Title :
A Threat-Aware Signature Based Intrusion-Detection Approach for Obtaining Network-Specific Useful Alarms
Author :
Neelakantan, Subramanian ; Rao, Shrisha
Author_Institution :
Int. Inst. of Inf. Technol. - Bangalore, Bangalore
Date :
June 29 2008-July 5 2008
Abstract :
We present a model and architecture that enhances the traditional signature-based intrusion detection engine with threat-awareness capability. Signature-based network intrusion detection systems use a set of signatures S to evaluate captured network traffic for detecting intrusions. However, because the threat level of a network changes dynamically, only a subset s of S is relevant to the network at any given instant. Hence, we introduce a component called a dynamic threat profiler that periodically learns the changing nature of threats in a network. We model and prove the efficacy of the threat-aware signature-based intrusion detection approach for obtaining network-specific useful alarms. We also present our architecture and discuss its internal functions. Finally, we present our experiments based on various threat scenarios and the results obtained, which show that network-specific useful alarms formed 95 percent of the alarms generated using our model, compared with the traditional signature-based detection engine, where useful alarms form only 30 percent of the generated alarms.
Keywords :
mobile computing; security of data; telecommunication traffic; dynamic threat profiler; network intrusion detection systems; network traffic; network-specific useful alarms; signature based detection engine; threat-aware signature; Cities and towns; IP networks; Information technology; Intrusion detection; Monitoring; Protection; Protocols; Search engines; Telecommunication traffic; Traffic control;
Conference_Title :
Internet Monitoring and Protection, 2008. ICIMP '08. The Third International Conference on
Conference_Location :
Bucharest
Print_ISBN :
978-0-7695-3189-2
Electronic_ISBN :
978-0-7695-3189-2
DOI :
10.1109/ICIMP.2008.24