Intrusion Prevention System Decision Diagram in Security-as-a-Service Solutions

Intrusion prevention systems are widely used as one of the core security services deployed by the majority of contemporary organizations. Although simple in operation, they tend to be difficult to configure due to the wide range of vendors using different algorithms to implement intrusion prevention system security policies. The most popular, rule-based representation of intrusion prevention system security policies frequently suffers from redundant, conflicting and deficient security rules which may lead to confusion and misconfigurations. This article introduces and presents the intrusion prevention system decision diagram as a new and formal representation of signature-based intrusion prevention system security policies. It is shown that in this diagram the issue of redundant, conflicting and deficient security rules is fully eliminated. Thanks to a tree-based structure the intrusion prevention system decision diagram is also well suited for use in privacy-preserving solutions for cloud-based security services. Finally, with fewer computationally-expensive pattern-matching operations, the intrusion prevention system decision diagram is a better performing packet examination engine than the rule-based engine. This finding was confirmed by experimental results.