An Approach to Verify, Identify and Prioritize IDS Alerts

The lack of an effective alert management technique to verify, identify and prioritize alerts is a well-known problem that severely degrades the worth of Intrusion Detection Systems (IDSs). IDSs often appear problematic because they trigger a huge number of non-interesting alerts, which diminish the value and urgency of the interesting ones. An average commercial IDS reports tens of thousands of alerts per day. Analysts rarely look at the voluminous alerts until a sign is reported by other security means, because identifying interesting alerts is a laborious and challenging task. Alerts evaluated in this manner are often unverified, misprioritized, misinterpreted, ignored, misclassified, delayed, or given undue attention. So far, none of the current alert management techniques appear to be effective. In this paper, we present our approach to verifying, identifying and prioritizing alerts based on post-processing of alerts. Central to our approach is the computation of new alert metrics that further describe and characterize the interestingness of alerts. We synergized Alert Verification and Alert Prioritization techniques to build an effective alert management technique. Our approach gives superior results when compared to other alert management techniques.
