Adaptive Alert Throttling for Intrusion Detection Systems
Gianni Tedesco, Uwe Aickelin

TL;DR
This paper proposes adaptive alert throttling for intrusion detection systems so that the fixed-capacity channel between the IDS and its operator cannot be neutralised by a flood of bogus alerts: alert throughput and effective channel capacity are raised until mounting a successful denial of service attack costs the attacker prohibitive resources.
Contribution
It introduces adaptive throttling methods that dynamically manage how alerts are communicated to the operator, improving the resilience of the IDS alert channel against denial of service attacks.
Findings
Higher alert throughput and capacity under attack conditions
The resources an attacker needs to saturate the alert channel become prohibitive
Such attacks cannot be stopped completely, only made far more expensive to mount
Abstract
Each time that an intrusion detection system raises an alert it must make some attempt to communicate the information to an operator. This communication channel can easily become the target of a denial of service attack because, like all communication channels, it has a fixed capacity. If this channel can become overwhelmed with bogus data, an attacker can quickly achieve complete neutralisation of intrusion detection capability. Although these types of attack are very hard to stop completely, our aim is to present techniques that improve alert throughput and capacity to such an extent that the resources required to successfully mount the attack become prohibitive.
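The following is an added illustration of the problem the abstract describes, not the paper's own implementation. It models the operator channel as carrying at most CAPACITY messages per one-second tick (an assumed figure), and shows a naive first-in-first-out channel losing a genuine alert behind a flood of bogus ones, beside a throttle that collapses alerts sharing a key (signature, source, destination) into one summary whose count grows while the channel is saturated and services distinct keys oldest-first. The alert key, the summary format and the sample traffic (a single signature spoofed from 40 source addresses, with one genuine alert per tick arriving behind it) are all constructed for the example.

```python
"""Alert throttling under a bogus-alert flood (added example; the channel
model, alert keys and sample traffic are assumptions, not the paper's)."""
from collections import OrderedDict
from dataclasses import dataclass

CAPACITY = 10  # assumed: messages the IDS -> operator channel carries per tick


@dataclass(frozen=True)
class Alert:
    tick: int   # arrival time in whole seconds
    sig: str    # rule / signature identifier
    src: str
    dst: str

    @property
    def key(self):
        return (self.sig, self.src, self.dst)


@dataclass
class Summary:
    """One message to the operator: a key plus how many alerts it stands for."""
    key: tuple
    count: int
    first_tick: int
    last_tick: int
    delivered_tick: int = -1


def deliver_fifo(alerts, capacity=CAPACITY):
    """Naive channel: one message per alert; whatever exceeds the per-tick
    capacity is dropped, so a flood arriving first starves everything behind it."""
    used, delivered = {}, []
    for a in alerts:
        if used.get(a.tick, 0) < capacity:
            used[a.tick] = used.get(a.tick, 0) + 1
            delivered.append(a)
    return delivered


class AlertThrottle:
    """Collapse alerts with the same key into one growing summary while the
    channel is saturated, and service pending keys oldest-first: a key costs
    the attacker one channel slot no matter how many alerts it generates."""

    def __init__(self, capacity=CAPACITY):
        self.capacity = capacity
        self.pending = OrderedDict()   # key -> Summary waiting for a slot
        self.delivered = []

    def ingest(self, alert):
        s = self.pending.get(alert.key)
        if s is None:
            self.pending[alert.key] = Summary(alert.key, 1, alert.tick, alert.tick)
        else:                          # channel busy: widen this key's window
            s.count += 1
            s.last_tick = alert.tick

    def flush(self, tick):
        """End of tick: hand at most `capacity` summaries to the operator."""
        for _ in range(min(self.capacity, len(self.pending))):
            _, s = self.pending.popitem(last=False)
            s.delivered_tick = tick
            self.delivered.append(s)


def deliver_throttled(alerts, capacity=CAPACITY):
    t = AlertThrottle(capacity)
    by_tick = {}
    for a in alerts:
        by_tick.setdefault(a.tick, []).append(a)
    tick = 0
    while tick <= max(by_tick) or t.pending:   # keep draining after the flood ends
        for a in by_tick.get(tick, []):
            t.ingest(a)
        t.flush(tick)
        tick += 1
    return t.delivered


def make_stream(ticks=3, spoofed_sources=40, per_source=50):
    """Constructed sample: per tick, one signature flooded from many spoofed
    sources, followed by a single genuine alert with its own signature."""
    alerts = []
    for tick in range(ticks):
        for i in range(spoofed_sources):
            alerts += [Alert(tick, "SID-1", f"203.0.113.{i}", "198.51.100.2")
                       for _ in range(per_source)]
        alerts.append(Alert(tick, f"SID-{100 + tick}", "192.0.2.9", "198.51.100.2"))
    return alerts


def is_genuine(key):
    return key[1] == "192.0.2.9"   # the constructed genuine alerts share this source


if __name__ == "__main__":
    stream = make_stream()
    fifo = deliver_fifo(stream)
    print("FIFO: %d messages, %d genuine" % (len(fifo), sum(is_genuine(a.key) for a in fifo)))
    for s in deliver_throttled(stream):
        if is_genuine(s.key):
            print("throttled: %s delivered at tick %d" % (s.key[0], s.delivered_tick))
```

With the sample stream the FIFO channel carries 30 messages, all from the first spoofed source, and none of the three genuine alerts. The throttle delivers all 6,000 bogus alerts as 60 summaries and every genuine alert, never exceeding the channel capacity in a tick; the genuine alerts are delayed by the number of distinct keys queued ahead of them, so an attacker who wants to delay a genuine alert by D ticks has to produce on the order of D times CAPACITY distinct keys, rather than simply D times CAPACITY alerts. That shift from alert volume to key diversity is the kind of increased attacker cost the abstract refers to; a production throttle would also need to bound memory for the pending table and choose a key that an attacker cannot vary for free.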
