DocumentCode
3516622
Title
Automated Technique for Debugging Network Intrusion Detection Systems
Author
Nehinbe, Joshua Ojo
Author_Institution
Univ. of Essex, Colchester, UK
fYear
2010
fDate
27-29 Jan. 2010
Firstpage
362
Lastpage
367
Abstract
Signature-based intrusion detection systems carry numerous redundant rules that never match a network attack during detection. At the same time, the toolkits are inefficient at matching every packet against the entire rule set in order to avoid false positives. There is no automated facility for debugging such expert systems so that the noisy signatures and rule sets that trigger false alerts can be isolated; instead, heuristic methods are applied, often wrongly, in production networks. As a result, network attacks still succeed on networks where detectors are deployed. This paper therefore presents an automated approach that enables system administrators to debug network detectors. We match the alerts generated by a network detector against one another to identify equivalent, duplicate and unique rules, and we then merge the equivalent rules so that only unique rules remain. When benchmarked against several kinds of realistic and synthetic datasets, this method debugged the expert systems efficiently.
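The abstract describes matching a detector's alerts against each other to sort rules into equivalent, duplicate and unique ones, then merging the equivalent rules. The following is an added illustration of that idea and is not code from the paper: the alert tuple format, the sample alert log, and the three working definitions (two rules are "equivalent" when they alerted on exactly the same packets, an alert is a "duplicate" when the same rule fires more than once on one packet, and a rule is "unique" when no other rule shares its packet set) are all assumptions made here.

```python
"""Added example: aggregate IDS alerts to find equivalent, duplicate and
unique rules, then merge the equivalent ones down to one representative.
The alert format and the rule definitions are assumptions for this
illustration; the paper's abstract does not specify them."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample alert log: (packet_id, rule_sid, message).
# In a real deployment these would be parsed from the detector's alert file.
SAMPLE_ALERTS: List[Tuple[int, int, str]] = [
    (1, 1000001, "SCAN nmap"),
    (1, 1000002, "SCAN nmap (legacy)"),
    (2, 1000001, "SCAN nmap"),
    (2, 1000002, "SCAN nmap (legacy)"),
    (2, 1000002, "SCAN nmap (legacy)"),  # same rule, same packet: duplicate alert
    (3, 1000003, "WEB-ATTACK sqli"),
    (4, 1000003, "WEB-ATTACK sqli"),
    (4, 1000004, "POLICY large POST"),
    (5, 1000005, "ICMP ping"),
]


def rule_coverage(alerts):
    """Map each rule sid to the frozenset of packet ids it alerted on, and
    count duplicate alerts (the same rule firing twice on one packet)."""
    coverage: Dict[int, set] = defaultdict(set)
    duplicates: Dict[int, int] = defaultdict(int)
    seen = set()
    for pkt, sid, _msg in alerts:
        if (pkt, sid) in seen:
            duplicates[sid] += 1
        seen.add((pkt, sid))
        coverage[sid].add(pkt)
    return {sid: frozenset(p) for sid, p in coverage.items()}, dict(duplicates)


def classify_rules(alerts):
    """Group rules by the packet set they matched.  Rules sharing an identical
    packet set are equivalent; a rule whose packet set is shared by no other
    rule is unique."""
    coverage, duplicates = rule_coverage(alerts)
    by_cov: Dict[frozenset, List[int]] = defaultdict(list)
    for sid, pkts in coverage.items():
        by_cov[pkts].append(sid)
    equivalent = sorted(sorted(sids) for sids in by_cov.values() if len(sids) > 1)
    unique = sorted(sids[0] for sids in by_cov.values() if len(sids) == 1)
    return {"equivalent": equivalent, "unique": unique, "duplicates": duplicates}


def merge_equivalent(alerts):
    """Keep the lowest sid of every equivalence class plus all unique rules;
    return (sids to keep, sids that can be disabled)."""
    result = classify_rules(alerts)
    keep = set(result["unique"])
    disable: List[int] = []
    for group in result["equivalent"]:
        keep.add(group[0])
        disable.extend(group[1:])
    return sorted(keep), sorted(disable)


if __name__ == "__main__":
    summary = classify_rules(SAMPLE_ALERTS)
    print("equivalent rule groups:", summary["equivalent"])
    print("unique rules:", summary["unique"])
    print("duplicate alert counts:", summary["duplicates"])
    print("keep / disable:", merge_equivalent(SAMPLE_ALERTS))
```

Equivalence judged on one traffic sample is evidence, not proof, that two signatures are interchangeable: two rules can coincide on a small capture and diverge on traffic the capture did not contain, so a rule flagged for disabling should be re-checked against further realistic and synthetic datasets, as the paper's benchmarking does, before it is removed from the rule set.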
Keywords
computer debugging; security of data; expert system debugging; intrusion detection systems; network attacks; network debugging; network detectors; realistic networks; system administrators; Computer networks; Debugging; Detectors; Event detection; Expert systems; Intelligent networks; Intelligent systems; Intrusion detection; Organizational aspects; Protection; intrusion aggregations; overlapping rules; signatures;
fLanguage
English
Publisher
ieee
Conference_Titel
Intelligent Systems, Modelling and Simulation (ISMS), 2010 International Conference on
Conference_Location
Liverpool
Print_ISBN
978-1-4244-5984-1
Type
conf
DOI
10.1109/ISMS.2010.72
Filename
5416067