International Journal of Semantic Computing
Vol. 5, No. 3 (2011) 281–322
© World Scientific Publishing Company
DOI: 10.1142/S1793351X11001274

MEASURING INCONSISTENCY IN A NETWORK INTRUSION DETECTION RULE SET BASED ON SNORT*

KEVIN MCAREAVEY
Centre for Secure Information Technologies
Institute of Electronics, Communications and Information Technology (ECIT)
Queen’s University Belfast
Northern Ireland Science Park, Belfast, BT3 9DT
Northern Ireland
kmcareavey01@qub.ac.uk

WEIRU LIU
School of Electronics, Electrical Engineering and Computer Science
Queen’s University Belfast, BT7 1NN
Northern Ireland
w.liu@qub.ac.uk

PAUL MILLER
Centre for Secure Information Technologies
Institute of Electronics, Communications and Information Technology (ECIT)
Queen’s University Belfast
Northern Ireland Science Park, Belfast, BT3 9DT
Northern Ireland
p.miller@ecit.qub.ac.uk

KEDIAN MU
School of Mathematical Sciences
Peking University, Beijing 100871, P. R. China
mukedian@math.pku.edu.cn

In this preliminary study, we investigate how inconsistency in a network intrusion detection rule set can be measured. To achieve this, we first examine the structure of these rules which are based on Snort and incorporate regular expression (Regex) pattern matching. We then identify primitive elements in these rules in order to translate the rules into their (equivalent) logical forms and to establish connections between them. Additional rules from background knowledge are also introduced to make the correlations among rules more explicit. We measure the degree of inconsistency in formulae of such a rule set (using the Scoring function, Shapley inconsistency values and Blame measure for prioritized knowledge) and compare the

*This is a revised and significantly extended version of [1].