Rule Design Principles for Specificity and Coverage
- Regardless of traffic routing, sensor positioning, and augmentations after detection, rule design can affect specificity and coverage of NSM
- Through a combination of characterizing noisy rules and interviewing rule engineers, we identified six design principles to improve rule quality:
  - Limited Proxy: Rules should detect a characteristic that is closely tied to the malicious behavior
  - Successful Malicious Action: Rules should focus on detecting successful actions as opposed to unsuccessful attempts
  - Alert Throttling: Rules should be throttled to limit the number of generated alerts
  - Exceptions: Rules should include exceptions for known benign behavior that may cause false positives
  - Generalized Characteristics: Rules should match a characteristic that generalizes to related malicious behavior
  - Generalized Position: Rules should match characteristics at a variable location rather than a fixed offset
- Effects of the design principles on specificity and coverage were validated through regression analysis
  - Rules that avoid loose proxies, detect only successful attacks, or throttle alerts significantly reduce the number of generated alerts
  - On the other hand, rules that use a generalized characteristic increase the number of generated alerts, suggesting a tradeoff exists between specificity and coverage
- These design principles lay the groundwork for the development of new detection opportunities enabled by CATRIN
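The following is an added illustration, not code from the page or from CATRIN, of how the principles above change a rule's alert volume. It compares a naive rule with one that applies four of the principles (successful action, throttling, exceptions, and a generalized characteristic matched at a variable position) over a constructed set of HTTP transactions. The event records, the 60-second throttle window, and the allowlisted scanner address are assumptions made up for the example.

```python
import re
from typing import List, NamedTuple


class HttpEvent(NamedTuple):
    """One HTTP transaction as a sensor might log it (constructed, not real data)."""
    ts: int       # seconds since start of capture
    src: str
    dst: str
    uri: str
    status: int   # server response code


# Constructed sample traffic: one source probing for path traversal, one
# authorized scanner, one unrelated login request.
SAMPLE_EVENTS = [
    HttpEvent(100, "10.0.0.5", "10.0.1.10", "/app/../../etc/passwd", 404),
    HttpEvent(101, "10.0.0.5", "10.0.1.10", "/app/..%2f..%2fetc/passwd", 200),
    HttpEvent(102, "10.0.0.5", "10.0.1.10", "/app/../../etc/shadow", 200),
    HttpEvent(103, "10.0.0.5", "10.0.1.10", "/app/../../etc/hosts", 200),
    HttpEvent(104, "10.0.0.9", "10.0.1.10", "/static/../img/logo.png", 200),
    HttpEvent(170, "10.0.0.5", "10.0.1.10", "/app/../../etc/group", 200),
    HttpEvent(171, "10.0.0.7", "10.0.1.10", "/login?user=bob", 200),
]

# Generalized characteristic: plain and URL-encoded traversal, case-insensitive,
# searched anywhere in the URI (generalized position) instead of a fixed offset.
TRAVERSAL_ANYWHERE = re.compile(r"(\.\./|\.\.%2f)", re.IGNORECASE)

# Exception list: hypothetical authorized vulnerability scanner (assumption).
ALLOWLISTED_SOURCES = {"10.0.0.9"}

# Alert throttling: at most one alert per (src, dst) pair per window (assumption).
THROTTLE_WINDOW_SECONDS = 60


def naive_rule(events: List[HttpEvent]) -> List[HttpEvent]:
    """A noisy rule: fires on the literal '../' for every attempt,
    successful or not, with no exceptions and no throttling. It also misses
    the URL-encoded variant because its characteristic does not generalize."""
    return [e for e in events if "../" in e.uri]


def principled_rule(events: List[HttpEvent],
                    allowlist=ALLOWLISTED_SOURCES,
                    window: int = THROTTLE_WINDOW_SECONDS) -> List[HttpEvent]:
    """The same detection rebuilt with the design principles applied."""
    alerts: List[HttpEvent] = []
    last_alert_ts = {}  # (src, dst) -> timestamp of the last emitted alert
    for e in events:
        # Generalized characteristic at a variable position.
        if not TRAVERSAL_ANYWHERE.search(e.uri):
            continue
        # Successful malicious action: only a 200 indicates the traversal worked.
        if e.status != 200:
            continue
        # Exceptions: known benign sources are suppressed.
        if e.src in allowlist:
            continue
        # Alert throttling per source/destination pair.
        key = (e.src, e.dst)
        if key in last_alert_ts and e.ts - last_alert_ts[key] < window:
            continue
        last_alert_ts[key] = e.ts
        alerts.append(e)
    return alerts


if __name__ == "__main__":
    print("naive rule alerts:     ", len(naive_rule(SAMPLE_EVENTS)))
    print("principled rule alerts:", [a.ts for a in principled_rule(SAMPLE_EVENTS)])
```

On the constructed traffic the naive rule emits five alerts (including one for the authorized scanner and one for a failed attempt) while missing the encoded request that actually succeeded; the principled rule emits two, one for the first successful traversal and one after the throttle window expires. That is the specificity gain the regression analysis above describes, and the wider regex is the coverage side of the tradeoff.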