Title of article :
REAL TIME CLASSIFICATION AND CLUSTERING OF IDS ALERTS USING MACHINE LEARNING ALGORITHMS
Author/Authors :
T. Subbulakshmi, George Mathew, S. Mercy Shalinie and R. Abhilaash
Issue Information :
Journal issue, year 2010
Abstract :
Intrusion Detection Systems (IDS) monitor a secured network for evidence of malicious activities originating either inside or outside. Upon identifying suspicious traffic, the IDS generates and logs an alert. Unfortunately, most of the alerts generated are either false positives, i.e. benign traffic that has been classified as intrusions, or irrelevant, i.e. attacks that are not successful. The abundance of false positive alerts makes it difficult for the security analyst to find successful attacks and take remedial action. This paper describes a two-phase automatic alert classification system to assist the human analyst in identifying the false positives. In the first phase, the alerts collected from one or more sensors are normalized and similar alerts are grouped to form a meta-alert. These meta-alerts are passively verified against an asset database to find irrelevant alerts. In addition, an optional alert generalization is performed for root cause analysis, which reduces false positives with human interaction. In the second phase, the reduced alerts are labeled and passed to an alert classifier which uses machine learning techniques to build the classification rules. This helps the analyst in automatic classification of the alerts. The system is tested in real environments and found to be effective in dramatically reducing the number of alerts as well as false positives, and thereby reducing the workload of the human analyst.
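As an added illustration of the first phase described in the abstract (normalizing alerts from different sensors, grouping similar alerts into meta-alerts, and passively verifying them against an asset database), the following is example code written for this page, not code from the paper; the sensor names, field mappings, sample alerts and asset database are all constructed.

```python
from collections import defaultdict

# Constructed sample alerts from two hypothetical sensors using different field names.
RAW_ALERTS = [
    {"sensor": "snort-a", "sig": "IIS Unicode traversal", "src_ip": "10.0.0.5",
     "dst_ip": "192.0.2.10", "dst_port": 80, "target_os": "windows"},
    {"sensor": "snort-a", "sig": "IIS Unicode traversal", "src_ip": "10.0.0.5",
     "dst_ip": "192.0.2.10", "dst_port": 80, "target_os": "windows"},
    {"sensor": "ids-b", "signature": "IIS Unicode traversal", "source": "10.0.0.5",
     "destination": "192.0.2.10", "port": 80, "requires_os": "windows"},
    {"sensor": "ids-b", "signature": "SSH brute force", "source": "10.0.0.7",
     "destination": "192.0.2.20", "port": 22, "requires_os": "any"},
]

# Constructed asset database: what each monitored host actually runs.
ASSET_DB = {
    "192.0.2.10": {"os": "linux", "ports": {80, 443}},
    "192.0.2.20": {"os": "linux", "ports": {22}},
}

# Per-sensor mapping from native field names onto a common alert schema.
FIELD_MAPS = {
    "snort-a": {"sig": "signature", "src_ip": "src", "dst_ip": "dst", "dst_port": "port", "target_os": "os"},
    "ids-b": {"signature": "signature", "source": "src", "destination": "dst", "port": "port", "requires_os": "os"},
}

def normalize(alert):
    """Map one sensor-specific alert onto the common schema (signature, src, dst, port, os)."""
    mapping = FIELD_MAPS[alert["sensor"]]
    return {mapping[k]: v for k, v in alert.items() if k in mapping}

def build_meta_alerts(alerts):
    """Group normalized alerts sharing (signature, src, dst, port) into one meta-alert with a count."""
    groups = defaultdict(list)
    for a in map(normalize, alerts):
        groups[(a["signature"], a["src"], a["dst"], a["port"])].append(a)
    return [dict(members[0], count=len(members)) for members in groups.values()]

def verify(meta_alert, asset_db):
    """Passive verification: the attack is relevant only if the target host runs the OS
    the signature requires and actually listens on the targeted port."""
    asset = asset_db.get(meta_alert["dst"])
    if asset is None:
        return "unknown_asset"
    if meta_alert["os"] != "any" and meta_alert["os"] != asset["os"]:
        return "irrelevant"
    if meta_alert["port"] not in asset["ports"]:
        return "irrelevant"
    return "relevant"

def reduce_alerts(alerts, asset_db):
    """Phase one end to end: normalize, aggregate, then attach a verification verdict."""
    metas = build_meta_alerts(alerts)
    for m in metas:
        m["verdict"] = verify(m, asset_db)
    return metas
```

On the constructed input, four raw alerts collapse to two meta-alerts, and the IIS one is marked irrelevant because the asset database records the target as a Linux host.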
Keywords :
Machine learning , Alert Classification , Alert Generalization , Alert Verification , False positives , Intrusion detection
Journal title :
International Journal of Artificial Intelligence & Applications