A New Two-Stage Search Procedure for Misuse Detection

A new two-stage indexless search procedure is presented that makes use of the constrained edit distance in IDS misuse detection attack database search. The procedure consists of a preselection phase, in which the original dataset is reduced and the exhaustive search phase for the database records selected in the first phase. The maximum number of consecutive deletions represents the constraint. Besides eliminating the need for finer exhaustive search in the attack database records in which the detected subsequence is too distorted, the new search procedure also enables better control over the search process in the case of deliberate distortion of the attack strings. Experimental results obtained on the SNORT signature files show that the proposed method offers average search data set reduction in the typical cases of more than 70% compared to the method that uses the unconstrained edit distance.