Title :
A Three-Stage Process to Detect Outliers and False Positives Generated by Intrusion Detection Systems
Author :
Fatma Hachmi;Khadouja Boujenfa;Mohamed Limam
Author_Institution :
ISG, Univ. of Tunis, Tunis, Tunisia
Abstract :
To protect computer networks from attacks and hackers, an intrusion detection system (IDS) should be integrated into the security architecture. Although detecting intrusions and attacks is the ultimate goal, IDSs generate a huge number of false alerts that the administrator cannot manage properly, along with many noisy alerts, or outliers. Much research has been devoted to improving IDS accuracy by reducing the false-alert rate and eliminating outliers. In this paper, we propose a three-stage process to detect false alerts and outliers. In the first stage, we cluster the set of elementary alerts into a set of meta-alerts. Then we remove outliers from the set of meta-alerts by solving a binary optimization problem. In the last stage, a binary classification algorithm is proposed to classify each meta-alert as either a false alert or a real attack. Experimental results show that the proposed process outperforms competing methods, significantly reducing the rate of false alerts and outliers.
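The following is an added example illustrating the shape of the three-stage pipeline the abstract describes; it is not the authors' code, and the page does not give their clustering key, their optimization formulation or their classifier, so every concrete rule here is an assumption of this example: stage 1 groups elementary alerts sharing (source, destination, signature) within a time window, stage 2 replaces the binary optimization with a robust z-score rule on the log of the meta-alert size, and stage 3 is a nearest-centroid classifier trained on a small constructed labelled set. The alert records and training set are constructed for the example.

```python
"""Three-stage IDS alert post-processing, as an added illustration of the pipeline
shape the abstract describes. Every concrete rule below is an assumption of this
example, not the paper's algorithm: the clustering key, the robust z-score
outlier rule and the nearest-centroid classifier are stand-ins."""
import math
from collections import OrderedDict
from statistics import median

# Constructed elementary alerts (time_s, src, dst, signature); not from any dataset.
ALERTS = [
    (0, "10.0.0.5", "10.0.1.2", "SCAN nmap"), (1, "10.0.0.5", "10.0.1.2", "SCAN nmap"),
    (2, "10.0.0.5", "10.0.1.2", "SCAN nmap"), (3, "10.0.0.5", "10.0.1.2", "SCAN nmap"),
    (4, "10.0.0.5", "10.0.1.2", "SCAN nmap"), (5, "10.0.0.5", "10.0.1.2", "SCAN nmap"),
    (10, "10.0.0.9", "10.0.1.2", "WEB sqli"), (11, "10.0.0.9", "10.0.1.2", "WEB sqli"),
    (12, "10.0.0.9", "10.0.1.2", "WEB sqli"), (13, "10.0.0.9", "10.0.1.2", "WEB sqli"),
    (0, "10.0.2.1", "10.0.1.7", "ICMP ping"), (60, "10.0.2.1", "10.0.1.7", "ICMP ping"),
    (120, "10.0.2.1", "10.0.1.7", "ICMP ping"), (180, "10.0.2.1", "10.0.1.7", "ICMP ping"),
    (240, "10.0.2.1", "10.0.1.7", "ICMP ping"),   # monitoring probe once a minute
    (400, "10.0.3.3", "10.0.1.2", "DNS txt query"),  # isolated single alert
] + [(20 + i, "10.0.4.4", "10.0.1.9", "SSH brute") for i in range(8)]


def build_meta_alerts(alerts, window_s=300):
    """Stage 1 (assumed rule): elementary alerts sharing (src, dst, signature) and
    falling within window_s of the cluster's first alert form one meta-alert."""
    clusters = OrderedDict()  # (src, dst, sig) -> list of meta-alerts, last one open
    for t, src, dst, sig in sorted(alerts):
        group = clusters.setdefault((src, dst, sig), [])
        if group and t - group[-1]["start"] <= window_s:
            group[-1]["end"] = t
            group[-1]["count"] += 1
        else:
            group.append({"src": src, "dst": dst, "sig": sig,
                          "start": t, "end": t, "count": 1})
    return [m for group in clusters.values() for m in group]


def remove_outliers(meta_alerts, threshold=3.5):
    """Stage 2 (assumed rule, standing in for the paper's optimization): a meta-alert
    is an outlier when the robust z-score of log(count) (median/MAD, 0.6745 scale)
    exceeds threshold. Outliers are quarantined, not discarded: a single alert can
    also be a low-and-slow attack, so an analyst should still be able to see it."""
    logs = [math.log(m["count"]) for m in meta_alerts]
    med = median(logs)
    mad = median(abs(x - med) for x in logs)
    if mad == 0:  # degenerate spread: nothing can be called an outlier
        return list(meta_alerts), []
    kept, quarantined = [], []
    for m, x in zip(meta_alerts, logs):
        z = 0.6745 * (x - med) / mad
        (quarantined if abs(z) > threshold else kept).append(m)
    return kept, quarantined


def features(m):
    """Feature vector (assumed): log of alert count and alerts per second."""
    duration = m["end"] - m["start"]
    return (math.log(m["count"]), m["count"] / (duration + 1.0))


# Constructed labelled meta-alerts for training: (count, duration_s, label).
# Bursts are labelled attacks; slow periodic series are labelled false alerts.
TRAINING = [
    (7, 6, "attack"), (10, 9, "attack"), (4, 3, "attack"),
    (5, 240, "false"), (3, 120, "false"), (6, 300, "false"),
]


def train_centroids(training):
    """Stage 3 training (assumed classifier): one centroid per label."""
    sums = {}
    for count, duration, label in training:
        f = features({"count": count, "start": 0, "end": duration})
        s = sums.setdefault(label, [0.0, 0.0, 0])
        s[0] += f[0]; s[1] += f[1]; s[2] += 1
    return {label: (s[0] / s[2], s[1] / s[2]) for label, s in sums.items()}


def classify(meta_alert, centroids):
    """Stage 3: label the meta-alert by its nearest centroid (Euclidean distance)."""
    f = features(meta_alert)
    return min(centroids, key=lambda label: math.dist(f, centroids[label]))


def run_pipeline(alerts=ALERTS, training=TRAINING):
    """Run all three stages; returns ({signature: verdict}, [quarantined signatures])."""
    metas = build_meta_alerts(alerts)
    kept, quarantined = remove_outliers(metas)
    centroids = train_centroids(training)
    verdicts = {m["sig"]: classify(m, centroids) for m in kept}
    return verdicts, [m["sig"] for m in quarantined]


if __name__ == "__main__":
    verdicts, quarantined = run_pipeline()
    for sig, verdict in verdicts.items():
        print(f"{sig:15} -> {verdict}")
    print("quarantined as outliers:", quarantined)
```

On the constructed input the three bursts (scan, SQL injection, SSH brute force) are labelled attacks, the once-a-minute ping series is labelled a false alert, and the lone DNS alert is quarantined by stage 2. The quarantine list is the practitioner's safeguard: any outlier rule that keys on low support will also drop stealthy single-alert attacks, so removed meta-alerts should stay reviewable rather than vanish.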
Keywords :
"Clustering algorithms","Training","Intrusion detection","Noise measurement","Feature extraction","Correlation","Databases"
Conference_Titel :
Computer and Information Technology; Ubiquitous Computing and Communications; Dependable, Autonomic and Secure Computing; Pervasive Intelligence and Computing (CIT/IUCC/DASC/PICOM), 2015 IEEE International Conference on
DOI :
10.1109/CIT/IUCC/DASC/PICOM.2015.264