Mohamad Mehdi Moghimi - Research Staff Sepehr S. T. Co. Ltd.Tehran, Iran
Mohamad Saraee - Assistant Professor, ECE Department Isfahan University of Technology(IUT)Isfahan, Iran

Generally, multiple IDSs generates huge volume of alerts every minute and to manage these alerts, rule-based alert management systems are very important. It is critical to keep the rules inside these systems updated, based on the ever changing network environment. Rule Threshold Adjustment is the solution to this problem and it is able to keep the rules updated. Rule Threshold Adjustment tunes the internal thresholds and keeps the structure unchanged. In this paper, we propose a hybrid threshold Adjustment framework by combining both the online and offline adjustment module together. This hybrid adjustment will be more robust and efficient in adjustment the threshold in real time and to keep the threshold fine-adjusted. The online module should work in real time to adjust the thresholds, whereas the offline module will be using some parts of the recent alerts to adjust the thresholds. We have implemented this method and evaluated it using real-world datasets. Our approach was successfully able to adjust the rules in all the cases with marginal error.

Hybrid Rule Threshold Adjustment, Intrusion Detection, Rule-based System