Dealing with Security Alert Flooding: Using Machine Learning for Domain-independent Alert Aggregation

Authors

Abstract

Intrusion Detection Systems (IDS) secure all kinds of IT infrastructures through the automatic detection of malicious activities. Unfortunately, they are known to produce large numbers of alerts that often become overwhelming for manual analysis. Therefore, aggregation methods have been developed for filtering, grouping, and correlating alerts. However, existing techniques either rely on manually defined attack scenarios or require specific alert formats, such as IDMEF, that include IP addresses. This makes their application infeasible for alerts from host-based and anomaly-based IDSs, which frequently lack network-related data. In this paper, we therefore present a domain-independent alert aggregation technique. We introduce similarity measures and merging strategies for arbitrary semi-structured alert groups. Based on these metrics, we propose an incremental procedure for the generation of abstract alert patterns that enable continuous classification of incoming alerts. Evaluations show that our approach is capable of reducing the number of alert groups for human review by around 80% and of assigning classifiers with high true positive rates and false positive rates lower than 5%.


Similar sources

Using Unsupervised Learning for Network Alert Correlation

Alert correlation systems are post-processing modules that enable intrusion analysts to find important alerts and filter false positives efficiently from the output of Intrusion Detection Systems. Typically, however, these modules require high levels of human involvement in creating the system and/or maintaining it, as patterns of attacks change as often as from month to month. We present an al...


Intrusion Alert Aggregation System in Distributed Networks

A novel technique is proposed to aggregate the alerts produced when an intruder comes into existence in a distributed network. This becomes an essential task to cluster different types of alerts. Meta-alerts are generated from the clusters formed with all the relevant details of the attack in detail. This alert aggregation technique is developed as a dynamic, probabilistic model of the existin...


Alert correlation and prediction using data mining and HMM

Intrusion Detection Systems (IDSs) are security tools widely used in computer networks. While they seem to be promising technologies, they pose some serious drawbacks: When utilized in large and high traffic networks, IDSs generate high volumes of low-level alerts which are hardly manageable. Accordingly, there emerged a recent track of security research, focused on alert correlation, which ext...


Alert Flooding Attack on Snort and Its Mitigation Introduction

Network Intrusion Systems employ a number of sensors for efficient reporting of attacks on the hosts in a network. But a serious problem with these sensors is that the information they produce is in a low-level format and the system administrator gains no useful information from the report. In this report I am going to discuss the usage of a method to correlate the alerts produced, the at...


Protecting grids from cross-domain attacks using security alert sharing mechanisms

In single administrative domain networks there is only one security policy which can be evaluated by the IT security manager, thanks to monitoring and reporting tools. Grid networks are often composed of different administrative domains owned by different organizations dispersed globally. Such networks are referred to as multi-administrative domain networks. Each domain might have its own securit...


Journal

Journal title: ACM Transactions on Privacy and Security

Year: 2022

ISSN: 2471-2574, 2471-2566

DOI: https://doi.org/10.1145/3510581