Enhancing the performance of signature-based network intrusion detection systems : An engineering approach

Research output: Journal Publications and Reviews (RGC: 21, 22, 62) > 22_Publication in policy or professional journal

Detail(s)

Original language: English
Pages (from-to): 209-222
Journal / Publication: HKIE Transactions (Hong Kong Institution of Engineers)
Volume: 21
Issue number: 4
Publication status: Published - 2 Oct 2014

Abstract

Signature-based network intrusion detection systems (NIDSs) are widely deployed in organisations of all kinds to defend against a range of attacks. In practice, however, these systems suffer from three major issues that significantly reduce their effectiveness: packet overload, expensive signature matching and massive numbers of false alarms. This paper proposes an adaptive framework that improves the overall performance of a signature-based NIDS such as Snort with respect to these three issues. The framework is implemented in an engineering manner through three components, each addressing one issue: a trust-based packet filter that reduces the number of packets to be inspected, an exclusive signature matching scheme that speeds up the matching process, and an intelligent machine learning-based false alarm filter that decreases the number of false alarms. In the evaluation, experimental results on a well-known benchmark and in a real network environment demonstrate that this approach and its implementation provide overall improvements for a signature-based NIDS such as Snort in packet filtration, signature matching and false alarm reduction.

Research Area(s)

  • false alarm reduction, network intrusion detection, network security, packet filtration, signature matching, signature-based approach, Snort