Parallel Network Alert Management System For IDS False Positive Reduction
Date
2011
Authors
El-Taj, Homam Reda Kamel
Publisher
Universiti Sains Malaysia
Abstract
Every secure system has the possibility to fail; therefore, extra effort should be taken to protect these systems. Intrusion detection systems (IDSs) have been proposed with the aim of providing this extra protection. An IDS is a powerful computer security system used to secure computing environments. These systems trigger thousands of alerts per day, which security analysts must verify for relevance and severity based on aggregation and correlation criteria. Several aggregation and correlation methods have been proposed to collect these alerts. This thesis presents a new IDS Alerts Management System (IDSAMS), a parallel system that manages IDS alerts and reduces false positives by aggregating and correlating them, giving a full understanding of network attacks while easing the analysts' work and saving their time. IDSAMS is a standalone system that can work on real alerts from online data or on offline data as a full forensic investigation system. It was built by combining an aggregation algorithm and a correlation algorithm, each of which was implemented as a complete standalone system. The aggregation system aims to remove redundancy from the alert file and reduce false positives, while the correlation system aims to remove false positives, reduce the number of alerts and resolve the relations between alerts. IDSAMS aims to give the analyst a strong overview of security-related activities on the network.
IDSAMS employs a correlation algorithm called Parallel Group Correlation (P-GCA), an enhancement of our Group Correlation Algorithm (GCA). GCA correlates the filtered aggregation results to give better and more accurate results in a short time. GCA was built over an aggregation algorithm called the Time Threshold Aggregation algorithm (TTA). Parallelism is used in both the aggregation system and the correlation system to speed up the production of the final correlated alerts.
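To make the aggregation step concrete, here is an added Python example (not code from the thesis): a time-threshold aggregation over a handful of constructed, Snort-style alert records, merging alerts that share signature, source, destination and port and arrive within the threshold into one aggregated alert carrying a count. The grouping key and the 60-second default threshold are assumptions; the thesis's TTA may differ in both.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (not from the thesis), one per line:
# timestamp, signature id, source IP, destination IP, destination port
RAW_ALERTS = [
    "2011-03-01 10:00:01,1:2003,10.0.0.5,192.168.1.10,80",
    "2011-03-01 10:00:03,1:2003,10.0.0.5,192.168.1.10,80",
    "2011-03-01 10:00:07,1:2003,10.0.0.5,192.168.1.10,80",
    "2011-03-01 10:00:09,1:2010,10.0.0.5,192.168.1.10,22",
    "2011-03-01 10:05:00,1:2003,10.0.0.5,192.168.1.10,80",
    "2011-03-01 10:05:02,1:2003,10.0.0.7,192.168.1.10,80",
]


def parse_alert(line):
    """Split one CSV-style alert record into a dict with a real timestamp."""
    ts, sid, src, dst, dport = line.split(",")
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "sid": sid, "src": src, "dst": dst, "dport": int(dport)}


def aggregate(alerts, threshold_seconds=60):
    """Time-threshold aggregation (assumed interpretation, not the thesis's TTA).

    Alerts with the same (sid, src, dst, dport) key whose timestamp lies within
    `threshold_seconds` of the open group's last alert are merged into that
    group; otherwise a new group is opened. Each group records first/last seen
    and how many raw alerts it absorbed, so the analyst sees one line, not N.
    """
    groups = []        # aggregated alerts, in order of first appearance
    open_groups = {}   # key -> index of the most recent group for that key
    window = timedelta(seconds=threshold_seconds)
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["sid"], a["src"], a["dst"], a["dport"])
        idx = open_groups.get(key)
        if idx is not None and a["ts"] - groups[idx]["last"] <= window:
            groups[idx]["count"] += 1
            groups[idx]["last"] = a["ts"]
        else:
            open_groups[key] = len(groups)
            groups.append({"key": key, "first": a["ts"], "last": a["ts"], "count": 1})
    return groups


def aggregate_lines(lines, threshold_seconds=60):
    """Parse raw alert lines and return the aggregated groups."""
    return aggregate([parse_alert(l) for l in lines], threshold_seconds)


def reduction_ratio(lines, threshold_seconds=60):
    """Fraction of raw alerts removed as redundant by aggregation."""
    return 1 - len(aggregate_lines(lines, threshold_seconds)) / len(lines)
```

With the 60-second threshold the six raw alerts collapse to four aggregated ones; widening the threshold to 600 seconds also absorbs the later 10:05:00 repeat into the first group.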
Keywords
Parallel network alert management system, for IDS false positive reduction