POSTER: SuriCap - A Measurement Platform to Study and Evaluate Intrusion Detection Rule Engineering

Abstract

Organizations deploy Intrusion Detection Systems (IDSs) like Suricata to defend against threats. Although rulesets, rules, and the resulting alerts have been studied previously, little is known thus far about the process by which rules are engineered. We aim to address these gaps by studying how network intrusion detection rules are derived from incidents. To this end, we propose the SuriCap measurement platform and organize Jeopardy-style workshops in which participants compete to engineer Suricata rules. We collect a rich dataset consisting of over 364 rules from 28 participants. Preliminary results suggest that our experimental design is viable and, together with the SuriCap measurement platform, can enable us to answer several research questions surrounding the engineering process of network intrusion detection rules.

Publication
In Proceedings of the 20th ACM ASIA Conference on Computer and Communications Security
Emmanuele Zambon
Assistant Professor

My research interests include Industrial Control System security and network intrusion detection.