An efficient method for evaluating alerts of Intrusion Detection Systems

With thousands of alerts raised by IDSs every day, distinguishing the alerts that matter (true positives) from those that are irrelevant (false positives) is becoming more complicated: the security administrator must analyze every single alert to decide whether it is a true or a false alert. This paper proposes an alert prioritization model based on risk assessment. The model uses indicators such as priority, reliability and asset value as decision factors to calculate an alert's risk. The objective is to determine the impact of certain alerts generated by the IDS on the security status of an information system, and also to improve intrusion detection with Snort by classifying the most critical alerts by their level of risk. Thus only the alerts that present a real threat are displayed to the security administrator, which reduces the number of false positives and minimizes the time spent analyzing alerts. The model was evaluated using the KDD Cup 99 dataset as the test environment and a pattern matching algorithm.
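As an added illustration of the risk-based prioritization the abstract describes (example code, not from the paper): it parses constructed Snort fast-format alert lines, combines the three named decision factors (priority, reliability, asset value) into a risk score, and returns only the alerts above a threshold, sorted by risk. The risk formula, the reliability and asset-value tables and the threshold are assumptions, since the abstract does not give them.

```python
import re
from dataclasses import dataclass

# Constructed Snort "fast" style alert lines (sample data, not from the paper).
SAMPLE_ALERTS = """\
[**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Priority: 2] {TCP} 203.0.113.7:51234 -> 192.0.2.10:22
[**] [1:1000001:1] LOCAL ICMP ping [**] [Priority: 3] {ICMP} 198.51.100.4 -> 192.0.2.50
[**] [1:2010935:2] ET SQL injection attempt [**] [Priority: 1] {TCP} 203.0.113.9:40000 -> 192.0.2.20:80
"""

# Assumed per-signature reliability (0-10) and per-host asset value (0-5);
# in a real deployment these come from rule tuning and an asset inventory.
RELIABILITY = {"1:2001219": 4, "1:1000001": 1, "1:2010935": 8}
ASSET_VALUE = {"192.0.2.10": 3, "192.0.2.50": 1, "192.0.2.20": 5}

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.+?) \[\*\*\] \[Priority: (?P<prio>\d)\] "
    r"\{\w+\} \S+ -> (?P<dst>[\d.]+)(?::\d+)?$")

@dataclass
class ScoredAlert:
    sig: str
    msg: str
    dst: str
    risk: float

def parse_alert(line):
    """Return the fields of one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.search(line)
    return m.groupdict() if m else None

def score(alert):
    """Combine priority, reliability and asset value into a 0..10 risk score (assumed formula)."""
    severity = 4 - int(alert["prio"])          # Snort priority 1 is highest: map 1->3, 2->2, 3->1
    sig = f"{alert['gid']}:{alert['sid']}"
    reliability = RELIABILITY.get(sig, 1)      # unknown signature: assume low reliability
    asset = ASSET_VALUE.get(alert["dst"], 1)   # unknown host: assume low value
    risk = severity * reliability * asset / 15.0   # max 3*10*5 = 150, normalised to 10
    return ScoredAlert(sig=sig, msg=alert["msg"], dst=alert["dst"], risk=round(risk, 2))

def prioritize(text, threshold):
    """Parse all alert lines, drop those below the risk threshold, highest risk first."""
    scored = [score(a) for a in map(parse_alert, text.splitlines()) if a]
    return sorted((s for s in scored if s.risk >= threshold), key=lambda s: -s.risk)

if __name__ == "__main__":
    for a in prioritize(SAMPLE_ALERTS, threshold=1.0):
        print(f"{a.risk:5.2f}  {a.sig:<12} {a.dst:<12} {a.msg}")
```

With the constructed data, the low-value ICMP ping scores 0.07 and is suppressed, while the SQL injection alert against the most valuable host ranks first.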
