Title :
A new framework for online rule threshold adjustment in intrusion detection
Author :
Moghimi, Mohamad Mehdi ; Saraee, Mohamad Hossein
Author_Institution :
Sepehr S. T. Co. Ltd., Tehran, Iran
Abstract :
Generally, rule-based systems work to make sense of a large volume of alerts generated by the intrusion detection systems (IDSs) every minute. Hence, it is very significant to verify that these systems are error-free and that the rules are suitable for the current network. This topic is addressed by Rule Adjustment, which automatically adjusts the rules based on the current network environment. The problem with the rule adjustment is to adjust the internal thresholds and to keep the structure unchanged. In this paper, we propose a method for adjusting the rules, online. This method does the threshold adjustment without changing the structure of the rules. Here, our approach for online threshold adjustment is to monitor the alerts and detect constant changes in them. And then, we adjust the appropriate thresholds. We have implemented this method and evaluated it using real-world datasets. Our approach was successfully able to adjust the rules in all the cases with marginal error.
Keywords :
knowledge based systems; security of data; internal thresholds; intrusion detection systems; marginal error; online rule threshold adjustment; rule-based system; Correlation; Firing; IP networks; Intrusion detection; Monitoring; Training; intrusion detection; rule-based system; threshold adjustment; time-series;
Conference_Titel :
Computer Science and Software Engineering (CSSE), 2011 CSI International Symposium on
Conference_Location :
Tehran
Print_ISBN :
978-1-61284-206-6
DOI :
10.1109/CSICSSE.2011.5963992
