Improving the management of IDS alerts

Intrusion Detection Systems (IDSs) play a crucial role in minimizing the damage caused by computer attacks. Most IDSs are capable of detecting many attacks, but they are often problematic because they trigger a huge number of non-interesting alerts, which diminishes the value and urgency of the interesting ones. The analysts who review the alerts rarely examine the voluminous alert stream until a sign of compromise is reported by other security means, because identifying the interesting alerts is a laborious and challenging task. This has led to the emergence of many approaches for managing the overwhelming number of alerts, but the existing approaches suffer from several limitations. This paper conducts a comprehensive study and evaluation of the key approaches that aim to manage the huge number of alerts, in order to identify research gaps that will motivate researchers to develop better approaches. At the end of the review, the paper suggests a strategy that can be used to improve the quality of the final alerts.
