Alarm management for intrusion detection systems - Prioritizing and presenting alarms from intrusion detection systems
Abstract
Intrusion detection systems (IDSs) are important tools that help network and
system administrators detect intrusions, but they have the drawback of producing
many false positives. Due to increasing bandwidth, an IDS must process a vast
amount of data, which results in an ever increasing number of alarms. For a
system administrator to be able to handle the alarms, they must be aggregated,
correlated and ordered into a manageable form and presented in a way that is
easy to overview.
In this thesis we study aggregation, correlation, filtering and ranking as methods
for managing alarms from IDSs. We have implemented a ranking functionality
in the graphical user interface Snorby, a front end to the open source IDS Snort.
Each alarm starts with a basic rank of 0 and the user is able to prioritize or
deprioritize the alarm by pressing either a '+' button or a '-' button, thus
influencing its current rank. The rank is calculated from several features, i.e.
source IP, destination IP, destination port and alarm signature.
Based on our studies we suggest that ranking systems supported by user votes
have several advantages. First, they allow the user to dynamically change the
way the IDS lists the alarms by very simple means. Second, they shorten the
time required to locate the more important alarms, thus reducing the likelihood
that a serious attack will be missed.
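The vote-driven ranking sketched above, written out as an added example (not the thesis's code nor Snorby's): a '+' or '-' press on one alarm is credited to each of its four features, and every alarm's rank is recomputed from the feature scores it shares. The rule for combining feature scores (an unweighted sum) and the sample alarms are assumptions of this example, not taken from the thesis.

```ruby
# Added example of vote-based alarm ranking; the combination rule (plain sum of
# per-feature vote totals) is an assumption, not the thesis's formula.
FEATURES = %i[src_ip dst_ip dst_port signature].freeze

class AlarmRanker
  def initialize
    # Per-feature vote totals, e.g. @scores[:src_ip]["198.51.100.7"] => 1
    @scores = Hash.new { |h, k| h[k] = Hash.new(0) }
  end

  # One '+' (delta = +1) or '-' (delta = -1) press on an alarm is credited to
  # every feature of that alarm, so alarms sharing those features move too.
  def vote(alarm, delta)
    FEATURES.each { |f| @scores[f][alarm[f]] += delta }
  end

  # An untouched alarm ranks 0; otherwise the sum of its feature scores.
  def rank(alarm)
    FEATURES.sum { |f| @scores[f][alarm[f]] }
  end

  # Highest rank first; ties keep their original list order.
  def ordered(alarms)
    alarms.each_with_index.sort_by { |a, i| [-rank(a), i] }.map(&:first)
  end
end

# Constructed sample alarms (not real Snort output).
ALARMS = [
  { id: 1, src_ip: "198.51.100.7", dst_ip: "10.0.0.5", dst_port: 22,  signature: "SSH brute force" },
  { id: 2, src_ip: "203.0.113.9",  dst_ip: "10.0.0.8", dst_port: 80,  signature: "ICMP ping sweep" },
  { id: 3, src_ip: "198.51.100.7", dst_ip: "10.0.0.9", dst_port: 445, signature: "SMB login failure" },
  { id: 4, src_ip: "192.0.2.4",    dst_ip: "10.0.0.8", dst_port: 80,  signature: "ICMP ping sweep" }
].freeze

# Analyst presses '+' on alarm 1 and '-' on alarm 2; returns ids in ranked order.
# Alarm 3 rises because it shares the source IP of alarm 1; alarm 4 sinks because
# it shares destination IP, port and signature with alarm 2.
def demo
  r = AlarmRanker.new
  r.vote(ALARMS[0], +1)
  r.vote(ALARMS[1], -1)
  r.ordered(ALARMS).map { |a| a[:id] }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```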
Degree
Student essay
Date
2012-02-28
Author
Klüft, Sebastian
Staaf, Eva Lina
Keywords
intrusion detection, IDS, correlation, fusion, aggregation, filtering, ranking, alarm management
Language
eng