DocumentCode
3005887
Title
Clustering of Snort alerts to identify patterns and reduce analyst workload
Author
Harang, Richard ; Guarino, P.
Author_Institution
U.S. Army Res. Lab., ICF Int., Adelphi, MD, USA
fYear
2012
fDate
Oct. 29 2012-Nov. 1 2012
Firstpage
1
Lastpage
6
Abstract
Pattern-matching intrusion detection system (IDS) tools such as Snort are known to generate an extremely large number of alerts. To address this problem, we present a greedy aggregation algorithm that efficiently reduces multiple alerts by grouping the raw output of IDS tools into 'meta-alerts' that contain common information. In contrast to the current thrust of alert aggregation efforts, our approach does not require developing elaborate semantic structures for capturing information, nor creating and maintaining an external database containing information on attack vectors, network topologies, and cause-and-effect relationships. We apply our method to 30 days of Snort alerts, grouped by hour, and observe that we can reduce the number of analyst-visible Snort alerts by up to 99.5%, with an average reduction of approximately 83.2%.
Keywords
greedy algorithms; pattern clustering; pattern matching; security of data; Snort alerts clustering; alert aggregation efforts; analyst workload reduction; attack vectors; cause-and-effect relationships; greedy aggregation algorithm; network topologies; pattern identification; pattern-matching intrusion detection system; Approximation algorithms; IP networks; Indexes; Intrusion detection; Semantics; Sensors; Vectors; Computer security; Information security; Intrusion detection;
fLanguage
English
Publisher
ieee
Conference_Titel
MILITARY COMMUNICATIONS CONFERENCE, 2012 - MILCOM 2012
Conference_Location
Orlando, FL
ISSN
2155-7578
Print_ISBN
978-1-4673-1729-0
Type
conf
DOI
10.1109/MILCOM.2012.6415777
Filename
6415777