Publication details


Investigating the problem of IDS false alarms: An experimental study using Snort
Tjhai GC, Papadaki M, Furnell SM, Clarke NL
Proceeding of the 23rd International Information Security Conference (SEC 2008), Milan, Italy, 8-10 September, pp253-267, 2008

Signature-based detection is one of the most commonly used mechanisms in Intrusion Detection Systems (IDS): it relies on attack signatures to detect known malicious traffic. A significant problem facing current IDS technology, however, is the volume of false alarms. Fine-tuning can help by suppressing the signatures that generate the highest false alarm rates, but this raises the likelihood of the system missing real attacks, especially if the tuning is not done carefully. The main purpose of this paper is to investigate the extent of the false alarm problem in Snort, a popular open-source, signature-based IDS. A series of experiments was conducted to assess the problem on a private dataset, before and after fine-tuning Snort's signature set. The experiments revealed the severity of the false alarm problem: even after fine-tuning, the false alarm rate was only brought down to 87%.
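The tuning trade-off the abstract describes, as an added illustration that is not part of the paper or of the Snort distribution, in Snort 2.x threshold.conf syntax. The signature IDs and the address range are illustrative placeholders chosen for the example, not findings from the study. The first form is the careless tuning the abstract warns about; the two alternatives narrow the suppression so that the signature keeps firing for everyone else.

```conf
# --- Careless tuning: the signature is silenced everywhere. ---
# Any real attack matching sig_id 1852 is now invisible, which is the
# "missing real attacks" risk the abstract describes.
suppress gen_id 1, sig_id 1852

# --- Scoped suppression: silence the alert only for the source that is
#     known to trigger it legitimately (placeholder address range). ---
# The same signature still fires for every other source.
suppress gen_id 1, sig_id 1852, track by_src, ip 10.1.1.0/24

# --- Rate limiting instead of silencing: keep the first alert from each
#     source per minute and drop the repeats. ---
# The alert is still raised, so a real attack is still recorded, but a
# chatty source no longer floods the console with identical events.
event_filter gen_id 1, sig_id 1852, type limit, track by_src, count 1, seconds 60
```

The file is referenced from snort.conf with an `include threshold.conf` line. Before suppressing a signature outright, check how many of its alerts came from a small set of sources; if most did, a scoped `suppress` or an `event_filter` removes the noise without hiding the signature from the rest of the network.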
