EFM : Enhancing the performance of signature-based network intrusion detection systems using enhanced filter mechanism

Research output: Journal Publications and ReviewsRGC 21 - Publication in refereed journalpeer-review

93 Scopus Citations
View graph of relations


Related Research Unit(s)


Original languageEnglish
Pages (from-to)189-204
Journal / PublicationComputers and Security
Online published27 Feb 2014
Publication statusPublished - Jun 2014


Signature-based network intrusion detection systems (NIDSs) have been widely deployed in current network security infrastructure. However, these detection systems suffer from some limitations such as network packet overload, expensive signature matching and massive false alarms in a large-scale network environment. In this paper, we aim to develop an enhanced filter mechanism (named EFM) to comprehensively mitigate these issues, which consists of three major components: a context-aware blacklist-based packet filter, an exclusive signature matching component and a KNN-based false alarm filter. The experiments, which were conducted with two data sets and in a network environment, demonstrate that our proposed EFM can overall enhance the performance of a signature-based NIDS such as Snort in the aspects of packet filtration, signature matching improvement and false alarm reduction without affecting network security. © 2014 Elsevier Ltd. All rights reserved.

Research Area(s)

  • Blacklist generation, Enhanced filter mechanism, Exclusive signature matching, False alarm reduction, Intrusion detection, Network security, Packet filter