Alarm management for intrusion detection systems - Prioritizing and presenting alarms from intrusion detection systems

Abstract
Intrusion detection systems (IDSs) are important tools that help network and system administrators detect intrusions, but they have the drawback of producing many false positives. Because of increasing bandwidth, an IDS must process a vast amount of data, which results in an ever increasing number of alarms. For a system administrator to be able to handle the alarms, they must be aggregated, correlated and ordered into a manageable form and presented in a way that is easy to overview. In this thesis we study aggregation, correlation, filtering and ranking as methods for managing alarms from IDSs. We have implemented a ranking functionality in the graphical user interface Snorby, a front end to the open source IDS Snort. Each alarm starts with a basic rank of 0, and the user can prioritize or deprioritize the alarm by pressing either a ’+’ button or a ’-’ button, thus influencing its current rank. The rank is calculated from several features, i.e. source IP, destination IP, destination port and alarm signature. Based on our studies we suggest that ranking systems supported by user votes have several advantages. First, they allow the user to dynamically change the way the IDS lists the alarms through very simple means. Second, they shorten the time required to locate the more important alarms, thus reducing the likelihood that a serious attack will be missed.
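The abstract names the four features the rank is computed from but not how votes combine into a rank. The following added example (not code from the thesis or from Snorby) assumes one plausible model: a ’+’ or ’-’ vote on an alarm adjusts a weight for each of that alarm's feature values, and an alarm's rank is the sum of its feature weights, so alarms sharing a voted-on source IP, destination IP, port or signature move together. The alarms are constructed sample data, not real Snort output.

```python
from collections import defaultdict
from dataclasses import dataclass

# The features the abstract lists as inputs to the rank.
FEATURES = ("src_ip", "dst_ip", "dst_port", "signature")

@dataclass(frozen=True)
class Alarm:
    alarm_id: int
    src_ip: str
    dst_ip: str
    dst_port: int
    signature: str

class VoteRanker:
    """Rank alarms from user '+'/'-' votes.

    Assumed model (not specified in the abstract): each vote on one
    alarm adds +1/-1 to a weight for every (feature, value) pair of
    that alarm; an alarm's rank is the sum of its four weights, so
    every alarm starts at rank 0.
    """
    def __init__(self):
        self.weights = defaultdict(int)  # (feature, value) -> vote total

    def vote(self, alarm, direction):
        """direction is +1 for the '+' button, -1 for the '-' button."""
        if direction not in (1, -1):
            raise ValueError("direction must be +1 or -1")
        for feature in FEATURES:
            self.weights[(feature, getattr(alarm, feature))] += direction

    def rank(self, alarm):
        return sum(self.weights[(f, getattr(alarm, f))] for f in FEATURES)

    def ordered(self, alarms):
        """Highest rank first; ties keep arrival order (sort is stable)."""
        return sorted(alarms, key=self.rank, reverse=True)

# Constructed sample alarms (placeholder addresses, not real traffic).
ALARMS = [
    Alarm(1, "10.0.0.5", "192.0.2.10", 22, "SSH brute force"),
    Alarm(2, "10.0.0.7", "192.0.2.10", 22, "SSH brute force"),
    Alarm(3, "10.0.0.5", "192.0.2.20", 80, "HTTP scan"),
    Alarm(4, "10.0.0.9", "192.0.2.30", 443, "TLS anomaly"),
]

def demo():
    r = VoteRanker()
    r.vote(ALARMS[0], +1)   # analyst presses '+' on alarm 1
    r.vote(ALARMS[3], -1)   # analyst presses '-' on alarm 4
    return [a.alarm_id for a in r.ordered(ALARMS)], {a.alarm_id: r.rank(a) for a in ALARMS}
```

Note that alarm 2 rises although nobody voted on it: it shares the destination, port and signature with the upvoted alarm 1, which is the propagation effect that lets a few votes reorder a large alarm list.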
Degree
Student essay
URI
http://hdl.handle.net/2077/28856
Collections
  • Masteruppsatser
View/Open
Master of Science Thesis, Computer Science Programme (2.673Mb)
Date
2012-02-28
Author
Klüft, Sebastian
Staaf, Eva Lina
Keywords
intrusion detection, IDS, correlation, fusion, aggregation, filtering, ranking, alarm management
Language
eng
DSpace software copyright © 2002-2016  DuraSpace
Contact Us | Send Feedback
Theme by 
Atmire NV