Intrusion alert quality framework for security false alert reduction

Date
2007
Authors
Abu Bakar, Najwa
Abstract
This thesis investigates the design and implementation of a framework that prepares security alerts with verified data quality metrics, enriches the alerts with those metrics and, finally, formats them in a standard representation suitable for consumption by high-level alert analysis procedures. The framework is called the "Intrusion Alert Quality Framework" (IAQF), and its main aim is to improve false alert reduction in intrusion detection. An analysis of existing solutions for reducing false alerts shows that they focus either at the sensor level or at the analysis level. Tuning or customizing the sensors may reduce the number of alerts, but at the risk of missing real attacks (false negatives). At the other extreme, leaving the filtering of false alerts entirely to the analysis stage may not be effective either. First, incomplete contextual information about the alerts makes any effective decision at this stage difficult, and the outcome is likely to be inaccurate. Second, the sheer volume of alerts means that cleaning raw alerts may dominate the computational time before the core task of reducing false alerts even begins. Thus, proper data preparation at a low-level stage, closer to the data source, is needed before alert analysis. In this research we view the problem from an information management perspective, in which it is caused by the low data quality of the alerts. IAQF adapts the data quality principle TDQM (Total Data Quality Management), whose cycle consists of definition, measurement, analysis, and improvement. IAQF is implemented at the low-level stage of the alert analysis procedures to prepare and improve the data quality of the alerts. It can verify alerts against resource contextual information (information about the monitored resources, such as the hosts and services an alert claims to target), enrich them with data quality metrics, and standardize them in IDMEF, a standard data format for representing IDS alerts.
The advantage of this approach is that the output can be directly consumed by analysis procedures such as correlation, data mining, and machine learning. We demonstrated that by applying data quality principles to false alert reduction we reduced false alerts by 10 to 50%, and prepared the alerts with extra contextual information to benefit the high-level analysis.
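The verify-enrich-standardize pipeline described in the abstract, as an added illustration that is not part of the thesis or its implementation. It assumes a constructed asset inventory, three constructed raw sensor alerts, and hypothetical helper names (verify, prepare, to_idmef); the IDMEF output is a simplified RFC 4765 message, with the quality metrics carried in AdditionalData elements so that a downstream correlation or mining stage can read them without re-verifying.

```python
"""Added example: IAQF-style alert preparation (verify, enrich, standardize)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed asset inventory: what actually runs on each monitored host.
INVENTORY = {
    "10.0.0.5": {"os": "linux", "services": {80: "apache", 22: "openssh"}},
    "10.0.0.7": {"os": "windows", "services": {445: "smb", 3389: "rdp"}},
}

# Constructed raw sensor alerts. 'affects' is the platform/service the
# signature is written for; the third alert is missing its timestamp.
SAMPLE_ALERTS = [
    {"id": "a1", "sig": "WEB-IIS cmd.exe access", "src": "203.0.113.9",
     "dst": "10.0.0.5", "dport": 80, "affects": {"os": "windows", "service": "iis"},
     "ts": "2007-03-01T10:00:00Z"},
    {"id": "a2", "sig": "NETBIOS SMB session setup", "src": "203.0.113.9",
     "dst": "10.0.0.7", "dport": 445, "affects": {"os": "windows", "service": "smb"},
     "ts": "2007-03-01T10:00:05Z"},
    {"id": "a3", "sig": "SSH brute force", "src": "198.51.100.4",
     "dst": "10.0.0.42", "dport": 22, "affects": {"os": None, "service": "openssh"},
     "ts": None},
]

REQUIRED = ("id", "sig", "src", "dst", "dport", "ts")
IDMEF_NS = "http://iana.org/idmef"


def completeness(alert):
    """Data quality metric: fraction of required fields present and non-empty."""
    present = sum(1 for f in REQUIRED if alert.get(f) not in (None, ""))
    return present / len(REQUIRED)


def verify(alert, inventory):
    """Check the alert against resource context. Returns (verdict, checks).

    'unverifiable': target host unknown, so nothing can be confirmed.
    'mismatch':     target exists but does not run what the signature attacks.
    'verified':     target exists and matches the signature's preconditions.
    """
    host = inventory.get(alert["dst"])
    if host is None:
        return "unverifiable", {"target_known": False}
    want = alert.get("affects") or {}
    running = host["services"].get(alert["dport"])
    checks = {
        "target_known": True,
        "port_open": running is not None,
        # A signature with no OS/service precondition (None) cannot mismatch.
        "service_match": want.get("service") in (None, running),
        "os_match": want.get("os") in (None, host["os"]),
    }
    return ("verified" if all(checks.values()) else "mismatch"), checks


def prepare(alert, inventory):
    """Enrich one raw alert with quality metrics and the resource context used."""
    verdict, checks = verify(alert, inventory)
    enriched = dict(alert)
    enriched["quality"] = {"completeness": round(completeness(alert), 2),
                           "verdict": verdict, "checks": checks}
    if verdict != "unverifiable":
        enriched["context"] = dict(inventory[alert["dst"]])
    return enriched


def prepare_all(raw_alerts, inventory):
    return [prepare(a, inventory) for a in raw_alerts]


def to_idmef(enriched, analyzer_id="iaqf-1"):
    """Render an enriched alert as a simplified IDMEF (RFC 4765) message."""
    ET.register_namespace("idmef", IDMEF_NS)
    q = lambda tag: "{%s}%s" % (IDMEF_NS, tag)
    msg = ET.Element(q("IDMEF-Message"), {"version": "1.0"})
    alert = ET.SubElement(msg, q("Alert"), {"messageid": enriched["id"]})
    ET.SubElement(alert, q("Analyzer"), {"analyzerid": analyzer_id})
    # Missing timestamp: fill with processing time rather than emit an empty field.
    ts = enriched.get("ts") or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ET.SubElement(alert, q("CreateTime")).text = ts
    for role, ip in (("Source", enriched["src"]), ("Target", enriched["dst"])):
        node = ET.SubElement(ET.SubElement(alert, q(role)), q("Node"))
        addr = ET.SubElement(node, q("Address"), {"category": "ipv4-addr"})
        ET.SubElement(addr, q("address")).text = ip
    ET.SubElement(alert, q("Classification"), {"text": enriched["sig"]})
    quality = enriched["quality"]
    for meaning, value, typ in (("iaqf-verdict", quality["verdict"], "string"),
                                ("iaqf-completeness", str(quality["completeness"]), "real")):
        ad = ET.SubElement(alert, q("AdditionalData"), {"type": typ, "meaning": meaning})
        ET.SubElement(ad, q(typ)).text = value
    return ET.tostring(msg, encoding="unicode")


if __name__ == "__main__":
    for p in prepare_all(SAMPLE_ALERTS, INVENTORY):
        print(p["id"], p["quality"]["verdict"], p["quality"]["completeness"])
    print(to_idmef(prepare(SAMPLE_ALERTS[1], INVENTORY)))
```

Note that the preparation stage does not discard anything: alert a1 (an IIS signature fired against a Linux host running Apache) is tagged "mismatch" and a3 is tagged "unverifiable", and it is the high-level analysis that decides what to do with each verdict. Keeping the mismatch rather than dropping it at the sensor is what avoids the false-negative risk the abstract mentions.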
Description
Master's thesis
Keywords
Computer science, Intrusion alert, alert reduction