Adaptive non-critical alarm reduction using hash-based contextual signatures in intrusion detection

Abstract

Signature-based intrusion detection systems (IDSs) have been widely deployed in network environments aiming to defend against different kinds of attacks. However, a large number of alarms, especially noncritical alarms could be generated during the detection, which can greatly lower the effectiveness of detection and increase the difficulty in analyzing the generated IDS alarms. The main reason is that the detection capability of a signature-based IDS heavily depends on its signatures, whereas current IDS signatures are short of information related to actual deployment (i.e., lacking of contextual information). In addition, the traditional signature matching is a key limiting factor for IDSs in which the processing burden is at least linear to the size of an input string. To mitigate these issues, in this paper, we propose a novel scheme of hash-based contextual signatures that combines the original intrusion detection signatures with contextual information and hash functions. By using hash functions, our scheme can be used to construct an adaptive hash-based non-critical alarm filter which can further improve the performance of existing contextual signatures in filtering out non-critical alarms. Some examples of contextual information matching are also provided. In the evaluation, we discuss how to choose appropriate hash functions and investigate the performance upon implementation of the scheme with a real dataset and in a real network environment. The experimental results are positive and indicate that our scheme is encouraging and effective in filtering out non-critical alarms.