A method of operating an intrusion detection system. The system determines occurrence of a signature event indicative of a denial of service intrusion on a protected device. A value of a signature event counter is increased. The value of the signature event counter is adjusted to not include a count of signature events past a sliding window. The value of the signature event counter is determined to exceed a signature threshold quantity, followed by generation of an alert at a time subsequently recorded in a log. The log is cleared of entries past a permissible age. A present alert generation rate is determined as a ratio of the total number of timestamps in the log to the permissible age. The present alert generation rate is ascertained to exceed an alert generation rate threshold. A selected element of the signature set is altered to decrease the alert generation rate.