• DocumentCode
    2432711
  • Title
    A new framework for online rule threshold adjustment in intrusion detection
  • Author
    Moghimi, Mohamad Mehdi ; Saraee, Mohamad Hossein
  • Author_Institution
    Sepehr S. T. Co. Ltd., Tehran, Iran
  • fYear
    2011
  • fDate
    15-16 June 2011
  • Firstpage
    143
  • Lastpage
    148
  • Abstract
    Rule-based systems are generally used to make sense of the large volume of alerts that intrusion detection systems (IDSs) generate every minute. It is therefore important to verify that these systems are error-free and that their rules are suitable for the current network. This topic is addressed by rule adjustment, which automatically adjusts the rules to the current network environment. The difficulty in rule adjustment is to adjust the internal thresholds while keeping the rule structure unchanged. In this paper, we propose a method for adjusting the rules online; it performs the threshold adjustment without changing the structure of the rules. Our approach to online threshold adjustment is to monitor the alerts, detect constant (persistent) changes in them, and then adjust the appropriate thresholds. We have implemented this method and evaluated it using real-world datasets. Our approach successfully adjusted the rules in all cases with marginal error.
  • Keywords
    knowledge based systems; security of data; internal thresholds; intrusion detection systems; marginal error; online rule threshold adjustment; rule-based system; Correlation; Firing; IP networks; Intrusion detection; Monitoring; Training; intrusion detection; rule-based system; threshold adjustment; time-series;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer Science and Software Engineering (CSSE), 2011 CSI International Symposium on
  • Conference_Location
    Tehran
  • Print_ISBN
    978-1-61284-206-6
  • Type
    conf
  • DOI
    10.1109/CSICSSE.2011.5963992
  • Filename
    5963992
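Worked illustration of the online threshold-adjustment idea the abstract describes: monitor the alert stream, distinguish a constant (persistent) change from a transient spike, and then retune only the numeric threshold of a rule, leaving the rule's structure (its condition) untouched. This is an added example, not code from the paper, and it does not reproduce the authors' algorithm: the Rule class, the warm-up baseline, the EWMA drift tracking, the persistence/tolerance/margin parameters and the per-window alert counts are all assumptions made here for the sake of a runnable demonstration.

```python
"""Online threshold adjustment for an IDS correlation rule (illustrative example)."""
from dataclasses import dataclass, field
from statistics import mean
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """A correlation rule whose structure is fixed; only `threshold` may be tuned."""
    name: str
    threshold: int

    def fires(self, alert_count: int) -> bool:
        # The condition itself never changes, only the number inside it.
        return alert_count >= self.threshold


@dataclass
class OnlineThresholdAdjuster:
    rule: Rule
    warmup: int = 5          # windows used to learn the initial baseline (assumed)
    persist: int = 3         # consecutive shifted windows that count as a constant change (assumed)
    tolerance: float = 0.5   # relative deviation from baseline that counts as shifted (assumed)
    margin: float = 1.5      # new threshold = margin * new baseline level (assumed)
    smoothing: float = 0.2   # EWMA weight for tracking slow, non-shift drift (assumed)
    history: List[int] = field(default_factory=list)
    baseline: Optional[float] = None
    adjustments: List[Tuple[int, int, int]] = field(default_factory=list)  # (window, old, new)
    _run: int = field(default=0, init=False)
    _dir: int = field(default=0, init=False)

    def observe(self, alert_count: int) -> bool:
        """Feed one monitoring window's alert count. Returns whether the rule fired."""
        fired = self.rule.fires(alert_count)   # evaluate with the current threshold first
        self.history.append(alert_count)

        if self.baseline is None:               # still warming up
            if len(self.history) >= self.warmup:
                self.baseline = mean(self.history[-self.warmup:])
            return fired

        deviation = (alert_count - self.baseline) / max(self.baseline, 1.0)
        direction = 1 if deviation > self.tolerance else (-1 if deviation < -self.tolerance else 0)

        if direction == 0:
            # Within tolerance: any run of shifted windows ends here, so a lone
            # spike (a likely attack) fires the rule but never retunes it.
            self._run, self._dir = 0, 0
            self.baseline = (1 - self.smoothing) * self.baseline + self.smoothing * alert_count
            return fired

        if direction == self._dir:
            self._run += 1
        else:
            self._dir, self._run = direction, 1

        if self._run >= self.persist:
            # Constant change confirmed: move the baseline and re-derive the threshold.
            new_level = mean(self.history[-self.persist:])
            old = self.rule.threshold
            self.rule.threshold = max(1, round(self.margin * new_level))
            self.baseline = new_level
            self.adjustments.append((len(self.history), old, self.rule.threshold))
            self._run, self._dir = 0, 0
        return fired


def simulate(counts: List[int], initial_threshold: int) -> Tuple[List[Tuple[int, int, int]], List[bool]]:
    """Run the adjuster over a sequence of per-window alert counts for one rule."""
    adj = OnlineThresholdAdjuster(Rule("ssh-bruteforce", initial_threshold))
    fired = [adj.observe(c) for c in counts]
    return adj.adjustments, fired


if __name__ == "__main__":
    # Constructed data: ~10 alerts per window, then the monitored segment grows to ~30.
    print(simulate([10, 11, 9, 12, 10, 28, 31, 31, 29, 32, 30], 20))
    # A single spike is not a constant change: it fires, but the threshold stays put.
    print(simulate([10, 11, 9, 12, 10, 60, 10, 10], 20))
```

In the first run the threshold is raised from 20 to 45 at window 8, after three consecutive windows above tolerance, and the rule stops firing on the new normal; in the second run the one-window spike fires the rule and leaves the threshold at 20. The practitioner caveat is the mirror image of that property: an attacker who raises the alert level slowly enough to look like a persistent change can drag the threshold up with it, so the `persist` and `margin` parameters bound how fast the rule can be desensitised, and every adjustment is recorded in `adjustments` so it can be logged and reviewed rather than silently applied.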