Selective Alerts For Runtime Protection Of Distributed Systems
Price
Free (open access)
Volume
40
Pages
10
Page Range
287 - 296
Published
2008
Size
397 kb
Paper DOI
10.2495/DATA080271
Copyright
WIT Press
Author(s)
M. Colajanni, D. Gozzi & M. Marchetti
Abstract
Network Intrusion Detection Systems (NIDS) are popular components for fast detection of network attacks and intrusions, but their efficacy is limited by the overwhelming number of false alarms that system administrators have to manage manually. In order to improve the efficacy of attack detection and reduce the number of false positives, we propose a novel scheme for runtime alert management. It filters out innocuous attacks by exploiting the correlation between NIDS alerts and detailed information about the protected information systems, retrieved from heterogeneous and unstructured data sources. Thanks to the proposed scheme, an alert is sent to the system administrator only if the attack threatens a real vulnerability of the protected hosts. Otherwise, as happens in the large majority of cases, the alert is stored for subsequent offline analysis. The viability and efficacy of the proposed solution are demonstrated through an operational prototype that has been tested in networks subject to realistic attacks.

1 Introduction

All modern networked information systems must be protected by some hardware or software appliance. Beyond the first line of defense represented by firewalls, Network Intrusion Detection Systems (NIDS) are the most valuable technology for raising the security level of a network through continuous monitoring and analysis of network traffic. A generic NIDS processes a copy of the traffic flowing through the protected networks, with the aim of finding illicit activities, attacks
Keywords
intrusion detection system, network protection, false positive reduction, alert correlation, alert filtering.
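The filtering decision the abstract describes, as an added example in Python (not code from the paper or its prototype): each NIDS alert is correlated with an inventory of what the targeted host actually runs, and only alerts that match a real vulnerable service are escalated, while the rest are stored for offline analysis. The inventory, the signature-to-vulnerability mapping and the sample alerts are constructed; escalating when the host or signature is unknown is an assumption, not something the abstract specifies.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed asset inventory (sample data): host -> {port: (service, version)}.
INVENTORY: Dict[str, Dict[int, Tuple[str, str]]] = {
    "10.0.0.5": {80: ("httpd", "1.3"), 22: ("sshd", "5.1")},
    "10.0.0.7": {443: ("httpd", "2.4")},
}

# Constructed signature knowledge: NIDS signature id -> (service, versions the attack applies to).
SIGNATURE_TARGETS: Dict[str, Tuple[str, Set[str]]] = {
    "SIG-1001": ("httpd", {"1.3"}),
    "SIG-1002": ("sshd", {"4.0", "4.1"}),
    "SIG-1003": ("ftpd", {"2.2"}),
}

@dataclass(frozen=True)
class Alert:
    sig_id: str
    dst_ip: str
    dst_port: int

def threatens_real_vulnerability(alert: Alert, escalate_unknown: bool = True) -> bool:
    """Correlate one alert with the inventory: True only if the attacked host really
    exposes a version the signature applies to. Missing knowledge -> assumption (fail-closed)."""
    host = INVENTORY.get(alert.dst_ip)
    target = SIGNATURE_TARGETS.get(alert.sig_id)
    if host is None or target is None:
        return escalate_unknown
    service, vulnerable_versions = target
    listening = host.get(alert.dst_port)
    if listening is None:  # nothing listens on the attacked port: innocuous
        return False
    svc, version = listening
    return svc == service and version in vulnerable_versions

def route_alerts(alerts: List[Alert]) -> Tuple[List[Alert], List[Alert]]:
    """Split alerts into (sent to the administrator, stored for offline analysis)."""
    escalated, archived = [], []
    for alert in alerts:
        (escalated if threatens_real_vulnerability(alert) else archived).append(alert)
    return escalated, archived

if __name__ == "__main__":
    sample = [Alert("SIG-1001", "10.0.0.5", 80), Alert("SIG-1002", "10.0.0.5", 22),
              Alert("SIG-1003", "10.0.0.7", 21), Alert("SIG-1001", "10.0.0.7", 443),
              Alert("SIG-1001", "10.0.0.9", 80)]
    sent, stored = route_alerts(sample)
    print("sent to admin:", sent, "\nstored offline:", stored)
```

Of the five constructed alerts only the first (vulnerable httpd 1.3 on a known host) and the last (unknown host, fail-closed) reach the administrator; the other three are archived because the version is not affected or nothing listens on the attacked port.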