TRINETR: An Intrusion Detection Alert Management System

TRINETR: An Intrusion Detection Alert Management and Analysis System by Jinqiao Yu Intrusion detection system (IDS) is a software system or hardware device deployed to monitor network and host activities including data flows and information accesses etc. to capture suspicious activities. In recent years, IDS has began to gain wide acceptance as a necessary and worthwhile investment on security. But current IDS products present many flaws including alert flooding, too many false alerts, lack of context awareness and security decision support etc. Many of these problems are severely hindering them from being used more efficiently in practice. To make the use of IDS products more efficient and generated alerts more accurate, this dissertation work an intrusion detection alert management and analysis project, dubbed as TRINETR, has been developed at Concurrent Engineering Research Center of West Virginia University. A novel alert management and analysis architecture is presented in the project. The architecture is composed of three key parts: (1) Alert Aggregation, (2) Knowledge-based Alert Evaluation and Security Decision Support, and (3) Alert Correlation. The project is aimed at reducing alert overload by aggregating alerts from multiple sensors to generate condensed views, reducing false positive alerts by integrating network and host system information into alert evaluation process, providing appropriate security solution suggestion regarding the evaluated alerts to facilitate decision making, and correlating intrusion events based on logical relations among them to generate global and synthesized alert report. Implementation and testing of a prototype system are also reported in this dissertation as well as a study of application of time series analysis approach into alert correlation.