EFM: Enhancing the performance of signature-based network intrusion detection systems using enhanced filter mechanism

Weizhi Meng, Wenjuan Li, Lam For Kwok

Research output: Journal article publication; Journal article; Academic research; peer-review

100 Citations (Scopus)

Abstract

Signature-based network intrusion detection systems (NIDSs) are widely deployed in current network security infrastructure. However, in a large-scale network environment these detection systems suffer from limitations such as network packet overload, expensive signature matching and massive numbers of false alarms. In this paper, we aim to develop an enhanced filter mechanism (named EFM) that comprehensively mitigates these issues. EFM consists of three major components: a context-aware blacklist-based packet filter, an exclusive signature matching component and a KNN-based false alarm filter. The experiments, conducted with two data sets and in a network environment, demonstrate that the proposed EFM can enhance the overall performance of a signature-based NIDS such as Snort in the aspects of packet filtration, signature matching improvement and false alarm reduction without affecting network security.

Original language: English
Pages (from-to): 189-204
Number of pages: 16
Journal: Computers and Security
Volume: 43
DOIs
Publication status: Published - Jun 2014
Externally published: Yes

Keywords

  • Blacklist generation
  • Enhanced filter mechanism
  • Exclusive signature matching
  • False alarm reduction
  • Intrusion detection
  • Network security
  • Packet filter

ASJC Scopus subject areas

  • General Computer Science
  • Law

