IDS alerts classification using knowledge-based evaluation

Most organizations deploy Signature based Intrusion Detection Systems (IDS) to monitor network activities for signs of security violations and these systems generate alerts whenever a known intrusion signature is detected in the network traffic. However, IDSs are known for generating many alerts, most of them being false. This makes the job of security analyst tougher as he/she has to sift through security events to filter out relevant alerts. In this process, the high priority alerts are not addressed quickly and there is a great risk of a legitimate attack going unnoticed. Many researchers have suggested various means of classifying the IDS alerts. A potentially useful candidate is to use network contextual information to segregate relevant and non-relevant alerts. In this paper we describe PIKE, Post-processor for IDS alerts using Knowledge-based Evaluation, a system that uses background information about the hosts present on the network and the vulnerability exploited to generate a score for each alert. The score is measure of the importance of the alert. A simple binary classifier then classifies the alert as relevant or irrelevant based on value of score threshold. PIKE makes the life of security analyst simpler by presenting the classified alerts which allows him/her to focus solely on the important alerts. We evaluate PIKE for a custom dataset and demonstrate the effectiveness of using contextual sensitivity as a basis of classification.