Adaptive Alert Throttling for Intrusion Detection Systems
This addresses a critical security vulnerability for operators of intrusion detection systems, though it appears incremental as it builds on existing throttling concepts.
The paper tackles the problem of denial of service attacks on intrusion detection systems by overwhelming their alert communication channels, and it presents techniques that improve alert throughput and capacity to make such attacks prohibitively resource-intensive.
Each time that an intrusion detection system raises an alert it must make some attempt to communicate the information to an operator. This communication channel can easily become the target of a denial of service attack because, like all communication channels, it has a fixed capacity. If this channel can become overwhelmed with bogus data, an attacker can quickly achieve complete neutralisation of intrusion detection capability. Although these types of attack are very hard to stop completely, our aim is to present techniques that improve alert throughput and capacity to such an extent that the resources required to successfully mount the attack become prohibitive.