METHOD FOR ANALYZING DATA FROM IDS/IPS SYSTEMS BASED ON A COMBINATION OF SIGNATURES AND POLICIES

Authors

DOI:

https://doi.org/10.31891/2307-5732-2025-351-26

Keywords:

IDS/IPS, network security, signature analysis, policy analysis, anomaly detection, security rules

Abstract

Prevention Systems (IDS/IPS). We review widely used solutions such as Snort, Suricata, McAfee Network Security Platform, and Zeek, highlighting their strengths and weaknesses in network security applications. Our proposed approach aims to improve threat detection by combining signature-based and policy-based techniques. Specifically, Suricata is leveraged for real-time traffic monitoring, while a Python-based software tool streamlines rule configuration, event logging, and the generation of actionable recommendations. We present an improved method for analyzing IDS/IPS data that processes known threat signatures and user-defined policies concurrently. In doing so, it enables more accurate detection of malicious activity, unauthorized access attempts, and suspicious behavior beyond documented vulnerabilities. A central aspect of this study is the development of algorithms for policy customization (e.g., defining trusted hosts, blocked IP addresses, and specific port/protocol restrictions) and automated assessment of security events. Experimental validation was conducted on an Ubuntu 18.04 platform, demonstrating a notable decrease in false positives, better adaptability to evolving network conditions, and streamlined management of security incidents. The system promptly identifies potential anomalies and provides relevant recommendations by correlating JSON-formatted Suricata outputs with user-configured policies. These include creating or adjusting firewalls and IDS/IPS rules to restrict traffic or block suspicious hosts. The findings confirm that integrating signature-based and policy-based detection offers a scalable, effective defense mechanism for organizations of various sizes. Such an approach accelerates threat mitigation processes, reduces the overhead of manual rule management, and enhances overall cybersecurity posture.
This research contributes to the ongoing evolution of IDS/IPS solutions, addressing common limitations related to system complexity, performance bottlenecks, and the persistent challenge of detecting previously unknown attacks.
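To illustrate the correlation step the abstract describes (Suricata EVE JSON events checked against a user policy of trusted hosts, blocked IP addresses and port/protocol restrictions, then mapped to a recommendation), the following Python example is added here; it is not the paper's tool, and the policy layout, verdict names and sample events are assumptions constructed for the example.

```python
import json

# Constructed Suricata EVE JSON lines (not captured traffic), one event per line.
SAMPLE_EVE = "\n".join([
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.20","proto":"TCP",'
    '"dest_port":22,"alert":{"signature":"ET SCAN Potential SSH Scan","severity":2}}',
    '{"event_type":"alert","src_ip":"203.0.113.9","dest_ip":"10.0.0.20","proto":"TCP",'
    '"dest_port":443,"alert":{"signature":"ET WEB_SERVER Suspicious UA","severity":3}}',
    '{"event_type":"flow","src_ip":"198.51.100.7","dest_ip":"10.0.0.20","proto":"UDP","dest_port":69}',
    '{"event_type":"alert","src_ip":"198.51.100.8","dest_ip":"10.0.0.20","proto":"TCP",'
    '"dest_port":80,"alert":{"signature":"ET POLICY HTTP Request","severity":3}}',
])

# Hypothetical user-defined policy in the shape the abstract lists.
POLICY = {
    "trusted_hosts": {"10.0.0.5"},
    "blocked_ips": {"203.0.113.9"},
    "allowed_services": {("TCP", 22), ("TCP", 80), ("TCP", 443)},
}

def assess(event, policy):
    """Return (verdict, recommendation) for one EVE event. Policy checks run on every
    event, so a violation is caught even when no Suricata signature fired."""
    src, dst = event.get("src_ip"), event.get("dest_ip")
    service = (str(event.get("proto", "")).upper(), event.get("dest_port"))
    signature = event.get("alert", {}).get("signature")
    if src in policy["blocked_ips"] or dst in policy["blocked_ips"]:
        peer = src if src in policy["blocked_ips"] else dst
        return "block", f"add firewall drop rule for {peer}"
    if service not in policy["allowed_services"]:
        return "policy_violation", f"restrict {service[0]}/{service[1]} to {dst}; add IDS/IPS rule"
    if signature and src in policy["trusted_hosts"]:
        return "suppress", f"trusted host {src}: tune or lower priority of '{signature}'"
    if signature:
        return "review", f"signature '{signature}' from {src}: investigate"
    return "ok", "no action"

def analyze(eve_text, policy):
    """Parse EVE JSON lines and correlate each event with the policy."""
    results = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        verdict, recommendation = assess(event, policy)
        results.append({"src_ip": event.get("src_ip"), "verdict": verdict, "recommendation": recommendation})
    return results
```

Feeding Suricata's real `eve.json` into `analyze` works unchanged, since only the `src_ip`, `dest_ip`, `proto`, `dest_port` and `alert.signature` fields are read.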

Published

2025-06-06

How to Cite

KOROBEINIKOVA, T. (2025). METHOD FOR ANALYZING DATA FROM IDS/IPS SYSTEMS BASED ON A COMBINATION OF SIGNATURES AND POLICIES. Herald of Khmelnytskyi National University. Technical Sciences, 351(3.1), 205-216. https://doi.org/10.31891/2307-5732-2025-351-26