Title :
IDS alerts classification using knowledge-based evaluation
Author :
Gupta, Dheeraj ; Joshi, P.S. ; Bhattacharjee, A.K. ; Mundada, R.S.
Author_Institution :
Homi Bhabha Nat. Inst., Mumbai, India
Abstract :
Most organizations deploy signature-based Intrusion Detection Systems (IDS) to monitor network activity for signs of security violations; these systems generate alerts whenever a known intrusion signature is detected in the network traffic. However, IDSs are known for generating many alerts, most of them false. This makes the security analyst's job harder, as he/she has to sift through security events to filter out the relevant alerts. In the process, high-priority alerts are not addressed quickly and there is a real risk of a genuine attack going unnoticed. Many researchers have suggested various means of classifying IDS alerts. A potentially useful candidate is to use network contextual information to separate relevant from non-relevant alerts. In this paper we describe PIKE, a Post-processor for IDS alerts using Knowledge-based Evaluation: a system that uses background information about the hosts present on the network and the vulnerability exploited to generate a score for each alert. The score is a measure of the importance of the alert. A simple binary classifier then labels the alert as relevant or irrelevant by comparing the score against a threshold. PIKE makes the security analyst's life simpler by presenting classified alerts, which allows him/her to focus solely on the important ones. We evaluate PIKE on a custom dataset and demonstrate the effectiveness of using contextual sensitivity as a basis for classification.
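The abstract describes the mechanism only in outline: each alert is combined with background knowledge about the destination host (operating system, listening services, known vulnerabilities, asset value) to produce a score, and a threshold turns the score into a relevant/irrelevant label. The following Python is an added illustration of that idea and is not PIKE's own code; the weights, field names, host inventory and alerts are all constructed for the example, and the handling of hosts missing from the inventory (scored neutrally so they are not silently dropped) is a design choice of this example, not something the paper states.

```python
"""Context-aware scoring of signature-IDS alerts (added example, not PIKE's code).

Each alert carries what the signature is known to target (OS, service, CVE).
The knowledge base records what is actually true of each host. An alert that
targets a Windows SMB bug on a Linux host with no SMB listener is scored low;
the same alert against a Windows host that has the CVE is scored high.
All weights, hosts and alerts below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Host:
    ip: str
    os: str                                   # e.g. "windows", "linux"
    services: Dict[int, str] = field(default_factory=dict)  # port -> service
    vulns: Set[str] = field(default_factory=set)            # CVE ids present
    criticality: float = 1.0                  # asset value in [0, 1]


@dataclass
class Alert:
    sid: int                                  # signature id
    dst_ip: str
    dst_port: int
    target_os: Optional[str]                  # None = signature is OS-independent
    target_service: Optional[str]             # None = any service
    cve: Optional[str]                        # None = no CVE attached to the rule


# Constructed host inventory standing in for the "background information".
HOSTS: Dict[str, Host] = {
    "10.0.0.5": Host("10.0.0.5", "windows", {445: "smb", 3389: "rdp"},
                     {"CVE-2017-0144"}, criticality=0.9),
    "10.0.0.7": Host("10.0.0.7", "linux", {22: "ssh", 80: "http"},
                     set(), criticality=0.4),
}

# Hypothetical weights; they sum to 1 so the score lies in [0, 1].
WEIGHTS = {"os": 0.25, "service": 0.25, "vuln": 0.35, "criticality": 0.15}
UNKNOWN_HOST_SCORE = 0.5   # no context to corroborate or refute: keep it neutral


def score_alert(alert: Alert, hosts: Dict[str, Host]) -> float:
    """Return a relevance score in [0, 1] for one alert."""
    host = hosts.get(alert.dst_ip)
    if host is None:
        return UNKNOWN_HOST_SCORE

    # Does the exploit's target OS match the host's OS?
    os_match = 1.0 if alert.target_os in (None, host.os) else 0.0

    # Is the targeted service actually listening on the destination port?
    listening = host.services.get(alert.dst_port)
    service_match = 1.0 if alert.target_service in (None, listening) else 0.0

    # Is the exploited vulnerability known to be present on the host?
    if alert.cve is None:
        vuln_match = 0.5          # rule has no CVE: neither confirmed nor refuted
    else:
        vuln_match = 1.0 if alert.cve in host.vulns else 0.0

    return (WEIGHTS["os"] * os_match
            + WEIGHTS["service"] * service_match
            + WEIGHTS["vuln"] * vuln_match
            + WEIGHTS["criticality"] * host.criticality)


def classify(score: float, threshold: float = 0.5) -> str:
    """Binary classifier: score at or above the threshold means relevant."""
    return "relevant" if score >= threshold else "irrelevant"


def triage(alerts: List[Alert], hosts: Dict[str, Host],
           threshold: float = 0.5) -> List[Tuple[int, str, float, str]]:
    """Score and label every alert; returns (sid, dst_ip, score, label)."""
    out = []
    for a in alerts:
        s = score_alert(a, hosts)
        out.append((a.sid, a.dst_ip, round(s, 3), classify(s, threshold)))
    return out


# Constructed alerts: the same SMB signature fired against two hosts, a
# generic HTTP rule, and a hit on a host absent from the inventory.
SAMPLE_ALERTS = [
    Alert(1, "10.0.0.5", 445, "windows", "smb", "CVE-2017-0144"),
    Alert(1, "10.0.0.7", 445, "windows", "smb", "CVE-2017-0144"),
    Alert(2, "10.0.0.7", 80, None, "http", None),
    Alert(3, "10.0.0.9", 22, "linux", "ssh", None),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS, HOSTS):
        print(row)
```

The threshold is the analyst's knob: lowering it trades more noise for fewer missed attacks, and the example deliberately keeps alerts against hosts the inventory does not know about, since a stale knowledge base is the main way a scheme like this suppresses a genuine attack.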
Keywords :
computer network security; digital signatures; knowledge based systems; pattern classification; telecommunication traffic; IDS alert classification; PIKE; Signature based Intrusion Detection Systems; binary classifier; contextual sensitivity; knowledge based evaluation; knowledge-based evaluation; legitimate attack; network activities; network contextual information; network traffic; score threshold value; security violations; Accuracy; Context; Databases; Knowledge based systems; Monitoring; Organizations; Security; Alert classification; Context sensitivity; False positives; Network security; Signature based intrusion detection;
Conference_Titel :
Communication Systems and Networks (COMSNETS), 2012 Fourth International Conference on
Conference_Location :
Bangalore
Print_ISBN :
978-1-4673-0296-8
Electronic_ISBN :
978-1-4673-0297-5
DOI :
10.1109/COMSNETS.2012.6151339