DocumentCode
3613150
Title
Quantitative Criteria for Alert Correlation of Anomalies-based NIDS
Author
Maestre Vidal, Jorge ; Sandoval Orozco, Ana Lucila ; Garcia Villalba, Luis Javier
Author_Institution
Univ. Complutense de Madrid (UCM), Madrid, Spain
Volume
13
Issue
10
fYear
2015
Firstpage
3461
Lastpage
3466
Abstract
This paper presents an alert correlation system for mitigating the false positive problem in network-based intrusion detection when anomaly detection techniques are applied. The system allows a quantitative assessment of the likelihood that an alert issued because of an anomaly corresponds to a real threat. To do this, the differences between the characteristics of the model representing habitual and legitimate network usage and the most representative features of the traffic that generated the alert are taken into account. The result is a quantitative assessment of the alert's similarity to legitimate network usage, and a prioritization of the issued alerts. Experiments have demonstrated the validity of the proposal: 95.7% of the false positives were labeled as low-priority alerts, and the various real threats were properly identified.
Keywords
security of data; alert correlation system; anomalies-based NIDS; anomalous detection techniques; false positives problem; habitual network usage; legitimate network usage; network-based intrusion detection; representative features; Correlation; Floods; Intrusion detection; Irrigation; Monitoring; Proposals; Silicon compounds; Alert Correlation; Anomalies; False Positives; IDS; Intrusion Detection System; NIDS; Network-based Intrusion Detection System;
fLanguage
English
Journal_Title
Latin America Transactions, IEEE (Revista IEEE America Latina)
Publisher
ieee
ISSN
1548-0992
Type
jour
DOI
10.1109/TLA.2015.7387255
Filename
7387255
Link To Document