Title :
Clustering of Snort alerts to identify patterns and reduce analyst workload
Author :
Harang, Richard; Guarino, P.
Author_Institution :
U.S. Army Res. Lab., ICF Int., Adelphi, MD, USA
fDate :
Oct. 29 2012-Nov. 1 2012
Abstract :
Pattern-matching intrusion detection system (IDS) tools such as Snort are known to generate an extremely large number of alerts. To address this problem, we present a greedy aggregation algorithm that efficiently reduces multiple alerts by grouping the raw output of IDS tools into "meta-alerts" that contain common information. In contrast to the current thrust of alert aggregation efforts, our approach does not require developing elaborate semantic structures for capturing information, nor creating and maintaining an external database containing information on attack vectors, network topologies, and cause-and-effect relationships. We apply our method to 30 days of Snort alerts, grouped by hour, and observe that we can reduce the number of analyst-visible Snort alerts by up to 99.5%, with an average reduction of approximately 83.2%.
Keywords :
greedy algorithms; pattern clustering; pattern matching; security of data; Snort alerts clustering; alert aggregation efforts; analyst workload reduction; attack vectors; cause-and-effect relationships; greedy aggregation algorithm; network topologies; pattern identification; pattern-matching intrusion detection system; Approximation algorithms; IP networks; Indexes; Intrusion detection; Semantics; Sensors; Vectors; Computer security; Information security; Intrusion detection
Conference_Title :
MILITARY COMMUNICATIONS CONFERENCE, 2012 - MILCOM 2012
Conference_Location :
Orlando, FL
Print_ISBN :
978-1-4673-1729-0
DOI :
10.1109/MILCOM.2012.6415777