DocumentCode :
454175
Title :
False positives reduction via intrusion alert quality framework
Author :
Bakar, N.A. ; Belaton, Bahari ; Samsudin, Azman
Author_Institution :
Sch. of Comput. Sci., Univ. Sci. Malaysia, Penang, Malaysia
Volume :
1
fYear :
2005
fDate :
16-18 Nov. 2005
Abstract :
Existing security monitoring sensors such as IDS/IPS, firewalls, filtering routers, and others often record logs and subsequently generate alerts to warn security analysts of what is perceived as posing a security threat to the environment or organization they are monitoring. Unfortunately, these logs and alerts are not only huge in number but also poor in data quality, i.e. they contain false logs/alerts. This in turn poses two main challenges to higher-level operations: first, computationally efficient algorithms are needed to process and sift through large volumes of unverified logs and alerts; second, algorithms are needed that avoid drawing wrong conclusions from poor-quality logs and alerts. In this paper, we implement an intrusion alert quality framework to reduce false positive alerts in IDS. Using this framework, we enrich each alert with quality parameters such as correctness, accuracy, reliability, and sensitivity. To complement this effort, we normalize the enriched alerts into the IDMEF format. In this form (enriched and normalized), higher-level operations are given the option to use the quality parameter values tagged in the alerts in their core operations in order to produce sound conclusions. Finally, we demonstrate the efficacy of the framework in reducing false positive alerts using DARPA 2000 network traffic.
Keywords :
security of data; telecommunication security; DARPA 2000 network traffic; false positives reduction; filtering routers; firewalls; intrusion alert quality framework; security monitoring sensors; Computer science; Computer security; Computerized monitoring; Data security; Information filtering; Information filters; Information security; Intrusion detection; Organizing; Telecommunication traffic; Alert Correlation; Data Quality; Intrusion Detection; Security;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
2005 13th IEEE International Conference on Networks, jointly held with the 2005 IEEE 7th Malaysia International Conference on Communication
ISSN :
1531-2216
Print_ISBN :
1-4244-0000-7
Type :
conf
DOI :
10.1109/ICON.2005.1635545
Filename :
1635545