From redundant/irrelevant alert elimination to handling IDSs' reliability and controlling severe attack prediction/false alarm rate tradeoffs

Abstract : Using several intrusion detection systems (IDSs), security tools and complementary approaches is fundamental and strongly recommended in order to improve overall detection rates. This, however, inevitably produces huge volumes of alerts, most of which are redundant or false alarms, making their manual analysis intractable. In this paper, we propose an approach which first preprocesses the IDMEF alerts reported by several IDSs in order to eliminate redundant and irrelevant alerts and format the remainder so that they can be analyzed by a severe attack prediction model. This model is based on a Bayesian network that, on the one hand, accounts for the reliability of each IDS when predicting severe attacks and, on the other hand, provides a flexible and efficient approach specifically designed to limit false alarm rates by controlling the confidence of the prediction model. Our experimental studies, carried out on a real and representative IDMEF alert corpus collected in the framework of the PLACID project, show very interesting performance regarding the tradeoffs between prediction rates and the corresponding false alarm rates.
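As an added illustration (not the paper's own implementation: the page gives neither its Bayesian network structure nor its preprocessing rules), the following Python script walks through the two stages the abstract describes. It first drops irrelevant IDMEF alerts (target outside the monitored network) and redundant ones (a repeat of the same analyzer, classification, source and target within a time window), then combines the surviving per-IDS evidence under per-IDS reliability figures and sweeps a confidence threshold to show how the prediction rate and the false alarm rate move together. The IDMEF messages, the reliability figures, the prior and the labelled history are all constructed for the example, and a naive-Bayes combination stands in for the paper's Bayesian network.

```python
"""Added illustration, not the paper's code: IDMEF alert preprocessing followed
by a reliability-aware naive-Bayes score with a confidence threshold."""
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict
from datetime import datetime

NS = "{http://iana.org/idmef}"  # IDMEF v1 namespace (RFC 4765)

# Constructed reliability figures: (P(alert | severe), P(alert | benign)) per IDS.
# In practice these would be estimated from a labelled alert history.
RELIABILITY = {"snort-dmz": (0.90, 0.20), "bro-core": (0.70, 0.05),
               "av-host": (0.40, 0.01)}
PRIOR_SEVERE = 0.10  # constructed base rate of severe attacks


def parse_alert(xml_text):
    """Pull out the fields that decide whether two IDMEF alerts are redundant."""
    alert = ET.fromstring(xml_text).find(f"{NS}Alert")

    def addr(role):
        node = alert.find(f"{NS}{role}/{NS}Node/{NS}Address/{NS}address")
        return node.text if node is not None else None

    stamp = alert.find(f"{NS}CreateTime").text.replace("Z", "+00:00")
    return {"ids": alert.find(f"{NS}Analyzer").get("analyzerid"),
            "time": datetime.fromisoformat(stamp),
            "src": addr("Source"), "dst": addr("Target"),
            "cls": alert.find(f"{NS}Classification").get("text")}


def preprocess(xml_messages, monitored, window_s=60):
    """Drop irrelevant alerts (target not in `monitored`) and redundant ones
    (same IDS/classification/source/target within window_s seconds of the
    last alert *kept* for that key, so a steady stream still surfaces once
    per window)."""
    last_kept, kept = {}, []
    for a in sorted(map(parse_alert, xml_messages), key=lambda a: a["time"]):
        if a["dst"] is None or ipaddress.ip_address(a["dst"]) not in monitored:
            continue  # irrelevant: not one of our assets
        key = (a["ids"], a["cls"], a["src"], a["dst"])
        prev = last_kept.get(key)
        if prev is not None and (a["time"] - prev).total_seconds() <= window_s:
            continue  # redundant repeat of an alert already kept
        last_kept[key] = a["time"]
        kept.append(a)
    return kept


def alerting_sets(alerts):
    """Evidence for the model: which IDSs reported each (source, target) pair."""
    evidence = defaultdict(set)
    for a in alerts:
        evidence[(a["src"], a["dst"])].add(a["ids"])
    return dict(evidence)


def severe_posterior(alerting, reliability=RELIABILITY, prior=PRIOR_SEVERE):
    """P(severe | which IDSs fired), treating IDS verdicts as conditionally
    independent given the true class. Silence from a reliable IDS is evidence too."""
    like_s, like_b = prior, 1.0 - prior
    for ids, (tp, fp) in reliability.items():
        fired = ids in alerting
        like_s *= tp if fired else 1.0 - tp
        like_b *= fp if fired else 1.0 - fp
    return like_s / (like_s + like_b)


def evaluate(labelled, tau):
    """(prediction rate TP/(TP+FN), false alarm rate FP/(FP+TN)) when 'severe'
    is predicted only for posterior >= tau."""
    counts = Counter()
    for alerting, is_severe in labelled:
        counts[(is_severe, severe_posterior(alerting) >= tau)] += 1
    tp, fn = counts[(True, True)], counts[(True, False)]
    fp, tn = counts[(False, True)], counts[(False, False)]
    return tp / (tp + fn), fp / (fp + tn)


def idmef(ids, time, src, dst, cls):
    """Build a minimal IDMEF v1 alert (constructed test data)."""
    return (f'<IDMEF-Message xmlns="http://iana.org/idmef" version="1.0"><Alert>'
            f'<Analyzer analyzerid="{ids}"/><CreateTime>{time}</CreateTime>'
            f'<Source><Node><Address><address>{src}</address></Address></Node></Source>'
            f'<Target><Node><Address><address>{dst}</address></Address></Node></Target>'
            f'<Classification text="{cls}"/></Alert></IDMEF-Message>')


MONITORED = ipaddress.ip_network("10.0.0.0/8")  # constructed: our address space
SAMPLE_ALERTS = [  # constructed: 10.0.0.9 is ours, 203.0.113.50 is not
    idmef("snort-dmz", "2010-05-05T10:00:00Z", "198.51.100.7", "10.0.0.9", "WEB-ATTACK"),
    idmef("snort-dmz", "2010-05-05T10:00:30Z", "198.51.100.7", "10.0.0.9", "WEB-ATTACK"),
    idmef("snort-dmz", "2010-05-05T10:02:00Z", "198.51.100.7", "10.0.0.9", "WEB-ATTACK"),
    idmef("bro-core", "2010-05-05T10:00:10Z", "198.51.100.7", "10.0.0.9", "WEB-ATTACK"),
    idmef("snort-dmz", "2010-05-05T10:00:05Z", "198.51.100.7", "203.0.113.50", "WEB-ATTACK"),
]
# Constructed labelled history: (set of IDSs that fired, was it really severe?)
LABELLED = [({"snort-dmz"}, False), ({"snort-dmz"}, False), ({"bro-core"}, False),
            ({"snort-dmz", "bro-core"}, True), ({"snort-dmz", "av-host"}, True),
            ({"snort-dmz", "bro-core", "av-host"}, True), ({"bro-core"}, True),
            (set(), False), ({"snort-dmz", "bro-core"}, False), ({"av-host"}, False)]

if __name__ == "__main__":
    kept = preprocess(SAMPLE_ALERTS, MONITORED)
    print(f"{len(SAMPLE_ALERTS)} alerts in, {len(kept)} kept after preprocessing")
    for pair, ids in alerting_sets(kept).items():
        print(pair, sorted(ids), f"P(severe)={severe_posterior(ids):.3f}")
    for tau in (0.05, 0.5, 0.9):
        pr, far = evaluate(LABELLED, tau)
        print(f"tau={tau:.2f}: prediction rate {pr:.2f}, false alarm rate {far:.2f}")
```

Of the five constructed alerts, three survive: the out-of-scope target is dropped as irrelevant, the 30-second repeat is dropped as redundant, while the later repeat and the corroborating alert from the second IDS are kept. Raising tau never increases the false alarm rate, so the threshold is the knob an operator turns to buy fewer false alarms at the cost of missed severe attacks, which is the tradeoff the abstract refers to; how to set the per-IDS reliabilities and the structure of the full model are the paper's contribution, not this sketch's.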

https://hal.archives-ouvertes.fr/hal-00481061
Contributor : Karim Tabia
Submitted on : Wednesday, May 5, 2010 - 6:31:29 PM
Last modification on : Thursday, April 5, 2018 - 10:36:49 AM

Identifiers

  • HAL Id : hal-00481061, version 1

Citation

Karim Tabia, Philippe Leray, Ludovic Mé. From redundant/irrelevant alert elimination to handling IDSs' reliability and controlling severe attack prediction/false alarm rate tradeoffs. Fifth Conference on Network and Information Systems Security (SARSSI 2010), May 2010, Nice, France. pp.15. ⟨hal-00481061⟩
