Analysis of Intrusion Detection System Alerts: Using Supervised Learning to Reduce False Positive Alerts
Abstract
Intrusion Detection Systems (IDS) detect various types of malicious behavior in computer systems that can compromise their security and reliability. Although IDSs improve system protection, they also generate alerts that do not reflect the real situation of the computing environment; these are known as false positive alerts. This paper presents an approach for reducing false positive alerts that combines priority-based alert filtering with machine learning. Alerts are first separated by priority and then enriched with information drawn from other data sources. Supervised classifiers (kNN and Random Forest) are then trained on the enriched alerts to identify false positives. The approach achieved its goal, showing a significant reduction of false positive alerts in a case study conducted on a real corporate network.
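The pipeline sketched in the abstract (priority filtering, enrichment from a second data source, then a supervised classifier) can be illustrated end to end. The following is an added example and not the paper's code: the alerts, the asset inventory and the analyst-labeled training set are all constructed, the signature names and addresses are placeholders, and the "other data source" is assumed to be an asset inventory that records which services and operating system each host runs. kNN is implemented by hand so the example runs without scikit-learn; the paper's Random Forest classifier is not reproduced here.

```python
"""Priority filtering + inventory enrichment + kNN labelling of IDS alerts.

Added illustration, not the paper's implementation. All data below is
constructed for the example.
"""
import math
from collections import Counter

# Constructed alerts in a Snort-like shape (priority 1 = most severe).
# Signature names and addresses are placeholders, not real rule IDs.
ALERTS = [
    {"id": 101, "sig": "web server exploit (Windows)", "target_os": "windows",
     "priority": 1, "src": "203.0.113.5", "dst": "10.0.0.10", "dport": 80},
    {"id": 102, "sig": "SQL injection attempt", "target_os": "any",
     "priority": 1, "src": "198.51.100.7", "dst": "10.0.0.10", "dport": 80},
    {"id": 103, "sig": "SMB exploit attempt", "target_os": "windows",
     "priority": 1, "src": "203.0.113.9", "dst": "10.0.0.20", "dport": 445},
    {"id": 104, "sig": "RDP brute force", "target_os": "windows",
     "priority": 2, "src": "203.0.113.9", "dst": "10.0.0.30", "dport": 3389},
    {"id": 105, "sig": "ICMP ping sweep", "target_os": "any",
     "priority": 3, "src": "203.0.113.9", "dst": "10.0.0.10", "dport": 0},
    {"id": 106, "sig": "SSH scan", "target_os": "any",
     "priority": 2, "src": "203.0.113.9", "dst": "10.0.0.99", "dport": 22},
]

# Constructed asset inventory: the extra data source used for enrichment.
ASSETS = {
    "10.0.0.10": {"os": "linux", "services": {80, 443}},
    "10.0.0.20": {"os": "linux", "services": {22}},
    "10.0.0.30": {"os": "windows", "services": {445, 3389}},
}

# Constructed training set: feature vectors labelled by an analyst.
# Feature order: (priority, service_open, os_match); label TP or FP.
TRAIN = [
    ((1.0, 1.0, 1.0), "TP"),
    ((2.0, 1.0, 1.0), "TP"),
    ((1.0, 1.0, 0.0), "FP"),   # service open but signature targets another OS
    ((2.0, 1.0, 0.0), "FP"),
    ((1.0, 0.0, 1.0), "FP"),   # targeted port is not open on the host
    ((2.0, 0.0, 1.0), "FP"),
    ((1.0, 0.0, 0.0), "FP"),
    ((2.0, 0.0, 0.0), "FP"),
]


def filter_by_priority(alerts, max_priority=2):
    """Step 1: keep only alerts at or above the analyst's priority threshold."""
    return [a for a in alerts if a["priority"] <= max_priority]


def enrich(alert, assets=ASSETS):
    """Step 2: add inventory context. An alert against a closed port, or a
    signature for an OS the host does not run, cannot describe a real hit."""
    host = assets.get(alert["dst"])
    out = dict(alert)
    out["service_open"] = bool(host) and alert["dport"] in host["services"]
    out["os_match"] = bool(host) and alert["target_os"] in ("any", host["os"])
    return out


def features(enriched):
    """Numeric vector consumed by the classifier."""
    return (
        float(enriched["priority"]),
        1.0 if enriched["service_open"] else 0.0,
        1.0 if enriched["os_match"] else 0.0,
    )


def knn_predict(train, x, k=3):
    """Step 3: majority vote among the k nearest labelled vectors.
    sorted() is stable, so distance ties keep training order."""
    ranked = sorted(train, key=lambda item: math.dist(item[0], x))
    votes = Counter(label for _, label in ranked[:k])
    return votes.most_common(1)[0][0]


def classify_alerts(alerts, train=TRAIN, max_priority=2, k=3):
    """Run the three steps and return {alert id: 'TP' or 'FP'}."""
    results = {}
    for alert in filter_by_priority(alerts, max_priority):
        results[alert["id"]] = knn_predict(train, features(enrich(alert)), k)
    return results


if __name__ == "__main__":
    verdicts = classify_alerts(ALERTS)
    for alert_id, label in verdicts.items():
        print(alert_id, label)
    suppressed = sum(1 for v in verdicts.values() if v == "FP")
    print(f"{suppressed} of {len(verdicts)} prioritised alerts flagged as false positives")
```

The two enrichment features carry the real signal here: alert 101 fires on an open web port but with a Windows-only signature against a Linux host, and alert 103 targets a port the inventory says is closed, so both land next to FP-labelled training points. With only eight training vectors and k=3 the vote is easily swayed; on production data the same features would feed scikit-learn's KNeighborsClassifier and RandomForestClassifier with a held-out evaluation set, and the inventory must be kept current or the os_match and service_open features become a source of false negatives.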
