
An efficient method and device for generating network intrusion detection rules


Abstract

The present invention relates to automatically generating intrusion detection rules for use in a network intrusion detection system. Given as input a set of existing intrusion detection rules, normal network traffic, suspicious network traffic, and a maximum length for an intrusion detection rule, the method filters for character strings that are included in the suspicious network traffic but not in the normal network traffic, calculates the similarity between those character strings and the existing intrusion detection rules, selects the intrusion detection rule most similar to a new attack, and uses the selected rule to provide candidate intrusion detection rules against the new attack.

The method of generating an intrusion detection rule according to the present invention includes the steps of: selecting, through a character string selection unit, a character string suspected of being an attack, using a set of intrusion detection rules, normal network traffic, suspicious network traffic, and a maximum length of a new intrusion detection rule; comparing, through a rule comparison unit, an existing intrusion detection rule with the character string suspected of being an attack; and generating, through a rule generation unit, a possible intrusion detection rule from the candidate rules sorted by similarity.

The automatically generated intrusion detection rule has the effect of enhancing the security performance of an intrusion detection system by rapidly generating an intrusion detection rule against a new attack without expending an expert's time and effort.

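Bibliographic details

  • Publication number: KR20180070247A
  • Publication date: 2018-06-26
  • Original format: PDF
  • Applicant/Patentee: PATABI KOREA LTD.
  • Application number: KR20160172732
  • Inventor: PARK DONG KI
  • Filing date: 2016-12-16
  • Classification: H04L29/06
  • Country: KR
  • Indexed: 2022-08-21 12:39:43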
