Methods for post-processing of alerts in intrusion detection: A survey

Intrusion detection is an important protection tool for computer systems and networks. In recent years it has become an essential piece in the IT security infrastructure of large organizations. Even though intrusion detection systems are installed in an increasing rate, they are often misused as the quality of alerts they produce is not satisfactory. High alert volume, high false positives rate and low level of information are the main reasons that security analysts cannot take full advantage of intrusion detection alert-sets. The aim of this survey is to summarize intrusion detection alerts’ post-processing research, which is categorized in false positives reduction, alerts’ correlation and visualisation. The most important efforts in the field are analyzed, while all recent methods are presented. Finally the present and the future of alerts post-processing research field is discussed. Keywords—Intrusion detection, alerts, post-processing, false positives reduction, correlation, visualization.