• DocumentCode
    1666162
  • Title

    A correlative context-based framework for network intrusion detection system

  • Author

    Wang, Ye ; Abdel-Wahab, Hussein

  • Author_Institution
    Dept. of Comput. Sci., Old Dominion Univ., Norfolk, VA, USA
  • fYear
    2005
  • Firstpage
    463
  • Lastpage
    468
  • Abstract
    Intrusion detection system (IDS) is one of the most important security protection mechanisms. Although many IDS commercial products and research projects exist, we still face a serious problem under current systems, a high false positive rate. We observe that current network IDSs don't make full use of the information available from different levels and points of the protected network, and we argue that the utilization of this information is essential. We introduce a new framework for network IDSs based on a network context awareness (NCA) layer as an additional data source to IDSs. We describe the architecture of NCA and methods of how to extract network information into NCA. A correlation engine is presented that works on alerts generated by a specific IDS system (Snort) and NCA information. Our experimental results using simulated attacks show that our proposed solution significantly reduces the false alarm rate and has the potential to greatly improve the efficacy of detecting novel attacks.
  • Keywords
    computer networks; security of data; telecommunication security; IDS commercial products; correlative context-based framework; network context awareness; network information extraction; network intrusion detection system; security protection mechanisms; Computational modeling; Computer science; Computer security; Context awareness; Data mining; Face detection; Humans; Intrusion detection; Protection; Statistics;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computers and Communications, 2005. ISCC 2005. Proceedings. 10th IEEE Symposium on
  • ISSN
    1530-1346
  • Print_ISBN
    0-7695-2373-0
  • Type

    conf

  • DOI
    10.1109/ISCC.2005.6
  • Filename
    1493767