Title :
Classifying IDS alerts automatically for use in correlation systems
Author :
MirShahJafari, Mohammad ; Ghavamnia, Hamed
Abstract :
The rapid growth of computer network usage, and the huge amount of sensitive data stored on and transferred through these networks, has escalated attacks and intrusions against them. Intrusion detection systems help detect these attacks, but the large number of false positives they generate has reduced their usability. Several methods, most of them based on classification, have been proposed to reduce these false positives. Aggregating similar alerts reduces both false positives and the sheer number of alerts, but it requires that similar alerts be assigned the same classification parameters. Correlation rules have been created that relate alerts on the basis of three parameters, so every alert must first be labeled with those parameters. Labeling alerts is time consuming, because deep knowledge of each alert is needed to identify its parameters correctly. This work has been carried out manually for 13000 Emerging Threats Snort signatures, and the result is used as a knowledge base for labeling further alerts. This paper proposes a method that labels similar signatures automatically: it extracts words from the signatures and identifies the words that determine these labels. To evaluate the method, around 1000 signatures that had been classified manually were classified by the method, and precision and recall were computed. The results show that a large proportion of signatures can be classified with this method.
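Added illustration (not the authors' code): the abstract describes labeling Snort signatures by extracting words from already-labeled signatures and reusing them as a knowledge base, then scoring the result with precision and recall. The sketch below does exactly that over the rule's msg option. The label set (recon, malware_c2, exploit, policy), the purity-threshold majority vote, and all rule strings are assumptions made here for the example; the abstract does not name the paper's three correlation parameters, and none of the msg strings are real Emerging Threats signatures.

```python
"""Labeling Snort signatures by word extraction from the msg field.

Added example, not the paper's implementation. Label names and the voting
scheme are hypothetical; every rule below is constructed sample data.
"""
import re
from collections import Counter, defaultdict

MSG_RE = re.compile(r'msg:\s*"([^"]*)"')


def make_rule(msg, sid):
    """Wrap a msg string in a minimal Snort rule (constructed sample data)."""
    return 'alert ip any any -> any any (msg:"%s"; sid:%d; rev:1;)' % (msg, sid)


def extract_words(rule):
    """Return the set of lowercase word tokens found in the rule's msg option.

    Only msg is used; header fields (protocol, ports, direction) and other
    options (content, pcre, sid) are deliberately ignored.
    """
    m = MSG_RE.search(rule)
    if not m:
        return set()
    return set(re.findall(r"[a-z0-9_]+", m.group(1).lower()))


def build_knowledge_base(labeled_rules):
    """Map each word to a Counter of the labels it co-occurred with."""
    kb = defaultdict(Counter)
    for rule, label in labeled_rules:
        for word in extract_words(rule):
            kb[word][label] += 1
    return kb


def label_signature(rule, kb, min_purity=0.6):
    """Vote one label per known word whose majority label is 'pure' enough.

    Words that never appeared in the knowledge base, or that are spread
    evenly over labels (such as the 'ET' prefix), abstain. Returns
    (label or None, vote Counter); None means 'left for manual labeling'.
    """
    votes = Counter()
    for word in extract_words(rule):
        if word not in kb:
            continue
        label, n = kb[word].most_common(1)[0]
        if n / sum(kb[word].values()) >= min_purity:
            votes[label] += 1
    if not votes:
        return None, votes
    return votes.most_common(1)[0][0], votes


def precision_recall(test_rules, kb):
    """Precision = correct / automatically labeled; recall = correct / all."""
    labeled = correct = 0
    for rule, truth in test_rules:
        predicted, _ = label_signature(rule, kb)
        if predicted is None:
            continue
        labeled += 1
        correct += predicted == truth
    precision = correct / labeled if labeled else 0.0
    recall = correct / len(test_rules) if test_rules else 0.0
    return precision, recall


# Constructed, manually labeled "knowledge base" rules (hypothetical msgs).
LABELED = [
    (make_rule("ET SCAN Potential SSH Scan", 1), "recon"),
    (make_rule("ET SCAN Nmap Scripting Engine User-Agent Detected", 2), "recon"),
    (make_rule("ET SCAN Suspicious inbound to MSSQL port 1433", 3), "recon"),
    (make_rule("ET TROJAN Generic Bot Check-in to CnC", 4), "malware_c2"),
    (make_rule("ET TROJAN Downloader Beacon to CnC Server", 5), "malware_c2"),
    (make_rule("ET TROJAN Backdoor Keepalive Check-in", 6), "malware_c2"),
    (make_rule("ET WEB_SERVER PHP Remote File Inclusion Attempt", 7), "exploit"),
    (make_rule("ET EXPLOIT Buffer Overflow Attempt in FTP USER command", 8), "exploit"),
    (make_rule("ET WEB_SPECIFIC_APPS SQL Injection Attempt UNION SELECT", 9), "exploit"),
]

# Constructed hold-out rules with their manual labels (hypothetical msgs).
TEST = [
    (make_rule("ET SCAN Potential VNC Scan 5800-5820", 10), "recon"),
    (make_rule("ET TROJAN Unknown Bot Check-in", 11), "malware_c2"),
    (make_rule("ET WEB_SERVER Remote Code Execution Attempt", 12), "exploit"),
    (make_rule("ET POLICY Outbound Plain Text Password", 13), "policy"),
    (make_rule("ET TROJAN SQL Injection Attempt by Bot", 14), "malware_c2"),
]

if __name__ == "__main__":
    kb = build_knowledge_base(LABELED)
    for rule, truth in TEST:
        predicted, votes = label_signature(rule, kb)
        print(predicted, truth, dict(votes))
    print("precision=%.2f recall=%.2f" % precision_recall(TEST, kb))
```

On the constructed hold-out set, three rules are labeled correctly, the POLICY rule is left unlabeled because none of its words occur in the knowledge base, and the TROJAN rule about SQL injection is mislabeled as exploit because the exploit vocabulary outvotes the trojan vocabulary, giving precision 0.75 and recall 0.60. That split between "unlabeled" and "wrongly labeled" is the reason the abstract reports both precision and recall: the first is the cost of unknown words, the second of ambiguous ones.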
Keywords :
computer network security; digital signatures; pattern classification; Emerging Threats Snort signatures; alert aggregation; alert assignment; alert correlation; alert labelling; attack detection; automatic IDS alert classification method; automatic signature labelling; classification parameters; computer network usage; correlation systems; false-positive reduction; intrusion detection systems; knowledge base; precision value; recall value; sensitive data storage; sensitive data transfer; signature classification; word extraction; Correlation; Data mining; Grippers; Intrusion detection; Knowledge based systems; Servers; Trojan horses; Alert labeling; Classification; Correlation;
Conference_Titel :
Information Security and Cryptology (ISCISC), 2014 11th International ISC Conference on
Conference_Location :
Tehran
DOI :
10.1109/ISCISC.2014.6994035