Abstract

Signature-based network intrusion detection systems (NIDSs) are widely deployed in organisations to defend against various attacks. However, in practical applications these systems suffer from three major issues: packet overload, expensive signature matching and massive false alarms, which significantly decrease their effectiveness. In this paper, an adaptive framework is proposed to improve the overall performance of a signature-based NIDS such as Snort with respect to these issues. The framework is then implemented: a trust-based packet filter with an exclusive signature matching scheme, and an intelligent machine learning-based false alarm filter, are constructed to reduce target packets, improve the process of signature matching and decrease the number of false alarms, respectively. In the evaluation, the experimental results on a well-known benchmark and a real...
