Strategic Alert Throttling for Intrusion Detection Systems
Gianni Tedesco, Uwe Aickelin

TL;DR
This paper introduces a novel alert throttling technique for intrusion detection systems that combines token bucket filtering with real-time correlation to improve alert handling and resist flood attacks.
Contribution
It presents a new method integrating token bucket filters with attack graph-based correlation to enhance IDS alert throughput and prevent critical alert loss during flood attacks.
Findings
Improved alert throughput under attack conditions
Effective suppression of false alert floods
Preservation of critical alert information
Abstract
Network intrusion detection systems are themselves becoming targets of attackers. Alert flood attacks may be used to conceal malicious activity by hiding it among a deluge of false alerts sent by the attacker. Although these types of attacks are very hard to stop completely, our aim is to present techniques that improve alert throughput and capacity to such an extent that the resources required to successfully mount the attack become prohibitive. The key idea presented is to combine a token bucket filter with a real-time correlation algorithm. The proposed algorithm throttles alert output from the IDS when an attack is detected. The attack graph used in the correlation algorithm is used to make sure that alerts crucial to forming strategies are not discarded by throttling.
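As an added illustration (not code from the paper), the following Python model shows the core idea of the abstract: alert output passes through a token bucket, but an alert that extends an attack chain already observed for a source host bypasses the bucket so it cannot be lost in a flood. The attack graph, the (timestamp, source host, alert type) tuple format and the decoy traffic are all constructed for this example.

```python
from collections import defaultdict

# Constructed attack graph (not the paper's): stage -> stages that may follow it
# for the same source host.
ATTACK_GRAPH = {"portscan": {"exploit"}, "exploit": {"priv_esc"}, "priv_esc": {"exfil"}}

class StrategicThrottle:
    """Token-bucket alert throttle that never drops an alert extending a known chain."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst          # tokens/second, max stored
        self.tokens, self.last = float(burst), 0.0
        self.chains = defaultdict(set)               # source host -> stages seen

    def _take_token(self, now):
        # Refill in proportion to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True

    def process(self, alert):
        ts, src, kind = alert  # (timestamp, source host, alert type)
        seen = self.chains[src]
        # Strategic alert: a successor of a stage this host already reached.
        if any(kind in ATTACK_GRAPH.get(stage, ()) for stage in seen):
            seen.add(kind)
            return "kept"  # bypasses the bucket entirely
        if not self._take_token(ts):
            return "dropped"
        if kind in ATTACK_GRAPH:  # chain-starting stage admitted through the bucket
            seen.add(kind)
        return "kept"

def run(alerts, rate=10.0, burst=5):
    # Tuples sort by timestamp first; returns (kept alerts, number dropped).
    thr = StrategicThrottle(rate, burst)
    kept = [a for a in sorted(alerts) if thr.process(a) == "kept"]
    return kept, len(alerts) - len(kept)

def demo():
    # Constructed traffic: a four-stage intrusion from 10.0.0.7 buried in 2000
    # forged decoy alerts from 200 other hosts, all within two seconds.
    real = [(0.0, "10.0.0.7", "portscan"), (0.5, "10.0.0.7", "exploit"),
            (1.0, "10.0.0.7", "priv_esc"), (1.5, "10.0.0.7", "exfil")]
    flood = [(i / 1000.0, "192.0.2.%d" % (i % 200), "decoy") for i in range(2000)]
    return run(real + flood)
```

With a bucket of 10 tokens per second and a burst of 5, the flood is cut to at most a few dozen alerts while all four stages of the real chain survive; a plain token bucket would have dropped the later stages once the bucket ran dry.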
