IDS alerts classification using knowledge-based evaluation

Most organizations deploy signature-based Intrusion Detection Systems (IDS) to monitor network activity for signs of security violations; these systems raise an alert whenever a known intrusion signature is detected in network traffic. However, IDSs are known for generating large numbers of alerts, most of them false positives. This makes the security analyst's job harder, as he/she has to sift through the security events to pick out the relevant alerts. In the process, high-priority alerts are not addressed quickly, and there is a real risk of a legitimate attack going unnoticed. Many researchers have proposed various ways of classifying IDS alerts. A promising candidate is to use network contextual information to separate relevant from non-relevant alerts. In this paper we describe PIKE, a Post-processor for IDS alerts using Knowledge-based Evaluation: a system that uses background information about the hosts present on the network and about the vulnerability an alert's signature exploits to compute a score for each alert. The score is a measure of the alert's importance. A simple binary classifier then labels the alert as relevant or irrelevant depending on whether the score exceeds a threshold. PIKE makes the analyst's life simpler by presenting the classified alerts, allowing him/her to focus solely on the important ones. We evaluate PIKE on a custom dataset and demonstrate the effectiveness of using contextual sensitivity as a basis for classification.
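The score-then-threshold pipeline the abstract describes, written out as an added example. This is not PIKE's code: the weights, the additive combination, the rule-metadata fields (target OS, CVE) and every host, port set, CVE id and alert below are assumptions constructed for illustration. The one design choice worth copying is that missing context never suppresses an alert; only a positive contradiction (wrong OS, closed port, CVE absent from a scanned host) lowers the score.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# ---- context records (all sample data in this file is constructed for the example) ----

@dataclass
class Host:
    """One asset-inventory record. None means that piece of context is unknown."""
    ip: str
    os_family: Optional[str] = None        # e.g. "windows", "linux"
    open_ports: Optional[Set[int]] = None  # from a port scan; None = no scan data
    vulns: Optional[Set[str]] = None       # CVE ids from a vuln scanner; None = no data

@dataclass
class Signature:
    """What the IDS rule assumes about its target (taken from rule metadata; assumed fields)."""
    sid: int
    target_os: Optional[str] = None
    cve: Optional[str] = None

@dataclass
class Alert:
    sid: int
    src_ip: str
    dst_ip: str
    dst_port: int

# Assumed weights (not the paper's). They sum to 1, so the score lies in [0, 1].
WEIGHTS = {"os": 0.4, "port": 0.3, "vuln": 0.3}

def _component(context_known: bool, matches: bool) -> float:
    """Missing context cannot rule an attack out, so it scores as a match.
    Only a positive contradiction (OS differs, port closed, CVE absent) scores 0."""
    return 1.0 if (not context_known or matches) else 0.0

def score_alert(alert: Alert, sig: Signature, inventory: Dict[str, Host]) -> Tuple[float, List[str]]:
    """Return (score in [0, 1], list of reasons that lowered the score)."""
    host = inventory.get(alert.dst_ip)
    if host is None:
        # Fail closed: an alert against a host we know nothing about stays visible.
        return 1.0, ["target host not in inventory"]
    reasons: List[str] = []

    os_known = sig.target_os is not None and host.os_family is not None
    c_os = _component(os_known, sig.target_os == host.os_family)
    if c_os == 0.0:
        reasons.append(f"rule targets {sig.target_os}, host runs {host.os_family}")

    port_known = host.open_ports is not None
    c_port = _component(port_known, alert.dst_port in (host.open_ports or set()))
    if c_port == 0.0:
        reasons.append(f"port {alert.dst_port} not open on host")

    vuln_known = sig.cve is not None and host.vulns is not None
    c_vuln = _component(vuln_known, sig.cve in (host.vulns or set()))
    if c_vuln == 0.0:
        reasons.append(f"{sig.cve} not present on host")

    score = WEIGHTS["os"] * c_os + WEIGHTS["port"] * c_port + WEIGHTS["vuln"] * c_vuln
    return round(score, 2), reasons

def classify(alert: Alert, sig: Signature, inventory: Dict[str, Host], threshold: float = 0.7) -> dict:
    """Binary classifier: relevant iff score >= threshold."""
    score, reasons = score_alert(alert, sig, inventory)
    return {"sid": alert.sid, "dst": alert.dst_ip, "score": score,
            "relevant": score >= threshold, "reasons": reasons}

# ---- constructed sample inventory, rule metadata and alerts (placeholder CVE ids) ----
INVENTORY = {
    "10.0.0.5": Host("10.0.0.5", "linux", {22, 80}, {"CVE-0000-0001"}),
    "10.0.0.7": Host("10.0.0.7", "windows", {135, 445}, {"CVE-0000-0002"}),
    "10.0.0.9": Host("10.0.0.9", "linux"),          # only the OS is known
}
SIGNATURES = {
    1001: Signature(1001, target_os="windows", cve="CVE-0000-0002"),  # SMB exploit rule
    1002: Signature(1002, target_os="linux", cve="CVE-0000-0001"),    # web app exploit rule
}
ALERTS = [
    Alert(1001, "192.0.2.10", "10.0.0.5", 445),   # Windows exploit aimed at a Linux box
    Alert(1001, "192.0.2.10", "10.0.0.7", 445),   # same rule, vulnerable Windows host
    Alert(1002, "192.0.2.11", "10.0.0.9", 80),    # host with no scan data
    Alert(1002, "192.0.2.11", "10.0.0.5", 8080),  # right OS and CVE, but port closed
    Alert(1001, "192.0.2.12", "10.0.0.99", 445),  # host missing from inventory
]

def process(alerts=ALERTS, inventory=INVENTORY, signatures=SIGNATURES, threshold=0.7) -> List[dict]:
    """Score and classify every alert; this is what a post-processor would hand to the analyst."""
    return [classify(a, signatures[a.sid], inventory, threshold) for a in alerts]

if __name__ == "__main__":
    for r in process():
        tag = "RELEVANT  " if r["relevant"] else "irrelevant"
        print(f"{tag} sid={r['sid']} dst={r['dst']} score={r['score']} {r['reasons']}")
```

With these assumed weights, the Windows SMB alert against the Linux host scores 0.0 and is dropped, the same rule against the patched-late Windows host scores 1.0, and the alert with the right OS and CVE but a closed port lands exactly on the 0.7 threshold, so the threshold choice decides its fate. The caveat a practitioner should carry from this: contextual suppression is only as good as the inventory and scan data behind it. A stale port scan or an incomplete vulnerability list silently downgrades a real attack, which is why unknown context is scored as a match rather than a miss, and why the reasons are kept so the analyst can audit every alert that was suppressed.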
