TY - JOUR
T1 - EFM: Enhancing the performance of signature-based network intrusion detection systems using enhanced filter mechanism
AU - Meng, Weizhi
AU - Li, Wenjuan
AU - Kwok, Lam For
N1 - Funding Information:
This project was fully funded by the Innovation to Realization Funding Scheme of the City University of Hong Kong (under the project number 6351018). We would like to thank HoneybirdHK for providing the Honeypot data set and all anonymous reviewers for their valuable comments in improving this paper.
PY - 2014/6
Y1 - 2014/6
N2 - Signature-based network intrusion detection systems (NIDSs) have been widely deployed in current network security infrastructure. However, these detection systems suffer from some limitations such as network packet overload, expensive signature matching and massive false alarms in a large-scale network environment. In this paper, we aim to develop an enhanced filter mechanism (named EFM) to comprehensively mitigate these issues, which consists of three major components: a context-aware blacklist-based packet filter, an exclusive signature matching component and a KNN-based false alarm filter. The experiments, which were conducted with two data sets and in a network environment, demonstrate that our proposed EFM can overall enhance the performance of a signature-based NIDS such as Snort in the aspects of packet filtration, signature matching improvement and false alarm reduction without affecting network security.
AB - Signature-based network intrusion detection systems (NIDSs) have been widely deployed in current network security infrastructure. However, these detection systems suffer from some limitations such as network packet overload, expensive signature matching and massive false alarms in a large-scale network environment. In this paper, we aim to develop an enhanced filter mechanism (named EFM) to comprehensively mitigate these issues, which consists of three major components: a context-aware blacklist-based packet filter, an exclusive signature matching component and a KNN-based false alarm filter. The experiments, which were conducted with two data sets and in a network environment, demonstrate that our proposed EFM can overall enhance the performance of a signature-based NIDS such as Snort in the aspects of packet filtration, signature matching improvement and false alarm reduction without affecting network security.
KW - Blacklist generation
KW - Enhanced filter mechanism
KW - Exclusive signature matching
KW - False alarm reduction
KW - Intrusion detection
KW - Network security
KW - Packet filter
UR - http://www.scopus.com/inward/record.url?scp=84901240193&partnerID=8YFLogxK
U2 - 10.1016/j.cose.2014.02.006
DO - 10.1016/j.cose.2014.02.006
M3 - Journal article
AN - SCOPUS:84901240193
SN - 0167-4048
VL - 43
SP - 189
EP - 204
JO - Computers and Security
JF - Computers and Security
ER -