Title :
OutMet: A new metric for prioritising intrusion alerts using correlation and outlier analysis
Author :
Shittu, Riyanat ; Healing, Alex ; Ghanea-Hercock, Robert ; Bloomfield, Robin ; Muttukrishnan, Raj
Author_Institution :
Sch. of Electr. & Math. Sci., City Univ. London, London, UK
Abstract :
In a medium-sized network, an Intrusion Detection System (IDS) can produce thousands of alerts a day, many of which may be false positives. Identifying which of these alerts to prioritise is highly challenging. Alert correlation and alert prioritisation are both viable analytical methods commonly used to understand and prioritise alerts; however, to the authors' knowledge, very few dynamic prioritisation metrics exist. In this paper we propose OutMet, a new prioritisation metric based on measuring the degree to which an alert belongs to anomalous behaviour. OutMet combines alert correlation with outlier-based prioritisation analysis. We illustrate the effectiveness of OutMet by testing its ability to prioritise alerts generated from a 2012 red-team cyber-range experiment carried out as part of the BT Saturn programme. In one of the scenarios, OutMet reduced false positives by 99.3%.
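The abstract only states the idea (correlate alerts into candidate scenarios, then rank each alert by how anomalous it is). The following Python is an added illustration of that general pipeline; it is not the paper's OutMet metric and not code from the authors. The 30-second correlation window, the host-sharing rule, the information-content features (signature, source, destination rarity), the multi-signature component boost and the sample alerts are all assumptions made for this example.

```python
"""
Illustrative alert correlation plus outlier scoring for alert prioritisation.
Added example of the general idea only: NOT the OutMet metric from the paper.
The window, features and weighting below are assumptions for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime
import math

# Constructed sample alerts (hypothetical; not from the BT Saturn range data).
# Each tuple: (timestamp, signature, source IP, destination IP).
ATTACK_CHAIN = [
    ("2012-06-01 09:00:00", "ICMP PING NMAP", "10.0.0.9", "192.168.1.20"),
    ("2012-06-01 09:00:05", "WEB-MISC /etc/passwd access", "10.0.0.9", "192.168.1.20"),
    ("2012-06-01 09:00:20", "ATTACK-RESPONSES id check returned root", "192.168.1.20", "10.0.0.9"),
    ("2012-06-01 09:00:40", "POLICY outbound SSH to external host", "192.168.1.20", "203.0.113.7"),
]
# Thirty near-identical SNMP alerts, one per minute, modelling benign monitoring noise.
NOISE = [
    (f"2012-06-01 10:{i:02d}:00", "SNMP request udp", f"10.0.1.{i + 1}", "192.168.1.1")
    for i in range(30)
]
SAMPLE_ALERTS = ATTACK_CHAIN + NOISE


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate(alerts, window_s=30):
    """Union-find correlation: two alerts are linked when they share a host
    (as source or destination) and are at most window_s seconds apart.
    Returns a list mapping alert index -> component id (0..k-1)."""
    order = sorted(range(len(alerts)), key=lambda i: _parse_ts(alerts[i][0]))
    parent = list(range(len(alerts)))

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for pos, i in enumerate(order):
        ti = _parse_ts(alerts[i][0])
        hosts_i = {alerts[i][2], alerts[i][3]}
        # Walk back over earlier alerts until the time window is exceeded.
        for j in reversed(order[:pos]):
            if (ti - _parse_ts(alerts[j][0])).total_seconds() > window_s:
                break
            if hosts_i & {alerts[j][2], alerts[j][3]}:
                parent[find(i)] = find(j)
    roots = {}
    return [roots.setdefault(find(i), len(roots)) for i in range(len(alerts))]


def outlier_scores(alerts, window_s=30):
    """Score each alert by how surprising its signature, source and destination
    are (information content, -ln p over the whole alert set), then boost alerts
    whose correlated component spans several distinct signatures, i.e. looks
    like a multi-stage scenario rather than one repeating event."""
    n = len(alerts)
    sig_c = Counter(a[1] for a in alerts)
    src_c = Counter(a[2] for a in alerts)
    dst_c = Counter(a[3] for a in alerts)
    comp = correlate(alerts, window_s)
    sigs_in_comp = defaultdict(set)
    for a, c in zip(alerts, comp):
        sigs_in_comp[c].add(a[1])
    scores = []
    for a, c in zip(alerts, comp):
        rarity = sum(-math.log(cnt[key] / n)
                     for cnt, key in ((sig_c, a[1]), (src_c, a[2]), (dst_c, a[3])))
        scores.append(rarity * (1 + math.log(len(sigs_in_comp[c]))))
    return scores


def rank_alerts(alerts, window_s=30):
    """Return alert indices ordered from most to least anomalous."""
    scores = outlier_scores(alerts, window_s)
    return sorted(range(len(alerts)), key=lambda i: scores[i], reverse=True)


def suppressed_fraction(alerts, threshold, window_s=30):
    """Fraction of alerts an analyst would not see at a given score cut-off;
    this is the quantity a prioritisation metric trades against missed attacks."""
    scores = outlier_scores(alerts, window_s)
    return sum(s < threshold for s in scores) / len(scores)


if __name__ == "__main__":
    scores = outlier_scores(SAMPLE_ALERTS)
    for i in rank_alerts(SAMPLE_ALERTS)[:6]:
        print(f"{scores[i]:6.2f}  {SAMPLE_ALERTS[i][1]}  {SAMPLE_ALERTS[i][2]} -> {SAMPLE_ALERTS[i][3]}")
```

On this constructed input the four chained reconnaissance/exploit/post-exploitation alerts form one correlated component and rank above all thirty SNMP alerts, and a threshold set at the weakest chain alert suppresses 30 of 34 alerts. The point of the exercise is the same trade-off the paper measures: how much benign volume a metric removes while keeping every stage of the real scenario visible. Real deployments would replace the toy features with whatever the correlation graph actually exposes, and any threshold must be checked against missed-attack rate, not just suppression rate.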
Keywords :
computer network security; correlation methods; graph theory; BT Saturn programme; IDS; OutMet; alert correlation and prioritisation analysis; correlation analysis; dynamic prioritisation metrics; intrusion alerts; intrusion detection system; medium sized network; outlier analysis; red-team cyber-range experiment; Cities and towns; Complexity theory; Context; Correlation; Educational institutions; IP networks; Measurement; Alert Correlation; Attack Scenario; Graph Mining; IDS Logs; Intrusion Alert Analysis; Intrusion Detection; Pattern Detection;
Conference_Title :
Local Computer Networks (LCN), 2014 IEEE 39th Conference on
Conference_Location :
Edmonton, AB
Print_ISBN :
978-1-4799-3778-3
DOI :
10.1109/LCN.2014.6925787