DocumentCode
2989661
Title
A Generic Scheme for the Construction of Contextual Signatures with Hash Function in Intrusion Detection
Author
Meng, Yuxin ; Kwok, Lam-for
Author_Institution
Comput. Sci. Dept., City Univ. of Hong Kong, Hong Kong, China
fYear
2011
fDate
3-4 Dec. 2011
Firstpage
978
Lastpage
982
Abstract
The detection accuracy of signature-based intrusion detection systems depends heavily on the capability of their signatures, and these systems are more accurate than anomaly-based approaches. However, they suffer from a large number of non-critical alarms generated during the detection process, which increase the analysis burden and lower the effectiveness of intrusion detection systems in real deployments. We argue that this bottleneck stems primarily from the lack of information related to the actual settings. To mitigate this limitation, we advocate combining intrusion detection signatures with contextual information as a promising and effective solution. In this paper, we propose a novel scheme for the construction of contextual signatures in intrusion detection systems by means of a hash function to identify and filter out non-critical alarms. Moreover, we indicate that our scheme is compatible with different representations of intrusion detection signatures. In the evaluation, we realize our generic scheme as a specific implementation and explore its performance in experimental settings.
Keywords
cryptography; digital signatures; contextual signatures; hash function; signature-based intrusion detection systems; Accuracy; Concrete; Databases; Engines; IP networks; Intrusion detection; contextual signature; hash function; intrusion detection;
fLanguage
English
Publisher
IEEE
Conference_Titel
Computational Intelligence and Security (CIS), 2011 Seventh International Conference on
Conference_Location
Hainan
Print_ISBN
978-1-4577-2008-6
Type
conf
DOI
10.1109/CIS.2011.219
Filename
6128270