of intrusion packets. From evaluation results, we show that the DISC by the defender is more effective than the SISC against various mutants of intrusion packets by the intruder.