CPC H04L 63/205 (2013.01) | 18 Claims |
1. A computer-implemented method, comprising:
accessing new intrusion detection system (IDS) rules to be deployed on an IDS that generates a plurality of alerts based on an applied ruleset;
starting a trial window comprising incorporating the new IDS rules into a candidate list to enable summarization and filtering of the plurality of alerts;
supplementing the applied ruleset that comprises existing IDS rules with the candidate list that comprises the new IDS rules;
upon the supplementation, transmitting the applied ruleset to a network sensor associated with the IDS;
receiving, from the IDS, the plurality of alerts generated based on network events implicated by both the existing IDS rules and the new IDS rules in the applied ruleset;
designating a set of alerts of the plurality of alerts generated only by the new IDS rules in the applied ruleset as suppressed alerts;
upon completion of the trial window, eliminating a set of new IDS rules of the new IDS rules from the applied ruleset upon determining that the set of new IDS rules generate a subset of alerts of the set of alerts that exceed an alert threshold; and
transmitting the applied ruleset to the network sensor associated with the IDS.
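The trial-window procedure claimed above, as an added illustration that is not part of the patent text and does not reproduce any implementation described there. It is written in Python with constructed sample traffic: regex "rules" stand in for real IDS signatures, `run_sensor` is a hypothetical stand-in for the network sensor, and alerts raised by candidate rules are counted but suppressed from the analyst-facing stream. At the end of the window, any candidate rule whose suppressed-alert count exceeds the threshold is eliminated before the ruleset is sent back to the sensor. All rule SIDs, patterns, events and function names are assumptions chosen for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    sid: int        # rule identifier (assumed numbering, not from the patent)
    pattern: str    # regex stand-in for an IDS signature


@dataclass(frozen=True)
class Alert:
    sid: int
    event_id: int


@dataclass
class TrialResult:
    surfaced: list          # alerts from existing rules, shown to analysts
    suppressed: list        # alerts from candidate rules, counted but hidden
    eliminated: set         # candidate SIDs dropped after the trial window
    final_ruleset: list     # applied ruleset transmitted to the sensor


def run_sensor(ruleset, events):
    """Hypothetical IDS sensor: one alert per (rule, event) match."""
    alerts = []
    for event_id, event in enumerate(events):
        for rule in ruleset:
            if re.search(rule.pattern, event):
                alerts.append(Alert(rule.sid, event_id))
    return alerts


def serialize_ruleset(ruleset):
    """Stand-in for 'transmitting the applied ruleset to the network sensor'."""
    return [f"sid:{r.sid}; pattern:{r.pattern}" for r in ruleset]


def trial_deploy(existing, candidates, events, alert_threshold):
    """Run one trial window and return the ruleset that survives it."""
    candidate_sids = {r.sid for r in candidates}
    # Supplement the applied ruleset with the candidate list.
    applied = list(existing) + list(candidates)
    # Sensor evaluates both existing and new rules over the same traffic.
    alerts = run_sensor(applied, events)
    # Alerts produced by candidate rules are designated suppressed.
    surfaced = [a for a in alerts if a.sid not in candidate_sids]
    suppressed = [a for a in alerts if a.sid in candidate_sids]
    # Trial window complete: count suppressed alerts per candidate rule.
    counts = Counter(a.sid for a in suppressed)
    eliminated = {sid for sid, n in counts.items() if n > alert_threshold}
    final_ruleset = [r for r in applied if r.sid not in eliminated]
    return TrialResult(surfaced, suppressed, eliminated, final_ruleset)


# Constructed sample input: normalized HTTP request summaries.
EVENTS = [
    "GET /index.html HTTP/1.1 User-Agent: Mozilla/5.0",
    "GET /../../etc/passwd HTTP/1.1 User-Agent: curl/8.4",
    "GET /api/health HTTP/1.1 User-Agent: curl/8.4",
    "GET /api/health HTTP/1.1 User-Agent: curl/8.4",
    "GET /download?f=cmd.exe HTTP/1.1 User-Agent: python-requests/2.31",
    "GET /api/health HTTP/1.1 User-Agent: curl/8.4",
]

# Assumed existing rule (already trusted) and two candidate rules, one of
# which is far too noisy for this traffic.
EXISTING = [Rule(1000001, r"etc/passwd")]
CANDIDATES = [Rule(2000001, r"User-Agent: curl"), Rule(2000002, r"cmd\.exe")]
ALERT_THRESHOLD = 2


def demo():
    result = trial_deploy(EXISTING, CANDIDATES, EVENTS, ALERT_THRESHOLD)
    for line in serialize_ruleset(result.final_ruleset):
        print(line)
    return result


if __name__ == "__main__":
    demo()
```

The threshold here is a raw count over the whole window; in practice it should be normalized to the window length and traffic volume, and a candidate rule that never fires during the trial is retained even though its precision is still unknown. Note also that the alert on the `/etc/passwd` request is surfaced because an existing rule matched it, while the candidate rule's alert on the same event is still counted toward elimination.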