DocumentCode :
3777665
Title :
Mining intrusion detection alerts for predicting severity of detected attacks
Author :
Doaa Hassan
Author_Institution :
Computers and Systems Department, National Telecommunication Institute, Cairo, Egypt
fYear :
2015
Firstpage :
38
Lastpage :
43
Abstract :
The log files produced by Network Intrusion Detection Systems (NIDS) provide a list of alerts with information about malicious network activities that have been performed. Various parameters of each alert in the log file can be revealed by a detailed analysis of such a log. Examples of those parameters include, but are not limited to, time stamp information, attack type, source and destination IP addresses, direction of alert and network application type. In this paper we propose a novel framework for mining the alerts in a NIDS output report log in order to automatically predict the severity of the attack revealed by those alerts using data mining classification techniques. Our framework automatically detects the attack severity using the type of suspicious traffic detected by the NIDS as a feature. Hence it can save the time spent manually analyzing the NIDS log file to categorize the various types of captured suspicious traffic according to the detected attack severity. Moreover, it can help the network security administrator to create policy rules that take immediate action against a detected network attack based on its predicted severity. The experimental results show that our approach correctly predicts the severity of attack for more than 99.2% of the alert samples included in the log output report of the deployed NIDS.
Keywords :
Data mining, Feature extraction, Intrusion detection, Communication networks, Cleaning, Training
Publisher :
ieee
Conference_Titel :
Information Assurance and Security (IAS), 2015 11th International Conference on
Type :
conf
DOI :
10.1109/ISIAS.2015.7492742
Filename :
7492742
Link To Document :