Multilevel Intrusion Alert Post-processing for the Elimination of False Positives
Author(s) - Riyad Am
Publication year - 2021
Publication title - International Journal for Research in Applied Science and Engineering Technology
Language(s) - English
Resource type - Journals
ISSN - 2321-9653
DOI - 10.22214/ijraset.2021.37789
Subject(s) - false positive paradox, intrusion detection system, computer science, prioritization, data mining, correlation, network security, computer security, artificial intelligence, mathematics, engineering, geometry, management science
Intrusion detection systems are the last line of defence in the network security domain. Improving the performance of intrusion detection systems always increases false positives, which is a serious problem in the field of intrusion detection. To overcome this issue to a great extent, we propose a multilevel post-processing of intrusion alerts that eliminates false positives produced by the various intrusion detection systems in the network. For this purpose, the alerts are normalized first. Then, a preliminary alert filtration phase prioritizes the alerts and removes irrelevant ones. The higher-priority alerts are then aggregated into a smaller number of hyper-alerts. In the final phase, alert correlation is performed and an alert correlation graph is constructed to find the causal relationships among the alerts, which further eliminates false positives. Experiments were conducted on the LLDOS 1.0 dataset to verify the approach and measure its accuracy.
Keywords: Intrusion detection system, alert prioritization, alert aggregation, alert correlation, LLDOS 1.0 dataset, alert correlation graph.