Intrusion alert quality framework for security false alert reduction
Date
2007
Authors
Abu Bakar, Najwa
Abstract
This thesis investigates the design and implementation of a framework to prepare security alerts with verified data quality metrics, enrich alerts with these metrics and, finally, format the alerts in a standard format suitable for consumption by high-level alert analysis procedures. This framework is called the "Intrusion Alert Quality Framework" (IAQF), and its main aim is to improve false alert reduction in the intrusion detection area. An analysis of existing solutions to reduce false alerts shows that they focus either at the sensor level or at the analysis level. Tuning or customizing the sensors may help reduce the number of alerts, but we risk missing real attacks (false negatives). At the other extreme, leaving the task of filtering false alerts to the analysis stage may not be effective either. First, incomplete contextual information about alerts may make any effective decision at this stage difficult, and the outcome is most likely to be inaccurate. Second, the sheer volume of alerts may dominate the computational time spent cleaning raw alerts prior to performing the core task of reducing false alerts. Thus, proper data preparation at a low-level stage, nearer to the data source, is needed prior to alert analysis. In this research, we look at this problem from the information management perspective, where the problem is due to the alerts' low data quality. IAQF, which adapts a data quality principle called TDQM, is proposed; the processes included are definition, measurement, analysis, and improvement. IAQF is implemented at the low-level stage of the alert analysis procedures to prepare and improve the data quality of the alerts. IAQF features the ability to verify alerts using resource contextual information, enrich them with data quality metrics, and standardize them using the IDMEF format, a standard data format for presenting IDS alerts. The advantage of this approach is that the output can be directly consumed by analysis procedures, namely correlation, data mining, and machine learning. We demonstrated that by applying data quality principles to false alert reduction, we managed to reduce false alerts in the range of 10 to 50%, and prepared the alerts with extra contextual information to benefit the high-level analysis.
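As an added illustration (not code from the thesis or its author), the following Python script sketches the IAQF stages the abstract describes on constructed input: each raw sensor alert is measured against an asset inventory (the "resource contextual information"), enriched with data quality metrics, given a verdict in the improvement step, and serialized into a simplified IDMEF-like XML document. The asset inventory, the alert fields, the metric names and the reduced element layout are assumptions made for this example, not the thesis's definitions.

```python
"""Toy IAQF-style pipeline (added example, not the thesis's code).

Stages, following the TDQM loop named in the abstract:
  definition  - which quality metrics we care about (see measure())
  measurement - compute the metrics per alert against asset context
  analysis    - derive a relevance score and a verdict
  improvement - drop alerts that the context shows cannot be true positives
The result is emitted in an IDMEF-like XML layout (simplified; assumption).
"""
import xml.etree.ElementTree as ET

# Constructed asset inventory: destination host -> OS and open services.
ASSETS = {
    "10.0.0.5": {"os": "linux", "services": {80: "apache", 22: "openssh"}},
    "10.0.0.9": {"os": "windows", "services": {445: "smb", 3389: "rdp"}},
}

# Constructed raw alerts in a Snort-like shape. The third one lacks "src" to
# exercise the completeness metric; "target_os" is the OS the signature targets.
RAW_ALERTS = [
    {"sid": 1001, "msg": "web /bin/sh access", "src": "198.51.100.7",
     "dst": "10.0.0.5", "dport": 80, "target_os": "linux"},
    {"sid": 2002, "msg": "IIS unicode traversal", "src": "198.51.100.7",
     "dst": "10.0.0.5", "dport": 80, "target_os": "windows"},
    {"sid": 3003, "msg": "SMB exploit attempt",
     "dst": "10.0.0.77", "dport": 445, "target_os": "windows"},
    {"sid": 4004, "msg": "RDP brute force", "src": "203.0.113.4",
     "dst": "10.0.0.9", "dport": 3389, "target_os": "windows"},
]

REQUIRED_FIELDS = ("sid", "msg", "src", "dst", "dport")


def measure(alert, assets):
    """Measurement: compute data quality metrics for one alert.

    host_known / service_open / os_match capture accuracy relative to the
    asset context; completeness is the share of required fields present.
    """
    host = assets.get(alert.get("dst"))
    host_known = host is not None
    service_open = host_known and alert.get("dport") in host["services"]
    os_match = host_known and alert.get("target_os") == host["os"]
    present = sum(1 for f in REQUIRED_FIELDS if alert.get(f) is not None)
    return {
        "host_known": host_known,
        "service_open": bool(service_open),
        "os_match": bool(os_match),
        "completeness": present / len(REQUIRED_FIELDS),
    }


def verify_and_enrich(alerts, assets):
    """Analysis: attach metrics, a relevance score and a verdict to each alert."""
    enriched = []
    for a in alerts:
        m = measure(a, assets)
        score = (m["host_known"] + m["service_open"] + m["os_match"]) / 3
        contextually_possible = m["host_known"] and m["service_open"] and m["os_match"]
        verdict = "verified" if contextually_possible else "likely_false"
        enriched.append({**a, "quality": m, "relevance": round(score, 2),
                         "verdict": verdict})
    return enriched


def to_idmef(enriched):
    """Serialize enriched alerts into a simplified IDMEF-like XML string.

    Only a handful of IDMEF elements are used; the iaqf.* AdditionalData
    entries are this example's convention for carrying the quality metrics.
    """
    root = ET.Element("IDMEF-Message", version="1.0")
    for a in enriched:
        alert = ET.SubElement(root, "Alert")
        ET.SubElement(alert, "Classification", text=a["msg"])
        for tag, key in (("Source", "src"), ("Target", "dst")):
            node = ET.SubElement(ET.SubElement(alert, tag), "Node")
            addr = ET.SubElement(node, "Address", category="ipv4-addr")
            ET.SubElement(addr, "address").text = a.get(key, "unknown")
        for meaning, value in (("iaqf.verdict", a["verdict"]),
                               ("iaqf.relevance", a["relevance"]),
                               ("iaqf.completeness", a["quality"]["completeness"])):
            extra = ET.SubElement(alert, "AdditionalData", type="string", meaning=meaning)
            extra.text = str(value)
    return ET.tostring(root, encoding="unicode")


def run_pipeline(alerts=RAW_ALERTS, assets=ASSETS):
    """Improvement: keep only context-verified alerts; return everything for inspection."""
    enriched = verify_and_enrich(alerts, assets)
    kept = [a for a in enriched if a["verdict"] == "verified"]
    return enriched, kept, to_idmef(enriched)


if __name__ == "__main__":
    all_alerts, verified, xml = run_pipeline()
    print(f"{len(all_alerts) - len(verified)} of {len(all_alerts)} alerts flagged as likely false")
    print(xml)
```

The second alert fires a Windows IIS signature against a Linux web server and the third targets a host absent from the inventory, so both are flagged; the alerts that survive still carry their metrics in the XML, which is what lets a downstream correlation or mining step weigh them rather than treat every input as equally trustworthy.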
Description
master
Keywords
Science computer, Intrusion alert, alert reduction