Signature-based intrusion detection systems are known to generate many noncritical alarms (alarms not related to a successful attack). Adding contextual information to IDSes is a promising avenue to identify noncritical alarms. Several approaches using contextual information have been suggested. However, it is not clear what are the benefits of using a specific approach. This paper establishes the effectiveness of using target configuration (i.e. operating system and applications) as contextual information for identifying noncritical alarms. Moreover, it demonstrates that current tools for OS discovery are not adequate for IDS context gathering.

doi.org/10.1007/978-3-642-02918-9_9
Carleton University

Gagnon, F, Massicotte, F. (Frédéric), & Esfandiari, B. (2009). Using contextual information for ids alarm classification (extended abstract). doi:10.1007/978-3-642-02918-9_9