EFM: Enhancing the performance of signature-based network intrusion detection systems using enhanced filter mechanism

Weizhi Meng, Wenjuan Li, Lam For Kwok

Research output: Journal article publicationJournal articleAcademic researchpeer-review

75 Citations (Scopus)


Signature-based network intrusion detection systems (NIDSs) have been widely deployed in current network security infrastructure. However, these detection systems suffer from some limitations such as network packet overload, expensive signature matching and massive false alarms in a large-scale network environment. In this paper, we aim to develop an enhanced filter mechanism (named EFM) to comprehensively mitigate these issues, which consists of three major components: a context-aware blacklist-based packet filter, an exclusive signature matching component and a KNN-based false alarm filter. The experiments, which were conducted with two data sets and in a network environment, demonstrate that our proposed EFM can overall enhance the performance of a signature-based NIDS such as Snort in the aspects of packet filtration, signature matching improvement and false alarm reduction without affecting network security.

Original languageEnglish
Pages (from-to)189-204
Number of pages16
JournalComputers and Security
Publication statusPublished - Jun 2014
Externally publishedYes


  • Blacklist generation
  • Enhanced filter mechanism
  • Exclusive signature matching
  • False alarm reduction
  • Intrusion detection
  • Network security
  • Packet filter

ASJC Scopus subject areas

  • Computer Science(all)
  • Law

Cite this