Using Alert Cluster to reduce IDS alerts

Intrusion Detection Systems (IDSs) are known to produce huge volumes of alerts. The interesting alerts are always mixed with irrelevant, duplicate and non-interesting ones. Huge volumes of poorly sorted and unclustered alerts frustrate the efforts of analysts trying to identify the interesting alerts. The unmanageable amount of poorly sorted alerts is therefore a critical issue affecting the effectiveness of IDSs. This paper proposes a better mechanism to compute the similarities of verified alerts using the distance among the new alert features. Our approach uses both a clustering technique and supporting evidence (vulnerability data) to build a robust Alert Cluster. Our goal was to reduce the unnecessary alert load and improve the quality of alerts sent to the analysts. We can confidently state that our approach significantly reduced the unnecessary alert load and improved the quality of alerts.
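The abstract describes two ingredients: a feature-distance measure used to cluster similar alerts, and vulnerability data used as supporting evidence to verify whether an alert targets a host that actually exposes the attacked service. The block below is an added illustration of that pipeline and is not the paper's own code. The feature set, the weighted-mismatch distance, the single-linkage clustering with a fixed threshold, the hypothetical `VULN_DB` lookup table and the sample alerts are all constructed assumptions made for this example; the paper's actual metric and data are not given on this page.

```python
"""Illustrative alert clustering with vulnerability-backed verification.

Added example, not the paper's code. The distance metric, clustering rule,
vulnerability table and sample alerts below are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass(frozen=True)
class Alert:
    alert_id: int
    signature: str      # IDS rule name
    src_ip: str
    dst_ip: str
    dst_port: int
    service: str        # service the rule is written against
    timestamp: datetime


# Constructed supporting evidence: which services each host actually runs.
# A real deployment would pull this from a vulnerability scanner or asset DB.
VULN_DB: Dict[str, Set[str]] = {
    "10.0.0.5": {"http", "ssh"},   # web server: web-attack rules are relevant
    "10.0.0.9": {"ssh"},           # no web service: web-attack rules are noise
}

# Feature weights for the distance (assumed): a mismatch on a heavier feature
# pushes two alerts further apart.
WEIGHTS = {"signature": 0.4, "src_ip": 0.2, "dst_ip": 0.2, "dst_port": 0.1, "time": 0.1}
TIME_WINDOW = timedelta(minutes=5)


def alert_distance(a: Alert, b: Alert) -> float:
    """Weighted mismatch distance in [0, 1]; 0.0 means the alerts look identical."""
    d = 0.0
    d += WEIGHTS["signature"] * (a.signature != b.signature)
    d += WEIGHTS["src_ip"] * (a.src_ip != b.src_ip)
    d += WEIGHTS["dst_ip"] * (a.dst_ip != b.dst_ip)
    d += WEIGHTS["dst_port"] * (a.dst_port != b.dst_port)
    d += WEIGHTS["time"] * (abs(a.timestamp - b.timestamp) > TIME_WINDOW)
    return d


def is_verified(alert: Alert) -> bool:
    """Supporting-evidence check: does the target really run the attacked service?"""
    return alert.service in VULN_DB.get(alert.dst_ip, set())


def cluster_alerts(alerts: List[Alert], threshold: float = 0.15) -> List[List[Alert]]:
    """Single-linkage clustering: an alert joins the first cluster that has a
    member within `threshold`; otherwise it starts a new cluster."""
    clusters: List[List[Alert]] = []
    for alert in alerts:
        for cluster in clusters:
            if any(alert_distance(alert, m) <= threshold for m in cluster):
                cluster.append(alert)
                break
        else:
            clusters.append([alert])
    return clusters


@dataclass
class ClusterSummary:
    signature: str
    dst_ip: str
    count: int
    verified: bool          # False = target lacks the service, low triage priority
    alert_ids: List[int] = field(default_factory=list)


def build_alert_clusters(alerts: List[Alert]) -> List[ClusterSummary]:
    """Cluster first, then attach the verification verdict to each cluster."""
    summaries: List[ClusterSummary] = []
    for cluster in cluster_alerts(alerts):
        rep = cluster[0]
        summaries.append(ClusterSummary(
            signature=rep.signature, dst_ip=rep.dst_ip, count=len(cluster),
            verified=any(is_verified(a) for a in cluster),
            alert_ids=[a.alert_id for a in cluster]))
    return summaries


def reduction_ratio(alerts: List[Alert], summaries: List[ClusterSummary]) -> float:
    """Fraction of raw alerts the analyst no longer has to look at individually."""
    return 1 - len(summaries) / len(alerts)


# Constructed sample alerts: a repeated web attack on two hosts plus an SSH event.
_T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_ALERTS: List[Alert] = [
    Alert(1, "WEB-ATTACK SQLi", "192.0.2.10", "10.0.0.5", 80, "http", _T0),
    Alert(2, "WEB-ATTACK SQLi", "192.0.2.10", "10.0.0.5", 80, "http", _T0 + timedelta(seconds=10)),
    Alert(3, "WEB-ATTACK SQLi", "192.0.2.10", "10.0.0.5", 80, "http", _T0 + timedelta(seconds=20)),
    Alert(4, "WEB-ATTACK SQLi", "192.0.2.10", "10.0.0.9", 80, "http", _T0 + timedelta(seconds=30)),
    Alert(5, "WEB-ATTACK SQLi", "192.0.2.10", "10.0.0.9", 80, "http", _T0 + timedelta(seconds=40)),
    Alert(6, "SSH brute force", "198.51.100.7", "10.0.0.9", 22, "ssh", _T0 + timedelta(seconds=60)),
]

if __name__ == "__main__":
    result = build_alert_clusters(SAMPLE_ALERTS)
    for c in result:
        print(f"{c.signature:16} -> {c.dst_ip:9} x{c.count} verified={c.verified} ids={c.alert_ids}")
    print(f"reduction: {reduction_ratio(SAMPLE_ALERTS, result):.0%}")
```

On the constructed input the six raw alerts collapse to three clusters (a 50% reduction), and the cluster against `10.0.0.9` port 80 is marked unverified because that host exposes no web service, so an analyst can deprioritise it without discarding it. The threshold of 0.15 is deliberately below the `dst_ip` weight so that the same attack against two different targets stays in separate clusters; tuning those weights against a labelled alert set is where the real work of an approach like the paper's lies.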
