Improving the results of intrusion detection systems
Improving the results of intrusion detection systems (title in Greek)
Σπαθούλας, Γεώργιος Παναγιώτης
Subject: Automatic control ; Digital control systems ; Computer networks -- Security measures ; Neural networks (Computer science)
Intrusion detection systems successfully detect intrusions, but the alert sets they produce suffer from multiple deficiencies. The volume of alerts is difficult to handle, while the percentage of false alerts is relatively high. The intruder's attack plan is difficult to unveil, as alerts correspond to low-level events, and the security analyst has to put in a lot of effort in order to successfully monitor the security status of the protected system.

An alert post-processing system is proposed to improve the results of intrusion detection systems. It transforms the alert sets produced by multiple intrusion detection sensors into a meaningful live graphical representation that can inform the analyst in a timely manner about occurring events and enable her to examine these events further and react accordingly. The system consists of sensor managers, each of which is responsible for the alert flow of one intrusion detection sensor. They calculate a validity estimation for each alert and aggregate identical alerts. Their outputs are all led to a single clustering subsystem. This merges the flows into a system-wide flow and performs the required clustering between related aggregated alerts. It optionally attempts to estimate information about events missed by the intrusion detection sensors. Finally, a visualization subsystem produces a three-dimensional live graph of the existing clusters, in order to provide the analyst with a compact representation of occurring security events.

Along with the proposed system, an alternative method for false-alert filtering is discussed. It is based on fuzzy inference systems and efficiently evaluates the validity of alerts, eventually filtering out false ones. Finally, a platform for conducting alert post-processing experiments is presented. It provides users with standard ready-to-use functionality, while enabling them to reuse their own or others' past components.