Attacks on computer network are increasing everyday and most institution use Intrusion Detection System (IDS) to cope with that and most used IDS is the signature-based IDS, which need a database of rules when looking for an malicious packet. Yet there are two problems with this kind of IDS, first, not all people are able to create a signature or rule, therefore they need to wait for updates if they want to renew their database. Secondly, zero-day attack, attack that has never been happened before, is the main weakness of this IDS due to absence of its signature. We proposed Coro, an IDS signature generator that create an IDS rules based on honeypot log data. Coro uses graph clustering that make it be able to cluster data without the need to recompute the centroid. Coro focuses on HTTP, as it will be used to harden our e-voting system, but it is possible to be extended to other protocols. Our experiment showed that Coro was able to cluster around 5000 request in a short time and our graph clustering was a big help to that. Moreover, two threshold value used and data preprocessing in that experiment affected amount and quality of the generated rules.

Original languageEnglish
Pages (from-to)535-546
Number of pages12
JournalJournal of Theoretical and Applied Information Technology
Issue number3
Publication statusPublished - 30 Nov 2015


  • E-voting
  • Graph clustering
  • Graph mining
  • IDS
  • Rules generation


Dive into the research topics of 'Coro: Graph-based automatic intrusion detection system signature generator for evoting protection'. Together they form a unique fingerprint.

Cite this